| 1 |
unnilennium |
1.1 |
From 70bab87ab37d30521a65056fd6f6a3f4f8bf6716 Mon Sep 17 00:00:00 2001 |
| 2 |
|
|
From: Michael Adam <obnox@samba.org> |
| 3 |
|
|
Date: Mon, 15 Aug 2016 23:07:33 +0200 |
| 4 |
|
|
Subject: [PATCH 1/2] idmap: don't generally forbid id==0 from |
| 5 |
|
|
idmap_unix_id_is_in_range() |
| 6 |
|
|
|
| 7 |
|
|
If the range allows it, then id==0 should not be forbidden. |
| 8 |
|
|
This seems to have been taken in from idmap_ldap when the |
| 9 |
|
|
function was originally created. |
| 10 |
|
|
|
| 11 |
|
|
See 634cd2e0451d4388c3e3f78239495cf595368b15 . |
| 12 |
|
|
The other backends don't seem to have had that |
| 13 |
|
|
extra check for id == 0. |
| 14 |
|
|
|
| 15 |
|
|
The reasoning for this change is that the range check should |
| 16 |
|
|
apply to all cases. If the range includes the 0, then it |
| 17 |
|
|
should be possible to get it as result. In particular, |
| 18 |
|
|
this way, the function becomes applicable also to the |
| 19 |
|
|
passdb backend case, e.g. in a samba4-ad-dc setup where |
| 20 |
|
|
the Admin gets uid == 0. |
| 21 |
|
|
|
| 22 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 |
| 23 |
|
|
|
| 24 |
|
|
Signed-off-by: Michael Adam <obnox@samba.org> |
| 25 |
|
|
Reviewed-by: Volker Lendecke <vl@samba.org> |
| 26 |
|
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
| 27 |
|
|
(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d) |
| 28 |
|
|
--- |
| 29 |
|
|
source3/winbindd/idmap_util.c | 5 ----- |
| 30 |
|
|
1 file changed, 5 deletions(-) |
| 31 |
|
|
|
| 32 |
|
|
diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c |
| 33 |
|
|
index f90565f..b6f7b52 100644 |
| 34 |
|
|
--- a/source3/winbindd/idmap_util.c |
| 35 |
|
|
+++ b/source3/winbindd/idmap_util.c |
| 36 |
|
|
@@ -160,11 +160,6 @@ backend: |
| 37 |
|
|
*/ |
| 38 |
|
|
bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom) |
| 39 |
|
|
{ |
| 40 |
|
|
- if (id == 0) { |
| 41 |
|
|
- /* 0 is not an allowed unix id for id mapping */ |
| 42 |
|
|
- return false; |
| 43 |
|
|
- } |
| 44 |
|
|
- |
| 45 |
|
|
if ((dom->low_id && (id < dom->low_id)) || |
| 46 |
|
|
(dom->high_id && (id > dom->high_id))) |
| 47 |
|
|
{ |
| 48 |
|
|
-- |
| 49 |
|
|
2.7.4 |
| 50 |
|
|
|
| 51 |
|
|
|
| 52 |
|
|
From 739167276bc26dfc62acdd96cc9cadb5f88dd02b Mon Sep 17 00:00:00 2001 |
| 53 |
|
|
From: Michael Adam <obnox@samba.org> |
| 54 |
|
|
Date: Tue, 9 Aug 2016 18:25:12 +0200 |
| 55 |
|
|
Subject: [PATCH 2/2] idmap: centrally check that unix IDs returned by the |
| 56 |
|
|
idmap backends are in range |
| 57 |
|
|
|
| 58 |
|
|
Note: in the long run, it might be good to move this kind of |
| 59 |
|
|
exit check (before handing the result back to the client) |
| 60 |
|
|
to the parent winbindd code. |
| 61 |
|
|
|
| 62 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 |
| 63 |
|
|
|
| 64 |
|
|
Signed-off-by: Michael Adam <obnox@samba.org> |
| 65 |
|
|
|
| 66 |
|
|
(Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.) |
| 67 |
|
|
--- |
| 68 |
|
|
source3/winbindd/winbindd_dual_srv.c | 4 ++++ |
| 69 |
|
|
1 file changed, 4 insertions(+) |
| 70 |
|
|
|
| 71 |
|
|
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c |
| 72 |
|
|
index cdd9bbd..630d28a 100644 |
| 73 |
|
|
--- a/source3/winbindd/winbindd_dual_srv.c |
| 74 |
|
|
+++ b/source3/winbindd/winbindd_dual_srv.c |
| 75 |
|
|
@@ -203,6 +203,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, |
| 76 |
|
|
for (j=0; j<num_ids; j++) { |
| 77 |
|
|
struct wbint_TransID *id = &r->in.ids->ids[id_idx[j]]; |
| 78 |
|
|
|
| 79 |
|
|
+ if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) { |
| 80 |
|
|
+ ids[j].status = ID_UNMAPPED; |
| 81 |
|
|
+ } |
| 82 |
|
|
+ |
| 83 |
|
|
if (ids[j].status != ID_MAPPED) { |
| 84 |
|
|
id->xid.id = UINT32_MAX; |
| 85 |
|
|
id->xid.type = ID_TYPE_NOT_SPECIFIED; |
| 86 |
|
|
-- |
| 87 |
|
|
2.7.4 |
| 88 |
|
|
|
Parent Directory
| 
Revision Log
| 
Revision Graph
