From 04fe78b0f387e815053aa1cf4995a366a9e4331d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Oct 2015 13:30:16 -0700 Subject: [PATCH 1/3] s3: lsa: lookup_name() needs to check if an explicit "NT Authority" is given as a domain before falling back to unqualified name lookups. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555 Signed-off-by: Jeremy Allison
---
 source3/passdb/lookup_sid.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3f99ee1..3976ded 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -140,6 +140,20 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 return false;
 }
 
+ /*
+ * The only wellknown name with a non-null domain
+ * component is "NT Authority", so check that before
+ * failing if we're given an explicit "NT Authority" domain.
+ */
+
+ if ((flags & LOOKUP_NAME_WKN) &&
+ strequal(domain, "NT Authority")) {
+ if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+ type = SID_NAME_WKN_GRP;
+ goto ok;
+ }
+ }
+
 if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
 TALLOC_FREE(tmp_ctx);
 return false;
-- 2.6.0.rc2.230.g3dd15c0
From 658846f0abf7fa63d9575db86b573baf8ec17fdb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Oct 2015 11:06:53 -0700 Subject: [PATCH 2/3] s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect. Change so we only use unqualified name lookup logic if domain component = "" and LOOKUP_NAME_ISOLATED flag is passed in. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555 Signed-off-by: Jeremy Allison
---
 source3/passdb/lookup_sid.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3976ded..d89dfed 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -154,7 +154,13 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 }
 }
 
- if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
+ /*
+ * If we were given an explicit domain component,
+ * or we're told not to look up 'isolated' names
+ * with no domain component then we're done.
+ */
+
+ if ((domain[0] != '\0') || (!(flags & LOOKUP_NAME_ISOLATED))) {
 TALLOC_FREE(tmp_ctx);
 return false;
 }
-- 2.6.0.rc2.230.g3dd15c0
From c84255a9538e5767fac1fca1cea333a4beb928d7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Oct 2015 11:20:08 -0700 Subject: [PATCH 3/3] s3: test: Fix standalone valid users fileserver test. Test was originally added for bug #11320. At the time I remarked the only way I could get this to reproduce the issue was to use "+WORKGROUP\userdup" instead of just "+userdup" (which was the actual problem reported), but I didn't investigage enough to discover the underlying problem which is actually bug: BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555 (lookup_names() logic for unqualified (no DOMAIN\ component) names is incorrect). On a standalone fileserver "WORKGROUP\name" should not resolve, but "NETBIOS-NAME\name" and just "name" should. This corrects the test now that lookups for unqualified names are now being done correctly. Signed-off-by: Jeremy Allison
---
 selftest/target/Samba3.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de4346e..15423fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -608,7 +608,7 @@ sub setup_fileserver($$)
 dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
 [valid-users-access]
 path = $valid_users_sharedir
- valid users = +SAMBA-TEST/userdup
+ valid users = +userdup
 ";
 
 my $vars = $self->provision($path,
-- 2.6.0.rc2.230.g3dd15c0
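Review bot: The early return that patch 2/3 rewrites (`@@ -154,7 +154,13 @@`) fails silently. Any name carrying an explicit domain part that reaches `if ((domain[0] != '\0') || ...)` now returns false with no log line, and that includes an "NT Authority" name that missed in the branch added by patch 1/3. Patch 3/3 ties this lookup to `valid users`, so a share access entry written with a domain prefix that previously matched through the unqualified fallback will presumably stop resolving; for a deny-style entry that would mean it no longer applies. A debug line before `TALLOC_FREE(tmp_ctx);`, for example `DEBUG(5, ("lookup_name: explicit domain [%s] not resolved, skipping unqualified lookups\n", domain));`, would let an administrator see why a configured name no longer matches. The body of lookup_name() starts and ends outside the hunk.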
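Review bot: The `[valid-users-access]` share in patch 3/3 now covers only the unqualified form `+userdup`, so the two qualified cases the commit message describes have no test. The one that matters for access control is the negative case: nothing asserts that a workgroup-qualified entry such as "WORKGROUP\name" is refused on a standalone server, which is the behaviour patch 2/3 introduces. I would add a sibling share whose `valid users` uses the workgroup-qualified group and expect access to be denied, plus one using the NetBIOS-name-qualified form and expect it to succeed. The smb.conf string this hunk edits opens outside the hunk, so the exact quoting for a backslash in it needs checking against the surrounding code.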