From 8f8e843267636b5fea076014980031afc2c0a7b4 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Fri, 26 Jul 2013 12:26:30 +0200
Subject: s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list

This presents a potential security problem when ACLs contain DENY ACEs.

Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Michael Adam
Signed-off-by: Stefan Metzmacher
Autobuild-User(master): Michael Adam
Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
---
 source3/winbindd/winbindd_getgroups.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 445de3dcd9..b899bebe17 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -174,10 +174,16 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 for (i=0; i < state->num_sids; i++) {
 bool include_gid = false;
+ const char *debug_missing = NULL;
 switch (xids[i].type) {
 case ID_TYPE_NOT_SPECIFIED:
+ debug_missing = "not specified";
+ break;
 case ID_TYPE_UID:
+ if (i != 0) {
+ debug_missing = "uid";
+ }
 break;
 case ID_TYPE_GID:
 case ID_TYPE_BOTH:
@@ -186,6 +192,18 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 }
 if (!include_gid) {
+ if (debug_missing == NULL) {
+ continue;
+ }
+
+ DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+ "from group list because the idmap type "
+ "is %s. "
+ "This might be a security problem when ACLs "
+ "contain DENY ACEs!\n",
+ (unsigned)xids[i].id,
+ sid_string_tos(&state->sids[i]),
+ debug_missing));
 continue;
 }
-- cgit
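Review bot: The `i != 0` exemption in the `ID_TYPE_UID` case is unexplained, so a reader cannot tell why a uid mapping at index 0 is skipped silently while every other one is reported. Presumably `state->sids[0]` is the user's own SID, where a uid mapping is the expected result; if that is the invariant, a comment above the `if` such as `/* sids[0] is the user's own SID; a uid mapping is expected there */` would record it. The switch continues past the end of this hunk, so it is not visible whether a `default:` label exists. Without one, any other `ID_TYPE_*` value would leave `debug_missing` as NULL and the SID would be dropped from the GID list with no log line.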
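Review bot: The warning is emitted at `DEBUG(10, ...)`, so a server running at a normal low log level never records that a group SID was left out of the user's GID list. That is the very case the message text calls a possible security problem with DENY ACEs. Consider a level that production logging captures, for example `DEBUG(1, ("WARNING: skipping unix id (%u) for sid %s "`, bearing in mind that this path runs on every getgroups request and could be noisy on a misconfigured idmap. For the `ID_TYPE_NOT_SPECIFIED` branch the printed `xids[i].id` is probably not a meaningful unix id, so the "unix id (%u)" wording may mislead whoever reads the log. The loop body continues after this hunk.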