wbinfo fails when called from idmap tdb2 script

Joachim Achtzehnter joachima at netacquire.com
Tue Mar 29 19:44:02 UTC 2016


With the unset in the script it is working. Thanks!

Would it make sense to do this inside the script module instead of 
requiring script authors to discover this obscure work-around?

I tried adding winbind_on() and winbind_off() calls before/after the 
call to file_lines_pload() in "idmap_script.c", but this doesn't seem to 
help. The script still sees the _NO_WINBINDD variable set to the value 
"1". I'm not sure how this can be?

If anybody wants to try this, patch is attached.

Thanks,

Joachim


On 2016-03-28 22:55, Volker Lendecke wrote:
> On Mon, Mar 28, 2016 at 02:04:30PM -0700, Joachim Achtzehnter wrote:
>> The idmap script module delegates control over the winbindd SID to
>> GID/UID mappings to a script. It is configured like this:
>>
>>      idmap config * : backend = tdb2
>>      idmap config * : range = 10000000-20000000
>>      idmap config * : script = /opt/bin/idmap.sh
>>
>> The documentation for this feature explicitly mentions that the
>> script can call "wbinfo -s" to convert its SID command line argument
>
> Do an
>
> unset _NO_WINBINDD
>
> right before the wbinfo -s call and a
>
> _NO_WINBINDD=1; export _NO_WINBINDD
>
> right after it. It's a protection against never-ending
> recursion.
>
> Volker
>

-- 
joachima at netacquire.com http://www.netacquire.com
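
The workaround from this thread written out as a complete script, as an added example that is not part of the original messages or of Samba: the unset is confined to a subshell around the single "wbinfo -s" call, so the guard stays set everywhere else. The SIDTOID request and the UID:/ERR: reply lines follow the idmap_tdb2 manual page; MAP_FILE, its line format and the WBINFO override are assumptions of the example.

```sh
#!/bin/sh
# Added example, not Samba code. WBINFO and MAP_FILE are assumptions of this
# example; MAP_FILE holds constructed lines such as "UID:10000001 EXAMPLE\alice".
WBINFO=${WBINFO:-wbinfo}
MAP_FILE=${MAP_FILE:-/etc/samba/idmap-names.map}   # hypothetical path

# Resolve a SID to a name. The unset runs in a subshell, so _NO_WINBINDD is
# cleared only for this one wbinfo call and stays set in the script itself
# and in every other command it starts.
sid_to_name() {
    ( unset _NO_WINBINDD; "$WBINFO" -s "$1" ) 2>/dev/null
}

# Print the reply line for one SID: the mapped id, or ERR:<reason>.
map_sid() {
    out=$(sid_to_name "$1") || { printf '%s\n' "ERR:lookup failed"; return 0; }
    name=${out% *}    # wbinfo -s prints "DOMAIN\name <type>"; drop the type
    while read -r id mapped; do
        if [ "$mapped" = "$name" ]; then
            printf '%s\n' "$id"
            return 0
        fi
    done < "$MAP_FILE"
    printf '%s\n' "ERR:no mapping"
}

main() {
    case "$1" in
        SIDTOID) map_sid "$2" ;;
        *)       printf '%s\n' "ERR:unsupported request" ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

printf is used instead of echo because some shells' echo would interpret the backslash in DOMAIN\name.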
-------------- next part --------------
diff -ur samba-4.3.6-orig/source3/winbindd/idmap_script.c samba-4.3.6/source3/winbindd/idmap_script.c
--- samba-4.3.6-orig/source3/winbindd/idmap_script.c	2016-03-29 10:20:54.395807006 -0700
+++ samba-4.3.6/source3/winbindd/idmap_script.c	2016-03-29 10:28:19.441318744 -0700
@@ -35,6 +35,7 @@
 #include "idmap.h"
 #include "idmap_rw.h"
 #include "../libcli/security/dom_sid.h"
+#include "nsswitch/winbind_client.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -81,7 +82,11 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	/* by default calls to winbindd are disabled
+	   the following call will not recurse so this is safe */
+	(void)winbind_on();
 	lines = file_lines_pload(cmd, &numlines);
+	(void)winbind_off();
 	talloc_free(cmd);
 	if (!lines) {
 		return NT_STATUS_NONE_MAPPED;
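Review bot: the comment above winbind_on() states that the following call "will not recurse", but file_lines_pload(cmd, &numlines) is the call that launches the script, and a script running "wbinfo -s" with the guard lifted is the path back into winbindd that _NO_WINBINDD is described in this thread as protecting against. Either state in the comment why a lookup made by the script cannot lead to another invocation of the script, or drop the safety claim. Both return values are also discarded with (void), so a failed toggle goes unnoticed, which matters given the report that the script still sees _NO_WINBINDD set to "1"; check them and log on failure. Finally, winbind_off() is called unconditionally afterwards; restoring whatever state was in effect before winbind_on() would be safer than assuming it was off.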

