From 0e8e9711b6f3784d8883d76cef715c3ceccbc6d6 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 16 Mar 2018 13:52:14 -0700 Subject: [PATCH 1/5] test_smbclient_s3.sh: Use correct separator in "list with backup privilege" test Samba selftest uses the forward slash as winbind separator and in the USERNAME passed to the test. "net sam rights" expect the backslash. Map the separator used in selftest to a backslash to avoid creating an incorrect username DOMAIN\DOMAIN/USERNAME. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 6f07afad07d9c670a00d9d314a8134efdda5e424) --- source3/script/tests/test_smbclient_s3.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index 8017d19..e48ad30 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -643,13 +643,17 @@ test_backup_privilege_list() { tmpfile=$PREFIX/smbclient_backup_privilege_list + # selftest uses the forward slash as a separator, but "net sam rights + # grant" requires the backslash separator + USER_TMP=$(printf '%s' "$USERNAME" | tr '/' '\\') + # If we don't have a DOMAIN component to the username, add it. - echo "$USERNAME" | grep '\\' 2>&1 + printf '%s' "$USER_TMP" | grep '\\' 2>&1 ret=$? if [ $ret != 0 ] ; then - priv_username="$DOMAIN\\$USERNAME" + priv_username="$DOMAIN\\$USER_TMP" else - priv_username=$USERNAME + priv_username="$USER_TMP" fi $NET sam rights grant $priv_username SeBackupPrivilege 2>&1 -- 1.8.3.1 From ecb663b47c1330156ec1334baac96cf17e25e3f4 Mon Sep 17 00:00:00 2001 
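Review bot: `USER_TMP` breaks the naming convention this function already follows, where upper-case names are the environment inputs (`USERNAME`, `DOMAIN`, `PREFIX`, `NET`) and function-local values are lower-case (`tmpfile`, `priv_username`); a lower-case name such as `priv_user` would mark it as a derived local, e.g. `priv_user=$(printf '%s' "$USERNAME" | tr '/' '\\')`. The separator check on the next changed line only uses grep's exit status, so `printf '%s' "$priv_user" | grep -q '\\'` states that intent and keeps the matched line out of stdout; the `2>&1` on that line predates this patch. The `tr '/' '\\'` mapping assumes the selftest separator is always `/`, which is what the commit message states, so a one-line comment saying the mapping is selftest-specific would help anyone running this script against a differently configured winbind.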
From: Christof Schmitt Date: Fri, 30 Mar 2018 14:28:46 -0700 Subject: [PATCH 2/5] nsswitch: Fix wbcListUsers test With an AD DC, wbcListUsers returns the users in the DOMAIN SEPARATOR USERNAME format. The test then calls wbcLookupName with the domain name and the previous string (including domain and separator) as username. Fix this by passing the correct username and adding some additional checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 3c146be404affc894c0c702bbfbfcc4fb9ed902b) --- nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c index e80afc4..8c532bb 100644 --- a/nsswitch/libwbclient/tests/wbclient.c +++ b/nsswitch/libwbclient/tests/wbclient.c @@ -296,6 +296,7 @@ static bool test_wbc_users(struct torture_context *tctx) char *name = NULL; char *sid_string = NULL; wbcErr ret = false; + char separator; torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details), "%s", "wbcInterfaceDetails failed"); @@ -306,6 +307,7 @@ static bool test_wbc_users(struct torture_context *tctx) ret, fail, "Failed to allocate domain_name"); + separator = details->winbind_separator; wbcFreeMemory(details); details = NULL; 
@@ -323,9 +325,38 @@ static bool test_wbc_users(struct torture_context *tctx) struct wbcDomainSid sid; enum wbcSidType name_type; uint32_t num_sids; + const char *user; + char *c; + + c = strchr(users[i], separator); + + if (c == NULL) { + /* + * NT4 DC + * user name does not contain DOMAIN SEPARATOR prefix. + */ + + user = users[i]; + } else { + /* + * AD DC + * user name starts with DOMAIN SEPARATOR prefix. + */ + const char *dom; + + *c = '\0'; + dom = users[i]; + user = c + 1; + + torture_assert_str_equal_goto(tctx, dom, domain_name, + ret, fail, "Domain part " + "of user name does not " + "match domain name.\n"); + } torture_assert_wbc_ok_goto_fail(tctx, - wbcLookupName(domain_name, users[i], &sid, &name_type), + wbcLookupName(domain_name, user, + &sid, &name_type), "wbcLookupName of %s failed", users[i]); torture_assert_int_equal_goto(tctx, -- 1.8.3.1 From 53b47101bdbf8a6b806bc51b1f554599701ea677 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 30 Mar 2018 14:35:03 -0700 Subject: [PATCH 3/5] nsswitch: Fix wbcListGroups test With an AD DC, wbcListGroups returns the users in the DOMAIN SEPARATOR GROUPNAME format. The test then calls wbcLookupName with the domain name and the previous string (including domain and separator) as username. Fix this by passing the correct username and adding some additional checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit f4db4e86c341a89357082e81e30c302440647530) --- nsswitch/libwbclient/tests/wbclient.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c index 8c532bb..d107942 100644 --- a/nsswitch/libwbclient/tests/wbclient.c +++ b/nsswitch/libwbclient/tests/wbclient.c 
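Review bot: The assert message at the end of the hunk still prints `users[i]` after `*c = '\0'` has cut the string at the separator, so on an AD DC a wbcLookupName failure is reported as "wbcLookupName of DOMAIN failed" with the user part lost; print the split-off name instead: `"wbcLookupName of %s failed", user);`. The groups hunk in the following patch (`@@ -456,10 +458,39 @@`) truncates `groups[i]` the same way before its "wbcLookupName for %s failed" message, whose argument is outside that hunk; if it is `groups[i]` it has the same problem. Because the separator is overwritten inside the buffer returned by wbcListUsers, any later use of `users[i]` in this loop, which continues past the hunk, also sees only the domain part; that deserves a comment at the truncation, e.g. `/* split in place: users[i] now holds only the domain part */`.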
@@ -430,6 +430,7 @@ static bool test_wbc_groups(struct torture_context *tctx) char *domain = NULL; char *name = NULL; char *sid_string = NULL; + char separator; torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details), "%s", "wbcInterfaceDetails failed"); @@ -440,6 +441,7 @@ static bool test_wbc_groups(struct torture_context *tctx) ret, fail, "Failed to allocate domain_name"); + separator = details->winbind_separator; wbcFreeMemory(details); details = NULL; @@ -456,10 +458,39 @@ static bool test_wbc_groups(struct torture_context *tctx) for (i=0; i < MIN(num_groups,100); i++) { struct wbcDomainSid sid; enum wbcSidType name_type; + const char *group; + char *c; + + c = strchr(groups[i], separator); + + if (c == NULL) { + /* + * NT4 DC + * group name does not contain DOMAIN SEPARATOR prefix. + */ + + group = groups[i]; + } else { + /* + * AD DC + * group name starts with DOMAIN SEPARATOR prefix. + */ + const char *dom; + + + *c = '\0'; + dom = groups[i]; + group = c + 1; + + torture_assert_str_equal_goto(tctx, dom, domain_name, + ret, fail, "Domain part " + "of group name does not " + "match domain name.\n"); + } torture_assert_wbc_ok_goto_fail(tctx, wbcLookupName(domain_name, - groups[i], + group, &sid, &name_type), "wbcLookupName for %s failed", -- 1.8.3.1 From 515418c469e10bd270cc0fa1b3f1d53089f53e87 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Wed, 28 Feb 2018 13:10:43 -0700 Subject: [PATCH 4/5] Add test for wbinfo name lookup This demonstrates that wbinfo -n / --name-to-sid returns information instead of failing the request. More specifically the query for INVALIDDOMAIN//user returns the user SID for the joined domain, instead of failing the request. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 
Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 552a00ec1f6795b9025298931a6cc50ebe552052) --- nsswitch/tests/test_wbinfo_name_lookup.sh | 40 +++++++++++++++++++++++++++++++ selftest/knownfail | 2 ++ source3/selftest/tests.py | 4 ++++ 3 files changed, 46 insertions(+) create mode 100755 nsswitch/tests/test_wbinfo_name_lookup.sh diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh new file mode 100755 index 0000000..696e25b --- /dev/null +++ b/nsswitch/tests/test_wbinfo_name_lookup.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# Blackbox test for wbinfo name lookup +if [ $# -lt 2 ]; then +cat < Date: Wed, 28 Feb 2018 12:05:34 -0700 Subject: [PATCH 5/5] winbindd: Do not ignore domain in the LOOKUPNAME request A LOOKUPNAME request with a domain and a name containing a winbind separator character would return the result for the joined domain, instead of the specified domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144 (cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429) --- selftest/knownfail | 2 -- source3/winbindd/winbindd_lookupname.c | 33 +++++++++++++++++++++------------ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index 06d4cd6..710fd33 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
@@ -343,5 +343,3 @@
 # Disabling NTLM means you can't use samr to change the password
 ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-samba3.wbinfo_name_lookup.name-to-sid.double-separator\(ad_member\)
-samba3.wbinfo_name_lookup.name-to-sid.double-separator-invalid-domain\(ad_member\)
diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
index 1be29fd..b022691 100644
--- a/source3/winbindd/winbindd_lookupname.c
+++ b/source3/winbindd/winbindd_lookupname.c
@@ -35,7 +35,8 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
 {
 	struct tevent_req *req, *subreq;
 	struct winbindd_lookupname_state *state;
-	char *domname, *name, *p;
+	const char *domname = NULL, *name = NULL;
+	char *p = NULL;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_lookupname_state);
@@ -49,17 +50,25 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
 		sizeof(request->data.name.dom_name)-1]='\0';
 	request->data.name.name[sizeof(request->data.name.name)-1]='\0';
 
-	/* cope with the name being a fully qualified name */
-	p = strstr(request->data.name.name, lp_winbind_separator());
-	if (p) {
-		*p = 0;
-		domname = request->data.name.name;
-		name = p+1;
-	} else if ((p = strchr(request->data.name.name, '@')) != NULL) {
-		/* upn */
-		domname = p + 1;
-		*p = 0;
-		name = request->data.name.name;
+	if (strlen(request->data.name.dom_name) == 0) {
+		/* cope with the name being a fully qualified name */
+		p = strstr(request->data.name.name, lp_winbind_separator());
+		if (p != NULL) {
+			*p = '\0';
+			domname = request->data.name.name;
+			name = p + 1;
+		} else {
+			p = strchr(request->data.name.name, '@');
+			if (p != NULL) {
+				/* upn */
+				domname = p + 1;
+				*p = '\0';
+				name = request->data.name.name;
+			} else {
+				domname = "";
+				name = request->data.name.name;
+			}
+		}
 	} else {
 		domname = request->data.name.dom_name;
 		name = request->data.name.name;
-- 1.8.3.1
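Review bot: The reason the split of `name` is now gated on `dom_name` being empty lives only in the commit message; a reader of this block sees the old comment moved one level down and nothing explaining why an explicit domain must win over a separator found inside `name`. I would put the rationale above the new `if`: `/* Only parse DOMAIN<sep>name or user@domain out of name when the caller gave no dom_name; an explicit dom_name must not be overridden by a separator inside name. */`. The `domname = ""` fallback is also new and worth a word, since an empty domain was previously reached only through the `else` branch via an empty `dom_name` (same value, different path). `domname` and `name` are now `const char *`, so any write through them in the rest of winbindd_lookupname_send, which continues outside this hunk, would need adjusting; I cannot see that part from here.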