From ced5c1f9aa525addf4c0a4649fdbeb36128157e7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 20 Dec 2006 17:56:26 +0000 Subject: r20289: IDMAP is part of winbind but not the main process. Make sure we route all request to remote DCs via the main process so that IDMAP can correctly reuse DC connections and use the async interface. This fixes also idmap_nss so that it is able to resolve local group names (requires patch on the samba dc earlier committed to SAMBA_3_0 to make it resolve both the mapped and the unmapped name). Simo. (This used to be commit 4297510f22c3fd60afd062e3c5eb142be2122b16) --- source3/nsswitch/idmap.c | 11 +++++++-- source3/nsswitch/idmap_nss.c | 53 +++++++++++++++++++------------------------- source3/nsswitch/idmap_rid.c | 22 ++++++++++++++---- 3 files changed, 50 insertions(+), 36 deletions(-) diff --git a/source3/nsswitch/idmap.c b/source3/nsswitch/idmap.c index e2d2712f48..bd81d1e83f 100644 --- a/source3/nsswitch/idmap.c +++ b/source3/nsswitch/idmap.c @@ -707,16 +707,23 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map) { NTSTATUS ret; struct idmap_domain *dom; - char *domname, *name; + const char *domname, *name; enum lsa_SidType sid_type; + BOOL wbret; ret = idmap_can_map(map, &dom); if ( ! NT_STATUS_IS_OK(ret)) { return NT_STATUS_NONE_MAPPED; } + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + winbind_on(); + wbret =winbind_lookup_sid(ctx, map->sid, &domname, &name, &sid_type); + winbind_off(); + /* check if this is a valid SID and then map it */ - if (winbindd_lookup_name_by_sid(ctx, map->sid, &domname, &name, &sid_type)) { + if (wbret) { switch (sid_type) { case SID_NAME_USER: ret = idmap_allocate_uid(&map->xid); diff --git a/source3/nsswitch/idmap_nss.c b/source3/nsswitch/idmap_nss.c index 2748141d3b..6c513fd120 100644 --- a/source3/nsswitch/idmap_nss.c +++ b/source3/nsswitch/idmap_nss.c 
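Review bot: The `winbind_on(); ... winbind_off();` pair around `winbind_lookup_sid()` in idmap_new_mapping always leaves winbindd calls disabled on return, whatever state the caller had; the comment's "by default calls to winbindd are disabled" is an assumption the code does not check. The code this commit removes from idmap_nss.c preserved the caller's state with `winbind_env_set()`, and the same can be kept here with `BOOL wb_was_off = winbind_env_set();` before the call and `if (wb_was_off) winbind_off();` after it. The identical unconditional pair appears in idmap_nss_unixids_to_sids, idmap_nss_sids_to_unixids, idmap_rid_id_to_sid and idmap_rid_sid_to_id, so one small static helper would keep all five sites consistent. `wbret =winbind_lookup_sid(` also lacks a space after `=`. The function body continues past the end of the hunk.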
@@ -43,7 +43,6 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma { TALLOC_CTX *ctx; struct winbindd_domain *wdom; - BOOL winbind_env; int i; wdom = find_lookup_domain_from_name(dom->name); @@ -51,6 +50,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma DEBUG(2, ("Can't lookup domain %s\n", dom->name)); return NT_STATUS_NO_SUCH_DOMAIN; } + wdom->initialized = False; ctx = talloc_new(dom); if ( ! ctx) { @@ -58,21 +58,17 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma return NT_STATUS_NO_MEMORY; } - /* avoid any possible recursion in winbindd, - * these calls are aimed at getting info - * out of alternative nss dbs anyway */ - winbind_env = winbind_env_set(); - winbind_off(); - for (i = 0; ids[i]; i++) { struct passwd *pw; struct group *gr; const char *name; enum lsa_SidType type; + BOOL ret; switch (ids[i]->xid.type) { case ID_TYPE_UID: pw = getpwuid((uid_t)ids[i]->xid.id); + if (!pw) { ids[i]->mapped = False; continue; @@ -81,6 +77,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma break; case ID_TYPE_GID: gr = getgrgid((gid_t)ids[i]->xid.id); + if (!gr) { ids[i]->mapped = False; continue; @@ -92,8 +89,14 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma continue; } + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + winbind_on(); /* Lookup name from PDC using lsa_lookup_names() */ - if (!winbindd_lookup_sid_by_name(ctx, wdom, dom->name, name, ids[i]->sid, &type)) { + ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type); + winbind_off(); + + if (!ret) { ids[i]->mapped = False; continue; } @@ -121,10 +124,6 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma } } - /* allow winbindd calls again, if they were enabled */ - if (!winbind_env) { - winbind_on(); - } talloc_free(ctx); return NT_STATUS_OK; 
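Review bot: `wdom->initialized = False;` in idmap_nss_unixids_to_sids (hunk `@@ -51,6 +50,7 @@`) writes to the structure returned by `find_lookup_domain_from_name()` without a comment, and the new lookup `winbind_lookup_name(dom->name, name, ids[i]->sid, &type)` no longer takes `wdom` at all. In the visible hunks this write is the only remaining use of `wdom` besides the failure path above it. If that structure is shared with the rest of winbindd (not visible here), clearing its flag is a side effect on state this backend does not own. Either drop the line, or say why it is needed, e.g. `/* force re-initialisation of the domain because ... */`.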
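Review bot: `getpwuid()` and `getgrgid()` in the loop of idmap_nss_unixids_to_sids (hunk `@@ -58,21 +58,17 @@`) now depend on the caller having winbindd calls disabled, because the explicit `winbind_off()` before the loop is removed along with the comment about avoiding recursion in winbindd. From the second iteration on, the `winbind_off()` after `winbind_lookup_name()` covers them, but the first iteration is only safe if the process-wide default holds. If NSS is configured to consult winbind, a recursive call from inside winbindd is the hang the removed comment was guarding against. I would keep that invariant written down at the top of the loop, `/* winbindd calls must already be disabled here: getpwuid()/getgrgid() must not recurse into winbindd */`, or keep a single `winbind_off();` before the `for`.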
@@ -137,7 +136,6 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) { TALLOC_CTX *ctx; - BOOL winbind_env; int i; ctx = talloc_new(dom); @@ -146,20 +144,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma return NT_STATUS_NO_MEMORY; } - /* avoid any possible recursion in winbindd, - * these calls are aimed at getting info - * out of alternative nss dbs anyway */ - winbind_env = winbind_env_set(); - winbind_off(); - for (i = 0; ids[i]; i++) { struct passwd *pw; struct group *gr; enum lsa_SidType type; - char *dom_name = NULL; - char *name = NULL; + const char *dom_name = NULL; + const char *name = NULL; + BOOL ret; - if (!winbindd_lookup_name_by_sid(ctx, ids[i]->sid, &dom_name, &name, &type)) { + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + winbind_on(); + ret =winbind_lookup_sid(ctx, ids[i]->sid, &dom_name, &name, &type); + winbind_off(); + + if (!ret) { ids[i]->mapped = False; continue; } @@ -171,6 +170,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma case SID_NAME_USER: /* this will find also all lower case name and use username level */ + pw = Get_Pwnam(name); if (pw) { ids[i]->xid.id = pw->pw_uid; @@ -192,16 +192,9 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma break; default: + ids[i]->mapped = False; break; } - - TALLOC_FREE(dom_name); - TALLOC_FREE(name); - } - - /* allow winbindd calls again, if they were enabled */ - if (!winbind_env) { - winbind_on(); } talloc_free(ctx); diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c index 83818711a2..e74283e22e 100644 --- a/source3/nsswitch/idmap_rid.c +++ b/source3/nsswitch/idmap_rid.c 
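Review bot: With `TALLOC_FREE(dom_name);` and `TALLOC_FREE(name);` removed from the loop in idmap_nss_sids_to_unixids, whatever `winbind_lookup_sid(ctx, ...)` allocates for each entry stays attached to `ctx` until the `talloc_free(ctx)` after the loop. That assumes the strings are allocated on the context passed in, which the call suggests but the hunk does not show. Memory held by the function then grows with the length of `ids`, which matters if a client can ask for many SIDs in one request. A per-iteration child context (`talloc_new(ctx)` at the top of the loop body, freed on every path that leaves the iteration, including the `continue` after a failed lookup) would restore the old bound. If the lists are known to be short, a comment saying so next to `talloc_new(dom)` is enough.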
@@ -83,8 +83,9 @@ failed: static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) { - char *domname, *name; + const char *domname, *name; enum lsa_SidType sid_type; + BOOL ret; /* apply filters before checking */ if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) { @@ -95,7 +96,13 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context sid_compose(map->sid, &ctx->dom_sid, map->xid.id - ctx->low_id + ctx->base_rid); - if (winbindd_lookup_name_by_sid(memctx, map->sid, &domname, &name, &sid_type)) { + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + winbind_on(); + ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type); + winbind_off(); + + if (ret) { switch (sid_type) { case SID_NAME_USER: if (map->xid.type != ID_TYPE_UID) { @@ -134,15 +141,22 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) { - char *domname, *name; + const char *domname, *name; enum lsa_SidType sid_type; uint32_t rid; + BOOL ret; sid_peek_rid(map->sid, &rid); map->xid.id = rid - ctx->base_rid + ctx->low_id; + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + winbind_on(); /* check if this is a valid SID and set the type */ - if (winbindd_lookup_name_by_sid(memctx, map->sid, &domname, &name, &sid_type)) { + ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type); + winbind_off(); + + if (ret) { switch (sid_type) { case SID_NAME_USER: map->xid.type = ID_TYPE_UID; -- cgit
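Review bot: `sid_peek_rid(map->sid, &rid);` in idmap_rid_sid_to_id (hunk `@@ -134,15 +141,22 @@`) ignores the return value, and `rid` is declared without an initializer, so if the SID carries no RID the next line computes `map->xid.id` from an indeterminate value. The expression `rid - ctx->base_rid + ctx->low_id` also wraps for a RID below `base_rid`. idmap_rid_id_to_sid has a visible `low_id`/`high_id` filter before its lookup, while no equivalent is visible in this hunk; one may follow the switch, which runs past the end of the hunk. Since the result becomes a Unix id, I would reject both cases before the winbindd round trip: `if (!sid_peek_rid(map->sid, &rid) || rid < ctx->base_rid) return NT_STATUS_NONE_MAPPED;`, with the status adjusted to whatever the rest of the function returns for an unmappable SID.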