[PATCHES] winbindd: fix sid->xid for SID History SIDs

Stefan Metzmacher metze at samba.org
Tue Mar 28 12:11:20 UTC 2017


Hi Uri,

>> The fix finds the domain of the SID by resolving a SID with the same domain
>> component and an RID of 513 (domain users), which hopefully never gets
>> migrated.

I think we should better try to resolve the domain sid, instead
of relying on RID 513.

And we should only do that if we don't know about the domain yet.

>> We've discussed other means such as smb.conf stuff or netsamlogon - I
>> think those methods can come on top of this method, because if they
>> don't work we should always fall back to something. The added resolving
>> doesn't cost much because it's in the same round-trip.
>>
>> The key thing about this fix is that it doesn't try to translate sid->xid
>> in any possible case (such as when old domain is gone and forgotten), it
>> just avoids getting the *wrong* result. As such, it's a good minimal fix
>> that can be applied to stable versions. For master, we can add the
>> smb.conf-based stuff, that will support more cases.
>>
>> Review appreciated.
>> Thanks,
>> Uri.
> 
> mostly lgtm, just one issue, see below.
> 
> Fwiw, I'm currently working on another issue in sids2xids. Not really related
> but I'm mentioning it here as you're currently having fun with the same area of
> code.

I think this is related...

I'm wondering if your fixes would also fix Uri's problem.

At least we should carefully think about this and have one
combined and tested patchset.

Otherwise both of you have tested something that won't reflect reality.

Uri, can you run a command like this:
bin/rpcclient -UW4EDOM-L4\\administrator%A1b2C3d4 w2008r2-133.w4edom-l4.base -c 'lookupsids S-1-5-21-278041429-3399921908-1452754838-66666 S-1-5-21-278041429-3399921908-1452754838 S-1-5-21-278041429-3399921908-1452754837-77777 S-1-5-21-278041429-3399921908-1452754837 S-1-5-32-66666 S-1-5-32 S-1-5-32-544' -d 10

That tries to resolve the primary sid of a user, the sid history value
and both domain sids and invalid sids in both domains at the same time
(in various order combinations).
I guess that will help a lot to see the answers from a Windows DC in that
case.

Thanks!
metze
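The following is an added illustration of the pitfall the thread is about; it is not code from the thread, from Uri's patch, or from Samba itself. It splits SID strings into their domain component and RID the way the rpcclient lookup above groups them, and contrasts a mapping that assumes every S-1-5-21 SID belongs to the primary domain (the wrong-result failure mode) with one that only maps a SID once its domain is known, resolving the domain SID when it is not and refusing otherwise. The domain SIDs echo the ones in the rpcclient command; the domain names, id ranges, the `DIRECTORY` stand-in for a DC lookup and the range-allocation policy are all constructed assumptions.

```python
"""Added example: not from the samba-technical thread or from Samba's code.

A SID stored in a migrated user's sidHistory carries the *old* domain's SID
as its domain component.  Mapping it as if it belonged to a domain winbindd
already knows yields a wrong Unix id; the safer path is to recognise the
domain component, resolve the domain SID when it is unknown, and refuse
rather than guess.  Domain names, id ranges and DIRECTORY are constructed.
"""
import re

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
BUILTIN_SID = "S-1-5-32"


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when sid is itself a domain SID."""
    if DOMAIN_SID_RE.match(sid) or sid == BUILTIN_SID:
        return sid, None
    head, sep, tail = sid.rpartition("-")
    if sep and tail.isdigit() and (DOMAIN_SID_RE.match(head) or head == BUILTIN_SID):
        return head, int(tail)
    raise ValueError(f"unsupported SID shape: {sid}")


# Constructed: the domains winbindd "already knows", each with a base for a
# simple rid-offset style mapping (xid = base + rid).
NEW_DOMAIN = "S-1-5-21-278041429-3399921908-1452754838"
OLD_DOMAIN = "S-1-5-21-278041429-3399921908-1452754837"
KNOWN_DOMAINS = {NEW_DOMAIN: ("W4EDOM-L4", 100000), BUILTIN_SID: ("BUILTIN", 3000000)}

# Constructed: what a lookupsids round-trip for the *domain* SIDs would tell
# us (the "resolve the domain sid" step suggested in the thread).
DIRECTORY = {NEW_DOMAIN: "W4EDOM-L4", OLD_DOMAIN: "OLDDOM"}


def naive_sid_to_xid(sid, known=KNOWN_DOMAINS, primary=NEW_DOMAIN):
    """Failure mode: treat any S-1-5-21 SID from an unknown domain as the
    primary domain's.  A sidHistory SID then lands in the wrong id range."""
    domain_sid, rid = split_sid(sid)
    if rid is None:
        return None
    if domain_sid not in known:
        domain_sid = primary  # the wrong assumption
    return known[domain_sid][1] + rid


def safe_sid_to_xid(sid, known, lookup=DIRECTORY.get):
    """Map only once the SID's domain is known, resolving it if necessary.

    Returns (xid, domain_name) on success or (None, reason).  `known` is
    updated in place when a new domain is learned.  A domain the DC cannot
    resolve is refused instead of being mapped into someone else's range.
    """
    domain_sid, rid = split_sid(sid)
    if rid is None:
        return None, "domain SID, not an account"
    if domain_sid not in known:
        name = lookup(domain_sid)
        if name is None:
            return None, f"unknown domain {domain_sid}"
        # Constructed policy: give the newly learned domain the next free
        # range above everything allocated so far.
        base = max(b for _, b in known.values()) + 100000
        known[domain_sid] = (name, base)
    name, base = known[domain_sid]
    return base + rid, name


if __name__ == "__main__":
    user_sid = NEW_DOMAIN + "-66666"
    hist_sid = OLD_DOMAIN + "-77777"
    print("naive:", naive_sid_to_xid(user_sid), naive_sid_to_xid(hist_sid))
    known = dict(KNOWN_DOMAINS)
    print("safe: ", safe_sid_to_xid(user_sid, known), safe_sid_to_xid(hist_sid, known))
    print("safe, DC unreachable:",
          safe_sid_to_xid(hist_sid, dict(KNOWN_DOMAINS), lookup=lambda s: None))
```

Running it shows the naive mapping handing the sidHistory SID an id inside W4EDOM-L4's range (a collision waiting to happen), while the safe mapping either places it in the old domain's own range after resolving the domain SID, or returns a reason instead of an id when that resolution fails.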
