From 4f4c976e9b169176ef1ec353504be0ae97e274d8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 May 2018 16:20:30 +0200
Subject: [PATCH 01/10] selftest: Make sure we have correct group mappings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9bc2b922bbc6539341a2056f33f117ac350e61f1)
---
 selftest/target/Samba3.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1f80f86945b..52c7d3e07cc 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2425,6 +2425,9 @@ sub wait_for_start($$$$$)
 	$netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
 	$netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} ";
 
+	$cmd = $netcmd . "groupmap delete ntgroup=domusers";
+	$ret = system($cmd);
+
 	$cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain";
 	$ret = system($cmd);
 	if ($ret != 0) {
@@ -2432,6 +2435,9 @@ sub wait_for_start($$$$$)
 		return 1;
 	}
 
+	$cmd = $netcmd . "groupmap delete ntgroup=domadmins";
+	$ret = system($cmd);
+
 	$cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain";
 	$ret = system($cmd);
 	if ($ret != 0) {
@@ -2439,6 +2445,9 @@ sub wait_for_start($$$$$)
 		return 1;
 	}
 
+	$cmd = $netcmd . "groupmap delete ntgroup=everyone";
+	$ret = system($cmd);
+
 	$cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin";
 	$ret = system($cmd);
 	if ($ret != 0) {
-- 
2.16.3


From 85a6b507805162d12ad4c09e044cee4aa890141a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 20 Apr 2018 11:24:30 +0200
Subject: [PATCH 02/10] nsswitch: Add a test looking up the user using the upn

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0d2f743d826b87b369e25fc6bb9ff61f2b0896aa)
---
 nsswitch/tests/test_wbinfo_name_lookup.sh | 9 +++++++--
 source3/selftest/tests.py                 | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
index 696e25b3a2a..a8fd5ec4d99 100755
--- a/nsswitch/tests/test_wbinfo_name_lookup.sh
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -8,8 +8,9 @@ exit 1;
 fi
 
 DOMAIN=$1
-DC_USERNAME=$2
-shift 2
+REALM=$2
+DC_USERNAME=$3
+shift 3
 
 failed=0
 sambabindir="$BINDIR"
@@ -22,6 +23,10 @@ testit "name-to-sid.single-separator" \
        $wbinfo -n $DOMAIN/$DC_USERNAME || \
 	failed=$(expr $failed + 1)
 
+testit "name-to-sid.upn" \
+       $wbinfo -n $DC_USERNAME@$REALM || \
+	failed=$(expr $failed + 1)
+
 # Two separator characters should fail
 testit_expect_failure "name-to-sid.double-separator" \
 		      $wbinfo -n $DOMAIN//$DC_USERNAME || \
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 172d3300463..a5acab2792a 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -210,7 +210,7 @@ plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env,
 plantestsuite("samba3.wbinfo_name_lookup", env,
               [ os.path.join(srcdir(),
                             "nsswitch/tests/test_wbinfo_name_lookup.sh"),
-                '$DOMAIN', '$DC_USERNAME' ])
+                '$DOMAIN', '$REALM', '$DC_USERNAME' ])
 t = "WBCLIENT-MULTI-PING"
 plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
 plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
-- 
2.16.3


From 66c3f73186acabc8d463a18044bc8ce53bda4ddc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 May 2018 12:43:05 +0200
Subject: [PATCH 03/10] nsswitch: Add a test looking up domain sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0aceca6a94e868f9c01a66f79624ca10d80560ab)
---
 nsswitch/tests/test_wbinfo_name_lookup.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
index a8fd5ec4d99..c1d39c1a602 100755
--- a/nsswitch/tests/test_wbinfo_name_lookup.sh
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -23,6 +23,10 @@ testit "name-to-sid.single-separator" \
        $wbinfo -n $DOMAIN/$DC_USERNAME || \
 	failed=$(expr $failed + 1)
 
+testit "name-to-sid.at_domain" \
+       $wbinfo -n $DOMAIN/ || \
+	failed=$(expr $failed + 1)
+
 testit "name-to-sid.upn" \
        $wbinfo -n $DC_USERNAME@$REALM || \
 	failed=$(expr $failed + 1)
-- 
2.16.3


From c3c3c9f38f6a7db853d98a32b9b10e5add88c63d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 May 2018 13:23:42 +0200
Subject: [PATCH 04/10] nsswitch: Lookup the domain in tests with the wb
 seperator

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4fa811ec7bc301e96f5e40ba281e8d4e8709b94f)
---
 nsswitch/tests/test_idmap_ad.sh  | 2 +-
 nsswitch/tests/test_idmap_nss.sh | 4 ++--
 nsswitch/tests/test_idmap_rid.sh | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 2f4ee3293b2..7450ae06059 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -20,7 +20,7 @@ failed=0
 
 . `dirname $0`/../../testprogs/blackbox/subunit.sh
 
-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
 if [ $? -ne 0 ] ; then
     echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad"
     exit 1
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
index 5072a0df72c..1bbc177774d 100755
--- a/nsswitch/tests/test_idmap_nss.sh
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -13,8 +13,8 @@ failed=0
 
 . `dirname $0`/../../testprogs/blackbox/subunit.sh
 
-testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1
-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
 echo "Domain $DOMAIN has SID $DOMAIN_SID"
 
