[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Wed Apr 12 03:41:02 UTC 2017
The branch, master has been updated
via d92a23e winbind_msrpc: Use any_nt_status_not_ok
via 5ee6d44 winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
via e4173fb winbind: Slightly simplify remove_timed_out_clients
via 5eacb88 winbind: Avoid a "ok==false"
via c91bac5 winbind: Simplify a logic expression
via 8220d74 winbindd: remove fallback from lookuprids
via 2eeb538 winbindd: remove lookupsid() fallback for a failed lookupsids()
via c79a5ac winbindd: remove fallback to lookupsid for unknown SIDs
via 32e752e winbindd: handling of failed lookupsids in wb_lookupsids_single_done()
via 36e01b6 winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
via 1efaeb0 winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
via a58b54a libcli/security: fix dom_sid_in_domain()
via 2666121 s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
via 16c8983 s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
via fffd611 s3:vfs:shadow_copy2: fix quoting in debug messages
from 397d193 tdb: Test for readonly lock upgrade bug
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d92a23e4ae60801edce69bf9b26f50181fe391b5
Author: Volker Lendecke <vl at samba.org>
Date: Thu Mar 9 18:57:14 2017 +0100
winbind_msrpc: Use any_nt_status_not_ok
Less lines, less bytes .text
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Apr 12 05:40:36 CEST 2017 on sn-devel-144
commit 5ee6d44665d6a8bee2d50d241422f9b4ecd69ff2
Author: Volker Lendecke <vl at samba.org>
Date: Mon Mar 6 20:36:25 2017 +0000
winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e4173fbc5308aa9376a0305fc0c77a39a28d3497
Author: Volker Lendecke <vl at samba.org>
Date: Thu Mar 9 17:50:01 2017 +0100
winbind: Slightly simplify remove_timed_out_clients
Best reviewed with "git show -b"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5eacb88831e8156d5a3dc3815807f5522af53c46
Author: Volker Lendecke <vl at samba.org>
Date: Thu Mar 9 18:27:55 2017 +0100
winbind: Avoid a "ok==false"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c91bac5a63124bb33a7048e91fe1c27864251a3e
Author: Volker Lendecke <vl at samba.org>
Date: Thu Mar 9 18:49:39 2017 +0100
winbind: Simplify a logic expression
This isn't 100% the same flow, but before this patch we initialized
domain->primary to "false" via "talloc_zero". This means that the
end-result should be the same before and after this patch that IMHO
simplifies the logic a bit.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8220d7453fcf900eb50a2a06b46f1c7807b02ec9
Author: Ralph Boehme <slow at samba.org>
Date: Sun Apr 2 14:15:33 2017 +0200
winbindd: remove fallback from lookuprids
We're only calling lookuprids for our local SAM and BUILTIN domains, if
that results in a failed lookup for some rid, sending it again via
lookupsids() won't help, it will just fail again.
If the caller wrongly had sent any other SID that is not from our SAM or
BUILTIN via lookuprids(), then it is up to the caller to fix that, not
us.
The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2eeb53890bba81a0fce18c3eb185c337c9222202
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 24 16:54:39 2017 +0100
winbindd: remove lookupsid() fallback for a failed lookupsids()
If lookupsids() returned any other error than OK, SOME_NOT_MAPPED or
NONE_MAPPED we must just bail out.
If some or all SIDs could not be mapped via lookupsids(), don't fall back
to lookupsid(), it will just fail again.
The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c79a5acf201f1b779a4fc833a45a9ee658f8cb31
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 24 16:46:40 2017 +0100
winbindd: remove fallback to lookupsid for unknown SIDs
In wb_lookupsids_done() if a SID failed with lookupsids(), remove the
hokey retry via lookupsid().
The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 32e752e145395c8dbe73c90250ce471ab6744e8b
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 24 17:06:38 2017 +0100
winbindd: handling of failed lookupsids in wb_lookupsids_single_done()
If lookupsid() failed with NT_STATUS_SOME_NOT_MAPPED or
NT_STATUS_NONE_MAPPED, if we didn't get a domain name, don't add a fake
domain to the lsa_RefDomainList. Just set the domain index in the
translated name to UINT32_MAX.
It's up to callers like wb_sids2xids to handle such failed mappings and
wb_sids2xids_lookupsids_done() has been updated in a previous commit to
deal with it.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 36e01b6232247abdd2d4ad75f405b328456c1b9e
Author: Ralph Boehme <slow at samba.org>
Date: Sun Mar 26 08:34:59 2017 +0200
winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
If the SID was in an unknown domain, src_name->sid_index will be
UINT32_MAX.
This change allows wb_lookupsids_move_name() to add such names to the
result set. This is not used for now, but will be used in subsequent
commits.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1efaeb072e55735421191fbae9cc586db6d07bb1
Author: Ralph Boehme <slow at samba.org>
Date: Tue Apr 4 14:51:09 2017 +0200
winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
This lets wb_sids2xids_lookupsids_done() deal with wb_lookupsids
returning UINT32_MAX as domain index for SIDs from unknown domains.
Call find_domain_from_sid_noinit() to search our list of known
domains. If a matching domain is found, use its name, otherwise use the
empty string "". This is needed to handle Samba DCs which always return
sid_index UINT32_MAX for unknown SIDs, even from known domains.
Currently the wb_lookupsids adds these fake domains with an empty string
as domain name, but that's not the correct place to do it. We need the
domain name as it gets passed to the idmap child where the choice of
idmap backend is based on the domain name. This will possibly be changed
in the future to be based on domain SIDs, not the name.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a58b54a33435d26e9fe226d3d72e4392747aeedd
Author: Ralph Boehme <slow at samba.org>
Date: Mon Apr 10 16:14:45 2017 +0200
libcli/security: fix dom_sid_in_domain()
Ensure the SID has exactly one component more than the domain SID, e.g.
Domain SID: S-1-5-21-1-2-3
SID: S-1-5-21-1-2-3-4
This will return true. If the SID has more components, eg
SID: S-1-5-21-1-2-3-4-5, or
SID: S-1-5-21-1-2-3-4-5-6-7-8
dom_sid_in_domain() must return false.
This was verified against Windows:
lsa_LookupSids: struct lsa_LookupSids
out: struct lsa_LookupSids
domains : *
domains : *
domains: struct lsa_RefDomainList
count : 0x00000002 (2)
domains : *
domains: ARRAY(2)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'BUILTIN'
sid : *
sid : S-1-5-32
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
string : 'W4EDOM-L4'
sid : *
sid : S-1-5-21-278041429-3399921908-1452754838
max_size : 0x00000020 (32)
names : *
names: struct lsa_TransNameArray
count : 0x00000004 (4)
names : *
names: ARRAY(4)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x001a (26)
size : 0x001a (26)
string : *
string : 'Administrator'
sid_index : 0x00000001 (1)
names: struct lsa_TranslatedName
sid_type : SID_NAME_UNKNOWN (8)
name: struct lsa_String
length : 0x005c (92)
size : 0x005e (94)
string : *
string : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
sid_index : 0xffffffff (4294967295)
names: struct lsa_TranslatedName
sid_type : SID_NAME_ALIAS (4)
name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'Administrators'
sid_index : 0x00000000 (0)
names: struct lsa_TranslatedName
sid_type : SID_NAME_UNKNOWN (8)
name: struct lsa_String
length : 0x001c (28)
size : 0x001e (30)
string : *
string : 'S-1-5-32-544-9'
sid_index : 0xffffffff (4294967295)
count : *
count : 0x00000002 (2)
result : STATUS_SOME_UNMAPPED
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 26661218b3d3f0d4ee89039727bc110e972c2851
Author: Michael Adam <obnox at samba.org>
Date: Tue Apr 11 12:03:52 2017 +0200
s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 16c89835cf07caa2082b586666095deba38ef962
Author: Michael Adam <obnox at samba.org>
Date: Tue Apr 11 12:03:20 2017 +0200
s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fffd611fdc558ab428c8a21cf1e68feaf1f6f469
Author: Michael Adam <obnox at samba.org>
Date: Tue Apr 11 11:18:30 2017 +0200
s3:vfs:shadow_copy2: fix quoting in debug messages
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/dom_sid.c | 6 +-
selftest/knownfail | 1 -
source3/modules/vfs_shadow_copy2.c | 17 ++--
source3/winbindd/wb_lookupsids.c | 163 +++++++++++++------------------------
source3/winbindd/wb_sids2xids.c | 33 ++++++--
source3/winbindd/winbindd.c | 29 +++----
source3/winbindd/winbindd_msrpc.c | 31 ++-----
source3/winbindd/winbindd_pam.c | 9 +-
source3/winbindd/winbindd_util.c | 14 ++--
9 files changed, 129 insertions(+), 174 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 5454c51..e6beff1 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -341,7 +341,11 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
return false;
}
- if (domain_sid->num_auths > sid->num_auths) {
+ if (sid->num_auths < 2) {
+ return false;
+ }
+
+ if (domain_sid->num_auths != (sid->num_auths - 1)) {
return false;
}
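Review bot: The new `sid->num_auths < 2` guard at the top of the added lines rejects every SID with a single sub-authority, including the case where `domain_sid->num_auths` is 0, which the following `domain_sid->num_auths != (sid->num_auths - 1)` comparison would have accepted on its own. The commit message only covers the "too many components" direction, so a short comment saying why one-component SIDs are never in a domain would help. The change also turns a prefix-style match into an exact-depth match for every caller, and the diffstat shows no test added; a unit test with the S-1-5-21-1-2-3-4 and S-1-5-21-1-2-3-4-5 cases from the commit message would pin the behaviour.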
diff --git a/selftest/knownfail b/selftest/knownfail
index 98c9708..1a606c8 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -38,7 +38,6 @@
^samba3.base.delete.deltest16a
^samba3.base.delete.deltest17a
^samba3.unix.whoami anonymous connection.whoami\(ad_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
-^samba3.unix.whoami anonymous connection.whoami\(ad_member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
# these show that we still have some differences between our system
# with our internal iconv because it passes except when we bypass our
# internal iconv modules
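Review bot: The removal of the `whoami\(ad_member\)` entry is not mentioned in any of the commit messages in this push, so it is unclear which change makes the test pass. Please name the test in the message of the commit that fixes it, so that a later regression can be traced back to the right change.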
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index 2afc595..7cacac8 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -444,7 +444,11 @@ static bool make_relative_path(const char *cwd, char *abs_path)
if (memcmp(abs_path, cwd, cwd_len) != 0) {
return false;
}
- if (abs_path[cwd_len] != '/' && abs_path[cwd_len] != '\0') {
+ /* The cwd_len != 1 case is for $cwd == '/' */
+ if (cwd_len != 1 &&
+ abs_path[cwd_len] != '/' &&
+ abs_path[cwd_len] != '\0')
+ {
return false;
}
if (abs_path[cwd_len] == '/') {
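Review bot: The added comment `/* The cwd_len != 1 case is for $cwd == '/' */` reads inverted: the exemption applies when `cwd_len == 1`, and the separator check still runs for every other length. The condition also infers that cwd is "/" from its length alone; testing `cwd[0] == '/'` as well, or rewording the comment to say that a one-byte cwd is assumed to be "/", would make the intent match the code.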
@@ -667,10 +671,11 @@ static bool shadow_copy2_strip_snapshot_internal(TALLOC_CTX *mem_ctx,
* with a path prefix.
*/
if (pstripped != NULL) {
- if (len_before_gmt > 0) {
+ if (len_before_gmt > 1) {
/*
- * There is a slash before
- * the @GMT-. Remove it.
+ * There is a path (and not only a slash)
+ * before the @GMT-. Remove the trailing
+ * slash character.
*/
len_before_gmt -= 1;
}
@@ -684,7 +689,7 @@ static bool shadow_copy2_strip_snapshot_internal(TALLOC_CTX *mem_ctx,
if (make_relative_path(priv->shadow_cwd,
stripped) == false) {
DEBUG(10, (__location__ ": path '%s' "
- "doesn't start with cwd '%s\n",
+ "doesn't start with cwd '%s'\n",
stripped, priv->shadow_cwd));
ret = false;
errno = ENOENT;
@@ -726,7 +731,7 @@ static bool shadow_copy2_strip_snapshot_internal(TALLOC_CTX *mem_ctx,
if (make_relative_path(priv->shadow_cwd,
stripped) == false) {
DEBUG(10, (__location__ ": path '%s' "
- "doesn't start with cwd '%s\n",
+ "doesn't start with cwd '%s'\n",
stripped, priv->shadow_cwd));
ret = false;
errno = ENOENT;
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index c13bd5b..f2b2768 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -23,6 +23,7 @@
#include "librpc/gen_ndr/ndr_winbind_c.h"
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"
+#include "lsa.h"
struct wb_lookupsids_domain {
struct winbindd_domain *domain;
@@ -432,17 +433,23 @@ static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains,
{
struct lsa_TranslatedName *dst_name;
struct lsa_DomainInfo *src_domain;
- uint32_t src_domain_index, dst_domain_index;
+ uint32_t src_domain_index;
+ uint32_t dst_domain_index = UINT32_MAX;
+ bool ok;
src_domain_index = src_name->sid_index;
- if (src_domain_index >= src_domains->count) {
- return false;
- }
- src_domain = &src_domains->domains[src_domain_index];
+ if ((src_domain_index != UINT32_MAX) && (src_domains != NULL)) {
+ if (src_domain_index >= src_domains->count) {
+ return false;
+ }
+ src_domain = &src_domains->domains[src_domain_index];
- if (!wb_lookupsids_find_dom_idx(
- src_domain, dst_domains, &dst_domain_index)) {
- return false;
+ ok = wb_lookupsids_find_dom_idx(src_domain,
+ dst_domains,
+ &dst_domain_index);
+ if (!ok) {
+ return false;
+ }
}
dst_name = &dst_names->names[dst_name_index];
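Review bot: In the new `(src_domain_index != UINT32_MAX) && (src_domains != NULL)` test, a real domain index combined with a NULL `src_domains` skips the lookup and carries on with `dst_domain_index` left at UINT32_MAX, so a caller bug is silently turned into an "unknown domain" result. Suggest checking the index first and returning false when `src_domains == NULL` in that case. `src_domain` is now only assigned inside the block and could be declared there.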
@@ -464,7 +471,6 @@ static void wb_lookupsids_done(struct tevent_req *subreq)
req, struct wb_lookupsids_state);
struct wb_lookupsids_domain *d;
uint32_t i;
- bool fallback = false;
NTSTATUS status, result;
@@ -473,25 +479,8 @@ static void wb_lookupsids_done(struct tevent_req *subreq)
if (tevent_req_nterror(req, status)) {
return;
}
-
- d = &state->domains[state->domains_done];
-
- if (NT_STATUS_IS_ERR(result)) {
- fallback = true;
- } else if (state->tmp_names.count != d->sids.num_sids) {
- fallback = true;
- }
-
- if (fallback) {
- for (i=0; i < d->sids.num_sids; i++) {
- uint32_t res_sid_index = d->sid_indexes[i];
-
- state->single_sids[state->num_single_sids] =
- res_sid_index;
- state->num_single_sids += 1;
- }
- state->domains_done += 1;
- wb_lookupsids_next(req, state);
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ tevent_req_nterror(req, result);
return;
}
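Review bot: The removed fallback also covered `state->tmp_names.count != d->sids.num_sids`, and nothing replaces that comparison after the new `NT_STATUS_LOOKUP_ERR(result)` check. The loop that follows runs `i` up to `state->tmp_names.count` and reads `d->sid_indexes[i]`, an array that, judging by the removed loop, holds `d->sids.num_sids` entries, so a reply carrying more names than SIDs requested would index past it. Suggest failing the request when the counts differ before entering the loop.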
@@ -499,20 +488,11 @@ static void wb_lookupsids_done(struct tevent_req *subreq)
* Look at the individual states in the translated names.
*/
- for (i=0; i<state->tmp_names.count; i++) {
+ d = &state->domains[state->domains_done];
+ for (i=0; i<state->tmp_names.count; i++) {
uint32_t res_sid_index = d->sid_indexes[i];
- if (state->tmp_names.names[i].sid_type == SID_NAME_UNKNOWN) {
- /*
- * Make unknown SIDs go through
- * wb_lookupsid. This retries the forest root.
- */
- state->single_sids[state->num_single_sids] =
- res_sid_index;
- state->num_single_sids += 1;
- continue;
- }
if (!wb_lookupsids_move_name(
&state->tmp_domains, &state->tmp_names.names[i],
state->res_domains, state->res_names,
@@ -531,7 +511,8 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq)
subreq, struct tevent_req);
struct wb_lookupsids_state *state = tevent_req_data(
req, struct wb_lookupsids_state);
- const char *domain_name, *name;
+ const char *domain_name = NULL;
+ const char *name = NULL;
enum lsa_SidType type;
uint32_t res_sid_index;
uint32_t src_rid;
@@ -539,67 +520,53 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq)
struct dom_sid src_domain_sid;
struct lsa_DomainInfo src_domain;
struct lsa_RefDomainList src_domains;
+ struct lsa_RefDomainList *psrc_domains = NULL;
struct lsa_TranslatedName src_name;
+ uint32_t domain_idx = UINT32_MAX;
NTSTATUS status;
+ bool ok;
status = wb_lookupsid_recv(subreq, talloc_tos(), &type,
&domain_name, &name);
TALLOC_FREE(subreq);
- if (!NT_STATUS_IS_OK(status)) {
- struct winbindd_domain *wb_domain = NULL;
- const char *tmpname;
-
- type = SID_NAME_UNKNOWN;
-
- res_sid_index = state->single_sids[state->single_sids_done];
- wb_domain = find_domain_from_sid_noinit(&state->sids[res_sid_index]);
- if (wb_domain != NULL) {
- /*
- * If the lookupsid failed because the rid not
- * found in a domain and we have a reference
- * to the lookup domain, use the name from
- * there.
- *
- * Callers like sid2xid will use the domain
- * name in the idmap backend to figure out
- * which domain to use in processing.
- */
- tmpname = wb_domain->name;
- } else {
- tmpname = "";
- }
- domain_name = talloc_strdup(talloc_tos(), tmpname);
- if (tevent_req_nomem(domain_name, req)) {
- return;
- }
- name = talloc_strdup(talloc_tos(), "");
- if (tevent_req_nomem(name, req)) {
- return;
- }
+ if (NT_STATUS_LOOKUP_ERR(status)) {
+ tevent_req_nterror(req, status);
+ return;
}
- /*
- * Fake up structs for wb_lookupsids_move_name
- */
res_sid_index = state->single_sids[state->single_sids_done];
- sid_copy(&src_domain_sid, &state->sids[res_sid_index]);
- sid_split_rid(&src_domain_sid, &src_rid);
- src_domain.name.string = domain_name;
- src_domain.sid = &src_domain_sid;
+ if ((domain_name != NULL) && (domain_name[0] != '\0')) {
+ /*
+ * Build structs with the domain name for
+ * wb_lookupsids_move_name(). If we didn't get a name, we will
+ * pass NULL and UINT32_MAX.
+ */
- src_domains.count = 1;
- src_domains.domains = &src_domain;
+ sid_copy(&src_domain_sid, &state->sids[res_sid_index]);
+ sid_split_rid(&src_domain_sid, &src_rid);
+
+ src_domain.name.string = domain_name;
+ src_domain.sid = &src_domain_sid;
+
+ src_domains.count = 1;
+ src_domains.domains = &src_domain;
+ psrc_domains = &src_domains;
+
+ domain_idx = 0;
+ }
src_name.sid_type = type;
src_name.name.string = name;
- src_name.sid_index = 0;
-
- if (!wb_lookupsids_move_name(
- &src_domains, &src_name,
- state->res_domains, state->res_names,
- res_sid_index)) {
+ src_name.sid_index = domain_idx;
+
+ ok = wb_lookupsids_move_name(psrc_domains,
+ &src_name,
+ state->res_domains,
+ state->res_names,
+ res_sid_index);
+ if (!ok) {
tevent_req_oom(req);
return;
}
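Review bot: `type` is still declared without an initializer, and the removed error branch was the only place in this function that set it to `SID_NAME_UNKNOWN`. With the new `NT_STATUS_LOOKUP_ERR(status)` test, a SOME_NOT_MAPPED or NONE_MAPPED status now continues to `src_name.sid_type = type;`, which relies on wb_lookupsid_recv() having written `type` on those paths. Initializing it to `SID_NAME_UNKNOWN` alongside the new `domain_name = NULL` and `name = NULL` initializers would remove that dependency.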
@@ -619,32 +586,14 @@ static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq)
NTSTATUS status, result;
struct wb_lookupsids_domain *d;
uint32_t i;
- bool fallback = false;
status = dcerpc_wbint_LookupRids_recv(subreq, state, &result);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
}
-
- d = &state->domains[state->domains_done];
-
- if (NT_STATUS_IS_ERR(result)) {
- fallback = true;
- } else if (state->rid_names.num_principals != d->sids.num_sids) {
- fallback = true;
- }
-
- if (fallback) {
- for (i=0; i < d->sids.num_sids; i++) {
- uint32_t res_sid_index = d->sid_indexes[i];
-
- state->single_sids[state->num_single_sids] =
- res_sid_index;
- state->num_single_sids += 1;
- }
- state->domains_done += 1;
- wb_lookupsids_next(req, state);
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ tevent_req_nterror(req, result);
return;
}
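Review bot: The dropped `state->rid_names.num_principals != d->sids.num_sids` comparison has no successor after the new `NT_STATUS_LOOKUP_ERR(result)` check. If the code below this hunk walks the returned principals while indexing `d->sid_indexes`, a count mismatch should fail the request here rather than be left to the loop.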
@@ -652,6 +601,8 @@ static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq)
* Look at the individual states in the translated names.
*/
+ d = &state->domains[state->domains_done];
+
sid_copy(&src_domain_sid, get_global_sam_sid());
src_domain.name.string = get_global_sam_name();
src_domain.sid = &src_domain_sid;
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index 9bb8fa8..dc90bdf 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -185,20 +185,41 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
}
for (i=0; i<state->num_non_cached; i++) {
+ const struct dom_sid *sid = &state->non_cached[i];
struct dom_sid dom_sid;
- struct lsa_DomainInfo *info;
struct lsa_TranslatedName *n = &names->names[i];
struct wbint_TransID *t = &state->ids.ids[i];
int domain_index;
+ const char *domain_name = NULL;
- sid_copy(&dom_sid, &state->non_cached[i]);
- sid_split_rid(&dom_sid, &t->rid);
+ if (n->sid_index != UINT32_MAX) {
+ const struct lsa_DomainInfo *info;
- info = &domains->domains[n->sid_index];
- t->type = lsa_SidType_to_id_type(n->sid_type);
+ info = &domains->domains[n->sid_index];
+ domain_name = info->name.string;
+ }
+ if (domain_name == NULL) {
+ struct winbindd_domain *wb_domain = NULL;
+
+ /*
+ * This is needed to handle Samba DCs
+ * which always return sid_index == UINT32_MAX for
+ * unknown sids.
+ */
+ wb_domain = find_domain_from_sid_noinit(sid);
+ if (wb_domain != NULL) {
+ domain_name = wb_domain->name;
+ }
+ }
+ if (domain_name == NULL) {
+ domain_name = "";
+ }
+ sid_copy(&dom_sid, sid);
+ sid_split_rid(&dom_sid, &t->rid);
+ t->type = lsa_SidType_to_id_type(n->sid_type);
domain_index = init_lsa_ref_domain_list(
- state, &state->idmap_doms, info->name.string, &dom_sid);
+ state, &state->idmap_doms, domain_name, &dom_sid);
if (domain_index == -1) {
tevent_req_oom(req);
return;
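Review bot: `n->sid_index` is used as `domains->domains[n->sid_index]` after being compared only against UINT32_MAX, with no check against `domains->count`. Suggest treating an index at or beyond `domains->count` as an error, or as an unknown domain, before dereferencing. It would also help to log at debug level when the final `domain_name = "";` fallback is taken, since the commit message notes that the idmap backend is chosen by this name.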
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 3c16366..58e4d89 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1125,24 +1125,25 @@ static void remove_timed_out_clients(void)
prev = winbindd_client_list_prev(state);
expiry_time = state->last_access + timeout_val;
- if (curr_time > expiry_time) {
- if (client_is_idle(state)) {
- DEBUG(5,("Idle client timed out, "
- "shutting down sock %d, pid %u\n",
- state->sock,
- (unsigned int)state->pid));
- } else {
- DEBUG(5,("Client request timed out, "
- "shutting down sock %d, pid %u\n",
- state->sock,
- (unsigned int)state->pid));
- }
- remove_client(state);
- } else {
+ if (curr_time <= expiry_time) {
/* list is sorted, previous clients in
list are newer */
break;
}
+
+ if (client_is_idle(state)) {
+ DEBUG(5,("Idle client timed out, "
+ "shutting down sock %d, pid %u\n",
+ state->sock,
+ (unsigned int)state->pid));
+ } else {
+ DEBUG(5,("Client request timed out, "
+ "shutting down sock %d, pid %u\n",
+ state->sock,
+ (unsigned int)state->pid));
+ }
+
+ remove_client(state);
}
}
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index cd7dfbc..c565376 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -576,12 +576,9 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
group_rid,
&group_pol,
&result);
- if (!NT_STATUS_IS_OK(status)) {
+ if (any_nt_status_not_ok(status, result, &status)) {
return status;
}
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
/* Step #1: Get a list of user rids that are the members of the
group. */
@@ -604,14 +601,10 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
}
- if (!NT_STATUS_IS_OK(status)) {
+ if (any_nt_status_not_ok(status, result, &status)) {
return status;
}
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
-
if (!rids || !rids->count) {
names = NULL;
name_types = NULL;
@@ -927,12 +920,8 @@ static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
DomainLockoutInformation,
&info,
&result);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- if (!NT_STATUS_IS_OK(result)) {
- status = result;
- goto done;
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
}
*lockout_policy = info->info12;
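Review bot: In msrpc_lockout_policy() the two removed branches left through `goto done`, while the replacement uses `return status;`, so this is not the same mechanical conversion as the other hunks in this file. Whatever runs at the `done` label (not visible here) is now skipped on the error path; either keep `goto done` or confirm that the label has no cleanup and no remaining users.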
@@ -1062,14 +1051,10 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
status = NT_STATUS_ACCESS_DENIED;
}
- if (!NT_STATUS_IS_OK(status)) {
+ if (any_nt_status_not_ok(status, result, &status)) {
return status;
}
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
-
return NT_STATUS_OK;
}
@@ -1141,14 +1126,10 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
status = NT_STATUS_ACCESS_DENIED;
}
--
Samba Shared Repository