r23048: Simo is correct in that winbind_lookup{sid,name}_async() needs
authorGerald Carter <jerry@samba.org>
Mon, 21 May 2007 20:36:22 +0000 (20:36 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:22:17 +0000 (12:22 -0500)
to be able to handle SIDs in the S-1-22-{1,2} domain in order
for winbindd_sid_to_uid(), et al. to succeed.  For 3.0.25a,
we will short circuit in the sid_to_uid() family of functions
so that smbd is ok.

For 3.0.26, we need to allow winbindd to handle all types of SIDs.
(This used to be commit d70cec31965de41d3296c9b585ff0aea4f2bcffe)

source3/nsswitch/idmap.c
source3/nsswitch/winbindd_passdb.c
source3/nsswitch/winbindd_util.c

index babd5645aaf79b2a61c8b094731c017e292446f6..8f3e7c465e46c3889ef2adab725fec649ffd255a 100644 (file)
@@ -821,7 +821,10 @@ static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **re
        /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */
        if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) ||
            sid_check_is_in_builtin(map->sid) ||
-           sid_check_is_in_wellknown_domain(map->sid)) {
+           sid_check_is_in_wellknown_domain(map->sid) ||
+           sid_check_is_in_unix_users(map->sid) ||
+           sid_check_is_in_unix_groups(map->sid) ) 
+       {
                DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n"));
                return NT_STATUS_UNSUCCESSFUL;
        }
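Review bot: The comment and the DEBUG(10) text around this condition still name only the local domain, BUILTIN and special SIDs, although the condition now also refuses SIDs under S-1-22-1 and S-1-22-2, so the log line no longer tells an operator which rule rejected the mapping. I would change the comment to `/* Never create idmap entries for our own SAM domain, BUILTIN, well-known SIDs or Unix Users/Groups (S-1-22-{1,2}) SIDs */` and extend the DEBUG string in the same way. Only the `sid_check_is_in_unix_*()` forms are tested here, whereas the winbindd_passdb.c and winbindd_util.c hunks also test the bare domain SIDs with `sid_check_is_unix_*()`; that is probably intentional for an ID mapping, but a word in the comment would settle it. idmap_can_map() starts and ends outside the hunk.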
index e8b0ae641f75167f83d8f0617796555565a912a6..2a61908f0e01f1169d59afe8f9665e4e7245b684 100644 (file)
@@ -125,7 +125,12 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
 
        /* Paranoia check */
        if (!sid_check_is_in_builtin(sid) &&
-           !sid_check_is_in_our_domain(sid)) {
+           !sid_check_is_in_our_domain(sid) &&
+           !sid_check_is_in_unix_users(sid) &&
+           !sid_check_is_unix_users(sid) &&
+           !sid_check_is_in_unix_groups(sid) &&
+           !sid_check_is_unix_groups(sid) )
+       {
                DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
                          "passdb backend\n", sid_string_static(sid)));
                return NT_STATUS_NONE_MAPPED;
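Review bot: The four-way Unix SID test added to this paranoia check (`sid_check_is_in_unix_users`, `sid_check_is_unix_users`, `sid_check_is_in_unix_groups`, `sid_check_is_unix_groups`) is written out again in find_lookup_domain_from_sid() in winbindd_util.c, and the two copies have to stay in agreement. If they drift apart, the router would hand a SID to the passdb domain that sid_to_name() then rejects with the level-0 "Possible deadlock" message and NT_STATUS_NONE_MAPPED. A single shared predicate for "SID belongs to the Unix Users or Unix Groups namespace", called from both places, would remove that risk. The comment `/* Paranoia check */` could also say what is being guarded, e.g. `/* Only SIDs that passdb itself owns may be looked up here; anything else would call back into winbindd */`, which is my reading of the DEBUG text and should be confirmed. sid_to_name() continues outside the hunk.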
index 2bec404a1375b9b99cce48db1f6eaf0bf9a677d7..e05f698ee8ddab0b82e8ca80c696f667e7b910ae 100644 (file)
@@ -914,6 +914,17 @@ struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
                return find_domain_from_sid(sid);
        }
 
+       /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+
+       if ( sid_check_is_in_unix_groups(sid) || 
+            sid_check_is_unix_groups(sid) ||
+            sid_check_is_in_unix_users(sid) ||
+            sid_check_is_unix_users(sid) )
+       {
+               return find_domain_from_sid(get_global_sam_sid());
+       }
+       
+
        /* On a member server a query for SID or name can always go to our
         * primary DC. */
 
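Review bot: The new comment says where S-1-22-{1,2} SIDs go but not why the test has to sit at this point in find_lookup_domain_from_sid(). The block returns before the member-server fallthrough described in the next comment, so its position is what keeps host-local Unix SIDs from being sent to the primary DC. I would write it as `/* S-1-22-{1,2} (Unix Users / Unix Groups) SIDs are local to this host: resolve them through our own passdb domain, and do so before the member-server case below */`. The block also leaves trailing whitespace and two blank lines after the closing brace. In the following hunk, the comment in find_lookup_domain_from_name() reads "domain our handled by passdb" and should read `/* The "Unix User" and "Unix Group" domains are handled by passdb */`.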
@@ -927,6 +938,14 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
            strequal(domain_name, get_global_sam_name()))
                return find_domain_from_name_noinit(domain_name);
 
+       /* The "Unix User" and "Unix Group" domain our handled by passdb */
+
+       if ( strequal(domain_name, unix_users_domain_name() ) ||
+            strequal(domain_name, unix_groups_domain_name() ) )
+       {
+               return find_domain_from_name_noinit( get_global_sam_name() );
+       }
+
        return find_our_domain();
 }