[PATCHES] winbindd: fix sid->xid for SID History SIDs
Ralph Böhme
slow at samba.org
Tue Mar 28 12:12:43 UTC 2017
On Tue, Mar 28, 2017 at 03:00:10PM +0300, Uri Simchoni wrote:
> On 03/28/2017 01:54 PM, Ralph Böhme wrote:
> > Hi Uri,
> > mostly lgtm, just one issue, see below.
> >
> > Fwiw, I'm currently working on another issue in sids2xids. Not really related
> > but I'm mentioning it here as you're currently having fun with the same area of
> > code.
> >
> Yeah, I figured others are working there, with recent patches by Metze
> and Volker. Another reason for me for trying to keep it small (beside
> the backporting).
>
> Another thing in TODO list is offline operation, which involves *not*
> resolving anything initially, if we're certain we know the id-mapping
> backend (and then resolving only if the backend requests us to do so).
> Are you guys working on anything similar?
Not directly.
> > Imho we should just fail early if a SID can't be resolved and refuse to provide
> > a UNIX id mapping, I have a WIP branch that does this here:
> >
>
> That's totally fine by me - I have no experience with autorid, and
> figured its ability to map anything is a feature, not a bug, so I wanted
> to keep it that way. Changing that is easy, I'll submit a V2.
no, no, please don't, just leave it broken for now. :)
> >> +static const char *
> >> +wb_get_idmap_backend_name(const struct lsa_RefDomainList *domains,
> >> + const struct lsa_TransNameArray *names,
> >> + const struct dom_sid *sids,
> >> + uint32_t idx)
> >> +{
> >> + struct dom_sid sid = sids[idx];
> >> + struct lsa_TranslatedName *n = &names->names[idx];
> >> + struct lsa_DomainInfo *info = NULL;
> >> + if (!is_domain_principal_sid(&sid)) {
> >> + /* "special" SID */
> >> + goto ret;
> >> + }
> >> +
> >> + if (sid_check_is_in_our_sam(&sid)) {
> >> + /* our domain - the lookup is always
> >> + * correct for ID mapping.
> >> + */
> >> + goto ret;
> >> + }
> >> +
> >> + sid_split_rid(&sid, NULL);
> >> + sid_append_rid(&sid, DOMAIN_RID_USERS);
> >> +
> >> + for (idx = 0; idx < names->count; ++idx) {
> >> + if (!dom_sid_equal(&sid, &sids[idx])) {
> >> + continue;
> >> + }
> >> +
> >> + /* has the DC been able to resolve
> >> + * "domain users" for same domain?
> >> + */
> >> + n = &names->names[idx];
> >> + if (lsa_SidType_to_id_type(n->sid_type) ==
> >> + ID_TYPE_NOT_SPECIFIED) {
> >> + /* default id-mapping backend */
> >> + return "";
> >> + }
> >> +
> >> + goto ret;
> >> + }
> >
> > doesn't this add O(n^2) overhead for finding the domain SID? When mapping a
> > token with a large number of groups this may be noticable.
> >
> > Maybe add_sid_to_array_unique() should be add_sid_to_array_front_unique().
> >
>
> I was thinking of having add_sid_to_array_back_unique(), because the
> code assumes that if a SID is added, it's added to the back. I didn't
> consider the O^2.
>
> I suppose I can make a pass and construct an array with just the -513
> records (hopefully just one or two of them), and then use that.
ah, another one: why would be using the domain users SID anyway? Why not just
the domain SID?
Cheerio!
-slow
More information about the samba-technical
mailing list