authorGerald Carter <jerry@samba.org>2007-04-19 22:26:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:30 -0500
commit36da6cb5847df2754e8f9223e0784da6013c572b (patch)
treee0c3e6fe06c658ddae8f0d947482e0bdb3657e6c /source3/nsswitch/idmap_rid.c
parentdc90cd89a7fef3b0a744ef1873193cf2c9d75cad (diff)
r22390: Patchset sent to samba-technical to address the winbind
loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fill in the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify its type. (This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b)
Diffstat (limited to 'source3/nsswitch/idmap_rid.c')
-rw-r--r--source3/nsswitch/idmap_rid.c86
1 files changed, 9 insertions, 77 deletions
diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c
index 298d6fed35..8e016879b8 100644
--- a/source3/nsswitch/idmap_rid.c
+++ b/source3/nsswitch/idmap_rid.c
@@ -37,7 +37,7 @@ struct idmap_rid_context {
we support multiple domains in the new idmap
*****************************************************************************/
-static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compat_params)
+static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom)
{
NTSTATUS ret;
struct idmap_rid_context *ctx;
@@ -86,9 +86,6 @@ failed:
static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map)
{
- const char *domname, *name;
- enum lsa_SidType sid_type;
- BOOL ret;
struct winbindd_domain *domain;
/* apply filters before checking */
@@ -104,45 +101,9 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context
sid_compose(map->sid, &domain->sid, map->xid.id - ctx->low_id + ctx->base_rid);
- /* by default calls to winbindd are disabled
- the following call will not recurse so this is safe */
- winbind_on();
- ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type);
- winbind_off();
-
- if (ret) {
- switch (sid_type) {
- case SID_NAME_USER:
- if (map->xid.type != ID_TYPE_UID) {
- /* wrong type */
- map->status = ID_UNMAPPED;
- DEBUG(5, ("Resulting SID is of wrong ID type\n"));
- return NT_STATUS_NONE_MAPPED;
- }
- break;
- case SID_NAME_DOM_GRP:
- case SID_NAME_ALIAS:
- case SID_NAME_WKN_GRP:
- if (map->xid.type != ID_TYPE_GID) {
- /* wrong type */
- map->status = ID_UNMAPPED;
- DEBUG(5, ("Resulting SID is of wrong ID type\n"));
- return NT_STATUS_NONE_MAPPED;
- }
- break;
- default:
- /* invalid sid?? */
- map->status = ID_UNKNOWN;
- DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid)));
- return NT_STATUS_NONE_MAPPED;
- }
- } else {
- /* TODO: how do we known if the lookup was negative
- * or something just failed? */
- map->status = ID_UNMAPPED;
- DEBUG(2, ("Failed: to resolve SID\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ /* We **really** should have some way of validating
+ the SID exists and is the correct type here. But
+ that is a deficiency in the idmap_rid design. */
map->status = ID_MAPPED;
@@ -155,46 +116,13 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context
static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map)
{
- const char *domname, *name;
- enum lsa_SidType sid_type;
uint32_t rid;
- BOOL ret;
sid_peek_rid(map->sid, &rid);
map->xid.id = rid - ctx->base_rid + ctx->low_id;
- /* by default calls to winbindd are disabled
- the following call will not recurse so this is safe */
- winbind_on();
- /* check if this is a valid SID and set the type */
- ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type);
- winbind_off();
-
- if (ret) {
- switch (sid_type) {
- case SID_NAME_USER:
- map->xid.type = ID_TYPE_UID;
- break;
- case SID_NAME_DOM_GRP:
- case SID_NAME_ALIAS:
- case SID_NAME_WKN_GRP:
- map->xid.type = ID_TYPE_GID;
- break;
- default:
- /* invalid sid, let's just leave it unmapped */
- DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid)));
- map->status = ID_UNKNOWN;
- return NT_STATUS_NONE_MAPPED;
- }
- } else {
- /* TODO: how do we known if the lookup was negative
- * or something just failed? */
- map->status = ID_UNMAPPED;
- DEBUG(2, ("Failed: to resolve SID\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
/* apply filters before returning result */
+
if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) {
DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
map->xid.id, ctx->low_id, ctx->high_id));
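Review bot: With the winbind_lookup_sid() call removed, the result of `sid_peek_rid(map->sid, &rid);` is consumed unchecked, so a SID with no sub-authorities would leave `rid` uninitialized (it is declared without an initializer a few lines up) and the low_id/high_id range filter becomes the only guard on the computed id; the lookup used to reject such SIDs before they reached the arithmetic. Assuming sid_peek_rid reports failure through its return value like the other SID helpers, the guard is `if (!sid_peek_rid(map->sid, &rid)) { map->status = ID_UNMAPPED; return NT_STATUS_NONE_MAPPED; }` placed before the assignment to map->xid.id. The new code also never sets map->xid.type, so any in-range RID is accepted as whatever type the caller filled in, and the added comment could state that rather than only regretting it, e.g. `/* map->xid.type is supplied by the caller; this backend cannot confirm the RID names a user or a group. */` (the same wording fits the identical comment added in the next hunk). After this change memctx appears unused in both idmap_rid_sid_to_id and idmap_rid_id_to_sid, which the earlier hunks leave in their signatures; the tail of idmap_rid_sid_to_id continues in the following hunk.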
@@ -202,6 +130,10 @@ static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context
return NT_STATUS_NONE_MAPPED;
}
+ /* We **really** should have some way of validating
+ the SID exists and is the correct type here. But
+ that is a deficiency in the idmap_rid design. */
+
map->status = ID_MAPPED;
return NT_STATUS_OK;