From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 10 Mar 2017 15:53:53 +0000 (+0100)
Subject: winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain
X-Git-Tag: tdb-1.3.13~511
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9eb46d587a2218ed7048c0df65ee4bf2cd6bbeb1;p=thirdparty%2Fsamba.git

winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain

find_lookup_domain_from_sid() returns the same domain for all non local
sids on a domain member. We should not chunk one wb_lookupsids_send/recv
into multiple wbint_LookupSids_send/recv to the same 'lookup' domain,
just because the requested SIDs don't all belong to the same domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Mar 12 00:56:14 CET 2017 on sn-devel-144
---

diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index c395f5489c6..3f48ad748b3 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -25,7 +25,6 @@
 #include "passdb/machine_sid.h"
 
 struct wb_lookupsids_domain {
-	struct dom_sid sid;
 	struct winbindd_domain *domain;
 
 	/*
@@ -194,7 +193,12 @@ static bool wb_lookupsids_next(struct tevent_req *req,
 
 		d = &state->domains[state->domains_done];
 
-		if (sid_check_is_our_sam(&d->sid)) {
+		if (d->domain->internal) {
+			/*
+			 * This is only our local SAM,
+			 * see wb_lookupsids_bulk() and
+			 * wb_lookupsids_get_domain().
+			 */
 			state->rids.num_rids = d->sids.num_sids;
 			state->rids.rids = talloc_array(state, uint32_t,
 							state->rids.num_rids);
@@ -207,7 +211,7 @@ static bool wb_lookupsids_next(struct tevent_req *req,
 			}
 			subreq = dcerpc_wbint_LookupRids_send(
 				state, state->ev, dom_child_handle(d->domain),
-				&d->sid, &state->rids, &state->domain_name,
+				&d->domain->sid, &state->rids, &state->domain_name,
 				&state->rid_names);
 			if (tevent_req_nomem(subreq, req)) {
 				return false;
@@ -322,14 +326,42 @@ static struct wb_lookupsids_domain *wb_lookupsids_get_domain(
 	domains = *pdomains;
 	num_domains = talloc_array_length(domains);
 
+	wb_domain = find_lookup_domain_from_sid(sid);
+	if (wb_domain == NULL) {
+		return NULL;
+	}
+
 	for (i=0; i<num_domains; i++) {
-		if (dom_sid_compare_domain(sid, &domains[i].sid) == 0) {
+		if (domains[i].domain != wb_domain) {
+			continue;
+		}
+
+		if (!domains[i].domain->internal) {
+			/*
+			 * If it's not our local sam,
+			 * we can re-use the domain without
+			 * checking the sid.
+			 *
+			 * Note the wb_lookupsids_bulk() above
+			 * already catched special SIDs,
+			 * e.g. the unix and builtin domains.
+			 */
 			return &domains[i];
 		}
-	}
 
-	wb_domain = find_lookup_domain_from_sid(sid);
-	if (wb_domain == NULL) {
+		if (dom_sid_compare_domain(sid, &domains[i].domain->sid) == 0) {
+			/*
+			 * If it's out local sam we can also use it.
+			 */
+			return &domains[i];
+		}
+
+		/*
+		 * I'm not sure if this can be triggered,
+		 * as wb_lookupsids_bulk() should also catch this,
+		 * but we need to make sure that we don't use
+		 * wbint_LookupRids() without a SID match.
+		 */
 		return NULL;
 	}
 
@@ -341,8 +373,6 @@ static struct wb_lookupsids_domain *wb_lookupsids_get_domain(
 	*pdomains = domains;
 
 	domain = &domains[num_domains];
-	sid_copy(&domain->sid, sid);
-	sid_split_rid(&domain->sid, NULL);
 	domain->domain = wb_domain;
 
 	domain->sids.sids = talloc_array(domains, struct lsa_SidPtr, num_sids);