s3:idmap_tdb: filter out of range mappings in default idmap config
authorMichael Adam <obnox@samba.org>
Wed, 27 May 2009 17:12:28 +0000 (19:12 +0200)
committerMichael Adam <obnox@samba.org>
Wed, 27 May 2009 23:31:39 +0000 (01:31 +0200)
This fixes bug #6415

Michael
(cherry picked from commit 3d3f39838261ddc401053dadcc5bd8e6317a3a8e)

source/winbindd/idmap_tdb.c

index 9e66eed0c8882437d63d2335c5b724754afd7823..847b129ee692cc3219ee7a35dac7e84fd201ba25 100644 (file)
@@ -569,8 +569,6 @@ static NTSTATUS idmap_tdb_db_init(struct idmap_domain *dom, const char *params)
 {
        NTSTATUS ret;
        struct idmap_tdb_context *ctx;
-       char *config_option = NULL;
-       const char *range;
 
        ctx = talloc(dom, struct idmap_tdb_context);
        if ( ! ctx) {
@@ -578,29 +576,72 @@ static NTSTATUS idmap_tdb_db_init(struct idmap_domain *dom, const char *params)
                return NT_STATUS_NO_MEMORY;
        }
 
-       config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
-       if ( ! config_option) {
-               DEBUG(0, ("Out of memory!\n"));
-               ret = NT_STATUS_NO_MEMORY;
-               goto failed;
-       }
+       if (strequal(dom->name, "*")) {
+               uid_t low_uid = 0;
+               uid_t high_uid = 0;
+               gid_t low_gid = 0;
+               gid_t high_gid = 0;
 
-       ret = idmap_tdb_open_db(ctx, &ctx->tdb);
-       if ( ! NT_STATUS_IS_OK(ret)) {
-               goto failed;
+               ctx->filter_low_id = 0;
+               ctx->filter_high_id = 0;
+
+               if (lp_idmap_uid(&low_uid, &high_uid)) {
+                       ctx->filter_low_id = low_uid;
+                       ctx->filter_high_id = high_uid;
+               } else {
+                       DEBUG(3, ("Warning: 'idmap uid' not set!\n"));
+               }
+
+               if (lp_idmap_gid(&low_gid, &high_gid)) {
+                       if ((low_gid != low_uid) || (high_gid != high_uid)) {
+                               DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
+                                     " ranges do not agree -- building "
+                                     "intersection\n"));
+                               ctx->filter_low_id = MAX(ctx->filter_low_id,
+                                                        low_gid);
+                               ctx->filter_high_id = MIN(ctx->filter_high_id,
+                                                         high_gid);
+                       }
+               } else {
+                       DEBUG(3, ("Warning: 'idmap gid' not set!\n"));
+               }
+       } else {
+               char *config_option = NULL;
+               const char *range;
+
+               config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
+               if ( ! config_option) {
+                       DEBUG(0, ("Out of memory!\n"));
+                       ret = NT_STATUS_NO_MEMORY;
+                       goto failed;
+               }
+
+               range = lp_parm_const_string(-1, config_option, "range", NULL);
+               if (( ! range) ||
+                   (sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2))
+               {
+                       ctx->filter_low_id = 0;
+                       ctx->filter_high_id = 0;
+               }
+
+               talloc_free(config_option);
        }
 
-       range = lp_parm_const_string(-1, config_option, "range", NULL);
-       if (( ! range) ||
-           (sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
-           (ctx->filter_low_id > ctx->filter_high_id)) {
+       if (ctx->filter_low_id > ctx->filter_high_id) {
                ctx->filter_low_id = 0;
                ctx->filter_high_id = 0;
        }
 
+       DEBUG(10, ("idmap_tdb_db_init: filter range %u-%u loaded for domain "
+             "'%s'\n", ctx->filter_low_id, ctx->filter_high_id, dom->name));
+
+       ret = idmap_tdb_open_db(ctx, &ctx->tdb);
+       if ( ! NT_STATUS_IS_OK(ret)) {
+               goto failed;
+       }
+
        dom->private_data = ctx;
 
-       talloc_free(config_option);
        return NT_STATUS_OK;
 
 failed:
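Review bot: The sanity check `if (ctx->filter_low_id > ctx->filter_high_id)` near the end of this hunk resets the filter to 0-0 with nothing logged above debug level 10. In the `*` branch ordinary misconfiguration reaches that path: disjoint 'idmap uid' and 'idmap gid' ranges give an empty intersection, and setting only 'idmap gid' leaves `filter_high_id` at `MIN(0, high_gid)`. If the lookup code treats 0-0 as "no filtering" (not visible here, so this is an assumption), the out-of-range filtering this commit adds is switched off silently in exactly those cases. I would log inside that `if`, e.g. `DEBUG(1, ("idmap_tdb_db_init: empty or inverted range for domain '%s', resetting filter to 0-0\n", dom->name));`. The body of idmap_tdb_db_init starts before and continues past this hunk.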