 # Find an unused uid and SID
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
index 7fb59852cf5..8209a50a4fc 100755
--- a/nsswitch/tests/test_idmap_rid.sh
+++ b/nsswitch/tests/test_idmap_rid.sh
@@ -16,7 +16,7 @@ failed=0
 
 . `dirname $0`/../../testprogs/blackbox/subunit.sh
 
-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")
 if [ $? -ne 0 ] ; then
     echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid"
     exit 1
-- 
2.16.3


From 8cd657265b2789aea38dae09c5580d93575553d0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 20 Apr 2018 09:38:24 +0200
Subject: [PATCH 05/10] selftest: Add a user with a different userPrincipalName

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5319cae00096dcecc29aa9fa675a983352ad64d8)
---
 selftest/target/Samba4.pm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c161ee082a0..d6d67f5a5ab 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -847,7 +847,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
 	}
 
 	# Create to users alice and bob!
-	my $user_account_array = ["alice", "bob"];
+	my $user_account_array = ["alice", "bob", "jane"];
 
 	foreach my $user_account (@{$user_account_array}) {
 		my $samba_tool_cmd = "";
@@ -862,6 +862,23 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
 		}
 	}
 
+	my $ldbmodify = "";
+	$ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+	$ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+	$ldbmodify .= Samba::bindir_path($self, "ldbmodify");
+
+	my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+	my $user_dn = "cn=jane,cn=users,$base_dn";
+
+	open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+	print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: jane.doe\@$ctx->{realm}
+-
+";
+	close(LDIF);
+
 	return $ret;
 }
 
-- 
2.16.3


From c643fe5d2664dbac75600f5838ec53145bd9f98a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 20 Apr 2018 11:20:44 +0200
Subject: [PATCH 06/10] nsswitch:tests: Add test for wbinfo --user-info

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2715f52f54e66a73131a92d752a8c2447da1fd33)
---
 nsswitch/tests/test_wbinfo_user_info.sh | 83 +++++++++++++++++++++++++++++++++
 selftest/knownfail.d/upn_handling       | 11 +++++
 source3/selftest/tests.py               | 14 ++++++
 3 files changed, 108 insertions(+)
 create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh
 create mode 100644 selftest/knownfail.d/upn_handling

diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
new file mode 100755
index 00000000000..2803ac1408b
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -0,0 +1,83 @@
+#!/bin/sh
+# Blackbox test for wbinfo lookup for account name and upn
+# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+EOF
+exit 1;
+fi
+
+DOMAIN=$1
+REALM=$2
+USERNAME1=$3
+UPN_NAME1=$4
+USERNAME2=$5
+UPN_NAME2=$6
+shift 6
+
+failed=0
+
+samba_bindir="$BINDIR"
+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo"
+
+UPN1="$UPN_NAME1@$REALM"
+UPN2="$UPN_NAME2@$REALM"
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+test_user_info()
+{
+	local cmd out ret user domain upn userinfo
+
+	domain="$1"
+	user="$2"
+	upn="$3"
+
+	if [ $# -lt 3 ]; then
+		userinfo="$domain/$user"
+	else
+		userinfo="$upn"
+	fi
+
+	cmd='$wbinfo_tool --user-info $userinfo'
+	eval echo "$cmd"
+	out=$(eval $cmd)
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		echo "failed to lookup $userinfo"
+		echo "$out"
+		return 1
+	fi
+
+	echo "$out" | grep "$domain/$user:.*:.*:.*::/home/$domain/Domain Users/$user"
+	ret=$?
+	if [ $ret != 0 ]; then
+		echo "failed to lookup $userinfo"
+		echo "$out"
+		return 1
+	fi
+
+	return 0
+}
+
+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1)
+
+testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
+
+USERNAME3="testdenied"
+UPN_NAME3="testdenied_upn"
+UPN3="$UPN_NAME3@${REALM}.upn"
+testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
new file mode 100644
index 00000000000..308c2948e8d
--- /dev/null
+++ b/selftest/knownfail.d/upn_handling
@@ -0,0 +1,11 @@
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.ad_member
+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index a5acab2792a..ac21284b88b 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -211,6 +211,20 @@ plantestsuite("samba3.wbinfo_name_lookup", env,
               [ os.path.join(srcdir(),
                             "nsswitch/tests/test_wbinfo_name_lookup.sh"),
                 '$DOMAIN', '$REALM', '$DC_USERNAME' ])
+
+env = "ad_member:local"
+plantestsuite("samba3.wbinfo_user_info", env,
+              [ os.path.join(srcdir(),
+                            "nsswitch/tests/test_wbinfo_user_info.sh"),
+                '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+
+env = "fl2008r2dc:local"
+plantestsuite("samba3.wbinfo_user_info", env,
+              [ os.path.join(srcdir(),
+                            "nsswitch/tests/test_wbinfo_user_info.sh"),
+                '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+
+env = "ad_member"
 t = "WBCLIENT-MULTI-PING"
 plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
 plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
-- 
2.16.3


