Attachment 14110 Details for Bug 13312 – patches for 4.7

[patch] patches for 4.7

patches-for-4.7 (text/plain), 13.51 KB, created by Christof Schmitt on 2018-04-06 21:57:16 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Christof Schmitt

Created: 2018-04-06 21:57:16 UTC

Size: 13.51 KB

patch

obsolete

>From 24c16426562db75ad689ee75aeccf43fcf149198 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Fri, 16 Mar 2018 13:52:14 -0700
>Subject: [PATCH 1/5] test_smbclient_s3.sh: Use correct separator in "list with
> backup privilege" test
>
>Samba selftest uses the forward slash as winbind separator and in the
>USERNAME passed to the test. "net sam rights" expect the backslash. Map
>the separator used in selftest to a backslash to avoid creating an
>incorrect username DOMAIN\DOMAIN/USERNAME.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 6f07afad07d9c670a00d9d314a8134efdda5e424)
>---
> source3/script/tests/test_smbclient_s3.sh | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
>diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
>index 905da58..05fcf69 100755
>--- a/source3/script/tests/test_smbclient_s3.sh
>+++ b/source3/script/tests/test_smbclient_s3.sh
>@@ -643,13 +643,17 @@ test_backup_privilege_list()
> {
>     tmpfile=$PREFIX/smbclient_backup_privilege_list
> 
>+    # selftest uses the forward slash as a separator, but "net sam rights
>+    # grant" requires the backslash separator
>+    USER_TMP=$(printf '%s' "$USERNAME" | tr '/' '\\')
>+
>     # If we don't have a DOMAIN component to the username, add it.
>-    echo "$USERNAME" | grep '\\' 2>&1
>+    printf '%s' "$USER_TMP" | grep '\\' 2>&1
>     ret=$?
>     if [ $ret != 0 ] ; then
>-	priv_username="$DOMAIN\\$USERNAME"
>+	priv_username="$DOMAIN\\$USER_TMP"
>     else
>-	priv_username=$USERNAME
>+	priv_username="$USER_TMP"
>     fi
> 
>     $NET sam rights grant $priv_username SeBackupPrivilege 2>&1
>-- 
>1.8.3.1
>
>
>From e16ae54b2966cab52e3a74a2f74c97f2d2b957f7 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Fri, 30 Mar 2018 14:28:46 -0700
>Subject: [PATCH 2/5] nsswitch: Fix wbcListUsers test
>
>With an AD DC, wbcListUsers returns the users in the DOMAIN SEPARATOR
>USERNAME format.  The test then calls wbcLookupName with the domain name
>and the previous string (including domain and separator) as username.
>Fix this by passing the correct username and adding some additional
>checks.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 3c146be404affc894c0c702bbfbfcc4fb9ed902b)
>---
> nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++-
> 1 file changed, 32 insertions(+), 1 deletion(-)
>
>diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c
>index e80afc4..8c532bb 100644
>--- a/nsswitch/libwbclient/tests/wbclient.c
>+++ b/nsswitch/libwbclient/tests/wbclient.c
>@@ -296,6 +296,7 @@ static bool test_wbc_users(struct torture_context *tctx)
> 	char *name = NULL;
> 	char *sid_string = NULL;
> 	wbcErr ret = false;
>+	char separator;
> 
> 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
> 		"%s", "wbcInterfaceDetails failed");
>@@ -306,6 +307,7 @@ static bool test_wbc_users(struct torture_context *tctx)
> 			    ret,
> 			    fail,
> 			    "Failed to allocate domain_name");
>+	separator = details->winbind_separator;
> 	wbcFreeMemory(details);
> 	details = NULL;
> 
>@@ -323,9 +325,38 @@ static bool test_wbc_users(struct torture_context *tctx)
> 		struct wbcDomainSid sid;
> 		enum wbcSidType name_type;
> 		uint32_t num_sids;
>+		const char *user;
>+		char *c;
>+
>+		c = strchr(users[i], separator);
>+
>+		if (c == NULL) {
>+			/*
>+			 * NT4 DC
>+			 * user name does not contain DOMAIN SEPARATOR prefix.
>+			 */
>+
>+			user = users[i];
>+		} else {
>+			/*
>+			 * AD DC
>+			 * user name starts with DOMAIN SEPARATOR prefix.
>+			 */
>+			const char *dom;
>+
>+			*c = '\0';
>+			dom = users[i];
>+			user = c + 1;
>+
>+			torture_assert_str_equal_goto(tctx, dom, domain_name,
>+						      ret, fail, "Domain part "
>+						      "of user name does not "
>+						      "match domain name.\n");
>+		}
> 
> 		torture_assert_wbc_ok_goto_fail(tctx,
>-						wbcLookupName(domain_name, users[i], &sid, &name_type),
>+						wbcLookupName(domain_name, user,
>+							      &sid, &name_type),
> 						"wbcLookupName of %s failed",
> 						users[i]);
> 		torture_assert_int_equal_goto(tctx,
>-- 
>1.8.3.1
>
>
