authorVolker Lendecke <vlendec@samba.org>2004-07-22 13:08:13 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:52:15 -0500
commitd810ffe58e9c6b3b71336f59b899012af9137fe7 (patch)
tree8cb791e2b7b6e5603345ac08eef6d85dc07e2ce6
parent77e12fe6cb492b6622bee9fdd1d170f12d3d90b6 (diff)
r1562: Make winbind for -S (sid->uid) and -Y (sid->gid) check whether the sid
requested actually is of type asked for. I've come across more than one installation where a group sid had ended up as a uid in idmap and vice versa. This just closes one possible path to this misconfiguration; people are actually using wbinfo. Volker (This used to be commit acfbd34025c2fde3d6a3e582c120c2b9de8ed39b)
-rw-r--r--source3/nsswitch/wbinfo.c41
1 files changed, 41 insertions, 0 deletions
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index b6a09bf2a1..0028982d20 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -398,6 +398,27 @@ static BOOL wbinfo_sid_to_uid(char *sid)
ZERO_STRUCT(request);
ZERO_STRUCT(response);
+ /* First see whether the SID is actually a user -- otherwise
+ * winbind might end up a uid number for a group SID and this
+ * is asking for trouble later. */
+
+ fstrcpy(request.data.sid, sid);
+
+ if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("Could not lookup sid %s\n", sid);
+ return False;
+ }
+
+ if (response.data.name.type != SID_NAME_USER) {
+ d_printf("SID is of type %s\n",
+ sid_type_lookup(response.data.name.type));
+ return False;
+ }
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
/* Send request */
fstrcpy(request.data.sid, sid);
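Review bot: The type check added at the top of wbinfo_sid_to_uid is enforced only in the wbinfo client, so as far as this hunk shows the daemon-side sid->uid request still accepts a group SID from any other caller. The added comment should say so, for example `/* Client-side sanity check only: winbindd itself does not reject a non-user SID here. */`, so nobody reads it as the authoritative guard for idmap. The lookup and the mapping are also two separate requests, so the type is not guaranteed to still hold when the second request is served. The failure message would be easier to act on if it named the SID and the expected type: `d_printf("SID %s is of type %s, expected a user\n", sid, sid_type_lookup(response.data.name.type));`. The function body starts and ends outside the hunk.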
@@ -421,6 +442,26 @@ static BOOL wbinfo_sid_to_gid(char *sid)
ZERO_STRUCT(request);
ZERO_STRUCT(response);
+ /* First see whether the SID is actually a group -- otherwise
+ * winbind might end up a gid number for a user SID and this
+ * is asking for trouble later. */
+
+ fstrcpy(request.data.sid, sid);
+
+ if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("Could not lookup sid %s\n", sid);
+ return False;
+ }
+
+ if ((response.data.name.type != SID_NAME_DOM_GRP) &&
+ (response.data.name.type != SID_NAME_ALIAS) &&
+ (response.data.name.type != SID_NAME_WKN_GRP)) {
+ d_printf("SID is of type %s\n",
+ sid_type_lookup(response.data.name.type));
+ return False;
+ }
+
/* Send request */
fstrcpy(request.data.sid, sid);
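Review bot: The added block in wbinfo_sid_to_gid falls straight through to `/* Send request */` without clearing `request` and `response` again, unlike the same block in wbinfo_sid_to_uid. The second request is therefore built on top of the WINBINDD_LOOKUPSID structures, and `response` still holds the lookup's name and type if the next call fails to fill it completely. Add `ZERO_STRUCT(request);` and `ZERO_STRUCT(response);` after the type check so both functions behave the same. The two pre-checks are otherwise near-duplicates and could share one static helper that takes the accepted SID types. The function body continues outside the hunk.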