From dbebda48f31aa174c32120a007ec43c3c8fa7960 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 22 Feb 2018 14:10:28 +0100
Subject: [PATCH 07/10] winbind: Pass upn unmodified to lookup names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 789c89e6ecb7d388fb5acdd5abc8fe99c58524f0)
---
 selftest/knownfail.d/upn_handling      |  2 --
 source3/winbindd/wb_lookupname.c       |  8 +++++---
 source3/winbindd/wb_xids2sids.c        |  1 +
 source3/winbindd/winbindd_getgrnam.c   |  5 ++++-
 source3/winbindd/winbindd_getgroups.c  |  5 ++++-
 source3/winbindd/winbindd_getpwnam.c   |  5 ++++-
 source3/winbindd/winbindd_irpc.c       |  7 +++++--
 source3/winbindd/winbindd_lookupname.c | 17 ++++++++++-------
 source3/winbindd/winbindd_proto.h      |  4 +++-
 9 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 308c2948e8d..0fa2aa35f30 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,10 +1,8 @@
-^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member
 ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
 ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
-^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.fl2008r2dc
 ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
 ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
 ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
diff --git a/source3/winbindd/wb_lookupname.c b/source3/winbindd/wb_lookupname.c
index 1dd6b68334e..c7b027be801 100644
--- a/source3/winbindd/wb_lookupname.c
+++ b/source3/winbindd/wb_lookupname.c
@@ -35,7 +35,9 @@ static void wb_lookupname_done(struct tevent_req *subreq);
 
 struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
 				      struct tevent_context *ev,
-				      const char *dom_name, const char *name,
+				      const char *namespace,
+				      const char *dom_name,
+				      const char *name,
 				      uint32_t flags)
 {
 	struct tevent_req *req, *subreq;
@@ -61,9 +63,9 @@ struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	domain = find_lookup_domain_from_name(state->dom_name);
+	domain = find_lookup_domain_from_name(namespace);
 	if (domain == NULL) {
-		DEBUG(5, ("Could not find domain for %s\n", state->dom_name));
+		DEBUG(5, ("Could not find domain for %s\n", namespace));
 		tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
 		return tevent_req_post(req, ev);
 	}
diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
index a2a4493bde8..0d21e55c25d 100644
--- a/source3/winbindd/wb_xids2sids.c
+++ b/source3/winbindd/wb_xids2sids.c
@@ -185,6 +185,7 @@ static void wb_xids2sids_init_dom_maps_lookupname_next(
 	subreq = wb_lookupname_send(state,
 				    state->ev,
 				    dom_maps[state->dom_idx].name,
+				    dom_maps[state->dom_idx].name,
 				    "",
 				    LOOKUP_NAME_NO_NSS);
 	if (tevent_req_nomem(subreq, state->req)) {
diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c
index 02d9abc28a2..1d9a8b94d48 100644
--- a/source3/winbindd/winbindd_getgrnam.c
+++ b/source3/winbindd/winbindd_getgrnam.c
@@ -76,7 +76,10 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
 		fstrcpy(state->name_domain, get_global_sam_name());
 	}
 
-	subreq = wb_lookupname_send(state, ev, state->name_domain, state->name_group,
+	subreq = wb_lookupname_send(state, ev,
+				    state->name_domain,
+				    state->name_domain,
+				    state->name_group,
 				    0);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 8bf670654e1..68b470d6dad 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -75,7 +75,10 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	subreq = wb_lookupname_send(state, ev, state->domname, state->username,
+	subreq = wb_lookupname_send(state, ev,
+				    state->domname,
+				    state->domname,
+				    state->username,
 				    LOOKUP_NAME_NO_NSS);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
index 73d3b3317ad..26686bf9f0f 100644
--- a/source3/winbindd/winbindd_getpwnam.c
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -71,7 +71,10 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	subreq = wb_lookupname_send(state, ev, state->domname, state->username,
+	subreq = wb_lookupname_send(state, ev,
+				    state->domname,
+				    state->domname,
+				    state->username,
 				    LOOKUP_NAME_NO_NSS);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
index e03312ec7af..c9765cccd3c 100644
--- a/source3/winbindd/winbindd_irpc.c
+++ b/source3/winbindd/winbindd_irpc.c
@@ -464,6 +464,7 @@ static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
 struct wb_irpc_lsa_LookupNames4_name {
 	void *state;
 	uint32_t idx;
+	const char *namespace;
 	const char *domain;
 	char *name;
 	struct dom_sid sid;
@@ -551,11 +552,12 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg,
 		if (p != NULL) {
 			*p = 0;
 			nstate->domain = nstate->name;
+			nstate->namespace = nstate->domain;
 			nstate->name = p+1;
 		} else if ((p = strchr(nstate->name, '@')) != NULL) {
 			/* upn */
-			nstate->domain = p + 1;
-			*p = 0;
+			nstate->domain = "";
+			nstate->namespace = p + 1;
 		} else {
 			/*
 			 * TODO: select the domain based on
@@ -570,6 +572,7 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg,
 
 		subreq = wb_lookupname_send(msg,
 					    server_event_context(),
+					    nstate->namespace,
 					    nstate->domain,
 					    nstate->name,
 					    LOOKUP_NAME_NO_NSS);
diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
index b02269155f1..c5a7c135973 100644
--- a/source3/winbindd/winbindd_lookupname.c
+++ b/source3/winbindd/winbindd_lookupname.c
@@ -35,8 +35,10 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
 {
 	struct tevent_req *req, *subreq;
 	struct winbindd_lookupname_state *state;
-	const char *domname = NULL, *name = NULL;
 	char *p = NULL;
+	const char *domname = NULL;
+	const char *name = NULL;
+	const char *namespace = NULL;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_lookupname_state);
@@ -56,28 +58,29 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
 		if (p != NULL) {
 			*p = '\0';
 			domname = request->data.name.name;
+			namespace = domname;
 			name = p + 1;
 		} else {
 			p = strchr(request->data.name.name, '@');
 			if (p != NULL) {
 				/* upn */
-				domname = p + 1;
-				*p = '\0';
-				name = request->data.name.name;
+				namespace = p + 1;
 			} else {
-				domname = "";
-				name = request->data.name.name;
+				namespace = "";
 			}
+			domname = "";
+			name = request->data.name.name;
 		}
 	} else {
 		domname = request->data.name.dom_name;
+		namespace = domname;
 		name = request->data.name.name;
 	}
 
