From: Christof Schmitt
Date: Fri, 5 Mar 2021 23:07:54 +0000 (-0700)
Subject: idmap_nss: Do not return SID from unixids_to_sids on type mismatch
X-Git-Tag: tevent-0.11.0~1597
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e789ba1802ca22e5a01abd6e93ef66cd45566a7;p=thirdparty%2Fsamba.git
idmap_nss: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map array. The later check for the type detected a mismatch, but that did not remove the SID from the result struct. Change this by first assigning the SID to a temporary variable and only write it to the id_map array after the type checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184
---
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index 9e1efefeb24..da50e2b4aa7 100644
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -25,6 +25,7 @@
 #include "nsswitch/winbind_client.h"
 #include "idmap.h"
 #include "lib/winbind_util.h"
+#include "libcli/security/dom_sid.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -55,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 struct passwd *pw;
 struct group *gr;
 const char *name;
+ struct dom_sid sid;
 enum lsa_SidType type;
 bool ret;
@@ -86,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 the following call will not recurse so this is safe */
 (void)winbind_on();
 /* Lookup name from PDC using lsa_lookup_names() */
- ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type);
+ ret = winbind_lookup_name(dom->name, name, &sid, &type);
 (void)winbind_off();
 if (!ret) {
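Review bot: Nothing at the call site records why `winbind_lookup_name()` now writes into the local `sid` instead of `ids[i]->sid`, so a later cleanup could fold the temporary back in and once again hand a SID to the caller on a type mismatch. A short comment above the call would pin the intent, e.g. `/* Stage the result in a local: ids[i]->sid must stay untouched until the type check below passes. */`. The local is declared without an initializer in the previous hunk, which is fine only as long as it is read solely after `ret` is true, as the visible lines suggest. The function body extends beyond both hunks, so this cannot be fully confirmed from here.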
@@ -99,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 switch (type) {
 case SID_NAME_USER:
 if (ids[i]->xid.type == ID_TYPE_UID) {
+ sid_copy(ids[i]->sid, &sid);
 ids[i]->status = ID_MAPPED;
 }
 break;
@@ -107,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 case SID_NAME_ALIAS:
 case SID_NAME_WKN_GRP:
 if (ids[i]->xid.type == ID_TYPE_GID) {
+ sid_copy(ids[i]->sid, &sid);
 ids[i]->status = ID_MAPPED;
 }
 break;
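Review bot: The type-mismatch path stays silent in both `if` blocks, the `SID_NAME_USER` case in this hunk and the group case in the following one. When the lookup succeeds but `ids[i]->xid.type` does not match, the entry is skipped with no trace. A name that resolves to the wrong object type is worth surfacing to whoever investigates an identity-mapping problem, so consider an `else` branch such as `DBG_WARNING("type mismatch for %s: xid type %d, SID type %d\n", name, ids[i]->xid.type, type);`. The switch starts before and continues past the visible lines, so a log or status reset further down may already cover this.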