[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Tue Mar 12 17:02:02 UTC 2019


The branch, v4-8-test has been updated
       via  d3e306433f7 lib:util: Move debug message for mkdir failing to log level 1
       via  e655fa0a437 WHATSNEW: mention new vfs_glusterfs_fuse module
       via  57158ba47e7 lib/winbind_util: Add winbind_xid_to_sid for --without-winbind
       via  38d723896da lib/winbind_util: Move include out of ifdef
       via  e2588af9cc4 passdb: Update ABI to 0.27.2
       via  d7ba89435d4 s3:passdb: add create_builtin_guests()
       via  79191a7193a passdb: Make [ug]id_to_sid use xid_to_sid
       via  4fd495159d1 passdb: Introduce xid_to_sid
       via  e8bb1f65cd1 lib: Add dom_sid_str_buf
       via  b9ac92992ce lib: Introduce winbind_xid_to_sid
       via  8d0a8864b17 winbind: Use idmap_cache_find_xid2sid
       via  0a2db567327 torture: Add tests for idmap cache
       via  894567e19ec idmap_cache: Introduce idmap_cache_find_xid2sid
       via  dd9ca43d6a7 winbind: Now we explicitly track if we got ids from cache
       via  c031b9e23ac winbind: Initialize "expired" parameter to idmap_cache_xid2sid
       via  b0a1d90050c idmap_cache: Only touch "sid" on success in find_xid_to_sid
       via  14234542aa5 lib: Make idmap_cache return negative mappings
      from  29984beafc9 libcli/security: fix handling of deny type ACEs in access_check_max_allowed()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit d3e306433f7be4f0d190884ba078cd39d02ab318
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 7 12:31:42 2019 +0100

    lib:util: Move debug message for mkdir failing to log level 1
    
    If you connect to a host with smbclient this gets always printed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13823
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit c71334ec0c92e791022a9b7c900aa0dd649226c2)
    
    Autobuild-User(v4-8-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-8-test): Tue Mar 12 17:01:14 UTC 2019 on sn-devel-144

commit e655fa0a437faa7b9335a6f09b571d734df4b810
Author: Günther Deschner <gd at samba.org>
Date:   Mon Mar 11 14:13:18 2019 +0100

    WHATSNEW: mention new vfs_glusterfs_fuse module
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>

commit 57158ba47e72c748f9096c9597cdb490e03403aa
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Mar 5 11:56:49 2019 -0700

    lib/winbind_util: Add winbind_xid_to_sid for --without-winbind
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13813
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Mar  6 01:53:16 UTC 2019 on sn-devel-144
    
    (cherry picked from commit 4125ff89e44a3e98882cfc38c06e559a6e1e56a5)

commit 38d723896da46e5e799f2cb6ee6a25711a40e450
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Mar 5 11:50:48 2019 -0700

    lib/winbind_util: Move include out of ifdef
    
    This fixes compile errors about missing prototypes with
    --picky-developer and --without-winbind
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 4b1e4c22128bdefe549a58b181e9b755854f4c3e)

commit e2588af9cc4e712eb5afc6333e1d98fc7943af18
Author: Christof Schmitt <cs at samba.org>
Date:   Mon Mar 4 13:38:48 2019 -0700

    passdb: Update ABI to 0.27.2
    
    This change is for the backport only. The change in master increased the
    ABI version to 0.28.0 and removed some functions; this should not happen
    in a backport.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>

commit d7ba89435d4c14529f6d91ccb9c24cc8814d0fe5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 22:47:42 2018 +0100

    s3:passdb: add create_builtin_guests()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c5874b9b68e0795e9dc23b04efa5959ac03ec8dc)

commit 79191a7193afe430cd81ff48a59965ed3b6c81d3
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 15:17:36 2019 +0100

    passdb: Make [ug]id_to_sid use xid_to_sid
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit 40de67f1fcc46b7a64a7364c91dcedb474826d51)

commit 4fd495159d183fa9fd2e74bb74893a842e8cbcad
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 15:10:21 2019 +0100

    passdb: Introduce xid_to_sid
    
    This explicitly avoids the legacy_[ug]id_to_sid calls, which create
    long-term cache entries to S-1-22-x-y if anything fails. We can't do
    this, because this will turn temporary winbind communication failures
    into long-term problems: A short hiccup in winbind_uid_to_sid will
    create a mapping to S-1-22-1-uid for a week. It should be up to the
    lower layers to do the caching.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit 92f27ebb14c0c18b1d0fd49544ad851aeb14781c)

commit e8bb1f65cd12f3243e5b965e1e9951567cd3ed48
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Oct 18 05:46:37 2018 +0200

    lib: Add dom_sid_str_buf
    
    This is modeled after server_id_str_buf, which as an API to me is easier to
    use: I can rely on the compiler to get the buffer size right.
    
    It is designed to violate README.Coding's "Make use of helper variables", but
    as this API is simple enough and the output should never be a surprise at all,
    I think that's worth it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Nov  2 20:11:11 CET 2018 on sn-devel-144
    
    (cherry picked from commit 8b9d36221930a487ca5c51bf2e38ed04de9d50f7)

commit b9ac92992ceb2c4e4127908994a7ee2a5624030f
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 14:45:32 2019 +0100

    lib: Introduce winbind_xid_to_sid
    
    This does not merge a winbind communication error into
    "global_sid_NULL" (S-1-0-0), which by the way non-intuitively does not
    go along with is_null_sid(). Instead, this just touches the output sid
    when winbind returned success. This success might well be a negative
    mapping indicated by S-0-0, which *is* is_null_sid()...
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit ef706a3e63b3e25edd27e0f99c3e2d8ff7209cb6)

commit 8d0a8864b17d2a78bf912a7bd59bb35531785f7e
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 14:34:56 2019 +0100

    winbind: Use idmap_cache_find_xid2sid
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit bc9824bd42d9370279819ea0d927e236f6041324)

commit 0a2db5673271a1a1976a59d815b392ccfcbeb588
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Feb 27 14:54:12 2019 +0100

    torture: Add tests for idmap cache
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit e5a903bab6eda8f7ff2a7c8149d51022d9d8aede)

commit 894567e19ec8e88825536267ad1cc457395e8275
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 14:32:52 2019 +0100

    idmap_cache: Introduce idmap_cache_find_xid2sid
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit bb8122dd8c53bb307819a79b7888cc0940a7c13b)

commit dd9ca43d6a740ba96489015c3a9768f1c00d638f
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Feb 25 14:55:00 2019 +0100

    winbind: Now we explicitly track if we got ids from cache
    
    This now properly makes us use negative cache entries
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit 95d33ca79cc315f1a2e41cd60859ef01d6548c77)

commit c031b9e23acc3705116460077d0d93713cb0ce24
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 12:52:28 2019 +0100

    winbind: Initialize "expired" parameter to idmap_cache_xid2sid
    
    The code in idmap_cache only touches its output parameters upon success
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit 8c28c12702c0935a852c7fed6565987623f09fee)

commit b0a1d90050c54bb22006b5c0e3c67187c20e7f04
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 26 12:46:39 2019 +0100

    idmap_cache: Only touch "sid" on success in find_xid_to_sid
    
    Why? This makes the negative mapping condition (is_null_sid) more
    explicit in the code.
    
    The callers in lookup_sid initialized "psid" anyway before, and the ones
    in wb_xids2sids now do as well. This is more in line with other APIs we
    have: Only touch output parameters if you have something to say.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit 4faf3e9f6da7515fc263d79f77226d105c2f8524)

commit 14234542aa56dcee04609019db30c598f381a491
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Feb 25 14:38:50 2019 +0100

    lib: Make idmap_cache return negative mappings
    
    Without this we'd query non-existent mappings over and over
    again.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
    (cherry picked from commit d9303e8eb90d48f09f2e2e8bdf01f4a7c3c21d11)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  14 ++
 lib/util/util.c                                    |   6 +-
 libcli/security/dom_sid.c                          |  10 +
 libcli/security/dom_sid.h                          |   2 +
 source3/include/passdb.h                           |   1 +
 source3/lib/idmap_cache.c                          |  48 ++++-
 source3/lib/idmap_cache.h                          |   2 +
 source3/lib/winbind_util.c                         |  41 +++-
 source3/lib/winbind_util.h                         |   2 +
 ...passdb-0.27.0.sigs => samba-passdb-0.27.1.sigs} |   1 +
 ...passdb-0.27.0.sigs => samba-passdb-0.27.2.sigs} |   3 +
 source3/passdb/lookup_sid.c                        | 233 ++++++---------------
 source3/passdb/lookup_sid.h                        |   1 +
 source3/passdb/pdb_util.c                          |  52 +++++
 source3/selftest/tests.py                          |   1 +
 source3/torture/proto.h                            |   1 +
 source3/torture/test_idmap_cache.c                 | 122 +++++++++++
 source3/torture/torture.c                          |   1 +
 source3/winbindd/wb_xids2sids.c                    |  33 ++-
 source3/wscript_build                              |   3 +-
 20 files changed, 380 insertions(+), 197 deletions(-)
 copy source3/passdb/ABI/{samba-passdb-0.27.0.sigs => samba-passdb-0.27.1.sigs} (99%)
 copy source3/passdb/ABI/{samba-passdb-0.27.0.sigs => samba-passdb-0.27.2.sigs} (99%)
 create mode 100644 source3/torture/test_idmap_cache.c


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ecb3db1c713..52d5656d0f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1110,6 +1110,20 @@ Kerberos would return ALICE as the username. Kerberos would not be able to map
 names can be correctly mapped. This only applies to GSSAPI authentication,
 not for the geting the initial ticket granting ticket.
 
+New glusterfs_fuse VFS module
+-----------------------------
+
+The new vfs_glusterfs_fuse module improves performance when Samba
+accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace
+as part of the Linux kernel). It achieves that by leveraging a
+mechanism to retrieve the appropriate case of filenames by querying a
+specific extended attribute in the filesystem. No extra configuration
+is required to use this module, only glusterfs_fuse needs to be set in
+the "vfs objects" parameter. Further details can be found in the
+vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does
+not replace the existing vfs_glusterfs module, it just provides an
+additional, alternative mechanism to access a Gluster volume.
+
 REMOVED FEATURES
 ================
 
diff --git a/lib/util/util.c b/lib/util/util.c
index 4291bfa5d57..5839ef83f60 100644
--- a/lib/util/util.c
+++ b/lib/util/util.c
@@ -212,9 +212,9 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
 	old_umask = umask(0);
 	ret = mkdir(dname, dir_perms);
 	if (ret == -1 && errno != EEXIST) {
-		DEBUG(0, ("mkdir failed on directory "
-			  "%s: %s\n", dname,
-			  strerror(errno)));
+		DBG_WARNING("mkdir failed on directory %s: %s\n",
+			    dname,
+			    strerror(errno));
 		umask(old_umask);
 		return false;
 	}
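
Review bot: directory_create_or_exist() is a _PUBLIC_ helper, so lowering the message from DEBUG(0, ...) to DBG_WARNING quiets it for every caller, not only the smbclient case named in the commit message. A caller for which a failed mkdir (any errno other than EEXIST) must stay visible at log level 0 now has to log on the false return itself; it is worth confirming that none relied on this message.
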
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index e6beff1a399..b24c51c380a 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -425,3 +425,13 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
 	talloc_set_name_const(result, result);
 	return result;
 }
+
+char *dom_sid_str_buf(const struct dom_sid *sid, struct dom_sid_buf *dst)
+{
+	int ret;
+	ret = dom_sid_string_buf(sid, dst->buf, sizeof(dst->buf));
+	if ((ret < 0) || (ret >= sizeof(dst->buf))) {
+		strlcpy(dst->buf, "(INVALID SID)", sizeof(dst->buf));
+	}
+	return dst->buf;
+}
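
Review bot: In the range check, "ret >= sizeof(dst->buf)" compares an int with a size_t and is only safe because "ret < 0" is tested first and short-circuits. Writing "(size_t)ret >= sizeof(dst->buf)" would make that explicit and avoid a sign-compare warning. The function also lacks a doc comment saying that it always returns dst->buf, never NULL, and that the buffer holds "(INVALID SID)" when formatting fails.
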
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index e22ebc9abca..8a6c0d03b48 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -102,6 +102,8 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
 int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+struct dom_sid_buf { char buf[DOM_SID_STR_BUFLEN]; };
+char *dom_sid_str_buf(const struct dom_sid *sid, struct dom_sid_buf *dst);
 
 const char *sid_type_lookup(uint32_t sid_type);
 const struct security_token *get_system_token(void);
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 7579cdcb0d7..950c439e7a1 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -971,6 +971,7 @@ bool pdb_is_responsible_for_everything_else(void);
 NTSTATUS pdb_create_builtin(uint32_t rid);
 NTSTATUS create_builtin_users(const struct dom_sid *sid);
 NTSTATUS create_builtin_administrators(const struct dom_sid *sid);
+NTSTATUS create_builtin_guests(const struct dom_sid *dom_sid);
 
 #include "passdb/machine_sid.h"
 #include "passdb/lookup_sid.h"
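
Review bot: The new prototype names its parameter dom_sid, while the neighbouring create_builtin_users() and create_builtin_administrators() use sid. Since dom_sid is also the struct tag, "const struct dom_sid *sid" would keep the three declarations consistent and easier to read.
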
diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
index 1e8a1ebc607..9fc32215001 100644
--- a/source3/lib/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -201,19 +201,23 @@ static void idmap_cache_xid2sid_parser(time_t timeout, DATA_BLOB blob,
 		(struct idmap_cache_xid2sid_state *)private_data;
 	char *value;
 
-	ZERO_STRUCTP(state->sid);
-	state->ret = false;
-
 	if ((blob.length == 0) || (blob.data[blob.length-1] != 0)) {
 		/*
 		 * Not a string, can't be a valid mapping
 		 */
+		state->ret = false;
 		return;
 	}
 
 	value = (char *)blob.data;
 
-	if (value[0] != '-') {
+	if ((value[0] == '-') && (value[1] == '\0')) {
+		/*
+		 * Return NULL SID, see comment to uid2sid
+		 */
+		*state->sid = (struct dom_sid) {0};
+		state->ret = true;
+	} else {
 		state->ret = string_to_sid(state->sid, value);
 	}
 	if (state->ret) {
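
Review bot: In the else branch, string_to_sid(state->sid, value) parses straight into the caller's output, so the "only touch sid on success" contract now depends on string_to_sid leaving its argument alone when it fails. Parsing into a local struct dom_sid and copying it on success would make the contract hold regardless. Also, the "-" branch now sets state->ret = true with a zeroed SID, so every caller that treated a true return as a usable mapping has to check is_null_sid(); the comment "see comment to uid2sid" should name the function it refers to.
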
@@ -271,6 +275,42 @@ bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired)
 	return state.ret;
 }
 
+/**
+ * Find a xid2sid mapping
+ * @param[in] id		the unix id to map
+ * @param[out] sid		where to put the result
+ * @param[out] expired		is the cache entry expired?
+ * @retval Was anything in the cache at all?
+ *
+ * If "is_null_sid(sid)", this was a negative mapping.
+ */
+bool idmap_cache_find_xid2sid(
+	const struct unixid *id, struct dom_sid *sid, bool *expired)
+{
+	struct idmap_cache_xid2sid_state state = {
+		.sid = sid, .expired = expired
+	};
+	fstring key;
+	char c;
+
+	switch (id->type) {
+	case ID_TYPE_UID:
+		c = 'U';
+		break;
+	case ID_TYPE_GID:
+		c = 'G';
+		break;
+	default:
+		return false;
+	}
+
+	fstr_sprintf(key, "IDMAP/%cID2SID/%d", c, (int)id->id);
+
+	gencache_parse(key, idmap_cache_xid2sid_parser, &state);
+	return state.ret;
+}
+
+
 /**
  * Store a mapping in the idmap cache
  * @param[in] sid		the sid to map
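
Review bot: The key is built with "%d" and (int)id->id, so an id above INT_MAX ends up under a negative number. That is only correct if the code storing these entries formats the key the same way, which this hunk does not show; a short comment or a shared key helper would pin that down. The doc comment should also state that sid and expired are left untouched when the function returns false, including the default: case, because xid_to_sid() pre-initialises expired = true and relies on it. The second blank line added after the closing brace can go.
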
diff --git a/source3/lib/idmap_cache.h b/source3/lib/idmap_cache.h
index dc497022e3b..d5afa170e1a 100644
--- a/source3/lib/idmap_cache.h
+++ b/source3/lib/idmap_cache.h
@@ -31,6 +31,8 @@ bool idmap_cache_find_sid2gid(const struct dom_sid *sid, gid_t *pgid,
 			      bool *expired);
 bool idmap_cache_find_uid2sid(uid_t uid, struct dom_sid *sid, bool *expired);
 bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired);
+bool idmap_cache_find_xid2sid(
+	const struct unixid *id, struct dom_sid *sid, bool *expired);
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id);
 
 bool idmap_cache_del_uid(uid_t uid);
diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
index 427831f04c8..0e31aa8380a 100644
--- a/source3/lib/winbind_util.c
+++ b/source3/lib/winbind_util.c
@@ -23,10 +23,10 @@
 #include "../lib/util/util_pw.h"
 #include "nsswitch/libwbclient/wbclient.h"
 
-#if defined(WITH_WINBIND)
-
 #include "lib/winbind_util.h"
 
+#if defined(WITH_WINBIND)
+
 struct passwd * winbind_getpwnam(const char * name)
 {
 	wbcErr result;
@@ -197,6 +197,36 @@ bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid)
 	return (result == WBC_ERR_SUCCESS);
 }
 
+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid)
+{
+	struct wbcUnixId wbc_xid;
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+
+	switch (xid->type) {
+	case ID_TYPE_UID:
+		wbc_xid = (struct wbcUnixId) {
+			.type = WBC_ID_TYPE_UID, .id.uid = xid->id
+		};
+		break;
+	case ID_TYPE_GID:
+		wbc_xid = (struct wbcUnixId) {
+			.type = WBC_ID_TYPE_GID, .id.gid = xid->id
+		};
+		break;
+	default:
+		return false;
+	}
+
+	result = wbcUnixIdsToSids(&wbc_xid, 1, &dom_sid);
+	if (result != WBC_ERR_SUCCESS) {
+		return false;
+	}
+
+	memcpy(sid, &dom_sid, sizeof(struct dom_sid));
+	return true;
+}
+
 /* Check for a trusted domain */
 
 wbcErr wb_is_trusted_domain(const char *domain)
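
Review bot: The memcpy(sid, &dom_sid, sizeof(struct dom_sid)) copies a struct wbcDomainSid into a struct dom_sid on the assumption that both have the same layout, and the length is taken from the destination type rather than the source object. A compile-time check next to the memcpy that the two sizes are equal would catch a divergence. Naming the local variable dom_sid, the same as the struct tag, makes that sizeof easy to misread; wbc_sid would be clearer. The function also needs a comment saying that a true return may carry a negative mapping, as the commit message describes, since only the --without-winbind stub has a comment at all.
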
@@ -370,6 +400,13 @@ bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid)
 	return false;
 }
 
+/* Call winbindd to convert uid or gid to SID */
+
+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid)
+{
+	return false;
+}
+
 /* Check for a trusted domain */
 
 wbcErr wb_is_trusted_domain(const char *domain)
diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
index c2bf0e02d76..5ecda5a7b09 100644
--- a/source3/lib/winbind_util.h
+++ b/source3/lib/winbind_util.h
@@ -22,6 +22,7 @@
 #define __LIB__WINBIND_UTIL_H__
 
 #include "../librpc/gen_ndr/lsa.h"
+#include "librpc/gen_ndr/idmap.h"
 
 /* needed for wbcErr below */
 #include "nsswitch/libwbclient/wbclient.h"
@@ -38,6 +39,7 @@ bool winbind_sid_to_uid(uid_t *puid, const struct dom_sid *sid);
 bool winbind_uid_to_sid(struct dom_sid *sid, uid_t uid);
 bool winbind_sid_to_gid(gid_t *pgid, const struct dom_sid *sid);
 bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid);
+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid);
 struct passwd * winbind_getpwnam(const char * sname);
 struct passwd * winbind_getpwsid(const struct dom_sid *sid);
 wbcErr wb_is_trusted_domain(const char *domain);
diff --git a/source3/passdb/ABI/samba-passdb-0.27.0.sigs b/source3/passdb/ABI/samba-passdb-0.27.1.sigs
similarity index 99%
copy from source3/passdb/ABI/samba-passdb-0.27.0.sigs
copy to source3/passdb/ABI/samba-passdb-0.27.1.sigs
index 1245ce5e02d..6437ed26ce9 100644
--- a/source3/passdb/ABI/samba-passdb-0.27.0.sigs
+++ b/source3/passdb/ABI/samba-passdb-0.27.1.sigs
@@ -20,6 +20,7 @@ builtin_domain_name: const char *(void)
 cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
 cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
 create_builtin_administrators: NTSTATUS (const struct dom_sid *)
+create_builtin_guests: NTSTATUS (const struct dom_sid *)
 create_builtin_users: NTSTATUS (const struct dom_sid *)
 decode_account_policy_name: const char *(enum pdb_policy_type)
 get_account_pol_db: struct db_context *(void)
diff --git a/source3/passdb/ABI/samba-passdb-0.27.0.sigs b/source3/passdb/ABI/samba-passdb-0.27.2.sigs
similarity index 99%
copy from source3/passdb/ABI/samba-passdb-0.27.0.sigs
copy to source3/passdb/ABI/samba-passdb-0.27.2.sigs
index 1245ce5e02d..17876abac16 100644
--- a/source3/passdb/ABI/samba-passdb-0.27.0.sigs
+++ b/source3/passdb/ABI/samba-passdb-0.27.2.sigs
@@ -20,6 +20,7 @@ builtin_domain_name: const char *(void)
 cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
 cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
 create_builtin_administrators: NTSTATUS (const struct dom_sid *)
+create_builtin_guests: NTSTATUS (const struct dom_sid *)
 create_builtin_users: NTSTATUS (const struct dom_sid *)
 decode_account_policy_name: const char *(enum pdb_policy_type)
 get_account_pol_db: struct db_context *(void)
@@ -306,3 +307,5 @@ winbind_ping: bool (void)
 winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
 winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
 winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
+winbind_xid_to_sid: bool (struct dom_sid *, const struct unixid *)
+xid_to_sid: void (struct dom_sid *, const struct unixid *)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index eeaf2b720a7..caa3442c6f1 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1101,97 +1101,6 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 	return ret;
 }
 
-/*****************************************************************
- Id mapping cache.  This is to avoid Winbind mappings already
- seen by smbd to be queried too frequently, keeping winbindd
- busy, and blocking smbd while winbindd is busy with other
- stuff. Written by Michael Steffens <michael.steffens at hp.com>,
- modified to use linked lists by jra.
-*****************************************************************/  
-
-
-/*****************************************************************
- *THE LEGACY* convert uid_t to SID function.
-*****************************************************************/  
-
-static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid)
-{
-	bool ret;
-	struct unixid id;
-
-	ZERO_STRUCTP(psid);
-
-	id.id = uid;
-	id.type = ID_TYPE_UID;
-
-	become_root();
-	ret = pdb_id_to_sid(&id, psid);
-	unbecome_root();
-
-	if (ret) {
-		/* This is a mapped user */
-		goto done;
-	}
-
-	/* This is an unmapped user */
-
-	uid_to_unix_users_sid(uid, psid);
-
-	{
-		struct unixid xid = {
-			.id = uid, .type = ID_TYPE_UID
-		};
-		idmap_cache_set_sid2unixid(psid, &xid);
-	}
-
- done:
-	DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
-		  sid_string_dbg(psid)));
-
-	return;
-}
-
-/*****************************************************************
- *THE LEGACY* convert gid_t to SID function.
-*****************************************************************/  
-
-static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid)
-{
-	bool ret;
-	struct unixid id;
-
-	ZERO_STRUCTP(psid);
-
-	id.id = gid;
-	id.type = ID_TYPE_GID;
-
-	become_root();
-	ret = pdb_id_to_sid(&id, psid);
-	unbecome_root();
-
-	if (ret) {
-		/* This is a mapped group */
-		goto done;
-	}
-
-	/* This is an unmapped group */
-
-	gid_to_unix_groups_sid(gid, psid);
-
-	{
-		struct unixid xid = {
-			.id = gid, .type = ID_TYPE_GID
-		};
-		idmap_cache_set_sid2unixid(psid, &xid);
-	}
-
- done:
-	DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
-		  sid_string_dbg(psid)));
-
-	return;
-}
-
 /*****************************************************************
  *THE LEGACY* convert SID to id function.
 *****************************************************************/  
@@ -1239,102 +1148,90 @@ static bool legacy_sid_to_uid(const struct dom_sid *psid, uid_t *puid)
 	return false;
 }
 
-/*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
-*****************************************************************/  
-
-void uid_to_sid(struct dom_sid *psid, uid_t uid)
+void xid_to_sid(struct dom_sid *psid, const struct unixid *xid)
 {
 	bool expired = true;
 	bool ret;
-	ZERO_STRUCTP(psid);
+	struct dom_sid_buf buf;
 
-	/* Check the winbindd cache directly. */
-	ret = idmap_cache_find_uid2sid(uid, psid, &expired);
+	SMB_ASSERT(xid->type == ID_TYPE_UID || xid->type == ID_TYPE_GID);
+
+	*psid = (struct dom_sid) {0};
+
+	ret = idmap_cache_find_xid2sid(xid, psid, &expired);
+	if (ret && !expired) {
+		DBG_DEBUG("%cID %"PRIu32" -> %s from cache\n",
+			  xid->type == ID_TYPE_UID ? 'U' : 'G',
+			  xid->id,
+			  dom_sid_str_buf(psid, &buf));
+		goto done;
+	}
 
-	if (ret && !expired && is_null_sid(psid)) {
+	ret = winbind_xid_to_sid(psid, xid);
+	if (ret) {
 		/*
-		 * Negative cache entry, we already asked.
-		 * do legacy.
+		 * winbind can return an explicit negative mapping
+		 * here. It's up to winbind to prime the cache either
+		 * positively or negatively, don't mess with the cache
+		 * here.
 		 */
-		legacy_uid_to_sid(psid, uid);
-		return;
+		DBG_DEBUG("%cID %"PRIu32" -> %s from cache\n",
+			  xid->type == ID_TYPE_UID ? 'U' : 'G',
+			  xid->id,
+			  dom_sid_str_buf(psid, &buf));
+		goto done;
 	}
 
-	if (!ret || expired) {
-		/* Not in cache. Ask winbindd. */
-		if (!winbind_uid_to_sid(psid, uid)) {
-			/*
-			 * We shouldn't return the NULL SID
-			 * here if winbind was running and
-			 * couldn't map, as winbind will have
-			 * added a negative entry that will
-			 * cause us to go though the
-			 * legacy_uid_to_sid()
-			 * function anyway in the case above
-			 * the next time we ask.
-			 */
-			DEBUG(5, ("uid_to_sid: winbind failed to find a sid "
-				  "for uid %u\n", (unsigned int)uid));
+	{
+		/*
+		 * Make a copy, pdb_id_to_sid might want to turn
+		 * xid->type into ID_TYPE_BOTH, which we ignore here.
+		 */
+		struct unixid rw_xid = *xid;
 
-			legacy_uid_to_sid(psid, uid);
-			return;
-		}
+		become_root();
+		ret = pdb_id_to_sid(&rw_xid, psid);
+		unbecome_root();
 	}
 
-	DEBUG(10,("uid %u -> sid %s\n", (unsigned int)uid,
-		  sid_string_dbg(psid)));
-
-	return;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
-*****************************************************************/  
-
-void gid_to_sid(struct dom_sid *psid, gid_t gid)
-{
-	bool expired = true;
-	bool ret;
-	ZERO_STRUCTP(psid);
-
-	/* Check the winbindd cache directly. */
-	ret = idmap_cache_find_gid2sid(gid, psid, &expired);
+	if (ret) {
+		DBG_DEBUG("%cID %"PRIu32" -> %s from passdb\n",


-- 
Samba Shared Repository