 	DEBUG(3, ("lookupname %s%s%s\n", domname, lp_winbind_separator(),
 		  name));
 
-	subreq = wb_lookupname_send(state, ev, domname, name, 0);
+	subreq = wb_lookupname_send(state, ev, namespace, domname, name, 0);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
 	}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 302ed1c0a23..e3091da0e40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -568,7 +568,9 @@ NTSTATUS winbindd_lookupsids_recv(struct tevent_req *req,
 
 struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
 				      struct tevent_context *ev,
-				      const char *dom_name, const char *name,
+				      const char *namespace,
+				      const char *dom_name,
+				      const char *name,
 				      uint32_t flags);
 NTSTATUS wb_lookupname_recv(struct tevent_req *req, struct dom_sid *sid,
 			    enum lsa_SidType *type);
-- 
2.16.3


From a3b4095e345d08f7717c5ea73b617a7663032052 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 26 Apr 2018 17:23:41 +0200
Subject: [PATCH 08/10] winbind: Remove unused function
 parse_domain_user_talloc()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 32770e929ace8fe3f2469037ed887be14b3c5503)
---
 source3/winbindd/winbindd_proto.h |  2 --
 source3/winbindd/winbindd_util.c  | 12 ------------
 2 files changed, 14 deletions(-)

diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index e3091da0e40..0cbcbad2a96 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -477,8 +477,6 @@ struct winbindd_domain *find_default_route_domain(void);
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid);
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
 bool parse_domain_user(const char *domuser, fstring domain, fstring user);
-bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
-			      char **domain, char **user);
 bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
 char *fill_domain_username_talloc(TALLOC_CTX *ctx,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index b19c42f626b..1317dfe422d 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1602,18 +1602,6 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user)
 	return strupper_m(domain);
 }
 
-bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
-			      char **domain, char **user)
-{
-	fstring fstr_domain, fstr_user;
-	if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
-		return False;
-	}
-	*domain = talloc_strdup(mem_ctx, fstr_domain);
-	*user = talloc_strdup(mem_ctx, fstr_user);
-	return ((*domain != NULL) && (*user != NULL));
-}
-
 /* Ensure an incoming username from NSS is fully qualified. Replace the
    incoming fstring with DOMAIN <separator> user. Returns the same
    values as parse_domain_user() but also replaces the incoming username.
-- 
2.16.3


From 7728d791bcae614e3406d6ea2109e2440a86bf19 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 26 Apr 2018 12:17:12 +0200
Subject: [PATCH 09/10] winbind: Fix UPN handling in parse_domain_user()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a05b63db627fdbe0bdea4d144dfaeedb39025592)
---
 selftest/knownfail.d/upn_handling         |  1 -
 source3/winbindd/winbindd_cache.c         |  5 +-
 source3/winbindd/winbindd_ccache_access.c | 26 +++++++---
 source3/winbindd/winbindd_creds.c         |  3 +-
 source3/winbindd/winbindd_getgrnam.c      | 15 ++++--
 source3/winbindd/winbindd_getgroups.c     | 10 +++-
 source3/winbindd/winbindd_getpwnam.c      | 10 +++-
 source3/winbindd/winbindd_pam.c           | 83 +++++++++++++++++++++++--------
 source3/winbindd/winbindd_proto.h         |  8 ++-
 source3/winbindd/winbindd_util.c          | 47 ++++++++++-------
 10 files changed, 151 insertions(+), 57 deletions(-)

diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 0fa2aa35f30..bcbedb4f903 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,4 +1,3 @@
-^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member
 ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 9f9e8781c21..2778e27374f 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -3221,7 +3221,8 @@ bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 	return NT_STATUS_IS_OK(status);
 }
 
-bool lookup_cached_name(const char *domain_name,
+bool lookup_cached_name(const char *namespace,
+			const char *domain_name,
 			const char *name,
 			struct dom_sid *sid,
 			enum lsa_SidType *type)
@@ -3230,7 +3231,7 @@ bool lookup_cached_name(const char *domain_name,
 	NTSTATUS status;
 	bool original_online_state;
 
-	domain = find_lookup_domain_from_name(domain_name);
+	domain = find_lookup_domain_from_name(namespace);
 	if (domain == NULL) {
 		return false;
 	}
diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
index 039e6534013..6bcf9a3552c 100644
--- a/source3/winbindd/winbindd_ccache_access.c
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -43,8 +43,9 @@ static bool client_can_access_ccache_entry(uid_t client_uid,
 	return False;
 }
 
