[PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Christof Schmitt cs at samba.org
Wed Sep 27 19:00:42 UTC 2017


On Wed, Sep 27, 2017 at 04:32:41PM +0200, Ralph Wuerthner wrote:
> Hi!
> 
> On 25.09.2017 21:30, Christof Schmitt wrote:
> >On Mon, Sep 25, 2017 at 05:14:32PM +0200, Volker Lendecke via samba-technical wrote:
> >>On Wed, Sep 13, 2017 at 12:19:28PM +0200, Ralph Wuerthner via samba-technical wrote:
> >>>please see attached patch to address the following winbind error message:
> >>>
> >>>Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886, 0,
> >>>pid=24983, effective(0, 0), real(0, 0), class=winbind]
> >>>../source3/winbindd/winbindd_group.c:45(fill_grent)
> >>>Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
> >>>Group'. Check connection to trusted domains!
> >>
> >>What about filtering S-1-2-22 in wb_getgrsid_send already?
> >
> >Something like dom_sid_in_domain(global_sid_Unix_Group, group_sid)?
> >
> >wb_getpwsid_send should also get a similar check for local users:
> >dom_sid_in_domain(global_sid_Unix_Users, user_sid)
> >
> >Christof
> 
> Please see attached patchset where I moved the check to
> wb_getgrsid_send and wb_getpwsid respectively.

Looks good to me.

Reviewed-by: Christof Schmitt <cs at samba.org>

Volker, do you agree?

Christof

> 
> -- 
> Regards
> 
>    Ralph Wuerthner

> From b381ed5dccebcf10ac2e33ffddbb8d7e53adf074 Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> Date: Tue, 26 Sep 2017 15:56:56 +0200
> Subject: [PATCH 1/2] s3:winbind: unmapped Unix groups in getgrgid must be
>  resolved locally
> 
> Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> ---
>  source3/winbindd/wb_getgrsid.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
> index acfedf6..8e0eac7 100644
> --- a/source3/winbindd/wb_getgrsid.c
> +++ b/source3/winbindd/wb_getgrsid.c
> @@ -53,6 +53,12 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
>  	state->ev = ev;
>  	state->max_nesting = max_nesting;
>  
> +	if (dom_sid_in_domain(&global_sid_Unix_Groups, group_sid)) {
> +		/* unmapped Unix groups must be resolved locally */
> +		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> +		return tevent_req_post(req, ev);
> +	}
> +
>  	if (lp_winbind_trusted_domains_only()) {
>  		struct winbindd_domain *our_domain = find_our_domain();
>  
> -- 
> 2.7.4
> 
> 
> From bbd9b0420b691caf9dcb452bc7abe4add1370953 Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> Date: Tue, 26 Sep 2017 15:57:53 +0200
> Subject: [PATCH 2/2] s3:winbind: unmapped Unix users must be resolved locally
> 
> Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> ---
>  source3/winbindd/wb_getpwsid.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
> index 8c764f7..9b3f12e 100644
> --- a/source3/winbindd/wb_getpwsid.c
> +++ b/source3/winbindd/wb_getpwsid.c
> @@ -47,6 +47,12 @@ struct tevent_req *wb_getpwsid_send(TALLOC_CTX *mem_ctx,
>  	state->ev = ev;
>  	state->pw = pw;
>  
> +	if (dom_sid_in_domain(&global_sid_Unix_Users, user_sid)) {
> +		/* unmapped Unix users must be resolved locally */
> +		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> +		return tevent_req_post(req, ev);
> +	}
> +
>  	subreq = wb_queryuser_send(state, ev, &state->sid);
>  	if (tevent_req_nomem(subreq, req)) {
>  		return tevent_req_post(req, ev);
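
Review bot: The new check in wb_getpwsid_send tests user_sid, while the very next statement passes &state->sid to wb_queryuser_send. If state->sid has already been filled from user_sid above this hunk, test the same variable in both places; otherwise add a short comment on why the parameter is checked before the copy. The block is also a line-for-line twin of the one added in wb_getgrsid.c, and the subject line, unlike 1/2, does not name the lookup it affects; a one-line commit body saying so would make the pair consistent.
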
> -- 
> 2.7.4
> 