>From 284a2a63effb4d28ed0b0013eb3d71b933655e96 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Fri, 30 Mar 2018 14:35:03 -0700
>Subject: [PATCH 3/5] nsswitch: Fix wbcListGroups test
>
>With an AD DC, wbcListGroups returns the users in the DOMAIN SEPARATOR
>GROUPNAME format.  The test then calls wbcLookupName with the domain
>name and the previous string (including domain and separator) as
>username. Fix this by passing the correct username and adding some
>additional checks.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit f4db4e86c341a89357082e81e30c302440647530)
>---
> nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++-
> 1 file changed, 32 insertions(+), 1 deletion(-)
>
>diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c
>index 8c532bb..d107942 100644
>--- a/nsswitch/libwbclient/tests/wbclient.c
>+++ b/nsswitch/libwbclient/tests/wbclient.c
>@@ -430,6 +430,7 @@ static bool test_wbc_groups(struct torture_context *tctx)
> 	char *domain = NULL;
> 	char *name = NULL;
> 	char *sid_string = NULL;
>+	char separator;
> 
> 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
> 			      "%s", "wbcInterfaceDetails failed");
>@@ -440,6 +441,7 @@ static bool test_wbc_groups(struct torture_context *tctx)
> 			    ret,
> 			    fail,
> 			    "Failed to allocate domain_name");
>+	separator = details->winbind_separator;
> 	wbcFreeMemory(details);
> 	details = NULL;
> 
>@@ -456,10 +458,39 @@ static bool test_wbc_groups(struct torture_context *tctx)
> 	for (i=0; i < MIN(num_groups,100); i++) {
> 		struct wbcDomainSid sid;
> 		enum wbcSidType name_type;
>+		const char *group;
>+		char *c;
>+
>+		c = strchr(groups[i], separator);
>+
>+		if (c == NULL) {
>+			/*
>+			 * NT4 DC
>+			 * group name does not contain DOMAIN SEPARATOR prefix.
>+			 */
>+
>+			group = groups[i];
>+		} else {
>+			/*
>+			 * AD DC
>+			 * group name starts with DOMAIN SEPARATOR prefix.
>+			 */
>+			const char *dom;
>+
>+
>+			*c = '\0';
>+			dom = groups[i];
>+			group = c + 1;
>+
>+			torture_assert_str_equal_goto(tctx, dom, domain_name,
>+						      ret, fail, "Domain part "
>+						      "of group name does not "
>+						      "match domain name.\n");
>+		}
> 
> 		torture_assert_wbc_ok_goto_fail(tctx,
> 						wbcLookupName(domain_name,
>-							      groups[i],
>+							      group,
> 							      &sid,
> 							      &name_type),
> 						"wbcLookupName for %s failed",
>-- 
>1.8.3.1
>
>
>From f17fcc98ac9be15a88f5dfb1e991c257f94315b7 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Wed, 28 Feb 2018 13:10:43 -0700
>Subject: [PATCH 4/5] Add test for wbinfo name lookup
>
>This demonstrates that wbinfo -n / --name-to-sid returns information
>instead of failing the request. More specifically the query for
>INVALIDDOMAIN//user returns the user SID for the joined domain, instead
>of failing the request.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 552a00ec1f6795b9025298931a6cc50ebe552052)
>---
> nsswitch/tests/test_wbinfo_name_lookup.sh | 40 +++++++++++++++++++++++++++++++
> selftest/knownfail                        |  2 ++
> source3/selftest/tests.py                 |  4 ++++
> 3 files changed, 46 insertions(+)
> create mode 100755 nsswitch/tests/test_wbinfo_name_lookup.sh
>
>diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
>new file mode 100755
>index 0000000..696e25b
>--- /dev/null
>+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
>@@ -0,0 +1,40 @@
>+#!/bin/sh
>+# Blackbox test for wbinfo name lookup
>+if [ $# -lt 2 ]; then
>+cat <<EOF
>+Usage: test_wbinfo.sh DOMAIN DC_USERNAME
>+EOF
>+exit 1;
>+fi
>+
>+DOMAIN=$1
>+DC_USERNAME=$2
>+shift 2
>+
>+failed=0
>+sambabindir="$BINDIR"
>+wbinfo="$VALGRIND $sambabindir/wbinfo"
>+
>+. `dirname $0`/../../testprogs/blackbox/subunit.sh
>+
>+# Correct query is expected to work
>+testit "name-to-sid.single-separator" \
>+       $wbinfo -n $DOMAIN/$DC_USERNAME || \
>+	failed=$(expr $failed + 1)
>+
>+# Two separator characters should fail
>+testit_expect_failure "name-to-sid.double-separator" \
>+		      $wbinfo -n $DOMAIN//$DC_USERNAME || \
>+	failed=$(expr $failed + 1)
>+
>+# Invalid domain is expected to fail
>+testit_expect_failure "name-to-sid.invalid-domain" \
>+		      $wbinfo -n INVALID/$DC_USERNAME || \
>+	failed=$(expr $failed + 1)
>+
>+# Invalid domain with two separator characters is expected to fail
>+testit_expect_failure "name-to-sid.double-separator-invalid-domain" \
>+		      $wbinfo -n INVALID//$DC_USERNAME || \
