The Samba-Bugzilla – Attachment 14110 Details for Bug 13312: wbinfo --name-to-sid returns misleading result on invalid query
[patch] patches for 4.7
patches-for-4.7 (text/plain), 13.51 KB, created by Christof Schmitt on 2018-04-06 21:57:16 UTC
>From 24c16426562db75ad689ee75aeccf43fcf149198 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Fri, 16 Mar 2018 13:52:14 -0700 >Subject: [PATCH 1/5] test_smbclient_s3.sh: Use correct separator in "list with > backup privilege" test > >Samba selftest uses the forward slash as winbind separator and in the >USERNAME passed to the test. "net sam rights" expect the backslash. Map >the separator used in selftest to a backslash to avoid creating an >incorrect username DOMAIN\DOMAIN/USERNAME. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 6f07afad07d9c670a00d9d314a8134efdda5e424) >--- > source3/script/tests/test_smbclient_s3.sh | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > >diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh >index 905da58..05fcf69 100755 >--- a/source3/script/tests/test_smbclient_s3.sh >+++ b/source3/script/tests/test_smbclient_s3.sh >@@ -643,13 +643,17 @@ test_backup_privilege_list() > { > tmpfile=$PREFIX/smbclient_backup_privilege_list > >+ # selftest uses the forward slash as a separator, but "net sam rights >+ # grant" requires the backslash separator >+ USER_TMP=$(printf '%s' "$USERNAME" | tr '/' '\\') >+ > # If we don't have a DOMAIN component to the username, add it. >- echo "$USERNAME" | grep '\\' 2>&1 >+ printf '%s' "$USER_TMP" | grep '\\' 2>&1 > ret=$? > if [ $ret != 0 ] ; then >- priv_username="$DOMAIN\\$USERNAME" >+ priv_username="$DOMAIN\\$USER_TMP" > else >- priv_username=$USERNAME >+ priv_username="$USER_TMP" > fi > > $NET sam rights grant $priv_username SeBackupPrivilege 2>&1 >-- >1.8.3.1 > > >From e16ae54b2966cab52e3a74a2f74c97f2d2b957f7 Mon Sep 17 00:00:00 2001 
>From: Christof Schmitt <cs@samba.org> >Date: Fri, 30 Mar 2018 14:28:46 -0700 >Subject: [PATCH 2/5] nsswitch: Fix wbcListUsers test > >With an AD DC, wbcListUsers returns the users in the DOMAIN SEPARATOR >USERNAME format. The test then calls wbcLookupName with the domain name >and the previous string (including domain and separator) as username. >Fix this by passing the correct username and adding some additional >checks. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 3c146be404affc894c0c702bbfbfcc4fb9ed902b) >--- > nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > >diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c >index e80afc4..8c532bb 100644 >--- a/nsswitch/libwbclient/tests/wbclient.c >+++ b/nsswitch/libwbclient/tests/wbclient.c >@@ -296,6 +296,7 @@ static bool test_wbc_users(struct torture_context *tctx) > char *name = NULL; > char *sid_string = NULL; > wbcErr ret = false; >+ char separator; > > torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details), > "%s", "wbcInterfaceDetails failed"); >@@ -306,6 +307,7 @@ static bool test_wbc_users(struct torture_context *tctx) > ret, > fail, > "Failed to allocate domain_name"); >+ separator = details->winbind_separator; > wbcFreeMemory(details); > details = NULL; 
> >@@ -323,9 +325,38 @@ static bool test_wbc_users(struct torture_context *tctx) > struct wbcDomainSid sid; > enum wbcSidType name_type; > uint32_t num_sids; >+ const char *user; >+ char *c; >+ >+ c = strchr(users[i], separator); >+ >+ if (c == NULL) { >+ /* >+ * NT4 DC >+ * user name does not contain DOMAIN SEPARATOR prefix. >+ */ >+ >+ user = users[i]; >+ } else { >+ /* >+ * AD DC >+ * user name starts with DOMAIN SEPARATOR prefix. >+ */ >+ const char *dom; >+ >+ *c = '\0'; >+ dom = users[i]; >+ user = c + 1; >+ >+ torture_assert_str_equal_goto(tctx, dom, domain_name, >+ ret, fail, "Domain part " >+ "of user name does not " >+ "match domain name.\n"); >+ } > > torture_assert_wbc_ok_goto_fail(tctx, >- wbcLookupName(domain_name, users[i], &sid, &name_type), >+ wbcLookupName(domain_name, user, >+ &sid, &name_type), > "wbcLookupName of %s failed", > users[i]); > torture_assert_int_equal_goto(tctx, >-- >1.8.3.1 > > >From 284a2a63effb4d28ed0b0013eb3d71b933655e96 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Fri, 30 Mar 2018 14:35:03 -0700 >Subject: [PATCH 3/5] nsswitch: Fix wbcListGroups test > >With an AD DC, wbcListGroups returns the users in the DOMAIN SEPARATOR >GROUPNAME format. The test then calls wbcLookupName with the domain >name and the previous string (including domain and separator) as >username. Fix this by passing the correct username and adding some >additional checks. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit f4db4e86c341a89357082e81e30c302440647530) >--- > nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > >diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c >index 8c532bb..d107942 100644 >--- a/nsswitch/libwbclient/tests/wbclient.c 
>+++ b/nsswitch/libwbclient/tests/wbclient.c >@@ -430,6 +430,7 @@ static bool test_wbc_groups(struct torture_context *tctx) > char *domain = NULL; > char *name = NULL; > char *sid_string = NULL; >+ char separator; > > torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details), > "%s", "wbcInterfaceDetails failed"); >@@ -440,6 +441,7 @@ static bool test_wbc_groups(struct torture_context *tctx) > ret, > fail, > "Failed to allocate domain_name"); >+ separator = details->winbind_separator; > wbcFreeMemory(details); > details = NULL; > >@@ -456,10 +458,39 @@ static bool test_wbc_groups(struct torture_context *tctx) > for (i=0; i < MIN(num_groups,100); i++) { > struct wbcDomainSid sid; > enum wbcSidType name_type; >+ const char *group; >+ char *c; >+ >+ c = strchr(groups[i], separator); >+ >+ if (c == NULL) { >+ /* >+ * NT4 DC >+ * group name does not contain DOMAIN SEPARATOR prefix. >+ */ >+ >+ group = groups[i]; >+ } else { >+ /* >+ * AD DC >+ * group name starts with DOMAIN SEPARATOR prefix. >+ */ >+ const char *dom; >+ >+ >+ *c = '\0'; >+ dom = groups[i]; >+ group = c + 1; >+ >+ torture_assert_str_equal_goto(tctx, dom, domain_name, >+ ret, fail, "Domain part " >+ "of group name does not " >+ "match domain name.\n"); >+ } > > torture_assert_wbc_ok_goto_fail(tctx, > wbcLookupName(domain_name, >- groups[i], >+ group, > &sid, > &name_type), > "wbcLookupName for %s failed", >-- >1.8.3.1 > > >From f17fcc98ac9be15a88f5dfb1e991c257f94315b7 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Wed, 28 Feb 2018 13:10:43 -0700 >Subject: [PATCH 4/5] Add test for wbinfo name lookup > >This demonstrates that wbinfo -n / --name-to-sid returns information >instead of failing the request. More specifically the query for >INVALIDDOMAIN//user returns the user SID for the joined domain, instead >of failing the request. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 
> >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 552a00ec1f6795b9025298931a6cc50ebe552052) >--- > nsswitch/tests/test_wbinfo_name_lookup.sh | 40 +++++++++++++++++++++++++++++++ > selftest/knownfail | 2 ++ > source3/selftest/tests.py | 4 ++++ > 3 files changed, 46 insertions(+) > create mode 100755 nsswitch/tests/test_wbinfo_name_lookup.sh > >diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh >new file mode 100755 >index 0000000..696e25b >--- /dev/null >+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh >@@ -0,0 +1,40 @@ >+#!/bin/sh >+# Blackbox test for wbinfo name lookup >+if [ $# -lt 2 ]; then >+cat <<EOF >+Usage: test_wbinfo.sh DOMAIN DC_USERNAME >+EOF >+exit 1; >+fi >+ >+DOMAIN=$1 >+DC_USERNAME=$2 >+shift 2 >+ >+failed=0 >+sambabindir="$BINDIR" >+wbinfo="$VALGRIND $sambabindir/wbinfo" >+ >+. `dirname $0`/../../testprogs/blackbox/subunit.sh >+ >+# Correct query is expected to work >+testit "name-to-sid.single-separator" \ >+ $wbinfo -n $DOMAIN/$DC_USERNAME || \ >+ failed=$(expr $failed + 1) >+ >+# Two separator characters should fail >+testit_expect_failure "name-to-sid.double-separator" \ >+ $wbinfo -n $DOMAIN//$DC_USERNAME || \ >+ failed=$(expr $failed + 1) >+ >+# Invalid domain is expected to fail >+testit_expect_failure "name-to-sid.invalid-domain" \ >+ $wbinfo -n INVALID/$DC_USERNAME || \ >+ failed=$(expr $failed + 1) >+ >+# Invalid domain with two separator characters is expected to fail >+testit_expect_failure "name-to-sid.double-separator-invalid-domain" \ >+ $wbinfo -n INVALID//$DC_USERNAME || \ >+ failed=$(expr $failed + 1) >+ >+exit $failed >diff --git a/selftest/knownfail b/selftest/knownfail >index dd23c7d..6abbf3a 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail 
>@@ -345,3 +345,5 @@ > ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\) > # Disabling NTLM means you can't use samr to change the password > ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\) >+samba3.wbinfo_name_lookup.name-to-sid.double-separator\(ad_member\) >+samba3.wbinfo_name_lookup.name-to-sid.double-separator-invalid-domain\(ad_member\) >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 1520990..593ac1d 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -198,6 +198,10 @@ for env in ["nt4_member", "ad_member"]: > env = "ad_member" > t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD" > plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t]) >+plantestsuite("samba3.wbinfo_name_lookup", env, >+ [ os.path.join(srcdir(), >+ "nsswitch/tests/test_wbinfo_name_lookup.sh"), >+ '$DOMAIN', '$DC_USERNAME' ]) > t = "WBCLIENT-MULTI-PING" > plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""]) > plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"]) >-- >1.8.3.1 > > >From b2c613956771284a1892c2dee83f28f8c103c466 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Wed, 28 Feb 2018 12:05:34 -0700 >Subject: [PATCH 5/5] winbindd: Do not ignore domain in the LOOKUPNAME request > >A LOOKUPNAME request with a domain and a name containing a winbind >separator character would return the result for the joined domain, >instead of the specified domain. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 
> >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144 > >(cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429) >--- > selftest/knownfail | 2 -- > source3/winbindd/winbindd_lookupname.c | 33 +++++++++++++++++++++------------ > 2 files changed, 21 insertions(+), 14 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 6abbf3a..dd23c7d 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -345,5 +345,3 @@ > ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_ntlm_connection\(ktest\) > # Disabling NTLM means you can't use samr to change the password > ^samba.tests.ntlmauth.python\(ktest\).ntlmauth.NtlmAuthTests.test_samr_change_password\(ktest\) >-samba3.wbinfo_name_lookup.name-to-sid.double-separator\(ad_member\) >-samba3.wbinfo_name_lookup.name-to-sid.double-separator-invalid-domain\(ad_member\) >diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c >index 1be29fd..b022691 100644 >--- a/source3/winbindd/winbindd_lookupname.c >+++ b/source3/winbindd/winbindd_lookupname.c >@@ -35,7 +35,8 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx, > { > struct tevent_req *req, *subreq; > struct winbindd_lookupname_state *state; >- char *domname, *name, *p; >+ const char *domname = NULL, *name = NULL; >+ char *p = NULL; > > req = tevent_req_create(mem_ctx, &state, > struct winbindd_lookupname_state); 
>@@ -49,17 +50,25 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx, > sizeof(request->data.name.dom_name)-1]='\0'; > request->data.name.name[sizeof(request->data.name.name)-1]='\0'; > >- /* cope with the name being a fully qualified name */ >- p = strstr(request->data.name.name, lp_winbind_separator()); >- if (p) { >- *p = 0; >- domname = request->data.name.name; >- name = p+1; >- } else if ((p = strchr(request->data.name.name, '@')) != NULL) { >- /* upn */ >- domname = p + 1; >- *p = 0; >- name = request->data.name.name; >+ if (strlen(request->data.name.dom_name) == 0) { >+ /* cope with the name being a fully qualified name */ >+ p = strstr(request->data.name.name, lp_winbind_separator()); >+ if (p != NULL) { >+ *p = '\0'; >+ domname = request->data.name.name; >+ name = p + 1; >+ } else { >+ p = strchr(request->data.name.name, '@'); >+ if (p != NULL) { >+ /* upn */ >+ domname = p + 1; >+ *p = '\0'; >+ name = request->data.name.name; >+ } else { >+ domname = ""; >+ name = request->data.name.name; >+ } >+ } > } else { > domname = request->data.name.dom_name; > name = request->data.name.name; >-- >1.8.3.1 >
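Review bot: in [PATCH 1/5], test_backup_privilege_list(), the rewritten check `printf '%s' "$USER_TMP" | grep '\\' 2>&1` still writes any matching line into the test output, because `2>&1` only merges stderr into stdout. Only `$?` is consumed afterwards, so `grep -q '\\'` or a redirect to /dev/null would keep the log clean. The two priv_username assignments are now quoted, but the context line `$NET sam rights grant $priv_username SeBackupPrivilege` still expands the variable unquoted; quoting it there would make the handling consistent.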
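Review bot: in [PATCH 2/5], third hunk of test_wbc_users(), `*c = '\0'` truncates users[i] in place, so on an AD DC the failure message `"wbcLookupName of %s failed", users[i]` now reports only the domain part instead of the user that failed. Passing `user` to the message, or splitting into a copy rather than writing into users[i], would keep the diagnostic useful. Any later use of users[i] in the same loop iteration sees the truncated string as well and should be checked.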
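Review bot: in [PATCH 3/5], third hunk of test_wbc_groups(), the separator-splitting block is a line-for-line copy of the one added to test_wbc_users() in [PATCH 2/5], differing only in the variable names. A small shared helper that takes the list entry, the separator and domain_name and returns the unqualified name would remove the duplication and keep the two tests from drifting apart. There is also a stray second blank line after `const char *dom;`, and, as in the users test, `*c = '\0'` modifies groups[i] in place, so anything that uses groups[i] later in the iteration gets only the domain part.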
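Review bot: in [PATCH 4/5], nsswitch/tests/test_wbinfo_name_lookup.sh, the usage text reads `Usage: test_wbinfo.sh DOMAIN DC_USERNAME`, which names a different script; it should say test_wbinfo_name_lookup.sh. The four queries hard-code `/` as the winbind separator (`$DOMAIN/$DC_USERNAME`, `INVALID//$DC_USERNAME`), so a short comment stating that the test depends on the selftest separator would help the next reader. The arguments to `$wbinfo -n` and the `dirname $0` expansion are unquoted, which is worth fixing while the file is new.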
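Review bot: in [PATCH 4/5], selftest/knownfail hunk, the two added entries start with `samba3.wbinfo_name_lookup...` while the context lines directly above them start with `^`. Adding the leading `^` would match the surrounding entries and stop the patterns from matching in the middle of a longer test name.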
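Review bot: in [PATCH 5/5], second hunk of winbindd_lookupname_send(), the final `} else {` branch carries no comment, yet it holds the behaviour change: when dom_name is non-empty, a name containing the winbind separator or `@` is now passed through unsplit and looked up in the requested domain. A one-line comment there, mirroring the existing `/* cope with the name being a fully qualified name */` on the first branch, would record that this is intentional. As a minor style point, `strlen(request->data.name.dom_name) == 0` can be written as a test of `dom_name[0] == '\0'`, since the buffer was NUL-terminated just above.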
Flags: asn: review+