From d810ffe58e9c6b3b71336f59b899012af9137fe7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 22 Jul 2004 13:08:13 +0000
Subject: r1562: Make winbind for -S (sid->uid) and -Y (sid->gid) check whether the sid requested actually is of type asked for. I've come across more than one installation where a group sid had ended up as a uid in idmap and vice versa. This just closes one possible for this misconfiguration, people are actually using wbinfo. Volker (This used to be commit acfbd34025c2fde3d6a3e582c120c2b9de8ed39b)
---
 source3/nsswitch/wbinfo.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+) (limited to 'source3/nsswitch/wbinfo.c')
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index b6a09bf2a1..0028982d20 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -398,6 +398,27 @@ static BOOL wbinfo_sid_to_uid(char *sid)
 ZERO_STRUCT(request);
 ZERO_STRUCT(response);
+ /* First see whether the SID is actually a user -- otherwise
+ * winbind might end up a uid number for a group SID and this
+ * is asking for trouble later. */
+
+ fstrcpy(request.data.sid, sid);
+
+ if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("Could not lookup sid %s\n", sid);
+ return False;
+ }
+
+ if (response.data.name.type != SID_NAME_USER) {
+ d_printf("SID is of type %s\n",
+ sid_type_lookup(response.data.name.type));
+ return False;
+ }
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
 /* Send request */
 fstrcpy(request.data.sid, sid);
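Review bot: The type-mismatch message added to wbinfo_sid_to_uid, `d_printf("SID is of type %s\n", ...)`, names neither the SID nor the type that was required, so an operator converting several SIDs cannot tell from the output which one was refused or that no uid was mapped. Something like `d_printf("SID %s is of type %s, not a user\n", sid, sid_type_lookup(response.data.name.type));` makes the refusal explicit; the matching message in the wbinfo_sid_to_gid hunk has the same gap. The opening comment would also read more clearly as `winbind might end up allocating a uid number for a group SID`. The function body starts and ends outside this hunk.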
@@ -421,6 +442,26 @@ static BOOL wbinfo_sid_to_gid(char *sid)
 ZERO_STRUCT(request);
 ZERO_STRUCT(response);
+ /* First see whether the SID is actually a group -- otherwise
+ * winbind might end up a gid number for a user SID and this
+ * is asking for trouble later. */
+
+ fstrcpy(request.data.sid, sid);
+
+ if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("Could not lookup sid %s\n", sid);
+ return False;
+ }
+
+ if ((response.data.name.type != SID_NAME_DOM_GRP) &&
+ (response.data.name.type != SID_NAME_ALIAS) &&
+ (response.data.name.type != SID_NAME_WKN_GRP)) {
+ d_printf("SID is of type %s\n",
+ sid_type_lookup(response.data.name.type));
+ return False;
+ }
+
 /* Send request */
 fstrcpy(request.data.sid, sid);
-- cgit
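Review bot: Unlike the wbinfo_sid_to_uid hunk, this one does not clear `request` and `response` again after the WINBINDD_LOOKUPSID round trip, so the gid request that follows is built on structures still holding the lookup's data. Whether winbindd_request overwrites the whole response is not visible here, so the gid read later in the function may depend on that. Adding `ZERO_STRUCT(request);` and `ZERO_STRUCT(response);` after the type check, just before `/* Send request */`, keeps the two functions consistent and rules out stale fields. The function body starts and ends outside this hunk.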