winbindd: use passdb backend for well-known SIDs
authorRalph Boehme <slow@samba.org>
Thu, 30 Mar 2017 21:41:59 +0000 (23:41 +0200)
committerJeremy Allison <jra@samba.org>
Sat, 1 Apr 2017 15:33:14 +0000 (17:33 +0200)
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
selftest/knownfail
source3/winbindd/winbindd_util.c

index 432908b4c38ecf52ecbb5e2e8d164e8206e7a955..21f989029514a3723eda64df17857f2a8e5011bf 100644 (file)
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
index 1a38dde2a7ac75ad16149c4be32d9ae6ddcd703a..bfe6ccad233f46c6cbcd539263da91ff15a360a4 100644 (file)
@@ -1009,12 +1009,19 @@ struct winbindd_domain *find_our_domain(void)
 
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 {
-       /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+       DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
+
+       /*
+        * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+        * by our passdb.
+        */
 
        if ( sid_check_is_in_unix_groups(sid) ||
             sid_check_is_unix_groups(sid) ||
             sid_check_is_in_unix_users(sid) ||
-            sid_check_is_unix_users(sid) )
+            sid_check_is_unix_users(sid) ||
+            sid_check_is_wellknown_domain(sid, NULL) ||
+            sid_check_is_in_wellknown_domain(sid) )
        {
                return find_domain_from_sid(get_global_sam_sid());
        }
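Review bot: The two predicates added at the end of the `if` widen the local-SAM shortcut to every SID under a well-known authority, and the comment above them does not say which SIDs are meant or why. If `sid_check_is_in_wellknown_domain()` decides by stripping the last sub-authority (its body is not visible here), the BUILTIN domain SID S-1-5-32 would match as a child of S-1-5 and never reach the `is_internal_domain()` branch further down; please confirm that is intended. Because the domain chosen here decides who answers SID-to-name lookups that ACL handling relies on, I would put the rationale in the comment, e.g. `/* Well-known SIDs (S-1-1-0 etc.): a DC must answer locally, a member server avoids the DC round trip. */`. A selftest running `wbinfo --sid-to-name S-1-1-0` against nt4_dc would pin the failure quoted in the commit message. The function body continues past this hunk.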
@@ -1023,8 +1030,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
         * one to contact the external DC's. On member servers the internal
         * domains are different: These are part of the local SAM. */
 
-       DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
-
        if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
                DEBUG(10, ("calling find_domain_from_sid\n"));
                return find_domain_from_sid(sid);