[PATCH] winbindd: lookup-domain for well-known SIDs on a DC

Ralph Böhme slow at samba.org
Sat Apr 1 21:37:46 UTC 2017


On Sat, Apr 01, 2017 at 06:34:58PM +0100, Rowland Penny wrote:
> Fairly sure:
> 
> #!/bin/sh
> 
> failed=0
> WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5"
> 
> echo -e "$WELL_KNOWN_SIDS" | while read SID ; do
>     read NAME
> 
>     failed=1
> done
> 
> echo "FAILED: $failed"
> 
> exit 0
> 
> root at devstation:# bash ./testfrag3.sh 
> FAILED: 0
> 
> Rowland

d'oh! The pipe starts a subshell, so of course the value of failed is lost.

Attached version works without a pipe so it should be ok. Thanks a lot for
spotting this!

Cheerio!
-slow
-------------- next part --------------
From cbdfe8af08f18a5ec0e4a2b98ee18f523f8053a3 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 30 Mar 2017 23:41:59 +0200
Subject: [PATCH 1/3] winbindd: use passdb backend for well-known SIDs

On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 selftest/knownfail               |  2 --
 source3/winbindd/winbindd_util.c | 13 +++++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index cfd4b35..39c7c99 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -22,14 +22,12 @@
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1a38dde..bfe6cca 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1009,12 +1009,19 @@ struct winbindd_domain *find_our_domain(void)
 
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 {
-	/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+	DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
+
+	/*
+	 * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+	 * by our passdb.
+	 */
 
 	if ( sid_check_is_in_unix_groups(sid) ||
 	     sid_check_is_unix_groups(sid) ||
 	     sid_check_is_in_unix_users(sid) ||
-	     sid_check_is_unix_users(sid) )
+	     sid_check_is_unix_users(sid) ||
+	     sid_check_is_wellknown_domain(sid, NULL) ||
+	     sid_check_is_in_wellknown_domain(sid) )
 	{
 		return find_domain_from_sid(get_global_sam_sid());
 	}
@@ -1023,8 +1030,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 	 * one to contact the external DC's. On member servers the internal
 	 * domains are different: These are part of the local SAM. */
 
-	DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
-
 	if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
 		DEBUG(10, ("calling find_domain_from_sid\n"));
 		return find_domain_from_sid(sid);
-- 
2.9.3


From 2c39ccc557a142a15c5430015fb4631fc019dc8b Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 31 Mar 2017 16:06:18 +0200
Subject: [PATCH 2/3] selftest: wbinfo -s tests for wellknown SIDs

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 nsswitch/tests/test_wbinfo.sh | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index cfe582d..ff99a96 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -88,6 +88,31 @@ else
 	echo "success: wbinfo -s check for sane mapping"
 fi
 
+while read SID ; do
+    read NAME
+
+    testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1`
+
+    RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z`
+    echo "$SID resolved to $RESOLVED_NAME"
+
+    echo "test: wbinfo -s $SID against $TARGET"
+    if test x"$RESOLVED_NAME" != x"$NAME" ; then
+        echo "$RESOLVED_NAME does not match $NAME"
+	echo "failure: wbinfo -s $SID against $TARGET"
+	failed=`expr $failed + 1`
+    else
+        echo "success: wbinfo -s $SID against $TARGET"
+    fi
+done <<EOF
+S-1-1-0
+/EVERYONE 5
+S-1-3-1
+/CREATOR GROUP 5
+S-1-5-1
+NT AUTHORITY/DIALUP 5
+EOF
+
 testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1`
 test_sid=`$wbinfo -n $tested_name | cut -d " " -f1`
 
-- 
2.9.3


From 1ffd4e059082d143a8518cb4352eb3a57339f9df Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 31 Mar 2017 16:24:05 +0200
Subject: [PATCH 3/3] selftest: wbinfo --sids-to-unix-ids tests for wellknown
 SIDs

This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/script/tests/test_wbinfo_sids2xids_int.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/script/tests/test_wbinfo_sids2xids_int.py b/source3/script/tests/test_wbinfo_sids2xids_int.py
index f3dbed8..3ad3156 100755
--- a/source3/script/tests/test_wbinfo_sids2xids_int.py
+++ b/source3/script/tests/test_wbinfo_sids2xids_int.py
@@ -29,7 +29,7 @@ domsid = domsid.split(' ')[0]
 #print domain
 #print domsid
 
-sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513' ]
+sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513', 'S-1-1-0', 'S-1-3-1', 'S-1-5-1' ]
 
 flush_cache()
 
-- 
2.9.3



More information about the samba-technical mailing list