-static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
+static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace,
 					    const char *domain,
+					    const char *username,
 					    const char *password,
 					    const DATA_BLOB initial_msg,
 					    const DATA_BLOB challenge_msg,
@@ -182,11 +183,12 @@ static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid)
 void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 {
 	struct winbindd_domain *domain;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
 	struct WINBINDD_MEMORY_CREDS *entry;
 	DATA_BLOB initial, challenge, auth;
 	uint32_t initial_blob_len, challenge_blob_len, extra_len;
+	bool ok;
 
 	/* Ensure null termination */
 	state->request->data.ccache_ntlm_auth.user[
@@ -238,7 +240,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 	}
 
 	/* Parse domain and username */
-	if (!parse_domain_user(state->request->data.ccache_ntlm_auth.user, name_domain, name_user)) {
+	ok = parse_domain_user(state->request->data.ccache_ntlm_auth.user,
+			       name_namespace,
+			       name_domain,
+			       name_user);
+	if (!ok) {
 		DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse "
 			"domain and user from name [%s]\n",
 			state->request->data.ccache_ntlm_auth.user));
@@ -273,10 +279,16 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 		state->request->data.ccache_ntlm_auth.challenge_blob_len);
 
 	result = do_ntlm_auth_with_stored_pw(
-		name_user, name_domain, entry->pass,
-		initial, challenge, talloc_tos(), &auth,
-		state->response->data.ccache_ntlm_auth.session_key,
-		&state->response->data.ccache_ntlm_auth.new_spnego);
+			name_namespace,
+			name_domain,
+			name_user,
+			entry->pass,
+			initial,
+			challenge,
+			talloc_tos(),
+			&auth,
+			state->response->data.ccache_ntlm_auth.session_key,
+			&state->response->data.ccache_ntlm_auth.new_spnego);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		goto process_result;
diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c
index 15cca554d45..2d7aacf36a9 100644
--- a/source3/winbindd/winbindd_creds.c
+++ b/source3/winbindd/winbindd_creds.c
@@ -76,7 +76,8 @@ NTSTATUS winbindd_store_creds(struct winbindd_domain *domain,
 
 		enum lsa_SidType type;
 
-		if (!lookup_cached_name(domain->name,
+		if (!lookup_cached_name(domain->name, /* namespace */
+					domain->name,
 					user,
 					&cred_sid,
 					&type)) {
diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c
index 1d9a8b94d48..37c205ddba4 100644
--- a/source3/winbindd/winbindd_getgrnam.c
+++ b/source3/winbindd/winbindd_getgrnam.c
@@ -22,7 +22,7 @@
 
 struct winbindd_getgrnam_state {
 	struct tevent_context *ev;
-	fstring name_domain, name_group;
+	fstring name_namespace, name_domain, name_group;
 	struct dom_sid sid;
 	const char *domname;
 	const char *name;
@@ -42,6 +42,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
 	struct winbindd_getgrnam_state *state;
 	char *tmp;
 	NTSTATUS nt_status;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_getgrnam_state);
@@ -66,7 +67,15 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
 
 	/* Parse domain and groupname */
 
-	parse_domain_user(tmp, state->name_domain, state->name_group);
+	ok = parse_domain_user(tmp,
+			       state->name_namespace,
+			       state->name_domain,
+			       state->name_group);
+	if (!ok) {
+		DBG_INFO("Could not parse domain user: %s\n", tmp);
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return tevent_req_post(req, ev);
+	}
 
 	/* if no domain or our local domain and no local tdb group, default to
 	 * our local domain for aliases */
@@ -77,7 +86,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
 	}
 
 	subreq = wb_lookupname_send(state, ev,
-				    state->name_domain,
+				    state->name_namespace,
 				    state->name_domain,
 				    state->name_group,
 				    0);
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 68b470d6dad..f7f2df5f7b1 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -23,6 +23,7 @@
 
 struct winbindd_getgroups_state {
 	struct tevent_context *ev;
+	fstring namespace;
 	fstring domname;
 	fstring username;
 	struct dom_sid sid;
@@ -46,6 +47,7 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
 	struct winbindd_getgroups_state *state;
 	char *domuser, *mapped_user;
 	NTSTATUS status;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_getgroups_state);
@@ -69,14 +71,18 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
 		domuser = mapped_user;
 	}
 
-	if (!parse_domain_user(domuser, state->domname, state->username)) {
+	ok = parse_domain_user(domuser,
+			       state->namespace,
+			       state->domname,
+			       state->username);
+	if (!ok) {
 		DEBUG(5, ("Could not parse domain user: %s\n", domuser));
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		return tevent_req_post(req, ev);
 	}
 
 	subreq = wb_lookupname_send(state, ev,
-				    state->domname,
+				    state->namespace,
 				    state->domname,
 				    state->username,
 				    LOOKUP_NAME_NO_NSS);
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
index 26686bf9f0f..8da66c25141 100644
--- a/source3/winbindd/winbindd_getpwnam.c
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -23,6 +23,7 @@
 
 struct winbindd_getpwnam_state {
 	struct tevent_context *ev;
+	fstring namespace;
 	fstring domname;
 	fstring username;
 	struct dom_sid sid;
@@ -42,6 +43,7 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 	struct winbindd_getpwnam_state *state;
 	char *domuser, *mapped_user;
 	NTSTATUS status;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_getpwnam_state);
@@ -65,14 +67,18 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 		domuser = mapped_user;
 	}
 