>+	failed=$(expr $failed + 1)
>+
>+exit $failed
>diff --git a/selftest/knownfail b/selftest/knownfail
>index dd23c7d..6abbf3a 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -345,3 +345,5 @@
> ^samba.tests.ntlmauth.python$ktest$.ntlmauth.NtlmAuthTests.test_ntlm_connection$ktest$
> # Disabling NTLM means you can't use samr to change the password
> ^samba.tests.ntlmauth.python$ktest$.ntlmauth.NtlmAuthTests.test_samr_change_password$ktest$
>+samba3.wbinfo_name_lookup.name-to-sid.double-separator$ad_member$
>+samba3.wbinfo_name_lookup.name-to-sid.double-separator-invalid-domain$ad_member$
>diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
>index 1520990..593ac1d 100755
>--- a/source3/selftest/tests.py
>+++ b/source3/selftest/tests.py
>@@ -198,6 +198,10 @@ for env in ["nt4_member", "ad_member"]:
> env = "ad_member"
> t = "--krb5auth=$DOMAIN/$DC_USERNAME%$DC_PASSWORD"
> plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_simple.sh"), t])
>+plantestsuite("samba3.wbinfo_name_lookup", env,
>+              [ os.path.join(srcdir(),
>+                            "nsswitch/tests/test_wbinfo_name_lookup.sh"),
>+                '$DOMAIN', '$DC_USERNAME' ])
> t = "WBCLIENT-MULTI-PING"
> plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
> plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
>-- 
>1.8.3.1
>
>
>From b2c613956771284a1892c2dee83f28f8c103c466 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Wed, 28 Feb 2018 12:05:34 -0700
>Subject: [PATCH 5/5] winbindd: Do not ignore domain in the LOOKUPNAME request
>
>A LOOKUPNAME request with a domain and a name containing a winbind
>separator character would return the result for the joined domain,
>instead of the specified domain.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Fri Apr  6 21:03:31 CEST 2018 on sn-devel-144
>
>(cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429)
>---
> selftest/knownfail                     |  2 --
> source3/winbindd/winbindd_lookupname.c | 33 +++++++++++++++++++++------------
> 2 files changed, 21 insertions(+), 14 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index 6abbf3a..dd23c7d 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -345,5 +345,3 @@
> ^samba.tests.ntlmauth.python$ktest$.ntlmauth.NtlmAuthTests.test_ntlm_connection$ktest$
> # Disabling NTLM means you can't use samr to change the password
> ^samba.tests.ntlmauth.python$ktest$.ntlmauth.NtlmAuthTests.test_samr_change_password$ktest$
>-samba3.wbinfo_name_lookup.name-to-sid.double-separator$ad_member$
>-samba3.wbinfo_name_lookup.name-to-sid.double-separator-invalid-domain$ad_member$
>diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
>index 1be29fd..b022691 100644
>--- a/source3/winbindd/winbindd_lookupname.c
>+++ b/source3/winbindd/winbindd_lookupname.c
>@@ -35,7 +35,8 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
> {
> 	struct tevent_req *req, *subreq;
> 	struct winbindd_lookupname_state *state;
>-	char *domname, *name, *p;
>+	const char *domname = NULL, *name = NULL;
>+	char *p = NULL;
> 
> 	req = tevent_req_create(mem_ctx, &state,
> 				struct winbindd_lookupname_state);
>@@ -49,17 +50,25 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
> 		sizeof(request->data.name.dom_name)-1]='\0';
> 	request->data.name.name[sizeof(request->data.name.name)-1]='\0';
> 
>-	/* cope with the name being a fully qualified name */
>-	p = strstr(request->data.name.name, lp_winbind_separator());
>-	if (p) {
>-		*p = 0;
>-		domname = request->data.name.name;
>-		name = p+1;
>-	} else if ((p = strchr(request->data.name.name, '@')) != NULL) {
>-		/* upn */
>-		domname = p + 1;
>-		*p = 0;
>-		name = request->data.name.name;
>+	if (strlen(request->data.name.dom_name) == 0) {
>+		/* cope with the name being a fully qualified name */
>+		p = strstr(request->data.name.name, lp_winbind_separator());
>+		if (p != NULL) {
>+			*p = '\0';
>+			domname = request->data.name.name;
>+			name = p + 1;
>+		} else {
>+			p = strchr(request->data.name.name, '@');
>+			if (p != NULL) {
>+				/* upn */
>+				domname = p + 1;
>+				*p = '\0';
>+				name = request->data.name.name;
>+			} else {
>+				domname = "";
>+				name = request->data.name.name;
>+			}
>+		}
> 	} else {
> 		domname = request->data.name.dom_name;
> 		name = request->data.name.name;
>-- 
>1.8.3.1
>

Flags:

asn: review+

Actions: View

Attachments on bug 13312: 14110 | 14111