From 6b7a14b4b9c3411bd2e05383917e8fdedae51c90 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 30 Mar 2017 23:41:59 +0200 Subject: [PATCH] winbindd: use passdb backend for well-known SIDs On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the local domain, otherwise something simple like this fails with WBC_ERR_DOMAIN_NOT_FOUND: $ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1 localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0 failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup sid S-1-1-0 On a member server asking our DC works and is what we're currently doing, but changing it to ask passdb avoids the overhead. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison
---
 selftest/knownfail | 2 --
 source3/winbindd/winbindd_util.c | 13 +++++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 432908b4c38..21f98902951 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -22,14 +22,12 @@
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1a38dde2a7a..bfe6ccad233 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1009,12 +1009,19 @@ struct winbindd_domain *find_our_domain(void) struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) { - /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */ + DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid)); + + /* + * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled + * by our passdb. + */ if ( sid_check_is_in_unix_groups(sid) || sid_check_is_unix_groups(sid) || sid_check_is_in_unix_users(sid) || - sid_check_is_unix_users(sid) ) + sid_check_is_unix_users(sid) || + sid_check_is_wellknown_domain(sid, NULL) || + sid_check_is_in_wellknown_domain(sid) ) { return find_domain_from_sid(get_global_sam_sid()); }
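Review bot: The widened condition in `find_lookup_domain_from_sid` returns `find_domain_from_sid(get_global_sam_sid())` unchecked for every well-known SID, and the new block comment does not say what a caller gets when the local SAM domain is missing from winbindd's domain list. `find_domain_from_sid` is defined outside this hunk, so this is inferred, but if it returns NULL on no match the caller would presumably see the same domain-not-found result for S-1-1-0 that the commit message describes, and per that message the path is now taken on member servers as well as DCs. I would add one line to the comment, `* May return NULL if the local SAM domain is not in the domain list; callers must check.`, and name which authorities `sid_check_is_wellknown_domain` and `sid_check_is_in_wellknown_domain` match, since those two predicates now decide which lookups are answered locally instead of by a DC. The function body continues past the end of this hunk.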
@@ -1023,8 +1030,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) * one to contact the external DC's. On member servers the internal * domains are different: These are part of the local SAM. */ - DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid))); - if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) { DEBUG(10, ("calling find_domain_from_sid\n")); return find_domain_from_sid(sid); -- 2.34.1