-	if (!parse_domain_user(domuser, state->domname, state->username)) {
+	ok = parse_domain_user(domuser,
+			       state->namespace,
+			       state->domname,
+			       state->username);
+	if (!ok) {
 		DEBUG(5, ("Could not parse domain user: %s\n", domuser));
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		return tevent_req_post(req, ev);
 	}
 
 	subreq = wb_lookupname_send(state, ev,
-				    state->domname,
+				    state->namespace,
 				    state->domname,
 				    state->username,
 				    LOOKUP_NAME_NO_NSS);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8403d7d57b6..9c66c6bdb82 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -645,7 +645,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	const char *principal_s = NULL;
 	const char *service = NULL;
 	char *realm = NULL;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	time_t ticket_lifetime = 0;
 	time_t renewal_until = 0;
 	ADS_STRUCT *ads;
@@ -658,6 +658,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	const char *local_service;
 	uint32_t i;
 	struct netr_SamInfo6 *info6_copy = NULL;
+	bool ok;
 
 	*info6 = NULL;
 
@@ -693,7 +694,10 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	/* 3rd step:
 	 * do kerberos auth and setup ccache as the user */
 
-	parse_domain_user(user, name_domain, name_user);
+	ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+	if (!ok) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	realm = talloc_strdup(mem_ctx, domain->alt_name);
 	if (realm == NULL) {
@@ -975,7 +979,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 {
 	NTSTATUS result = NT_STATUS_LOGON_FAILURE;
 	uint16_t max_allowed_bad_attempts;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	struct dom_sid sid;
 	enum lsa_SidType type;
 	uchar new_nt_pass[NT_HASH_LEN];
@@ -996,10 +1000,14 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 
 	/* Parse domain and username */
 
-	parse_domain_user(state->request->data.auth.user, name_domain, name_user);
+	parse_domain_user(state->request->data.auth.user,
+			  name_namespace,
+			  name_domain,
+			  name_user);
 
 
-	if (!lookup_cached_name(name_domain,
+	if (!lookup_cached_name(name_namespace,
+				name_domain,
 				name_user,
 				&sid,
 				&type)) {
@@ -1244,19 +1252,28 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 						struct netr_SamInfo6 **info6)
 {
 	struct winbindd_domain *contact_domain;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	NTSTATUS result;
+	bool ok;
 
 	DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
 
 	/* Parse domain and username */
 
-	parse_domain_user(state->request->data.auth.user, name_domain, name_user);
+	ok = parse_domain_user(state->request->data.auth.user,
+			       name_namespace,
+			       name_domain,
+			       name_user);
+	if (!ok) {
+		result = NT_STATUS_INVALID_PARAMETER;
+		goto done;
+	}
 
 	/* what domain should we contact? */
 
 	if ( IS_DC ) {
-		if (!(contact_domain = find_domain_from_name(name_domain))) {
+		contact_domain = find_domain_from_name(name_namespace);
+		if (contact_domain == NULL) {
 			DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
 				  state->request->data.auth.user, name_domain, name_user, name_domain));
 			result = NT_STATUS_NO_SUCH_USER;
@@ -1270,7 +1287,7 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 			goto done;
 		}
 
-		contact_domain = find_domain_from_name(name_domain);
+		contact_domain = find_domain_from_name(name_namespace);
 		if (contact_domain == NULL) {
 			DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
 				  state->request->data.auth.user, name_domain, name_user, name_domain));
@@ -1662,19 +1679,23 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
 	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
 	unsigned char local_nt_response[24];
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	NTSTATUS result;
 	uint8_t authoritative = 0;
 	uint32_t flags = 0;
 	uint16_t validation_level;
 	union netr_Validation *validation = NULL;
 	struct netr_SamBaseInfo *base_info = NULL;
+	bool ok;
 
 	DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
 
 	/* Parse domain and username */
 
-	parse_domain_user(user, name_domain, name_user);
+	ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+	if (!ok) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	/*
 	 * We check against domain->name instead of
@@ -1869,12 +1890,13 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 {
 	NTSTATUS result = NT_STATUS_LOGON_FAILURE;
 	NTSTATUS krb5_result = NT_STATUS_OK;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	char *mapped_user;
 	fstring domain_user;
 	uint16_t validation_level = UINT16_MAX;
 	union netr_Validation *validation = NULL;
 	NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+	bool ok;
 
 	/* Ensure null termination */
 	state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
@@ -1900,7 +1922,14 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 		mapped_user = state->request->data.auth.user;
 	}
 
-	parse_domain_user(mapped_user, name_domain, name_user);
+	ok = parse_domain_user(mapped_user,
+			       name_namespace,
+			       name_domain,
+			       name_user);
+	if (!ok) {
+		result = NT_STATUS_INVALID_PARAMETER;
+		goto process_result;
+	}
 
 	if ( mapped_user != state->request->data.auth.user ) {
 		fstr_sprintf( domain_user, "%s%c%s", name_domain,
@@ -2490,15 +2519,20 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 	struct samr_DomInfo1 *info = NULL;
 	struct userPwdChangeFailureInformation *reject = NULL;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	fstring domain, user;
+	fstring namespace, domain, user;
 	struct dcerpc_binding_handle *b = NULL;
+	bool ok;
 
 	ZERO_STRUCT(dom_pol);
 
 	DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
 		  state->request->data.auth.user));
 
