[PATCH] winbindd: trigger possible passdb_dsdb initialisation

Jeremy Allison jra at samba.org
Fri Mar 31 23:17:40 UTC 2017


On Fri, Mar 31, 2017 at 10:49:51PM +0200, Ralph Böhme via samba-technical wrote:
> Hi!
> 
> Another winbindd fix that hit me when untangling the sids2xids code:
> <https://bugzilla.samba.org/show_bug.cgi?id=12729>
> 
> ---8<---
> If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
> from secrets.tdb. As we use the domain SID in various places, we must
> ensure the domain SID is migrated from dsdb to secrets.tdb before
> get_global_sam_sid() is called the first time.
> 
> The migration is done as part of the passdb_dsdb initialisation, calling
> pdb_get_domain_info() triggers it.
> ---8<---
> 
> Please review & push if ok. Thanks!

Took me a while to understand but I got there :-). Love the
removal of the knownfails !

RB+. Pushed.

Jeremy.


> From edac3e3ece6535145e71657dc3606b1b5f10b5f2 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Wed, 29 Mar 2017 11:13:46 +0200
> Subject: [PATCH] winbindd: trigger possible passdb_dsdb initialisation
> 
> If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
> from secrets.tdb. As we use the domain SID in various places, we must
> ensure the domain SID is migrated from dsdb to secrets.tdb before
> get_global_sam_sid() is called the first time.
> 
> The migration is done as part of the passdb_dsdb initialisation, calling
> pdb_get_domain_info() triggers it.
> 
> Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
> 
> Signed-off-by: Ralph Boehme <slow at samba.org>
> ---
>  selftest/knownfail               |  4 ----
>  source3/winbindd/winbindd_util.c | 14 ++++++++++++--
>  2 files changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/selftest/knownfail b/selftest/knownfail
> index 39c7c99..ecacfad 100644
> --- a/selftest/knownfail
> +++ b/selftest/knownfail
> @@ -220,10 +220,6 @@
>  #
>  ^samba4.winbind.struct.domain_info\(s4member:local\)
>  ^samba4.winbind.struct.getdcname\(s4member:local\)
> -^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
> -^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
> -^samba.wbinfo_simple.\(s4member:local\).--user-groups
> -^samba.nss.test using winbind\(s4member:local\)
>  #
>  # These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
>  # hence we have a duplicate UID in nsswitch.
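Review bot: the four s4member:local entries removed from selftest/knownfail (wbinfo -r, wbinfo --user-sids, --user-groups and the nss test) are not mentioned in the commit message, which only describes the SID migration. A sentence stating that these tests pass once init_domain_list() triggers the passdb_dsdb initialisation would tie the knownfail cleanup to the fix for anyone reading the history later.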
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index bfe6cca..8f16da7 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -795,6 +795,7 @@ static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
>  bool init_domain_list(void)
>  {
>  	int role = lp_server_role();
> +	struct pdb_domain_info *pdb_domain_info = NULL;
>  	NTSTATUS status;
>  
>  	/* Free existing list */
> @@ -806,15 +807,24 @@ bool init_domain_list(void)
>  
>  	/* Local SAM */
>  
> +	/*
> +	 * In case the passdb backend is passdb_dsdb the domain SID comes from
> +	 * dsdb, not from secrets.tdb. As we use the domain SID in various
> +	 * places, we must ensure the domain SID is migrated from dsdb to
> +	 * secrets.tdb before get_global_sam_sid() is called the first time.
> +	 *
> +	 * The migration is done as part of the passdb_dsdb initialisation,
> +	 * calling pdb_get_domain_info() triggers it.
> +	 */
> +	pdb_domain_info = pdb_get_domain_info(talloc_tos());
> +
>  	if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
>  		struct winbindd_domain *domain;
>  		enum netr_SchannelType sec_chan_type;
>  		const char *account_name;
>  		struct samr_Password current_nt_hash;
> -		struct pdb_domain_info *pdb_domain_info;
>  		bool ok;
>  
> -		pdb_domain_info = pdb_get_domain_info(talloc_tos());
>  		if (pdb_domain_info == NULL) {
>  			DEBUG(0, ("Failed to fetch our own, local AD "
>  				"domain info from sam.ldb\n"));
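Review bot: pdb_get_domain_info(talloc_tos()) now runs for every server role, but in the visible lines its result is still only checked for NULL inside the "if ( role == ROLE_ACTIVE_DIRECTORY_DC )" branch. In the other roles a failed call passes silently, so a missing dsdb to secrets.tdb migration would not be noticed before get_global_sam_sid() is used. Consider logging a DEBUG message when the call returns NULL outside the DC branch, or extending the new comment to say why a NULL return can be ignored there. Since the call is made for its side effect and the visible lines use pdb_domain_info only in the DC branch, it would also help to say in the comment that the return value is intentionally unused in the other roles.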
> -- 
> 2.9.3
> 



