s3:winbindd: Add a sanity check for the range

What we want to avoid:

$ ./bin/testparm -s | grep "idmap config"
        idmap config * : rangesize = 10000
        idmap config * : range = 10000-19999
        idmap config * : backend = autorid

$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)

$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000

$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)

$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid

If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index ad53b5810ee7d32fc42578de767922387c5e8b85..c7d56a376845eccd41270d11978e1d01e812a987 100644 (file)
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
        config->maxranges = (dom->high_id - dom->low_id + 1) /
            config->rangesize;
 
-       if (config->maxranges == 0) {
-               DEBUG(1, ("Allowed uid range is smaller than rangesize. "
-                         "Increase uid range or decrease rangesize.\n"));
+       if (config->maxranges < 2) {
+               DBG_WARNING("Allowed idmap range is not a least double the "
+                           "size of the rangesize. Please increase idmap "
+                           "range.\n");
                status = NT_STATUS_INVALID_PARAMETER;
                goto error;
        }