-	if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
+	ok = parse_domain_user(state->request->data.chauthtok.user,
+			       namespace,
+			       domain,
+			       user);
+	if (!ok) {
 		goto done;
 	}
 
@@ -2707,7 +2741,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 	DATA_BLOB old_nt_hash_enc;
 	DATA_BLOB new_lm_password;
 	DATA_BLOB old_lm_hash_enc;
-	fstring  domain,user;
+	fstring  namespace, domain, user;
 	struct policy_handle dom_pol;
 	struct winbindd_domain *contact_domain = domainSt;
 	struct rpc_pipe_client *cli = NULL;
@@ -2720,8 +2754,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 		sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
 	state->request->data.chng_pswd_auth_crap.domain[
 		sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
-	*domain = 0;
-	*user = 0;
+	domain[0] = '\0';
+	namespace[0] = '\0';
+	user[0] = '\0';
 
 	DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
 		  (unsigned long)state->pid,
@@ -2738,8 +2773,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 	if (*state->request->data.chng_pswd_auth_crap.domain) {
 		fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
 	} else {
-		parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
-				  domain, user);
+		bool ok;
+
+		ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
+				       namespace,
+				       domain,
+				       user);
+		if (!ok) {
+			result = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		}
 
 		if(!*domain) {
 			DEBUG(3,("no domain specified with username (%s) - "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0cbcbad2a96..c4b27575b32 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -134,7 +134,8 @@ void close_winbindd_cache(void);
 bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 		       char **domain_name, char **name,
 		       enum lsa_SidType *type);
-bool lookup_cached_name(const char *domain_name,
+bool lookup_cached_name(const char *namespace,
+			const char *domain_name,
 			const char *name,
 			struct dom_sid *sid,
 			enum lsa_SidType *type);
@@ -476,7 +477,10 @@ struct winbindd_domain *find_our_domain(void);
 struct winbindd_domain *find_default_route_domain(void);
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid);
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
-bool parse_domain_user(const char *domuser, fstring domain, fstring user);
+bool parse_domain_user(const char *domuser,
+		       fstring namespace,
+		       fstring domain,
+		       fstring user);
 bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
 char *fill_domain_username_talloc(TALLOC_CTX *ctx,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1317dfe422d..068be91dca5 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1575,28 +1575,37 @@ static bool assume_domain(const char *domain)
 	return False;
 }
 
-/* Parse a string of the form DOMAIN\user into a domain and a user */
-
-bool parse_domain_user(const char *domuser, fstring domain, fstring user)
+/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
+bool parse_domain_user(const char *domuser,
+		       fstring namespace,
+		       fstring domain,
+		       fstring user)
 {
-	char *p = strchr(domuser,*lp_winbind_separator());
+	char *p = NULL;
+
+	if (strlen(domuser) == 0) {
+		return false;
+	}
 
-	if ( !p ) {
+	p = strchr(domuser, *lp_winbind_separator());
+	if (p != NULL) {
+		fstrcpy(user, p + 1);
+		fstrcpy(domain, domuser);
+		domain[PTR_DIFF(p, domuser)] = '\0';
+		fstrcpy(namespace, domain);
+	} else {
 		fstrcpy(user, domuser);
-		p = strchr(domuser, '@');
 
-		if ( assume_domain(lp_workgroup()) && p == NULL) {
+		domain[0] = '\0';
+		namespace[0] = '\0';
+		p = strchr(domuser, '@');
+		if (p != NULL) {
+			/* upn */
+			fstrcpy(namespace, p + 1);
+		} else if (assume_domain(lp_workgroup())) {
 			fstrcpy(domain, lp_workgroup());
-		} else if (p != NULL) {
-			fstrcpy(domain, p + 1);
-			user[PTR_DIFF(p, domuser)] = 0;
-		} else {
-			return False;
+			fstrcpy(namespace, domain);
 		}
-	} else {
-		fstrcpy(user, p+1);
-		fstrcpy(domain, domuser);
-		domain[PTR_DIFF(p, domuser)] = 0;
 	}
 
 	return strupper_m(domain);
@@ -1613,7 +1622,11 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user)
 
 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
 {
-	if (!parse_domain_user(username_inout, domain, user)) {
+	fstring namespace;
+	bool ok;
+
+	ok = parse_domain_user(username_inout, namespace, domain, user);
+	if (!ok) {
 		return False;
 	}
 	slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
-- 
2.16.3


From c8f68cc0a9b1f5cf1c2467146e861aa5080aea9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 26 Apr 2018 17:32:42 +0200
Subject: [PATCH 10/10] winbind: Fix UPN handling in canonicalize_username()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144

(cherry picked from commit 1766f77493c5a76e4d7d1e5eedcaa150cc9ea552)
---
 source3/winbindd/winbindd_ccache_access.c | 17 ++++++++++++-----
 source3/winbindd/winbindd_pam_auth.c      | 11 ++++++++---
 source3/winbindd/winbindd_pam_chauthtok.c | 12 ++++++++----
 source3/winbindd/winbindd_pam_logoff.c    | 12 ++++++++----
 source3/winbindd/winbindd_proto.h         |  5 ++++-
 source3/winbindd/winbindd_util.c          |  6 ++++--
 6 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
index 6bcf9a3552c..ddeaf1d9940 100644
--- a/source3/winbindd/winbindd_ccache_access.c
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -199,8 +199,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 
 	/* Parse domain and username */
 
