bug in winbindd_ads.c : lookup_groupmem, domain name would be
prepended to username twice
Bo Yang
boyang at novell.com
Fri Nov 2 07:48:30 GMT 2007
Hi all,
lookup_groupmem in winbindd_ads.c prepended the domain name to the username, and fill_grent_mem can prepend the domain name to the username,
which will result in the domain name being prepended twice.
To reproduce the issue:
Assume user U1 is in group G1 (not the primary group), and D is the domain name.
1. Stop winbindd
2. Remove winbindd_cache.tdb
3. Restart winbindd
4. Write junk code (as reproduce_336854.c shows) to first invoke getpwnam(D\U1), and then call getgrnam(D\G1)
The getgrnam returned member D\d\U1 as its member's name...
Patch in attachment for 3.0.26 and 3.2.0.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reproduce_336854.c
Type: application/octet-stream
Size: 725 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20071102/32fb7f71/reproduce_336854.obj
-------------- next part --------------
Index: source/nsswitch/winbindd_ads.c
===================================================================
--- source/nsswitch/winbindd_ads.c (revision 25784)
+++ source/nsswitch/winbindd_ads.c (working copy)
@@ -1022,10 +1022,17 @@
DEBUG(10,("ads: lookup_groupmem: got sid %s from cache\n",
sid_string_static(&sid)));
sid_copy(&(*sid_mem)[*num_names], &sid);
+ /* we should not prepend domain name before
+ * the username, because fill_grent_mem will
+ * do it.........
+ **/
+ /*
(*names)[*num_names] = talloc_asprintf(*names, "%s%c%s",
domain_name,
*lp_winbind_separator(),
name );
+ */
+ (*names)[*num_names] = talloc_asprintf(*names, "%s", name);
(*name_types)[*num_names] = name_type;
(*num_names)++;
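Review bot: The new assignment `(*names)[*num_names] = talloc_asprintf(*names, "%s", name);` is not checked for NULL before `(*num_names)++`, so an allocation failure leaves a NULL entry that is counted as a valid member name by whoever consumes the array. Check the result and return an error on failure; `talloc_strdup(*names, name)` would also express a plain copy more directly than a "%s" format. The old call is better deleted than kept inside a `/* ... */` block, since the revision history already preserves it.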
-------------- next part --------------
Index: source/winbindd/winbindd_ads.c
===================================================================
--- source/winbindd/winbindd_ads.c (revision 25784)
+++ source/winbindd/winbindd_ads.c (working copy)
@@ -1021,10 +1021,17 @@
DEBUG(10,("ads: lookup_groupmem: got sid %s from cache\n",
sid_string_static(&sid)));
sid_copy(&(*sid_mem)[*num_names], &sid);
+ /* we should not prepend domain name before
+ * the username, because fill_grent_mem
+ * will do it
+ *****/
+ /*
(*names)[*num_names] = talloc_asprintf(*names, "%s%c%s",
domain_name,
*lp_winbind_separator(),
name );
+ */
+ (*names)[*num_names] = talloc_asprintf(*names, "%s", name);
(*name_types)[*num_names] = name_type;
(*num_names)++;
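Review bot: Dropping `domain_name` from the stored name, in the branch that logs "got sid %s from cache", discards the only per-entry domain information visible here and relies entirely on fill_grent_mem to add it back. If a group can hold members whose domain differs from the one fill_grent_mem prepends, those members would be reported under the wrong domain, which matters wherever the returned name feeds an access decision. An alternative is to keep the qualified name here and have fill_grent_mem skip names that already contain the winbind separator. Please also confirm that any other path in lookup_groupmem that fills `(*names)` returns names in the same form, so cached and uncached lookups do not differ.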