From 36da6cb5847df2754e8f9223e0784da6013c572b Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Thu, 19 Apr 2007 22:26:09 +0000
Subject: r22390: Patchset sent to samba-technical to address the winbind loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fillin the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify it's type.
(This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b)
---
 source3/nsswitch/idmap_rid.c | 86 +++++---------------------------------
 1 file changed, 9 insertions(+), 77 deletions(-)
(limited to 'source3/nsswitch/idmap_rid.c')
diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c
index 298d6fed35..8e016879b8 100644
--- a/source3/nsswitch/idmap_rid.c
+++ b/source3/nsswitch/idmap_rid.c
@@ -37,7 +37,7 @@ struct idmap_rid_context {
 we support multiple domains in the new idmap
 *****************************************************************************/
-static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compat_params)
+static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom)
 {
 NTSTATUS ret;
 struct idmap_rid_context *ctx;
@@ -86,9 +86,6 @@ failed:
 static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map)
 {
- const char *domname, *name;
- enum lsa_SidType sid_type;
- BOOL ret;
 struct winbindd_domain *domain;
 /* apply filters before checking */
@@ -104,45 +101,9 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context
 sid_compose(map->sid, &domain->sid, map->xid.id - ctx->low_id + ctx->base_rid);
- /* by default calls to winbindd are disabled
- the following call will not recurse so this is safe */
- winbind_on();
- ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type);
- winbind_off();
-
- if (ret) {
- switch (sid_type) {
- case SID_NAME_USER:
- if (map->xid.type != ID_TYPE_UID) {
- /* wrong type */
- map->status = ID_UNMAPPED;
- DEBUG(5, ("Resulting SID is of wrong ID type\n"));
- return NT_STATUS_NONE_MAPPED;
- }
- break;
- case SID_NAME_DOM_GRP:
- case SID_NAME_ALIAS:
- case SID_NAME_WKN_GRP:
- if (map->xid.type != ID_TYPE_GID) {
- /* wrong type */
- map->status = ID_UNMAPPED;
- DEBUG(5, ("Resulting SID is of wrong ID type\n"));
- return NT_STATUS_NONE_MAPPED;
- }
- break;
- default:
- /* invalid sid?? */
- map->status = ID_UNKNOWN;
- DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid)));
- return NT_STATUS_NONE_MAPPED;
- }
- } else {
- /* TODO: how do we known if the lookup was negative
- * or something just failed? */
- map->status = ID_UNMAPPED;
- DEBUG(2, ("Failed: to resolve SID\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ /* We **really** should have some way of validating
+ the SID exists and is the correct type here. But
+ that is a deficiency in the idmap_rid design. */
 map->status = ID_MAPPED;
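Review bot: With the lookup gone, idmap_rid_id_to_sid now fabricates a SID for every id inside [low_id, high_id] without consulting map->xid.type at all, so a uid and a gid with the same numeric value compose the identical RID and an id that was never allocated still comes back ID_MAPPED; the removed switch at least rejected the type mismatch. If nothing upstream re-validates the SID (not visible here), any caller that treats ID_MAPPED as evidence that an account exists can be handed a SID that nothing owns. The replacement comment should state that consequence rather than only that validation is missing, e.g. `/* No existence or type check: uid N and gid N yield the same RID, and any id in range maps even if no such account exists. */`, and a `DEBUG(10, ...)` noting the unverified mapping would help when diagnosing odd ownership. The enclosing function starts and ends outside the hunk.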
@@ -155,46 +116,13 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context
 static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map)
 {
- const char *domname, *name;
- enum lsa_SidType sid_type;
 uint32_t rid;
- BOOL ret;
 sid_peek_rid(map->sid, &rid);
 map->xid.id = rid - ctx->base_rid + ctx->low_id;
- /* by default calls to winbindd are disabled
- the following call will not recurse so this is safe */
- winbind_on();
- /* check if this is a valid SID and set the type */
- ret = winbind_lookup_sid(memctx, map->sid, &domname, &name, &sid_type);
- winbind_off();
-
- if (ret) {
- switch (sid_type) {
- case SID_NAME_USER:
- map->xid.type = ID_TYPE_UID;
- break;
- case SID_NAME_DOM_GRP:
- case SID_NAME_ALIAS:
- case SID_NAME_WKN_GRP:
- map->xid.type = ID_TYPE_GID;
- break;
- default:
- /* invalid sid, let's just leave it unmapped */
- DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid)));
- map->status = ID_UNKNOWN;
- return NT_STATUS_NONE_MAPPED;
- }
- } else {
- /* TODO: how do we known if the lookup was negative
- * or something just failed? */
- map->status = ID_UNMAPPED;
- DEBUG(2, ("Failed: to resolve SID\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- /* apply filters before returning result */
+
 if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) {
 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", map->xid.id, ctx->low_id, ctx->high_id));
@@ -202,6 +130,10 @@ static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context
 return NT_STATUS_NONE_MAPPED;
 }
+ /* We **really** should have some way of validating
+ the SID exists and is the correct type here. But
+ that is a deficiency in the idmap_rid design. */
+
 map->status = ID_MAPPED;
 return NT_STATUS_OK;
-- cgit
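Review bot: idmap_rid_sid_to_id no longer writes map->xid.type yet still reports ID_MAPPED, so the result carries whatever type value the caller left in the struct, and nothing in the hunk checks that the field was filled in. A guard ahead of the range filter, `if (map->xid.type != ID_TYPE_UID && map->xid.type != ID_TYPE_GID) { map->status = ID_UNMAPPED; return NT_STATUS_NONE_MAPPED; }`, turns a forgotten assignment in a caller into a clean failure instead of a typeless mapping that later code may act on. Separately, `map->xid.id = rid - ctx->base_rid + ctx->low_id;` relies on unsigned wraparound to push a RID below base_rid outside [low_id, high_id]; an explicit `if (rid < ctx->base_rid)` reject before the subtraction states the intent and does not depend on the width of xid.id. Nothing here compares the SID's domain portion with the domain this context serves — presumably the caller dispatches per domain, but that is not visible in the hunk. The function's final lines are in the following hunk.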