[PATCH] s3:winbindd: Do not use domain SID from LookupSids for idmap

Christof Schmitt cs at samba.org
Thu Sep 4 14:25:43 MDT 2014


The attached patch fixes a problem where invalid id mappings have been
used for objects that have been migrated from another domain. LookupSids
returns the SID of the new domain where the migrated object resides, and
the problem is that this domain SID cannot be combined with the original
RID. The RID likely has changed during the migration.

Christof
From 8e364c83fcae1b30fc45079b5971f1f8ea0a81a7 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 4 Sep 2014 12:07:24 -0700
Subject: [PATCH] s3:winbindd: Do not use domain SID from LookupSids for idmap

For objects that have been migrated to a new domain, LookupSids will
return the SID from the new domain. Using the domain SID from the new
domain together with the RID from the old domain results in an invalid
SID. Fix this by replacing the domain SID with the original one.

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/winbindd/wb_sids2xids.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index 519a710..c7cfb1b 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -165,10 +165,29 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
 	for (i=0; i<state->num_non_cached; i++) {
 		struct lsa_TranslatedName *n = &state->names->names[i];
 		struct wbint_TransID *t = &state->ids.ids[i];
+		struct dom_sid *orig_sid = &state->non_cached[i];
+		struct lsa_DomainInfo *lsa_dom =
+			&state->domains->domains[n->sid_index];
+
+		if (!dom_sid_in_domain(lsa_dom->sid, orig_sid)) {
+			DEBUG(10, ("LookupSids reported SID %s in domain %s.\n",
+				   sid_string_dbg(orig_sid),
+				   sid_string_dbg(lsa_dom->sid)));
+
+			/*
+			 * Use the domain SID from the sids2xids
+			 * request If the object has been migrated,
+			 * LookupSid will return the new domain, and
+			 * the RID is not valid there.
+			 */
+			talloc_free(lsa_dom->sid);
+			dom_sid_split_rid(lsa_dom, orig_sid,
+					  &lsa_dom->sid, NULL);
+		}
 
 		t->type = lsa_SidType_to_id_type(n->sid_type);
 		t->domain_index = n->sid_index;
-		sid_peek_rid(&state->non_cached[i], &t->rid);
+		sid_peek_rid(orig_sid, &t->rid);
 		t->xid.id = UINT32_MAX;
 		t->xid.type = t->type;
 	}
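Review bot: the replacement of the domain SID is done in place on the shared entry `state->domains->domains[n->sid_index]`, so every other non-cached SID whose LookupSids result points at the same `sid_index` sees the rewritten SID too; two migrated objects that came from different old domains but now share a new domain would overwrite each other, and non-migrated objects in that new domain would be paired with the old domain's SID while `lsa_dom->name` still names the new domain. Consider keeping the per-entry original domain SID separately (for example alongside `t->domain_index`) rather than mutating the domains array. Also, `talloc_free(lsa_dom->sid)` runs before `dom_sid_split_rid` and the NTSTATUS it returns is dropped; on an allocation failure `lsa_dom->sid` is left pointing at freed memory, so the status should be checked and the request failed with `tevent_req_nterror` or similar. Minor: the comment reads "request If the object has been migrated" (missing full stop) and says "LookupSid" where the rest of the patch says "LookupSids".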
-- 
1.7.1
