[PATCH] winbindd: trigger possible passdb_dsdb initialisation
Jeremy Allison
jra at samba.org
Fri Mar 31 23:17:40 UTC 2017
On Fri, Mar 31, 2017 at 10:49:51PM +0200, Ralph Böhme via samba-technical wrote:
> Hi!
>
> Another winbindd fix that hit me when untangling the sids2xids code:
> <https://bugzilla.samba.org/show_bug.cgi?id=12729>
>
> ---8<---
> If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
> from secrets.tdb. As we use the domain SID in various places, we must
> ensure the domain SID is migrated from dsdb to secrets.tdb before
> get_global_sam_sid() is called the first time.
>
> The migration is done as part of the passdb_dsdb initialisation, calling
> pdb_get_domain_info() triggers it.
> ---8<---
>
> Please review & push if ok. Thanks!
Took me a while to understand but I got there :-). Love the
removal of the knownfails!
RB+. Pushed.
Jeremy.
> From edac3e3ece6535145e71657dc3606b1b5f10b5f2 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Wed, 29 Mar 2017 11:13:46 +0200
> Subject: [PATCH] winbindd: trigger possible passdb_dsdb initialisation
>
> If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
> from secrets.tdb. As we use the domain SID in various places, we must
> ensure the domain SID is migrated from dsdb to secrets.tdb before
> get_global_sam_sid() is called the first time.
>
> The migration is done as part of the passdb_dsdb initialisation, calling
> pdb_get_domain_info() triggers it.
>
> Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
>
> Signed-off-by: Ralph Boehme <slow at samba.org>
> ---
> selftest/knownfail | 4 ----
> source3/winbindd/winbindd_util.c | 14 ++++++++++++--
> 2 files changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/selftest/knownfail b/selftest/knownfail
> index 39c7c99..ecacfad 100644
> --- a/selftest/knownfail
> +++ b/selftest/knownfail
> @@ -220,10 +220,6 @@
> #
> ^samba4.winbind.struct.domain_info\(s4member:local\)
> ^samba4.winbind.struct.getdcname\(s4member:local\)
> -^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
> -^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
> -^samba.wbinfo_simple.\(s4member:local\).--user-groups
> -^samba.nss.test using winbind\(s4member:local\)
> #
> # These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
> # hence we have a duplicate UID in nsswitch.
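Review bot: The four s4member:local entries removed from selftest/knownfail (wbinfo -r, wbinfo --user-sids, --user-groups and the nss test) are not mentioned in the commit message, so the log does not record that these tests are expected to pass because of the winbindd_util.c change. Suggest adding one sentence to the commit message that ties the removed entries to the fix. The two samba4.winbind.struct entries directly above them remain listed, and it would help to say whether they are out of scope for this bug.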
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index bfe6cca..8f16da7 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -795,6 +795,7 @@ static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
> bool init_domain_list(void)
> {
> int role = lp_server_role();
> + struct pdb_domain_info *pdb_domain_info = NULL;
> NTSTATUS status;
>
> /* Free existing list */
> @@ -806,15 +807,24 @@ bool init_domain_list(void)
>
> /* Local SAM */
>
> + /*
> + * In case the passdb backend is passdb_dsdb the domain SID comes from
> + * dsdb, not from secrets.tdb. As we use the domain SID in various
> + * places, we must ensure the domain SID is migrated from dsdb to
> + * secrets.tdb before get_global_sam_sid() is called the first time.
> + *
> + * The migration is done as part of the passdb_dsdb initialisation,
> + * calling pdb_get_domain_info() triggers it.
> + */
> + pdb_domain_info = pdb_get_domain_info(talloc_tos());
> +
> if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
> struct winbindd_domain *domain;
> enum netr_SchannelType sec_chan_type;
> const char *account_name;
> struct samr_Password current_nt_hash;
> - struct pdb_domain_info *pdb_domain_info;
> bool ok;
>
> - pdb_domain_info = pdb_get_domain_info(talloc_tos());
> if (pdb_domain_info == NULL) {
> DEBUG(0, ("Failed to fetch our own, local AD "
> "domain info from sam.ldb\n"));
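Review bot: The NULL check on pdb_domain_info stays inside the ROLE_ACTIVE_DIRECTORY_DC branch, so for every other role the result of the hoisted pdb_get_domain_info(talloc_tos()) call is never examined and a failure is neither logged nor handled. If the call is made there only for its initialisation side effect, the new comment should say that the return value is deliberately ignored outside the DC branch, or a DEBUG message should be emitted when it returns NULL, since the comment itself states that the migration must have happened before get_global_sam_sid() is first called.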
> --
> 2.9.3
>