git.ipfire.org Git - thirdparty/samba.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Tue, 15 Sep 2020 15:26:11 +0000 (17:26 +0200)
committer	Jule Anger <janger@samba.org>
	Mon, 8 Nov 2021 09:52:09 +0000 (10:52 +0100)
commit	04e10a843187810e97bf565731ddc5d70b0f4245
tree	88404e347033f849acf2c9036d806075203cf3f9	tree
parent	ed1542b9f37734bc77906c4ba49ea6ea3be09af8	commit \| diff

CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE

This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

(cherry picked from commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87)

librpc/idl/idmap.idl		diff \| blob \| blame \| history
source3/passdb/lookup_sid.c		diff \| blob \| blame \| history
source3/winbindd/idmap_autorid.c		diff \| blob \| blame \| history
source3/winbindd/idmap_ldap.c		diff \| blob \| blame \| history
source3/winbindd/idmap_rw.c		diff \| blob \| blame \| history
source3/winbindd/idmap_tdb_common.c		diff \| blob \| blame \| history
source3/winbindd/wb_sids2xids.c		diff \| blob \| blame \| history
source3/winbindd/winbindd_dual_srv.c		diff \| blob \| blame \| history
source3/winbindd/winbindd_getgroups.c		diff \| blob \| blame \| history