[PATCHES] winbindd: fix sid->xid for SID History SIDs
Ralph Böhme
slow at samba.org
Mon Apr 10 17:24:27 UTC 2017
On Fri, Apr 07, 2017 at 09:23:43PM +0300, Uri Simchoni wrote:
> On 04/07/2017 08:32 PM, Ralph Böhme wrote:
> > On Mon, Apr 03, 2017 at 07:50:08AM +0300, Uri Simchoni via samba-technical wrote:
> >> Hi,
> >>
> >> Here's a V2 of the patch set.
> >
> > just fyi, I have this on my list.
> >
> > -slow
> >
> Thanks.
> Here's a rebased patch set, with 4/6 adapted to the recent change in
> wb_lookupsids_bulk(). Otherwise the same.
looks like this still has the O(N^2) performance issue I mentioned or did I miss
anything?
Besides that, attached is a simple fix for sids2xids on-top of my proposed
cleanup for wb_lookupsids [1] that should already address the SID-history if the
domain is still around.
Your patch could go on-top as a more complete patch for the case that the
"historic domain" is behind a one-way trust (where we don't have the domain in
our list of trusted domains).
Thoughts?
-slow
[1] <https://lists.samba.org/archive/samba-technical/2017-April/119944.html>
-------------- next part --------------
From 7e377362383a1b15e9d2f69a379f0129d4cd89c0 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 10 Apr 2017 14:28:18 +0200
Subject: [PATCH] winbindd: only use the domain name from lookup sids if the
domain matches
With the use of sIDHistory it happens that two sids map to the same name:
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)
On the net it looks like this:
lsa_LookupSids: struct lsa_LookupSids
in: struct lsa_LookupSids
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000002 (2)
sids : *
sids: ARRAY(2)
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351-1115
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-3293503978-489118715-2763867031-1106
names : *
names: struct lsa_TransNameArray
count : 0x00000000 (0)
names : NULL
level : LSA_LOOKUP_NAMES_ALL (1)
count : *
count : 0x00000000 (0)
lsa_LookupSids: struct lsa_LookupSids
out: struct lsa_LookupSids
domains : *
domains : *
domains: struct lsa_RefDomainList
count : 0x00000001 (1)
domains : *
domains: ARRAY(1)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'DOMAIN2'
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351
max_size : 0x00000020 (32)
names : *
names: struct lsa_TransNameArray
count : 0x00000002 (2)
names : *
names: ARRAY(7)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000000 (0)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000000 (0)
count : *
count : 0x00000002 (2)
result : NT_STATUS_OK
So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has
S-1-5-21-1387724271-3540671778-1971508351 in referenced lsa_DomainInfo
structure. In that case we should not use the domain name from lsa_DomainInfo,
because we would use the wrong idmap backend.
For the case where the domain part of the sIDHistory sid is a still existing
domain, which can be found our internal list of trusted domains, we now use the
correct idmap backend: the idmap domain from the historic SID.
If the historic domain does no longer exist, we will fallback to the default
idmap domain.
The next step would be doing a lookup sid call for the domain sid, which may
help with one-way trusts.
The long term goal needs to be that idmap backends are based on sids only and
only the smb.conf allows names to be used which will be converted to sids on
startup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/winbindd/wb_sids2xids.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index dc90bdf..b8ad300 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -194,9 +194,13 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
if (n->sid_index != UINT32_MAX) {
const struct lsa_DomainInfo *info;
+ bool match;
info = &domains->domains[n->sid_index];
- domain_name = info->name.string;
+ match = dom_sid_in_domain(info->sid, sid);
+ if (match) {
+ domain_name = info->name.string;
+ }
}
if (domain_name == NULL) {
struct winbindd_domain *wb_domain = NULL;
--
2.9.3
More information about the samba-technical
mailing list