wbinfo fails when called from idmap tdb2 script
Volker Lendecke
Volker.Lendecke at SerNet.DE
Thu Mar 31 15:18:34 UTC 2016
On Wed, Mar 30, 2016 at 12:49:17PM -0700, Joachim Achtzehnter wrote:
> How about the attached patch to add a paragraph to the idmap_script(8) man
> page explaining the need to undefine this environment variable?
>
> By the way, how should this script handle an alias SID? The "wbinfo -s"
> output ends with a type identifier, the values of which are presumably from
> the following enumeration:
>
> enum wbcSidType {
> WBC_SID_NAME_USE_NONE=0,
> WBC_SID_NAME_USER=1,
> WBC_SID_NAME_DOM_GRP=2,
> WBC_SID_NAME_DOMAIN=3,
> WBC_SID_NAME_ALIAS=4,
> WBC_SID_NAME_WKN_GRP=5,
> WBC_SID_NAME_DELETED=6,
> WBC_SID_NAME_INVALID=7,
> WBC_SID_NAME_UNKNOWN=8,
> WBC_SID_NAME_COMPUTER=9
> };
Correct.
> I assume 2 and 5 can be treated as a group, returning GID, and for 1 the
> script should return UID, but what to do for type 4 (alias)? I've seen it
> called with 4, in this case for an alias group, but how would the script
> know that the alias is a group?
Aliases are the Windows technical term for "local groups", so treat it
as a group.
What do you think about the attached patches? I've done the wording
slightly differently.
Thanks,
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 6f524e126d397a8d1b18d76c4ae97ad65ef8b552 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 31 Mar 2016 16:57:58 +0200
Subject: [PATCH 1/2] docs: build idmap_script.8 by default
Signed-off-by: Volker Lendecke <vl at samba.org>
---
docs-xml/wscript_build | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 11b826b..2b3a180 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -15,6 +15,7 @@ manpages='''
manpages/idmap_nss.8
manpages/idmap_rfc2307.8
manpages/idmap_rid.8
+ manpages/idmap_script.8
manpages/idmap_tdb.8
manpages/idmap_tdb2.8
manpages/net.8
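Review bot: on the added manpages/idmap_script.8 line, the commit message has only a subject, so it does not say why the page was missing from this list until now. Patch 2/2 edits an already existing idmap_script.8.xml, so a one-sentence body stating that the source was in the tree but not built would make the history easier to follow.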
--
1.7.9.5
From 05db10444f4cd6bc776239c064ddfc15d498b8dc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 31 Mar 2016 17:10:39 +0200
Subject: [PATCH 2/2] docs: Mention _NO_WINBINDD in idmap_script.8
Thanks to Joachim Achtzehnter <joachima at netacquire.com> for pointing out this
flaw!
Signed-off-by: Volker Lendecke <vl at samba.org>
---
docs-xml/manpages/idmap_script.8.xml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/docs-xml/manpages/idmap_script.8.xml b/docs-xml/manpages/idmap_script.8.xml
index a378e7b..328a16b 100644
--- a/docs-xml/manpages/idmap_script.8.xml
+++ b/docs-xml/manpages/idmap_script.8.xml
@@ -148,6 +148,24 @@
look up the mapping in a table or use some other mechanism for
mapping SIDs to UIDs and etc.
</para>
+
+ <para>
+ Please be aware that the script is called with the
+ _NO_WINBINDD environment variable set to 1. This prevents
+ recursive calls into winbind from the script both via
+ explicit calls to wbinfo and via implicit calls via
+ nss_winbind. For example a call to <command>ls -l</command>
+ could trigger such an infinite recursion.
+ </para>
+
+ <para>
+ It is safe to call <command>wbinfo -n</command> and
+ <command>wbinfo -s</command> from within an idmap script. To
+ do so, the script must unset the _NO_WINBINDD environment
+ variable right before the call to <command>wbinfo</command>
+ and set it to 1 again right after <command>wbinfo</command>
+ has returned to protect against the recursion.
+ </para>
</refsect1>
<refsect1>
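Review bot: in the second added para, the advice to unset _NO_WINBINDD "right before the call" and "set it to 1 again right after" leaves the script's own environment without the guard if it exits the sequence early or forgets the re-set. Suggest recommending that the variable be removed only from the environment of the wbinfo child process, so the script itself never runs unguarded. Smaller points: _NO_WINBINDD is bare text in both paragraphs while commands are wrapped in <command>, so <envar>_NO_WINBINDD</envar> would be consistent; "via explicit calls to wbinfo and via implicit calls via nss_winbind" can drop one "via"; and the text names only wbinfo -n and wbinfo -s as safe without saying whether other wbinfo options must be avoided.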
--
1.7.9.5
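The type handling settled in this message (1 is a user; 2, 4 and 5 are groups) combined with the _NO_WINBINDD handling from patch 2/2, as an added shell example that is not part of the original message or of Samba. The function names are hypothetical. It removes the variable only inside a subshell rather than unsetting and re-setting it, and it returns just the kind of ID (UID or GID), since the number assignment is site-specific.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample lines are constructed.

# Run "wbinfo -s SID" with _NO_WINBINDD removed only inside a subshell, so
# the calling script's own environment keeps the recursion guard set.
lookup_sid() {
    ( unset _NO_WINBINDD; wbinfo -s "$1" )
}

# Extract the trailing wbcSidType number from one line of "wbinfo -s" output.
# Names may contain spaces, so take the text after the last space.
sid_type_of() {
    type_field=${1##* }
    case $type_field in
        ''|*[!0-9]*) return 1 ;;   # line does not end in a numeric type
    esac
    printf '%s\n' "$type_field"
}

# Map a wbcSidType value to the kind of Unix ID the script should return.
id_kind_for_type() {
    case $1 in
        1)     echo UID ;;   # WBC_SID_NAME_USER
        2|4|5) echo GID ;;   # DOM_GRP, ALIAS (a local group), WKN_GRP
        *)     return 1 ;;   # types the thread does not assign: no mapping
    esac
}

# SID -> "UID" or "GID"; non-zero exit when the lookup or the mapping fails.
id_kind_for_sid() {
    line=$(lookup_sid "$1") || return 1
    t=$(sid_type_of "$line") || return 1
    id_kind_for_type "$t"
}

# Constructed sample lines, each ending in a type identifier.
for sample in 'EXAMPLE\alice 1' 'EXAMPLE\Domain Users 2' 'BUILTIN\Administrators 4'; do
    t=$(sid_type_of "$sample") &&
        printf '%s -> %s\n' "$sample" "$(id_kind_for_type "$t")"
done
```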