diff options
Diffstat (limited to 'source3/nsswitch/idmap_rid.c')
-rw-r--r-- | source3/nsswitch/idmap_rid.c | 86 |
1 files changed, 9 insertions, 77 deletions
diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c index 298d6fed35..8e016879b8 100644 --- a/source3/nsswitch/idmap_rid.c +++ b/source3/nsswitch/idmap_rid.c @@ -37,7 +37,7 @@ struct idmap_rid_context { we support multiple domains in the new idmap *****************************************************************************/ -static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compat_params) +static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom) { NTSTATUS ret; struct idmap_rid_context *ctx; @@ -86,9 +86,6 @@ failed: static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) { - const char *domname, *name; - enum lsa_SidType sid_type; - BOOL ret; struct winbindd_domain *domain; /* apply filters before checking */ @@ -104,45 +101,9 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context sid_compose(map->sid, &domain->sid, map->xid.id - ctx->low_id + ctx->base_rid); - /* by default calls to winbindd are disabled - the following call will not recurse so this is safe */ - winbind_on(); - ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type); - winbind_off(); - - if (ret) { - switch (sid_type) { - case SID_NAME_USER: - if (map->xid.type != ID_TYPE_UID) { - /* wrong type */ - map->status = ID_UNMAPPED; - DEBUG(5, ("Resulting SID is of wrong ID type\n")); - return NT_STATUS_NONE_MAPPED; - } - break; - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - case SID_NAME_WKN_GRP: - if (map->xid.type != ID_TYPE_GID) { - /* wrong type */ - map->status = ID_UNMAPPED; - DEBUG(5, ("Resulting SID is of wrong ID type\n")); - return NT_STATUS_NONE_MAPPED; - } - break; - default: - /* invalid sid?? */ - map->status = ID_UNKNOWN; - DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid))); - return NT_STATUS_NONE_MAPPED; - } - } else { - /* TODO: how do we known if the lookup was negative - * or something just failed? */ - map->status = ID_UNMAPPED; - DEBUG(2, ("Failed: to resolve SID\n")); - return NT_STATUS_UNSUCCESSFUL; - } + /* We **really** should have some way of validating + the SID exists and is the correct type here. But + that is a deficiency in the idmap_rid design. */ map->status = ID_MAPPED; @@ -155,46 +116,13 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) { - const char *domname, *name; - enum lsa_SidType sid_type; uint32_t rid; - BOOL ret; sid_peek_rid(map->sid, &rid); map->xid.id = rid - ctx->base_rid + ctx->low_id; - /* by default calls to winbindd are disabled - the following call will not recurse so this is safe */ - winbind_on(); - /* check if this is a valid SID and set the type */ - ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type); - winbind_off(); - - if (ret) { - switch (sid_type) { - case SID_NAME_USER: - map->xid.type = ID_TYPE_UID; - break; - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - case SID_NAME_WKN_GRP: - map->xid.type = ID_TYPE_GID; - break; - default: - /* invalid sid, let's just leave it unmapped */ - DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid))); - map->status = ID_UNKNOWN; - return NT_STATUS_NONE_MAPPED; - } - } else { - /* TODO: how do we known if the lookup was negative - * or something just failed? */ - map->status = ID_UNMAPPED; - DEBUG(2, ("Failed: to resolve SID\n")); - return NT_STATUS_UNSUCCESSFUL; - } - /* apply filters before returning result */ + if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) { DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", map->xid.id, ctx->low_id, ctx->high_id)); @@ -202,6 +130,10 @@ static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context return NT_STATUS_NONE_MAPPED; } + /* We **really** should have some way of validating + the SID exists and is the correct type here. But + that is a deficiency in the idmap_rid design. */ + map->status = ID_MAPPED; return NT_STATUS_OK; |