-	if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
-				name_domain, name_user)) {
+	ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user,
+				   name_namespace,
+				   name_domain,
+				   name_user);
+	if (!ok) {
 		DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
 			state->request->data.ccache_ntlm_auth.user));
 		request_error(state);
@@ -316,8 +319,9 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 void winbindd_ccache_save(struct winbindd_cli_state *state)
 {
 	struct winbindd_domain *domain;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	NTSTATUS status;
+	bool ok;
 
 	/* Ensure null termination */
 	state->request->data.ccache_save.user[
@@ -331,8 +335,11 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
 
 	/* Parse domain and username */
 
-	if (!canonicalize_username(state->request->data.ccache_save.user,
-				   name_domain, name_user)) {
+	ok = canonicalize_username(state->request->data.ccache_save.user,
+				   name_namespace,
+				   name_domain,
+				   name_user);
+	if (!ok) {
 		DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
 			 "from name [%s]\n",
 			 state->request->data.ccache_save.user));
diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index b35a17cf319..95550ba9066 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
 	struct tevent_req *req, *subreq;
 	struct winbindd_pam_auth_state *state;
 	struct winbindd_domain *domain;
-	fstring name_domain, name_user;
+	fstring name_namespace, name_domain, name_user;
 	char *mapped = NULL;
 	NTSTATUS status;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_pam_auth_state);
@@ -71,12 +72,16 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
 		fstrcpy(request->data.auth.user, mapped);
 	}
 
-	if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) {
+	ok = canonicalize_username(request->data.auth.user,
+				   name_namespace,
+				   name_domain,
+				   name_user);
+	if (!ok) {
 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 		return tevent_req_post(req, ev);
 	}
 
-	domain = find_auth_domain(request->flags, name_domain);
+	domain = find_auth_domain(request->flags, name_namespace);
 	if (domain == NULL) {
 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_pam_chauthtok.c b/source3/winbindd/winbindd_pam_chauthtok.c
index 0d749fbcecd..a6b8b66b9be 100644
--- a/source3/winbindd/winbindd_pam_chauthtok.c
+++ b/source3/winbindd/winbindd_pam_chauthtok.c
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_chauthtok_send(
 	struct tevent_req *req, *subreq;
 	struct winbindd_pam_chauthtok_state *state;
 	struct winbindd_domain *contact_domain;
-	fstring domain, user;
+	fstring namespace, domain, user;
 	char *mapped_user;
 	NTSTATUS status;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_pam_chauthtok_state);
@@ -62,15 +63,18 @@ struct tevent_req *winbindd_pam_chauthtok_send(
 		fstrcpy(request->data.chauthtok.user, mapped_user);
 	}
 
-	if (!canonicalize_username(request->data.chauthtok.user, domain,
-				   user)) {
+	ok = canonicalize_username(request->data.chauthtok.user,
+				   namespace,
+				   domain,
+				   user);
+	if (!ok) {
 		DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s "
 			   "failed with\n", request->data.chauthtok.user));
 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 		return tevent_req_post(req, ev);
 	}
 
-	contact_domain = find_domain_from_name(domain);
+	contact_domain = find_domain_from_name(namespace);
 	if (contact_domain == NULL) {
 		DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] "
 			  "as %s is not a trusted domain\n",
diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c
index b5b7840f99c..8f2b4882521 100644
--- a/source3/winbindd/winbindd_pam_logoff.c
+++ b/source3/winbindd/winbindd_pam_logoff.c
@@ -35,10 +35,11 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
 	struct tevent_req *req, *subreq;
 	struct winbindd_pam_logoff_state *state;
 	struct winbindd_domain *domain;
-	fstring name_domain, user;
+	fstring name_namespace, name_domain, user;
 	uid_t caller_uid;
 	gid_t caller_gid;
 	int res;
+	bool ok;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_pam_logoff_state);
@@ -60,12 +61,15 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
-	if (!canonicalize_username(request->data.logoff.user, name_domain,
-				   user)) {
+	ok = canonicalize_username(request->data.logoff.user,
+				   name_namespace,
+				   name_domain,
+				   user);
+	if (!ok) {
 		goto failed;
 	}
 
-	domain = find_auth_domain(request->flags, name_domain);
+	domain = find_auth_domain(request->flags, name_namespace);
 	if (domain == NULL) {
 		goto failed;
 	}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c4b27575b32..95f24d2c279 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -481,7 +481,10 @@ bool parse_domain_user(const char *domuser,
 		       fstring namespace,
 		       fstring domain,
 		       fstring user);
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
+bool canonicalize_username(fstring username_inout,
+			   fstring namespace,
+			   fstring domain,
+			   fstring user);
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
 char *fill_domain_username_talloc(TALLOC_CTX *ctx,
 				  const char *domain,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 068be91dca5..c2ec164e143 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1620,9 +1620,11 @@ bool parse_domain_user(const char *domuser,
    really should be changed to use this instead of doing things
    by hand. JRA. */
 
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
+bool canonicalize_username(fstring username_inout,
+			   fstring namespace,
+			   fstring domain,
+			   fstring user)
 {
-	fstring namespace;
 	bool ok;
 
 	ok = parse_domain_user(username_inout, namespace, domain, user);
-- 
2.16.3