idmap_nss: Do not return SID from unixids_to_sids on type mismatch

The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184

(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)

diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index 3fe98cbc729666e4442565febede3132e922ee06..16f5a74bc0f3b702232c5f2305402f7d1b83e5e9 100644 (file)
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -25,6 +25,7 @@
 #include "nsswitch/winbind_client.h"
 #include "idmap.h"
 #include "lib/winbind_util.h"
+#include "libcli/security/dom_sid.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -55,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
                struct passwd *pw;
                struct group *gr;
                const char *name;
+               struct dom_sid sid;
                enum lsa_SidType type;
                bool ret;
 
@@ -86,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
                   the following call will not recurse so this is safe */
                (void)winbind_on();
                /* Lookup name from PDC using lsa_lookup_names() */
-               ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type);
+               ret = winbind_lookup_name(dom->name, name, &sid, &type);
                (void)winbind_off();
 
                if (!ret) {
@@ -99,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
                switch (type) {
                case SID_NAME_USER:
                        if (ids[i]->xid.type == ID_TYPE_UID) {
+                               sid_copy(ids[i]->sid, &sid);
                                ids[i]->status = ID_MAPPED;
                        }
                        break;
@@ -107,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
                case SID_NAME_ALIAS:
                case SID_NAME_WKN_GRP:
                        if (ids[i]->xid.type == ID_TYPE_GID) {
+                               sid_copy(ids[i]->sid, &sid);
                                ids[i]->status = ID_MAPPED;
                        }
                        break;