From: Andreas Schneider Date: Tue, 1 Feb 2022 09:06:30 +0000 (+0100) Subject: s3:winbindd: Add a sanity check for the range X-Git-Tag: tevent-0.12.0~714 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe84ae5547313e482ea0eba8ddca5b38a033dc8f;p=thirdparty%2Fsamba.git s3:winbindd: Add a sanity check for the range What we want to avoid: $ ./bin/testparm -s | grep "idmap config" idmap config * : rangesize = 10000 idmap config * : range = 10000-19999 idmap config * : backend = autorid $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators S-1-5-32-544 SID_ALIAS (4) $ ./bin/wbinfo --sid-to-gid S-1-5-32-544 10000 $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid If only one range is configured we are either not able to map users/groups from our primary *and* the BUILTIN domain. We need at least two ranges to also cover the BUILTIN domain! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner --- diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c index ad53b5810ee..c7d56a37684 100644 --- a/source3/winbindd/idmap_autorid.c +++ b/source3/winbindd/idmap_autorid.c @@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) config->maxranges = (dom->high_id - dom->low_id + 1) / config->rangesize; - if (config->maxranges == 0) { - DEBUG(1, ("Allowed uid range is smaller than rangesize. " - "Increase uid range or decrease rangesize.\n")); + if (config->maxranges < 2) { + DBG_WARNING("Allowed idmap range is not a least double the " + "size of the rangesize. Please increase idmap " + "range.\n"); status = NT_STATUS_INVALID_PARAMETER; goto error; }