[PATCH] winbindd: trigger possible passdb_dsdb initialisation

Ralph Böhme slow at samba.org
Fri Mar 31 20:49:51 UTC 2017


Hi!

Another winbindd fix that hit me when untangling the sids2xids code:
<https://bugzilla.samba.org/show_bug.cgi?id=12729>

---8<---
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
---8<---

Please review & push if ok. Thanks!

Cheerio!
-slow
-------------- next part --------------
From edac3e3ece6535145e71657dc3606b1b5f10b5f2 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 29 Mar 2017 11:13:46 +0200
Subject: [PATCH] winbindd: trigger possible passdb_dsdb initialisation

If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 selftest/knownfail               |  4 ----
 source3/winbindd/winbindd_util.c | 14 ++++++++++++--
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 39c7c99..ecacfad 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -220,10 +220,6 @@
 #
 ^samba4.winbind.struct.domain_info\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--user-groups
-^samba.nss.test using winbind\(s4member:local\)
 #
 # These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
 # hence we have a duplicate UID in nsswitch.
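Review bot: the commit message does not mention the four `s4member:local` entries removed from knownfail here; it only describes the SID migration, so the reader has to infer that these tests are expected to pass with the winbindd_util.c change. A sentence in the commit message naming the now-passing tests would make the link explicit. The two `samba4.winbind.struct.*` entries just above remain in the list, so it would also help to say that they are not covered by this fix.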
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index bfe6cca..8f16da7 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -795,6 +795,7 @@ static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
 bool init_domain_list(void)
 {
 	int role = lp_server_role();
+	struct pdb_domain_info *pdb_domain_info = NULL;
 	NTSTATUS status;
 
 	/* Free existing list */
@@ -806,15 +807,24 @@ bool init_domain_list(void)
 
 	/* Local SAM */
 
+	/*
+	 * In case the passdb backend is passdb_dsdb the domain SID comes from
+	 * dsdb, not from secrets.tdb. As we use the domain SID in various
+	 * places, we must ensure the domain SID is migrated from dsdb to
+	 * secrets.tdb before get_global_sam_sid() is called the first time.
+	 *
+	 * The migration is done as part of the passdb_dsdb initialisation,
+	 * calling pdb_get_domain_info() triggers it.
+	 */
+	pdb_domain_info = pdb_get_domain_info(talloc_tos());
+
 	if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
 		struct winbindd_domain *domain;
 		enum netr_SchannelType sec_chan_type;
 		const char *account_name;
 		struct samr_Password current_nt_hash;
-		struct pdb_domain_info *pdb_domain_info;
 		bool ok;
 
-		pdb_domain_info = pdb_get_domain_info(talloc_tos());
 		if (pdb_domain_info == NULL) {
 			DEBUG(0, ("Failed to fetch our own, local AD "
 				"domain info from sam.ldb\n"));
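Review bot: the hoisted `pdb_get_domain_info(talloc_tos())` call now runs for every server role, but in the lines shown its result is still only checked for NULL inside the `role == ROLE_ACTIVE_DIRECTORY_DC` branch. For the other roles a NULL return is silently ignored, and a successful return is used only for its side effect while staying allocated on the talloc_tos() stackframe. Please say in the new comment that the return value is deliberately ignored outside the DC role (or add a debug message when it is NULL there), and consider a `TALLOC_FREE(pdb_domain_info)` on the non-DC paths.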
-- 
2.9.3


