powerel9
/
samba
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
12 MiB
Tree: f88e8b82e2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f88e8b82e2'
${ noResults }
samba/SOURCES/samba-4-15-fix-autorid.patch

231 lines
7.1 KiB
Raw Blame History

From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:06:30 +0100
Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
---
source3/winbindd/idmap_autorid.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index ad53b5810ee..c7d56a37684 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
config->maxranges = (dom->high_id - dom->low_id + 1) /
config->rangesize;
- if (config->maxranges == 0) {
- DEBUG(1, ("Allowed uid range is smaller than rangesize. "
- "Increase uid range or decrease rangesize.\n"));
+ if (config->maxranges < 2) {
+ DBG_WARNING("Allowed idmap range is not a least double the "
+ "size of the rangesize. Please increase idmap "
+ "range.\n");
status = NT_STATUS_INVALID_PARAMETER;
goto error;
}
--
2.35.1
From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:07:50 +0100
Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
---
source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 98bcc219b1e..58ba46bc15f 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
return false; /* Keep scanning */
}
+static int idmap_config_int(const char *domname, const char *option, int def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return def;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_int(-1, config_option, option, def);
+ }
+}
+
static bool do_idmap_check(void)
{
struct idmap_domains *d;
@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
rc);
}
+ /* Check autorid backend */
+ if (strequal(lp_idmap_default_backend(), "autorid")) {
+ struct idmap_config *c = NULL;
+ bool found = false;
+
+ for (i = 0; i < d->count; i++) {
+ c = &d->c[i];
+
+ if (strequal(c->backend, "autorid")) {
+ found = true;
+ break;
+ }
+ }
+
+ if (found) {
+ uint32_t rangesize =
+ idmap_config_int("*", "rangesize", 100000);
+ uint32_t maxranges =
+ (c->high - c->low + 1) / rangesize;
+
+ if (maxranges < 2) {
+ fprintf(stderr,
+ "ERROR: The idmap autorid range "
+ "[%u-%u] needs to be at least twice as "
+ "big as the rangesize [%u]!"
+ "\n\n",
+ c->low,
+ c->high,
+ rangesize);
+ ok = false;
+ goto done;
+ }
+ }
+ }
+
+ /* Check for overlapping idmap ranges */
for (i = 0; i < d->count; i++) {
struct idmap_config *c = &d->c[i];
uint32_t j;
--
2.35.1
From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:05:19 +0100
Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
---
docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
index 6c4da1cad8a..980718f0bd4 100644
--- a/docs-xml/manpages/idmap_autorid.8.xml
+++ b/docs-xml/manpages/idmap_autorid.8.xml
@@ -48,7 +48,13 @@
and the corresponding map is discarded. It is
intended as a way to avoid accidental UID/GID
overlaps between local and remotely defined
- IDs.
+ IDs. Note that the range should be a multiple
+ of the rangesize and needs to be at least twice
+ as large in order to have sufficient id range
+ space for the mandatory BUILTIN domain.
+ With a default rangesize of 100000 the range
+ needs to span at least 200000.
+ This would be: range = 100000 - 299999.
</para></listitem>
</varlistentry>
--
2.35.1