idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon...
authorStefan Metzmacher <metze@samba.org>
Thu, 21 Mar 2019 15:54:31 +0000 (16:54 +0100)
committerJule Anger <janger@samba.org>
Wed, 5 Apr 2023 10:40:13 +0000 (10:40 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ee820553fd2c6ada966a0160cbb0240049f9d9f7)

source3/winbindd/idmap_hash/idmap_hash.c

index fb900617ec399db926ae63edaca0728a748c442d..a34303506257d1bda7f7ac02c26ce1c855e53305 100644 (file)
@@ -25,6 +25,7 @@
 #include "ads.h"
 #include "nss_info.h"
 #include "../libcli/security/dom_sid.h"
+#include "libsmb/samlogon_cache.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -287,6 +288,21 @@ static NTSTATUS idmap_hash_sid_to_id(struct sid_hash_table *hashed_domains,
                goto return_mapping;
        }
 
+       /*
+        * Check of last resort: A domain is valid if a user from that
+        * domain has recently logged in. The samlogon_cache these
+        * days also stores the domain sid.
+        */
+       if (netsamlogon_cache_have(&sid)) {
+               /*
+                * We keep the legacy behavior and
+                * just return the mapping, but
+                * the reverse mapping would not
+                * still not work.
+                */
+               goto return_mapping;
+       }
+
        if (id->xid.type == ID_TYPE_NOT_SPECIFIED) {
                /*
                 * idmap_hash used to bounce back the requested type,
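Review bot: The inner comment in the new `netsamlogon_cache_have(&sid)` branch says "the reverse mapping would not still not work", which is garbled and hides the one caveat a maintainer needs here. I would reword it to `* We keep the legacy behavior and just return the mapping, but the reverse (id to sid) lookup would still not work.` The outer comment also says a domain counts as valid if a user "recently" logged in, but the hunk shows only a presence test on the cache. If no expiry is enforced inside `netsamlogon_cache_have()`, the comment should say that any cached entry, however old, makes the domain acceptable for mapping. The function starts and ends outside this hunk, so it is not visible whether `sid` has already been reduced to the domain SID at this point; it would help if the comment stated which SID is being looked up.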