wbinfo fails when called from idmap tdb2 script

Joachim Achtzehnter joachima at netacquire.com
Wed Mar 30 19:49:17 UTC 2016


How about the attached patch to add a paragraph to the idmap_script(8) 
man page explaining the need to undefine this environment variable?

By the way, how should this script handle an alias SID? The "wbinfo -s" 
output ends with a type identifier, the values of which are presumably 
from the following enumeration:

    enum wbcSidType {
        WBC_SID_NAME_USE_NONE=0,
        WBC_SID_NAME_USER=1,
        WBC_SID_NAME_DOM_GRP=2,
        WBC_SID_NAME_DOMAIN=3,
        WBC_SID_NAME_ALIAS=4,
        WBC_SID_NAME_WKN_GRP=5,
        WBC_SID_NAME_DELETED=6,
        WBC_SID_NAME_INVALID=7,
        WBC_SID_NAME_UNKNOWN=8,
        WBC_SID_NAME_COMPUTER=9
    };

I assume 2 and 5 can be treated as a group, returning GID, and for 1 the 
script should return UID, but what to do for type 4 (alias)? I've seen 
it called with 4, in this case for an alias group, but how would the 
script know that the alias is a group?

Thanks,

Joachim


On 2016-03-29 12:51, Volker Lendecke wrote:
> On Tue, Mar 29, 2016 at 12:44:02PM -0700, Joachim Achtzehnter wrote:
>> With the unset in the script it is working. Thanks!
>>
>> Would it make sense to do this inside the script module instead of requiring
>> script authors to discover this obscure work-around?
>>
>> I tried adding winbind_on() and winbind_off() calls before/after the call to
>> file_lines_pload() in "idmap_script.c", but this doesn't seem to help. The
>> script still sees the _NO_WINBINDD variable set to the value "1". I'm not
>> sure how this can be?
>
> Not sure either. But I would argue that this is more a documentation than
> a code problem. Calling wbinfo -s from within an idmap script should be
> a very conscious decision, as careless use of nsswitch functions like
> getpwnam (even ls -l would do that) can very easily lead to recursive
> calls. So we need to protect winbind from itself. Agreed, this could be
> better documented. Feel free to send in a wording and/or a patch.
>
> Volker
>

-- 
joachima at netacquire.com http://www.netacquire.com
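As an added illustration of the two points raised in this thread (not code from the Samba tree or from either poster): a POSIX sh helper that lifts the _NO_WINBINDD recursion guard only for the single wbinfo call, then classifies the SID by the wbcSidType number wbinfo prints. It assumes wbinfo -s prints "DOMAIN\name TYPE" with the type as the last field, and the WBINFO variable is a hypothetical hook so the functions can be exercised against a stub.

```sh
#!/bin/sh
# Added example, not part of the thread or of Samba. Assumed wbinfo -s output
# format: "DOMAIN\name TYPE", TYPE being a wbcSidType number (enum above).

# WBINFO is an assumption for offline testing, not a Samba setting.
: "${WBINFO:=wbinfo}"

# Print the wbcSidType number for a SID. The unset happens inside the $( )
# subshell only, so the calling script keeps _NO_WINBINDD and any nsswitch
# lookup it triggers elsewhere (getpwnam, ls -l) still cannot recurse into
# winbindd. Returns 1 and prints nothing if wbinfo fails.
sid_type() {
    out=$( unset _NO_WINBINDD; "$WBINFO" -s "$1" ) || return 1
    printf '%s\n' "$out" | awk 'NF >= 2 && $NF ~ /^[0-9]+$/ { print $NF }'
}

# Map a wbcSidType number to the id kind an idmap script would hand back.
# USER, DOM_GRP and WKN_GRP are unambiguous; ALIAS (4) cannot be resolved
# from the type field alone, so it is reported as such instead of guessed.
id_kind_for_type() {
    case $1 in
        1)   echo uid ;;
        2|5) echo gid ;;
        4)   echo alias ;;
        *)   echo unknown ;;
    esac
}

# SID -> uid | gid | alias | unknown (exit 1 when wbinfo could not resolve it)
sid_kind() {
    t=$(sid_type "$1") || t=
    if [ -z "$t" ]; then
        echo unknown
        return 1
    fi
    id_kind_for_type "$t"
}
```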
-------------- next part --------------
diff -ru samba-4.3.6-orig/docs/manpages/idmap_script.8 samba-4.3.6/docs/manpages/idmap_script.8
--- samba-4.3.6-orig/docs/manpages/idmap_script.8	2016-03-30 11:58:09.122680555 -0700
+++ samba-4.3.6/docs/manpages/idmap_script.8	2016-03-30 12:34:57.765630541 -0700
@@ -134,6 +134,24 @@
 .\}
 .PP
 Clearly, this script is not enough, as it should probably use wbinfo to determine if an incoming SID is a user or group SID and then look up the mapping in a table or use some other mechanism for mapping SIDs to UIDs and etc\&.
+.PP
+For wbinfo to work from such a script it is important to undefine the
+_NO_WINBINDD environment variable inside the script before calling wbinfo:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+	unset _NO_WINBINDD
+	
+.fi
+.if n \{\
+.RE
+.\}
+The winbindd daemon uses this environment variable to prevent infinite
+recursion, but it is safe to call "winbind -s" from the script\&. This
+way the script can convert an SID to a user or group name, and
+determine whether the SID represents a group or a user\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
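Review bot: the added paragraph names the wrong command in `it is safe to call "winbind -s" from the script`; the tool the rest of the page and the man page talk about is wbinfo, so this should read `wbinfo -s`. The paragraph would also benefit from saying that the variable should be unset only around the wbinfo invocation (for example in a subshell) rather than for the whole script, since, as noted upthread, once _NO_WINBINDD is gone any nsswitch lookup the script happens to trigger (getpwnam, even `ls -l`) can recurse back into winbindd; and `convert an SID` should read `convert a SID`.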

