[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Oct 23 04:48:02 UTC 2020


The branch, master has been updated
       via  54b4d2d3cb3 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
       via  493f5d6b078 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
       via  c55f4f37589 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
       via  3f4626ea6d2 wb_sids2xids: fill cache as soon as possible
       via  374acc2e5fc wb_sids2xids: directly use state->all_ids to collect results
       via  19c8b6a8b18 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
       via  cda61f592a0 wb_sids2xids: refactor wb_sids2xids_done() a bit
       via  f6bb0ed21f8 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
       via  231c8d04b19 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
       via  797b11f198e wb_sids2xids: rename 'non_cached' to 'lookup_sids'
       via  04956350a57 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
       via  79c1d3aaf6d wb_sids2xids: split out wb_sids2xids_next_sids2unix()
       via  28e020c0a86 winbindd: defer the setup_child() from init_idmap_child()
       via  b8c74b7b46d winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
       via  82fd07793f0 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
       via  d42aaeba6e0 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
       via  a8f57c94fc2 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
       via  209e81a2ea8 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
       via  cd9a9702c1f winbindd: add and use is_idmap_child()
       via  21035436290 winbindd: add and use idmap_child_pid()
       via  1694de1ae6c wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
       via  5cc21a9d319 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
       via  7dbe5b48974 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
       via  7518a0ca32c winbindd/idmap: apply const to struct nss_info_methods pointers
       via  95b0dac0af5 winbindd/idmap: apply const to struct idmap_methods pointers
       via  f5eec89011c test_idmap_tdb_common: correctly initialize the idmap domain with an init function
       via  58e9b62222a s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
       via  1576421dbdd winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
       via  302098c3259 rpc: avoid undefined behaviour when parsing bindings
       via  09479bf0ee1 .gitlab-ci.yml: Ensure we compile before we start the main parallel testing
       via  48c9b699065 .gitlab-ci.yml: Run the coverity submission job in parallel with the builds
       via  895c729ce36 py3: Add is_ad_dc_built option to python glue
      from  8f66ce0a3d1 oss-fuzz: Add very verbose explaination for RPATH vs RUNPATH

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 54b4d2d3cb307019a260d15c6e6b4a3fb7fc337c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 16:24:49 2020 +0200

    wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
    
    We try to give a valid hint for predefined sids and
    pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid.
    
    In most cases the idmap child/backend does not require a type_hint
    as mappings already exist.
    
    This is a speed up as we no longer need to contact a domain controller.
    
    It's also possible to accept kerberos authentication without reaching
    out to a domain controller at all (if the idmap backend doesn't need a
    hint).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184

commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 17:26:11 2020 +0200

    winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
    
    This must only be used between winbindd parent and child!
    It must not leak into outside world.
    
    Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
    while others may only need ID_TYPE_BOTH in order to validate that
    the domain exists.
    
    This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
    in future and only do that on demand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit c55f4f37589130a0d8952489da175bbcf53f6748
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 10 17:13:14 2020 +0200

    wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
    
    In future we'll try to avoid wb_lookupsids_send() and only call
    it if needed.
    
    The domain name passed should be only relevant to find the correct
    idmap backend, and these should all be available in
    wb_parent_idmap_config as it was created before the idmap child was forked.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 3f4626ea6d235470195918b77af35ac2cfeb227c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 10 23:06:02 2020 +0200

    wb_sids2xids: fill cache as soon as possible
    
    After adding entries to the cache we can mark them
    as filled from the cache by setting its domain_index
    to UINT32_MAX.
    
    This will allow further changes to fill the results
    into state->all_ids in steps.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 374acc2e5fcc3c4b40f41906d0349499e3304841
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 14:17:37 2020 +0200

    wb_sids2xids: directly use state->all_ids to collect results
    
    In order to translate the indexes from state->lookup_sids[]
    for wb_lookupsids_send/recv() and state->map_ids.ids[]
    for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
    state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].
    
    This simplifies wb_sids2xids_recv() a lot and makes further
    restructuring much easier.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 19c8b6a8b188e45a6342a3d1308085800388a38e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 13:58:26 2020 +0200

    wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
    
    With all the indexes we have into various arrays, this makes clear
    'li' is the index into the state->lookup_sids array.
    
    This makes the following changes easier to review.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit cda61f592a0b33d36da8da9b6837312396cceec4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 13:54:24 2020 +0200

    wb_sids2xids: refactor wb_sids2xids_done() a bit
    
    Here we don't change the logic.
    
    It will make the following changes easier.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit f6bb0ed21f82f2cf1f238f9f00cd049ecf8673af
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 13:36:43 2020 +0200

    wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
    
    Instead of re-creating the dom_ids element,
    we just use a pre-allocated map_ids_in array.
    
    This is a bit tricky as we need to use map_ids_out as a copy of
    map_ids_in, because the _ids argument of dcerpc_wbint_Sids2UnixIDs_send()
    is [in,out], which means that _ids->ids is changed between
    dcerpc_wbint_Sids2UnixIDs_send() and dcerpc_wbint_Sids2UnixIDs_recv()!
    
    If the domain doesn't need any mappings, we'll move to the next domain
    early, for now this can't happen but it will in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 231c8d04b19a1c17937f988d142ca5c0f889d4e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 13:19:14 2020 +0200

    wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
    
    For the first run this is a no-op, but it simplified the caller.
    
    We'll call wb_sids2xids_next_sids2unix() in a few more places in future
    and it's easier to have this all within wb_sids2xids_next_sids2unix().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 797b11f198e819300007997ce536bc6d05f19843
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 10 17:45:24 2020 +0200

    wb_sids2xids: rename 'non_cached' to 'lookup_sids'
    
    This array is used to pass to wb_lookupsids_send()
    and that will be the only reason to have this in future.
    
    For now it's used for all non cached sids, but that will
    also change in the next commits.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 04956350a5725325954b2caba662ecd6dace7829
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 10 16:45:03 2020 +0200

    wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
    
    Entries with domain_index == UINT32_MAX are valid cache entries.
    
    In the following commits we'll fill in missing entries step by step
    until all entries are marked as filled.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 79c1d3aaf6d465a8edd1871edb85211f8715fea1
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 3 16:39:26 2020 +0200

    wb_sids2xids: split out wb_sids2xids_next_sids2unix()
    
    Put the code that calls the per-domain idmap backend
    in its own function.
    
    This makes further reconstruction easier.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 28e020c0a863411cfa95e3b1ed943d922b8635bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 15:42:42 2020 +0200

    winbindd: defer the setup_child() from init_idmap_child()
    
    At startup we trigger a wb_parent_idmap_setup_send() and make
    sure setup_child() is called just before wb_parent_idmap_setup_recv()
    finished.
    
    This makes sure our view of the idmap config in the parent matches
    what we have in the child.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit b8c74b7b46d1c7f6b66e565ee08f8c88d6dc2cc4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 14:12:17 2020 +0200

    winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 82fd07793f065e150729848566e7c30f4f4d472e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 13:52:17 2020 +0200

    wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit d42aaeba6e0820acd17f204ff7ab6d1aede1b303
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 12:52:40 2020 +0200

    wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
    
    This isn't really used yet, but it will be in the next commits.
    
    Also idmap_child_handle() will soon assert that
    wb_parent_idmap_setup_send/recv() was called before it's used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit a8f57c94fc2294c309ecb18ea79d0acac86c495b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 12:31:13 2020 +0200

    wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 209e81a2ea8c972ee57e2f0c9579da843c0e2ac7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 12:16:00 2020 +0200

    winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
    
    This is more or less a copy of wb_xids2sids_init_dom_maps_send/recv,
    but it's more generic and doesn't imply global state.
    
    It also closes an initialization race by using a tevent_queue to
    serialize the calls.
    
    In the next commits we'll replace wb_xids2sids_init_dom_maps_send/recv.
    
    We'll also use the new function in the wb_sids2xids code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit cd9a9702c1f97c47bd3447e2014eeff3e56268cf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 14:06:04 2020 +0200

    winbindd: add and use is_idmap_child()
    
    We should avoid calling idmap_child() as much as possible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 2103543629004a3a22e7bf60305bb15bf3b316be
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 14:06:04 2020 +0200

    winbindd: add and use idmap_child_pid()
    
    We should avoid calling idmap_child() as much as possible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 1694de1ae6ce63377d0afc47e84e55e4745905d7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 10 15:49:34 2020 +0200

    wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
    
    This is the only aspect we need here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 5cc21a9d319e00397ad98900d81ffb9d1d70514f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 12:35:09 2020 +0200

    wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
    
    This is the only aspect we need here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 7dbe5b4897448aa71b5a8a2175850b4010316b88
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 11 13:52:17 2020 +0200

    wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
    
    This is the only aspect we need here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 7518a0ca32cade2b8b9eac0e2b5416ae685ffcff
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 21 12:30:37 2019 +0100

    winbindd/idmap: apply const to struct nss_info_methods pointers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 95b0dac0af5bc7ee85c6c8099dda135c36c9684b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 21 12:30:37 2019 +0100

    winbindd/idmap: apply const to struct idmap_methods pointers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit f5eec89011cf7b577375d83247524587f170b592
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 21 12:29:00 2019 +0100

    test_idmap_tdb_common: correctly initialize the idmap domain with an init function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 58e9b62222ad62c81cdf11d704859a227cb2902b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 16:46:44 2020 +0200

    s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
    
    Currently these enums have the same values, but that will
    change in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 1576421dbdd2cfe9a47516224cb54bf15ba51132
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 15 16:01:04 2020 +0200

    winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
    
    This makes it clear that it's a hint from the parent to the
    child.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 302098c3259c3709f61e5f2859785dbb62a393e5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Oct 20 09:42:56 2020 +1300

    rpc: avoid undefined behaviour when parsing bindings
    
    If the binding string ends with "[", we were setting options to an
    empty string, then asking for 'options[strlen(options)-1]', which
    UBSan doesn't like because the offset evaluates to (size_t)0xFFFFF...
    causing pointer overflow.
    
    I believe this is actually well defined in practice, but we don't want
    to be in the habit of leaving sanitiser warnings in code parsing
    untrusted strings.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09479bf0ee12b8187736b0d6f4dcf0303569169a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 11 18:06:51 2020 +1200

    .gitlab-ci.yml: Ensure we compile before we start the main parallel testing
    
    This build can be as fast as 10mins if the ccache matches and there
    are few tests.  Therefore put it first as a sentinel.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 48c9b699065bd4d8a02048b4492237a36e81b497
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 20 11:41:11 2020 +1200

    .gitlab-ci.yml: Run the coverity submission job in parallel with the builds
    
    This avoids a flapping test elsewhere delaying the submission of the code to coverity
    for checking.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 895c729ce36107af44ce8564f8ef9bcf46d98b70
Author: David Mulder <dmulder at suse.com>
Date:   Fri Sep 18 11:27:24 2020 -0600

    py3: Add is_ad_dc_built option to python glue
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci.yml                           |  16 +-
 librpc/idl/idmap.idl                     |  23 +-
 librpc/idl/winbind.idl                   |   2 +-
 librpc/rpc/binding.c                     |   9 +-
 python/pyglue.c                          |  12 +
 python/samba/__init__.py                 |   1 +
 source3/include/idmap.h                  |   2 +-
 source3/include/nss_info.h               |   6 +-
 source3/passdb/lookup_sid.c              |  15 +-
 source3/torture/test_idmap_tdb_common.c  |  50 ++-
 source3/winbindd/idmap.c                 |   6 +-
 source3/winbindd/idmap_ad.c              |   2 +-
 source3/winbindd/idmap_ad_nss.c          |   6 +-
 source3/winbindd/idmap_autorid.c         |   8 +-
 source3/winbindd/idmap_hash/idmap_hash.c |   4 +-
 source3/winbindd/idmap_ldap.c            |  31 +-
 source3/winbindd/idmap_nss.c             |   3 +-
 source3/winbindd/idmap_passdb.c          |   7 +-
 source3/winbindd/idmap_proto.h           |   2 +-
 source3/winbindd/idmap_rfc2307.c         |   2 +-
 source3/winbindd/idmap_rid.c             |   2 +-
 source3/winbindd/idmap_rw.c              |  32 +-
 source3/winbindd/idmap_script.c          |   2 +-
 source3/winbindd/idmap_tdb.c             |   2 +-
 source3/winbindd/idmap_tdb2.c            |   2 +-
 source3/winbindd/idmap_tdb_common.c      |  22 +-
 source3/winbindd/nss_info.c              |   7 +-
 source3/winbindd/wb_queryuser.c          |  36 +-
 source3/winbindd/wb_sids2xids.c          | 561 ++++++++++++++++++++++---------
 source3/winbindd/wb_xids2sids.c          | 267 ++-------------
 source3/winbindd/winbindd.h              |  13 +
 source3/winbindd/winbindd_cm.c           |  12 +-
 source3/winbindd/winbindd_dual.c         |  10 +-
 source3/winbindd/winbindd_dual_srv.c     |   8 +-
 source3/winbindd/winbindd_getgroups.c    |   7 +
 source3/winbindd/winbindd_idmap.c        | 378 ++++++++++++++++++++-
 source3/winbindd/winbindd_proto.h        |   7 +
 37 files changed, 1075 insertions(+), 500 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7555582e005..8fad80033b4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,9 +1,18 @@
 # see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
 
+# Stages explained
+#
+# images: Build the images with the bootstrap script
+# build_first: Build one thing first to find silly errors (fast job)
+#              (don't pay for 35 machines until something compiles)
+# build: The main parallel job
+#              (keep these to 1hour as we are billed per hour)
+# report: Code coverage reporting
+
 stages:
   - images
+  - build_first
   - build
-  - analysis
   - report
 
 variables:
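
Review bot: `analysis` is dropped from `stages:` in this hunk, so any job that still declares `stage: analysis` will make the pipeline configuration invalid. The `coverity` job is moved in a later hunk; check the rest of the file and anything it includes for other users of that stage. The new "Stages explained" comment could also say that the Coverity submission now runs in `build`, since the stage list no longer shows where the analysis happens.
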
@@ -179,7 +188,10 @@ samba-admem-mit:
 samba-ad-dc-4-mitkrb5:
   extends: .shared_template
 
+# This task is run first to ensure we compile before we start the
+# main run as it is the fastest full compile of Samba.
 samba-fips:
+  stage: build_first
   extends: .shared_template
   image: $SAMBA_CI_CONTAINER_IMAGE_fedora32
 
@@ -261,7 +273,7 @@ pages:
 
 # Coverity Scan
 coverity:
-  stage: analysis
+  stage: build
   image: $SAMBA_CI_CONTAINER_IMAGE_fedora32
   tags:
     - docker
diff --git a/librpc/idl/idmap.idl b/librpc/idl/idmap.idl
index 54fd888dcab..e58e39210c7 100644
--- a/librpc/idl/idmap.idl
+++ b/librpc/idl/idmap.idl
@@ -11,7 +11,18 @@ interface idmap
 		ID_TYPE_NOT_SPECIFIED,
 		ID_TYPE_UID,
 		ID_TYPE_GID,
-		ID_TYPE_BOTH
+		ID_TYPE_BOTH,
+		/*
+		 * This are internal between winbindd
+		 * parent and child.
+		 *
+		 * It means the idmap backend/child requires a valid type_hint
+		 * for wbint_Sids2UnixIDs():
+		 *
+		 * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists
+		 * - ID_TYPE_BOTH means that only the domain exist
+		 */
+		ID_TYPE_WB_REQUIRE_TYPE
 	} id_type;
 
 	typedef [public] struct {
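
Review bot: The comment on `ID_TYPE_WB_REQUIRE_TYPE` says the value is internal to the winbindd parent and child, but it is added to the shared `id_type` enum, so every `switch` over `id_type` outside winbindd now has to handle or reject it. Please state in the comment what code outside that boundary should do if it ever sees the value. Wording nits in the same comment: "This are internal" should read "This is internal", and "only the domain exist" should read "only the domain exists".
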
@@ -23,7 +34,15 @@ interface idmap
 		ID_UNKNOWN,
 		ID_MAPPED,
 		ID_UNMAPPED,
-		ID_EXPIRED
+		ID_EXPIRED,
+		/*
+		 * This means the idmap backend requires a valid type_hint
+		 * in order to map a sid to a unix id.
+		 *
+		 * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists
+		 * - ID_TYPE_BOTH means that only the domain exist
+		 */
+		ID_REQUIRE_TYPE
 	} id_mapping;
 
 	typedef [public] struct {
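
Review bot: Unlike the `ID_TYPE_WB_REQUIRE_TYPE` comment in the previous hunk, the comment on `ID_REQUIRE_TYPE` does not say that the state is internal between winbindd parent and child. Add that sentence so backend authors know it must not be returned to external callers. "only the domain exist" should read "only the domain exists".
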
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 258dd284ad5..a2bc81a9333 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -40,7 +40,7 @@ interface winbind
 	);
 
     typedef struct {
-	id_type type;
+	id_type type_hint;
 	uint32 domain_index;
 	uint32 rid;
 	unixid xid;
diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
index aa8cc6b46c6..75246dfd538 100644
--- a/librpc/rpc/binding.c
+++ b/librpc/rpc/binding.c
@@ -385,13 +385,14 @@ _PUBLIC_ NTSTATUS dcerpc_parse_binding(TALLOC_CTX *mem_ctx, const char *_s, stru
 
 	p = strchr(s, '[');
 	if (p) {
-		*p = '\0';
-		options = p + 1;
-		if (options[strlen(options)-1] != ']') {
+		char *q = p + strlen(p) - 1;
+		if (*q != ']') {
 			talloc_free(b);
 			return NT_STATUS_INVALID_PARAMETER_MIX;
 		}
-		options[strlen(options)-1] = 0;
+		*p = '\0';
+		*q = '\0';
+		options = p + 1;
 	}
 
 	p = strchr(s, '@');
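
Review bot: In the new `char *q = p + strlen(p) - 1;`, the subtraction is safe only because `p` still points at the `[` found by `strchr()`, so `strlen(p)` is at least 1 and `q` can never precede `p`. A one-line comment saying so would keep a later edit from moving `*p = '\0';` back above this line and reintroducing the underflow. For an input that ends in `[`, `q` equals `p` and the `*q != ']'` test rejects it with `NT_STATUS_INVALID_PARAMETER_MIX`; that is the case a unit test should pin down.
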
diff --git a/python/pyglue.c b/python/pyglue.c
index aff9365d11b..156eaf73150 100644
--- a/python/pyglue.c
+++ b/python/pyglue.c
@@ -203,6 +203,16 @@ static PyObject *py_is_heimdal_built(PyObject *self,
 #endif
 }
 
+static PyObject *py_is_ad_dc_built(PyObject *self,
+		PyObject *Py_UNUSED(ignored))
+{
+#ifdef AD_DC_BUILD_IS_ENABLED
+        Py_RETURN_TRUE;
+#else
+        Py_RETURN_FALSE;
+#endif
+}
+
 /*
   return the list of interface IPs we have configured
   takes an loadparm context, returns a list of IPs in string form
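
Review bot: The `Py_RETURN_TRUE;` and `Py_RETURN_FALSE;` lines in the new `py_is_ad_dc_built()` are indented with eight spaces, while the parameter continuation line above them uses tabs. Use a single tab for both so the function is consistent.
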
@@ -389,6 +399,8 @@ static PyMethodDef py_misc_methods[] = {
 		METH_VARARGS,
 		"generate_random_bytes(len) -> bytes\n"
 		"Generate random bytes with specified length." },
+	{ "is_ad_dc_built", (PyCFunction)py_is_ad_dc_built, METH_NOARGS,
+		"is Samba built with AD DC?" },
 	{0}
 };
 
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 0341cb36dfe..fa047a813e2 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -379,6 +379,7 @@ strcasecmp_m = _glue.strcasecmp_m
 strstr_m = _glue.strstr_m
 is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built
 is_heimdal_built = _glue.is_heimdal_built
+is_ad_dc_built = _glue.is_ad_dc_built
 
 NTSTATUSError = _glue.NTSTATUSError
 HRESULTError = _glue.HRESULTError
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 8d80643e6e9..dce60f1f76d 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -42,7 +42,7 @@ struct idmap_domain {
 	 * so don't rely on this being filled out everywhere!
 	 */
 	struct dom_sid dom_sid;
-	struct idmap_methods *methods;
+	const struct idmap_methods *methods;
 	NTSTATUS (*query_user)(struct idmap_domain *domain,
 			       struct wbint_userinfo *info);
 	uint32_t low_id;
diff --git a/source3/include/nss_info.h b/source3/include/nss_info.h
index 448f8847be9..94df56ee7db 100644
--- a/source3/include/nss_info.h
+++ b/source3/include/nss_info.h
@@ -38,7 +38,7 @@ struct nss_function_entry {
 	struct nss_function_entry *prev, *next;
 
 	const char *name;
-	struct nss_info_methods *methods;
+	const struct nss_info_methods *methods;
 };
 
 /* List of configured domains.  Each domain points 
@@ -50,7 +50,7 @@ struct nss_domain_entry {
 	const char *domain;
 
 	NTSTATUS init_status;	
-	struct nss_function_entry *backend;
+	const struct nss_function_entry *backend;
 
 	/* hold state on a per domain basis */
 
@@ -75,7 +75,7 @@ struct nss_info_methods {
 
 NTSTATUS smb_register_idmap_nss(int version, 
 				const char *name, 
-				struct nss_info_methods *methods);
+				const struct nss_info_methods *methods);
 
 NTSTATUS nss_map_to_alias( TALLOC_CTX *mem_ctx, const char *domain,
 			   const char *name, char **alias );
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 82c47b3145b..ff8a16619a8 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1339,14 +1339,21 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids,
 done:
 	for (i=0; i<num_sids; i++) {
 		switch(ids[i].type) {
-		case WBC_ID_TYPE_GID:
-		case WBC_ID_TYPE_UID:
-		case WBC_ID_TYPE_BOTH:
+		case ID_TYPE_GID:
+		case ID_TYPE_UID:
+		case ID_TYPE_BOTH:
 			if (ids[i].id == -1) {
 				ids[i].type = ID_TYPE_NOT_SPECIFIED;
 			}
 			break;
-		case WBC_ID_TYPE_NOT_SPECIFIED:
+		case ID_TYPE_NOT_SPECIFIED:
+			break;
+		case ID_TYPE_WB_REQUIRE_TYPE:
+			/*
+			 * these are internal between winbindd
+			 * parent and child.
+			 */
+			smb_panic(__location__);
 			break;
 		}
 	}
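
Review bot: In the new `case ID_TYPE_WB_REQUIRE_TYPE:` arm, `smb_panic(__location__)` aborts the calling process if the internal marker ever shows up in `ids[i].type`. Since the comment says the value should never cross the winbindd parent/child boundary, consider logging it and downgrading the entry to `ID_TYPE_NOT_SPECIFIED`, as the `ids[i].id == -1` branch above does, so that a leak becomes a failed mapping rather than a crash of the caller. If the panic is intentional, the comment should say why aborting is preferred.
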
diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
index 5ecb978990d..f881babcc52 100644
--- a/source3/torture/test_idmap_tdb_common.c
+++ b/source3/torture/test_idmap_tdb_common.c
@@ -110,12 +110,21 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
 	return true;
 }
 
-static struct idmap_tdb_common_context *createcontext(TALLOC_CTX *memctx)
+static NTSTATUS idmap_test_tdb_db_init(struct idmap_domain *dom)
 {
 	struct idmap_tdb_common_context *ret;
 
-	ret = talloc_zero(memctx, struct idmap_tdb_common_context);
+	DBG_DEBUG("called for domain '%s'\n", dom->name);
+
+	ret = talloc_zero(dom, struct idmap_tdb_common_context);
+	if (ret == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
 	ret->rw_ops = talloc_zero(ret, struct idmap_rw_ops);
+	if (ret->rw_ops == NULL) {
+		TALLOC_FREE(ret);
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	ret->max_id = HIGH_ID;
 	ret->hwmkey_uid = HWM_USER;
@@ -125,25 +134,33 @@ static struct idmap_tdb_common_context *createcontext(TALLOC_CTX *memctx)
 	ret->rw_ops->set_mapping = idmap_tdb_common_set_mapping;
 
 	if (!open_db(ret)) {
-		return NULL;
+		TALLOC_FREE(ret);
+		return NT_STATUS_INTERNAL_ERROR;
 	};
 
-	return ret;
+	dom->private_data = ret;
+
+	return NT_STATUS_OK;
 }
 
 static struct idmap_domain *createdomain(TALLOC_CTX *memctx)
 {
 	struct idmap_domain *dom;
+	struct idmap_methods *m;
 
 	dom = talloc_zero(memctx, struct idmap_domain);
 	dom->name = "*";
 	dom->low_id = LOW_ID;
 	dom->high_id = HIGH_ID;
 	dom->read_only = false;
-	dom->methods = talloc_zero(dom, struct idmap_methods);
-	dom->methods->sids_to_unixids = idmap_tdb_common_sids_to_unixids;
-	dom->methods->unixids_to_sids = idmap_tdb_common_unixids_to_sids;
-	dom->methods->allocate_id = idmap_tdb_common_get_new_id;
+	m = talloc_zero(dom, struct idmap_methods);
+	*m = (struct idmap_methods) {
+		.init = idmap_test_tdb_db_init,
+		.sids_to_unixids = idmap_tdb_common_sids_to_unixids,
+		.unixids_to_sids = idmap_tdb_common_unixids_to_sids,
+		.allocate_id = idmap_tdb_common_get_new_id,
+	};
+	dom->methods = m;
 
 	return dom;
 }
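
Review bot: `createdomain()` dereferences both allocations without checking them: `dom->name = "*";` follows `talloc_zero(memctx, struct idmap_domain)` directly, and `*m = (struct idmap_methods) {` follows `talloc_zero(dom, struct idmap_methods)` directly. The caller now tests `dom == NULL`, so return NULL here on either allocation failure (freeing `dom` in the second case) to make that check meaningful.
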
@@ -965,20 +982,20 @@ out:
 bool run_idmap_tdb_common_test(int dummy)
 {
 	bool result;
-	struct idmap_tdb_common_context *ctx;
 	struct idmap_domain *dom;
-
-	TALLOC_CTX *memctx = talloc_new(NULL);
 	TALLOC_CTX *stack = talloc_stackframe();
+	TALLOC_CTX *memctx = talloc_new(stack);
+	NTSTATUS status;
 
-	ctx = createcontext(memctx);
-	if(!ctx) {
+	dom = createdomain(memctx);
+	if (dom == NULL) {
 		return false;
 	}
 
-	dom = createdomain(memctx);
-
-	dom->private_data = ctx;
+	status = dom->methods->init(dom);
+	if (!NT_STATUS_IS_OK(status)) {
+		return false;
+	}
 
 	/* test a single allocation from pool (no mapping) */
 	result = test_getnewid1(memctx, dom);
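Review bot: both early "return false" paths (after createdomain() and after dom->methods->init(dom)) leave the function without freeing the stackframe created by talloc_stackframe(). Since memctx is now a child of stack, a single TALLOC_FREE(stack) before each return would release everything allocated so far, including dom and its private_data.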
@@ -1022,7 +1039,6 @@ bool run_idmap_tdb_common_test(int dummy)
 	result = test_getnewid2(memctx, dom);
 	CHECKRESULT(result);
 
-	talloc_free(memctx);
 	talloc_free(stack);
 
 	return true;
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index bfac7f86432..eee28992929 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -40,7 +40,7 @@ static_decl_idmap;
 
 struct idmap_backend {
 	const char *name;
-	struct idmap_methods *methods;
+	const struct idmap_methods *methods;
 	struct idmap_backend *prev, *next;
 };
 static struct idmap_backend *backends = NULL;
@@ -285,7 +285,7 @@ static bool idmap_found_domain_backend(const char *domname,
 	return false;
 }
 
-static struct idmap_methods *get_methods(const char *name)
+static const struct idmap_methods *get_methods(const char *name)
 {
 	struct idmap_backend *b;
 
@@ -309,7 +309,7 @@ bool idmap_is_offline(void)
 **********************************************************************/
 
 NTSTATUS smb_register_idmap(int version, const char *name,
-			    struct idmap_methods *methods)
+			    const struct idmap_methods *methods)
 {
 	struct idmap_backend *entry;
 
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 0595a7b270a..7e858d349d9 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -1029,7 +1029,7 @@ static NTSTATUS idmap_ad_sids_to_unixids_retry(struct idmap_domain *dom,
 	return status;
 }
 
-static struct idmap_methods ad_methods = {
+static const struct idmap_methods ad_methods = {
 	.init            = idmap_ad_initialize,
 	.unixids_to_sids = idmap_ad_unixids_to_sids_retry,
 	.sids_to_unixids = idmap_ad_sids_to_unixids_retry,
diff --git a/source3/winbindd/idmap_ad_nss.c b/source3/winbindd/idmap_ad_nss.c
index 0fd2b51e156..96fee84997f 100644
--- a/source3/winbindd/idmap_ad_nss.c
+++ b/source3/winbindd/idmap_ad_nss.c
@@ -370,19 +370,19 @@ done:
 /* The SFU and RFC2307 NSS plugins share everything but the init
    function which sets the intended schema model to use */
 
-static struct nss_info_methods nss_rfc2307_methods = {
+static const struct nss_info_methods nss_rfc2307_methods = {
 	.init           = nss_rfc2307_init,
 	.map_to_alias   = nss_ad_map_to_alias,
 	.map_from_alias = nss_ad_map_from_alias,
 };
 
-static struct nss_info_methods nss_sfu_methods = {
+static const struct nss_info_methods nss_sfu_methods = {
 	.init           = nss_sfu_init,
 	.map_to_alias   = nss_ad_map_to_alias,
 	.map_from_alias = nss_ad_map_from_alias,
 };
 
-static struct nss_info_methods nss_sfu20_methods = {
+static const struct nss_info_methods nss_sfu20_methods = {
 	.init           = nss_sfu20_init,
 	.map_to_alias   = nss_ad_map_to_alias,
 	.map_from_alias = nss_ad_map_from_alias,
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index c84e70db841..ad53b5810ee 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -671,9 +671,9 @@ static NTSTATUS idmap_autorid_sid_to_id(struct idmap_tdb_common_context *common,
 	 * range.
 	 */
 
-	DBG_NOTICE("Allocating range for domain %s refused\n", range.domsid);
-	map->status = ID_UNMAPPED;
-	return NT_STATUS_NONE_MAPPED;
+	DBG_NOTICE("Allocating range for domain %s required type_hint\n", range.domsid);
+	map->status = ID_REQUIRE_TYPE;
+	return NT_STATUS_SOME_NOT_MAPPED;
 
 allocate:
 	ret = idmap_autorid_acquire_range(autorid_db, &range);
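Review bot: the new DBG_NOTICE text "Allocating range for domain %s required type_hint" reads as if something already happened; since this path is now a request for the caller to retry with a type rather than a refusal, wording such as "requires a type hint" and a lower debug level than NOTICE may fit better. The return value also changes from NT_STATUS_NONE_MAPPED to NT_STATUS_SOME_NOT_MAPPED, so it is worth confirming that every caller of idmap_autorid_sid_to_id() that tested for the old status also handles the new one together with map->status == ID_REQUIRE_TYPE.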
@@ -920,7 +920,7 @@ done:
 	return status;
 }
 
-static struct idmap_methods autorid_methods = {
+static const struct idmap_methods autorid_methods = {
 	.init = idmap_autorid_initialize,
 	.unixids_to_sids = idmap_autorid_unixids_to_sids,
 	.sids_to_unixids = idmap_autorid_sids_to_unixids,
diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
index 1747b7c56c1..be0ba45a044 100644
--- a/source3/winbindd/idmap_hash/idmap_hash.c
+++ b/source3/winbindd/idmap_hash/idmap_hash.c
@@ -331,13 +331,13 @@ static NTSTATUS nss_hash_close(void)
  Dispatch Tables for IDMap and NssInfo Methods
 ********************************************************************/
 
-static struct idmap_methods hash_idmap_methods = {
+static const struct idmap_methods hash_idmap_methods = {
 	.init            = idmap_hash_initialize,
 	.unixids_to_sids = unixids_to_sids,
 	.sids_to_unixids = sids_to_unixids,
 };
 
-static struct nss_info_methods hash_nss_methods = {
+static const struct nss_info_methods hash_nss_methods = {
 	.init           = nss_hash_init,
 	.map_to_alias   = nss_hash_map_to_alias,
 	.map_from_alias = nss_hash_map_from_alias,
diff --git a/source3/winbindd/idmap_ldap.c b/source3/winbindd/idmap_ldap.c
index b29e990f97a..2f879bf77e8 100644
--- a/source3/winbindd/idmap_ldap.c
+++ b/source3/winbindd/idmap_ldap.c
@@ -251,6 +251,17 @@ static NTSTATUS idmap_ldap_allocate_id_internal(struct idmap_domain *dom,
 					   LDAP_ATTR_GIDNUMBER);
 		break;
 
+	case ID_TYPE_BOTH:
+		/*
+		 * This is not supported here yet and
+		 * already handled in idmap_rw_new_mapping()
+		 */
+		FALL_THROUGH;
+	case ID_TYPE_NOT_SPECIFIED:
+		/*
+		 * This is handled in idmap_rw_new_mapping()
+		 */
+		FALL_THROUGH;
 	default:
 		DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
 		return NT_STATUS_INVALID_PARAMETER;
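Review bot: the new ID_TYPE_BOTH and ID_TYPE_NOT_SPECIFIED cases fall through to default and are logged as "Invalid ID type (0x%x)", which contradicts the comments saying these types are handled in idmap_rw_new_mapping(). If reaching this switch with either type indicates a caller bug, the comments should say so explicitly ("must not reach here because ..."); the comment on ID_TYPE_BOTH, "not supported here yet and already handled", is ambiguous about which of the two applies.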
@@ -868,6 +879,7 @@ static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
 	const char **attr_list;
 	char *filter = NULL;
 	bool multi = False;
+	size_t num_required = 0;
 	int idx = 0;
 	int bidx = 0;
 	int count;
@@ -1076,7 +1088,21 @@ again:
 			ids[i]->status = ID_UNMAPPED;
 			if (ids[i]->sid != NULL) {
 				ret = idmap_ldap_new_mapping(dom, ids[i]);
+				DBG_DEBUG("idmap_ldap_new_mapping returned %s\n",
+					  nt_errstr(ret));
+				if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
+					if (ids[i]->status == ID_REQUIRE_TYPE) {
+						num_required += 1;
+						continue;
+					}
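Review bot: the check NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) uses a different spelling from the NT_STATUS_SOME_NOT_MAPPED returned in the idmap_autorid.c hunk of this same patch; using one name throughout would make the ID_REQUIRE_TYPE handling easier to grep and audit. Also note that ids[i]->status is set to ID_UNMAPPED immediately before the call, so this branch depends on idmap_ldap_new_mapping() overwriting the status; a short comment stating that contract would help. The use of num_required after the loop is not visible in this excerpt, so it cannot be reviewed here.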


-- 
Samba Shared Repository


