about local group member detection
Jeremy Allison
jra at samba.org
Fri Dec 3 15:05:55 MST 2010
On Fri, Dec 03, 2010 at 03:07:12PM +0800, drag chan wrote:
> Hi,
>
> When getting group info for a user, the domain which the user belongs
> to is first checked, then the local domain, and the builtin domain.
> But in samba-3.5.4/source3/winbind/wb_gettoken.c, find_our_domain() is
> called to get the local domain.
>
> What's the meaning of local domain? If it means local SAM,
> find_our_domain() returns an error result:
>
> struct winbindd_domain *find_our_domain(void)
> {
>         struct winbindd_domain *domain;
>
>         /* Search through list */
>
>         for (domain = domain_list(); domain != NULL; domain = domain->next) {
>                 if (domain->primary)
>                         return domain;
>         }
>
>         smb_panic("Could not find our domain");
>         return NULL;
> }
>
> If Samba's role is a domain member, find_our_domain() doesn't return the
> local SAM.
>
> Maybe we should call find_domain_from_sid(get_global_sam_sid()) to get
> the local domain in samba-3.5.4/source3/winbind/wb_gettoken.c?

So you're thinking of something like this patch (attached)? Can you give an
example of how this bug would affect winbindd - how did you discover this
issue?

Jeremy.
-------------- next part --------------
diff --git a/source3/winbindd/wb_gettoken.c b/source3/winbindd/wb_gettoken.c
index ca407b21..f2fbe4c 100644
--- a/source3/winbindd/wb_gettoken.c
+++ b/source3/winbindd/wb_gettoken.c
@@ -106,7 +106,7 @@ static void wb_gettoken_gotgroups(struct tevent_req *subreq)
/*
* Expand our domain's aliases
*/
- domain = find_our_domain();
+ domain = find_domain_from_sid_noinit(get_global_sam_sid());
if (domain == NULL) {
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
return;
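Review bot: the comment left above the changed line in wb_gettoken_gotgroups() still says "Expand our domain's aliases", but the lookup is now keyed on get_global_sam_sid() rather than on the primary domain, so the comment should name the local SAM domain explicitly. The `if (domain == NULL)` check that follows also matters more than before: find_our_domain(), as quoted earlier in this thread, panics instead of returning NULL, so this check is now the only guard on a failed lookup. A sentence in the commit message on why the _noinit variant is the right lookup here would help as well.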
@@ -137,7 +137,7 @@ static void wb_gettoken_gotlocalgroups(struct tevent_req *subreq)
tevent_req_nterror(req, status);
return;
}
- domain = find_our_domain();
+ domain = find_domain_from_sid_noinit(get_global_sam_sid());
if (!wb_add_rids_to_sids(state, &state->num_sids, &state->sids,
&domain->sid, num_rids, rids)) {
tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
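Review bot: missing NULL check in wb_gettoken_gotlocalgroups(): the result of find_domain_from_sid_noinit() is dereferenced as `&domain->sid` on the very next line. The first hunk tests the same call for NULL, which implies it can fail, whereas the find_our_domain() it replaces panics rather than returning NULL, so the old code never reached this dereference with a NULL pointer. Suggest repeating the guard from the first hunk here, `if (domain == NULL) { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }`, before the call to wb_add_rids_to_sids().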