s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.

Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangeorous in multi-idmap-config setups.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

source3/winbindd/idmap_hash/idmap_hash.c

@@ -137,6 +137,19 @@ static NTSTATUS be_init(struct idmap_domain *dom)
 
 		if (is_null_sid(&dom_list[i].sid))
 			continue;
+
+		/*
+		 * Check if the domain from the list is not already configured
+		 * to use another idmap backend. Not checking this makes the
+		 * idmap_hash module map IDs for *all* domains implicitly.  This
+		 * is quite dangerous in setups that use multiple idmap
+		 * configurations.
+		 */
+
+		if (domain_has_idmap_config(dom_list[i].domain_name)) {
+			continue;
+		}
+
 		if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
 			continue;