From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 1 Feb 2022 10:06:30 +0100 Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range What we want to avoid: $ ./bin/testparm -s | grep "idmap config" idmap config * : rangesize = 10000 idmap config * : range = 10000-19999 idmap config * : backend = autorid $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators S-1-5-32-544 SID_ALIAS (4) $ ./bin/wbinfo --sid-to-gid S-1-5-32-544 10000 $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid If only one range is configured we are either not able to map users/groups from our primary *and* the BUILTIN domain. We need at least two ranges to also cover the BUILTIN domain! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) --- source3/winbindd/idmap_autorid.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c index ad53b5810ee..c7d56a37684 100644 --- a/source3/winbindd/idmap_autorid.c +++ b/source3/winbindd/idmap_autorid.c @@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) config->maxranges = (dom->high_id - dom->low_id + 1) / config->rangesize; - if (config->maxranges == 0) { - DEBUG(1, ("Allowed uid range is smaller than rangesize. " - "Increase uid range or decrease rangesize.\n")); + if (config->maxranges < 2) { + DBG_WARNING("Allowed idmap range is not a least double the " + "size of the rangesize. Please increase idmap " + "range.\n"); status = NT_STATUS_INVALID_PARAMETER; goto error; } -- 2.35.1 From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 1 Feb 2022 10:07:50 +0100 Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid What we want to avoid: $ ./bin/testparm -s | grep "idmap config" idmap config * : rangesize = 10000 idmap config * : range = 10000-19999 idmap config * : backend = autorid $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators S-1-5-32-544 SID_ALIAS (4) $ ./bin/wbinfo --sid-to-gid S-1-5-32-544 10000 $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid If only one range is configured we are either not able to map users/groups from our primary *and* the BUILTIN domain. We need at least two ranges to also cover the BUILTIN domain! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) --- source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 98bcc219b1e..58ba46bc15f 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, return false; /* Keep scanning */ } +static int idmap_config_int(const char *domname, const char *option, int def) +{ + int len = snprintf(NULL, 0, "idmap config %s", domname); + + if (len == -1) { + return def; + } + { + char config_option[len+1]; + snprintf(config_option, sizeof(config_option), + "idmap config %s", domname); + return lp_parm_int(-1, config_option, option, def); + } +} + static bool do_idmap_check(void) { struct idmap_domains *d; @@ -157,6 +172,42 @@ static bool do_idmap_check(void) rc); } + /* Check autorid backend */ + if (strequal(lp_idmap_default_backend(), "autorid")) { + struct idmap_config *c = NULL; + bool found = false; + + for (i = 0; i < d->count; i++) { + c = &d->c[i]; + + if (strequal(c->backend, "autorid")) { + found = true; + break; + } + } + + if (found) { + uint32_t rangesize = + idmap_config_int("*", "rangesize", 100000); + uint32_t maxranges = + (c->high - c->low + 1) / rangesize; + + if (maxranges < 2) { + fprintf(stderr, + "ERROR: The idmap autorid range " + "[%u-%u] needs to be at least twice as" + "big as the rangesize [%u]!" + "\n\n", + c->low, + c->high, + rangesize); + ok = false; + goto done; + } + } + } + + /* Check for overlapping idmap ranges */ for (i = 0; i < d->count; i++) { struct idmap_config *c = &d->c[i]; uint32_t j; -- 2.35.1 From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 1 Feb 2022 10:05:19 +0100 Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation What we want to avoid: $ ./bin/testparm -s | grep "idmap config" idmap config * : rangesize = 10000 idmap config * : range = 10000-19999 idmap config * : backend = autorid $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators S-1-5-32-544 SID_ALIAS (4) $ ./bin/wbinfo --sid-to-gid S-1-5-32-544 10000 $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid If only one range is configured we are either not able to map users/groups from our primary *and* the BUILTIN domain. We need at least two ranges to also cover the BUILTIN domain! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) --- docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml index 6c4da1cad8a..980718f0bd4 100644 --- a/docs-xml/manpages/idmap_autorid.8.xml +++ b/docs-xml/manpages/idmap_autorid.8.xml @@ -48,7 +48,13 @@ and the corresponding map is discarded. It is intended as a way to avoid accidental UID/GID overlaps between local and remotely defined - IDs. + IDs. Note that the range should be a multiple + of the rangesize and needs to be at least twice + as large in order to have sufficient id range + space for the mandatory BUILTIN domain. + With a default rangesize of 100000 the range + needs to span at least 200000. + This would be: range = 100000 - 299999. -- 2.35.1