authorSimo Sorce <idra@samba.org>2006-12-16 18:13:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:33 -0500
commitb1de1a6eabcb565cb37307df3a0cf63697ca0dce (patch)
treec323a91e0da39562e878ffede9fcb3f097bb1d24
parent55e70f69871f43328cc05104c150f76212eb369a (diff)
r20216: Fix fallback code.
A reversed check made it impossible to fall back to the Unix Domain mapping code. Also fix a potential use of a freed array. Jerry, my tests show that this code now correctly handles the fallback to Unix Domain when our Domain member is asked for a mapped group that has a unix name different from the Windows name against a Samba DC and we do not use winbindd but share users/groups by other means (ldap / sync of passwd and group files). Immediate Fix would be to discuss if we should answer back when DOMAIN\unixgroup -> SID is asked for, in the case the unixgroup name is mapped to a different name. IE: DOMAIN\Domain Admins -> ntadmins. Currently if we are asked for "DOMAIN\Domain Admins" we return the dom admins SID. If we are asked for "DOMAIN\ntadmins" we return "not found", but we may consider to return the Domain admins SID in this case too. Comments are welcome on this point! Long term fix I think is the unixinfo pipe and of course an idmap_unixinfo module. Simo. (This used to be commit 07bdbb4c215461a721f9b608bd375387b96ababb)
-rw-r--r--source3/nsswitch/idmap.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/source3/nsswitch/idmap.c b/source3/nsswitch/idmap.c
index 42e3f7abb0..e2d2712f48 100644
--- a/source3/nsswitch/idmap.c
+++ b/source3/nsswitch/idmap.c
@@ -791,6 +791,7 @@ static NTSTATUS idmap_backends_set_mapping(const struct id_map *map)
static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
{
struct idmap_domain *dom;
+ struct id_map **unmapped;
struct id_map **_ids;
TALLOC_CTX *ctx;
NTSTATUS ret;
@@ -819,8 +820,8 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
_ids[i]->mapped = False;
}
+ unmapped = NULL;
for (n = num_domains-1; n >= 0; n--) { /* cycle backwards */
- struct id_map **unmapped = NULL;
dom = idmap_domains[n];
@@ -829,7 +830,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
ret = dom->methods->unixids_to_sids(dom, _ids);
IDMAP_CHECK_RET(ret);
- TALLOC_FREE(unmapped);
+ unmapped = NULL;
for (i = 0, u = 0; _ids[i]; i++) {
if (_ids[i]->mapped == False) {
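Review bot: The `unmapped = NULL;` that replaces `TALLOC_FREE(unmapped)` should carry a comment explaining why the array is deliberately not freed at this point. At the end of the previous pass `_ids = unmapped;` makes `_ids` an alias of that array, and the scan directly below reads `_ids[i]`, so a free here is the use of a freed array the commit message mentions. I would add `/* _ids aliases the previous unmapped array; drop the reference only, the memory goes away with its talloc parent */`. The allocation of `unmapped` is outside this hunk, so it is worth confirming that it is parented to `ctx` (or another context released on every exit path); otherwise each pass now leaks one array. The function body starts and ends outside the hunk.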
@@ -842,27 +843,28 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
if (unmapped) {
/* terminate the unmapped list */
unmapped[u] = NULL;
- } else { /* no more unmapped entries, get out */
+ } else { /* no more entries, get out */
break;
}
_ids = unmapped;
+
}
- if (!_ids) {
+ if (unmapped) {
/* there are still unmapped ids, map them to the unix users/groups domains */
- for (i = 0; _ids[i]; i++) {
- switch (_ids[i]->xid.type) {
+ for (i = 0; unmapped[i]; i++) {
+ switch (unmapped[i]->xid.type) {
case ID_TYPE_UID:
- uid_to_unix_users_sid((uid_t)_ids[i]->xid.id, _ids[i]->sid);
- _ids[i]->mapped = True;
+ uid_to_unix_users_sid((uid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+ unmapped[i]->mapped = True;
break;
case ID_TYPE_GID:
- gid_to_unix_groups_sid((gid_t)_ids[i]->xid.id, _ids[i]->sid);
- _ids[i]->mapped = True;
+ gid_to_unix_groups_sid((gid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+ unmapped[i]->mapped = True;
break;
default: /* what?! */
- _ids[i]->mapped = False;
+ unmapped[i]->mapped = False;
break;
}
}
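Review bot: The new `if (unmapped)` guard skips the Unix users/groups fallback whenever the domain loop body never runs, because `unmapped` is then still the NULL assigned before the loop. Whether `num_domains` can be 0 on entry is not visible here, but if it can, every entry leaves with `mapped = False` and no SID. Seeding the pointer with `unmapped = _ids;` before the loop instead of NULL would cover that case, since the in-loop reset after the backend call still clears it on every pass, provided no path through the loop body (part of which lies between the hunks) bypasses that reset. Separately, the `default:` arm leaves an entry unmapped without a trace; a `DEBUG` line naming the unexpected `xid.type` would make such requests visible in the logs. The function continues past the end of this hunk.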