The Samba-Bugzilla – Attachment 14199 Details for
Bug 13369
Looking up the user using the UPN results in user name with the REALM instead of the DOMAIN
[patch]
patch for 4.8
upn_fixes_v4-8.patch1.txt (text/plain), 52.59 KB, created by
Andreas Schneider
on 2018-05-15 07:13:51 UTC
Description:
patch for 4.8
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2018-05-15 07:13:51 UTC
Size:
52.59 KB
patch
obsolete
>From 4f4c976e9b169176ef1ec353504be0ae97e274d8 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 7 May 2018 16:20:30 +0200 >Subject: [PATCH 01/10] selftest: Make sure we have correct group mappings > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 9bc2b922bbc6539341a2056f33f117ac350e61f1) >--- > selftest/target/Samba3.pm | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 1f80f86945b..52c7d3e07cc 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -2425,6 +2425,9 @@ sub wait_for_start($$$$$) > $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' "; > $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} "; > >+ $cmd = $netcmd . "groupmap delete ntgroup=domusers"; >+ $ret = system($cmd); >+ > $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain"; > $ret = system($cmd); > if ($ret != 0) { >@@ -2432,6 +2435,9 @@ sub wait_for_start($$$$$) > return 1; > } > >+ $cmd = $netcmd . "groupmap delete ntgroup=domadmins"; >+ $ret = system($cmd); >+ > $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain"; > $ret = system($cmd); > if ($ret != 0) { >@@ -2439,6 +2445,9 @@ sub wait_for_start($$$$$) > return 1; > } > >+ $cmd = $netcmd . "groupmap delete ntgroup=everyone"; >+ $ret = system($cmd); >+ > $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin"; > $ret = system($cmd); > if ($ret != 0) { >-- >2.16.3 > > >From 85a6b507805162d12ad4c09e044cee4aa890141a Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Fri, 20 Apr 2018 11:24:30 +0200 >Subject: [PATCH 02/10] nsswitch: Add a test looking up the user using the upn > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 
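Review bot: `$ret = system($cmd);` after each new `groupmap delete` line is assigned but never tested, in all three hunks of wait_for_start, so a delete failing for any reason other than "no such mapping" is silently ignored. That is a defensible best-effort before a re-add, but it reads like a missing check next to the `if ($ret != 0)` that follows the add; either state the intent with a comment above the first delete, `# best-effort: the mapping may not exist yet, so the result is ignored`, or drop the `$ret =` assignment. wait_for_start begins and ends outside these hunks.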
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 0d2f743d826b87b369e25fc6bb9ff61f2b0896aa) >--- > nsswitch/tests/test_wbinfo_name_lookup.sh | 9 +++++++-- > source3/selftest/tests.py | 2 +- > 2 files changed, 8 insertions(+), 3 deletions(-) > >diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh >index 696e25b3a2a..a8fd5ec4d99 100755 >--- a/nsswitch/tests/test_wbinfo_name_lookup.sh >+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh >@@ -8,8 +8,9 @@ exit 1; > fi > > DOMAIN=$1 >-DC_USERNAME=$2 >-shift 2 >+REALM=$2 >+DC_USERNAME=$3 >+shift 3 > > failed=0 > sambabindir="$BINDIR" >@@ -22,6 +23,10 @@ testit "name-to-sid.single-separator" \ > $wbinfo -n $DOMAIN/$DC_USERNAME || \ > failed=$(expr $failed + 1) > >+testit "name-to-sid.upn" \ >+ $wbinfo -n $DC_USERNAME@$REALM || \ >+ failed=$(expr $failed + 1) >+ > # Two separator characters should fail > testit_expect_failure "name-to-sid.double-separator" \ > $wbinfo -n $DOMAIN//$DC_USERNAME || \ >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 172d3300463..a5acab2792a 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -210,7 +210,7 @@ plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env, > plantestsuite("samba3.wbinfo_name_lookup", env, > [ os.path.join(srcdir(), > "nsswitch/tests/test_wbinfo_name_lookup.sh"), >- '$DOMAIN', '$DC_USERNAME' ]) >+ '$DOMAIN', '$REALM', '$DC_USERNAME' ]) > t = "WBCLIENT-MULTI-PING" > plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""]) > plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"]) >-- >2.16.3 > > >From 66c3f73186acabc8d463a18044bc8ce53bda4ddc Mon Sep 17 00:00:00 2001 
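Review bot: The script now consumes three positional parameters (`REALM=$2`, `DC_USERNAME=$3`, `shift 3`), but the argument-count guard above the hunk, whose `exit 1;` is the hunk's leading context, is not touched by this patch; if it still tests for two arguments, a caller passing only DOMAIN and DC_USERNAME gets past it, DC_USERNAME ends up empty and `shift 3` fails. The guard should be updated in the same change, `if [ $# -lt 3 ]; then`, so that the new tests.py call and the script agree.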
>From: Andreas Schneider <asn@samba.org> >Date: Fri, 4 May 2018 12:43:05 +0200 >Subject: [PATCH 03/10] nsswitch: Add a test looking up domain sid > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 0aceca6a94e868f9c01a66f79624ca10d80560ab) >--- > nsswitch/tests/test_wbinfo_name_lookup.sh | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh >index a8fd5ec4d99..c1d39c1a602 100755 >--- a/nsswitch/tests/test_wbinfo_name_lookup.sh >+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh >@@ -23,6 +23,10 @@ testit "name-to-sid.single-separator" \ > $wbinfo -n $DOMAIN/$DC_USERNAME || \ > failed=$(expr $failed + 1) > >+testit "name-to-sid.at_domain" \ >+ $wbinfo -n $DOMAIN/ || \ >+ failed=$(expr $failed + 1) >+ > testit "name-to-sid.upn" \ > $wbinfo -n $DC_USERNAME@$REALM || \ > failed=$(expr $failed + 1) >-- >2.16.3 > > >From c3c3c9f38f6a7db853d98a32b9b10e5add88c63d Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 7 May 2018 13:23:42 +0200 >Subject: [PATCH 04/10] nsswitch: Lookup the domain in tests with the wb > seperator > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 4fa811ec7bc301e96f5e40ba281e8d4e8709b94f) >--- > nsswitch/tests/test_idmap_ad.sh | 2 +- > nsswitch/tests/test_idmap_nss.sh | 4 ++-- > nsswitch/tests/test_idmap_rid.sh | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > >diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh >index 2f4ee3293b2..7450ae06059 100755 >--- a/nsswitch/tests/test_idmap_ad.sh >+++ b/nsswitch/tests/test_idmap_ad.sh 
>@@ -20,7 +20,7 @@ failed=0 > > . `dirname $0`/../../testprogs/blackbox/subunit.sh > >-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") >+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") > if [ $? -ne 0 ] ; then > echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad" > exit 1 >diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh >index 5072a0df72c..1bbc177774d 100755 >--- a/nsswitch/tests/test_idmap_nss.sh >+++ b/nsswitch/tests/test_idmap_nss.sh >@@ -13,8 +13,8 @@ failed=0 > > . `dirname $0`/../../testprogs/blackbox/subunit.sh > >-testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1 >-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") >+testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1 >+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") > echo "Domain $DOMAIN has SID $DOMAIN_SID" > > # Find an unused uid and SID >diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh >index 7fb59852cf5..8209a50a4fc 100755 >--- a/nsswitch/tests/test_idmap_rid.sh >+++ b/nsswitch/tests/test_idmap_rid.sh >@@ -16,7 +16,7 @@ failed=0 > > . `dirname $0`/../../testprogs/blackbox/subunit.sh > >-DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") >+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") > if [ $? -ne 0 ] ; then > echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid" > exit 1 >-- >2.16.3 > > >From 8cd657265b2789aea38dae09c5580d93575553d0 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Fri, 20 Apr 2018 09:38:24 +0200 >Subject: [PATCH 05/10] selftest: Add a user with a different userPrincipalName > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 
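Review bot: `DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ")` followed by `if [ $? -ne 0 ]` only tests the exit status of `cut`, so a failing wbinfo is not caught and the script continues with an empty DOMAIN_SID; the same pattern is on the new side of the test_idmap_rid.sh hunk (test_idmap_nss.sh is covered, since it runs wbinfo through testit first). Testing the value is the portable fix, `if [ -z "$DOMAIN_SID" ]; then`, or run `testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1` before the assignment as test_idmap_nss.sh does.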
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5319cae00096dcecc29aa9fa675a983352ad64d8) >--- > selftest/target/Samba4.pm | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index c161ee082a0..d6d67f5a5ab 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -847,7 +847,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn > } > > # Create to users alice and bob! >- my $user_account_array = ["alice", "bob"]; >+ my $user_account_array = ["alice", "bob", "jane"]; > > foreach my $user_account (@{$user_account_array}) { > my $samba_tool_cmd = ""; >@@ -862,6 +862,23 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn > } > } > >+ my $ldbmodify = ""; >+ $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; >+ $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; >+ $ldbmodify .= Samba::bindir_path($self, "ldbmodify"); >+ >+ my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm})); >+ my $user_dn = "cn=jane,cn=users,$base_dn"; >+ >+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb"); >+ print LDIF "dn: $user_dn >+changetype: modify >+replace: userPrincipalName >+userPrincipalName: jane.doe\@$ctx->{realm} >+- >+"; >+ close(LDIF); >+ > return $ret; > } > >-- >2.16.3 > > >From c643fe5d2664dbac75600f5838ec53145bd9f98a Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Fri, 20 Apr 2018 11:20:44 +0200 >Subject: [PATCH 06/10] nsswitch:tests: Add test for wbinfo --user-info > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 
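Review bot: `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");` and `close(LDIF);` ignore their results, so a failed ldbmodify leaves jane without the intended userPrincipalName and the UPN tests fail later with a far less obvious error. Check both, `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb") or die "ldbmodify: $!";` and `close(LDIF) or die "ldbmodify failed: $?";`, and a lexical handle (`open(my $ldif, ...)`) would avoid the global bareword. The enclosing sub begins above the hunk.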
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 2715f52f54e66a73131a92d752a8c2447da1fd33) >--- > nsswitch/tests/test_wbinfo_user_info.sh | 83 +++++++++++++++++++++++++++++++++ > selftest/knownfail.d/upn_handling | 11 +++++ > source3/selftest/tests.py | 14 ++++++ > 3 files changed, 108 insertions(+) > create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh > create mode 100644 selftest/knownfail.d/upn_handling > >diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh >new file mode 100755 >index 00000000000..2803ac1408b >--- /dev/null >+++ b/nsswitch/tests/test_wbinfo_user_info.sh 
>@@ -0,0 +1,83 @@ >+#!/bin/sh >+# Blackbox test for wbinfo lookup for account name and upn >+# Copyright (c) 2018 Andreas Schneider <asn@samba.org> >+ >+if [ $# -lt 5 ]; then >+cat <<EOF >+Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2 >+EOF >+exit 1; >+fi >+ >+DOMAIN=$1 >+REALM=$2 >+USERNAME1=$3 >+UPN_NAME1=$4 >+USERNAME2=$5 >+UPN_NAME2=$6 >+shift 6 >+ >+failed=0 >+ >+samba_bindir="$BINDIR" >+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo" >+ >+UPN1="$UPN_NAME1@$REALM" >+UPN2="$UPN_NAME2@$REALM" >+ >+. $(dirname $0)/../../testprogs/blackbox/subunit.sh >+ >+test_user_info() >+{ >+ local cmd out ret user domain upn userinfo >+ >+ domain="$1" >+ user="$2" >+ upn="$3" >+ >+ if [ $# -lt 3 ]; then >+ userinfo="$domain/$user" >+ else >+ userinfo="$upn" >+ fi >+ >+ cmd='$wbinfo_tool --user-info $userinfo' >+ eval echo "$cmd" >+ out=$(eval $cmd) >+ ret=$? >+ if [ $ret -ne 0 ]; then >+ echo "failed to lookup $userinfo" >+ echo "$out" >+ return 1 >+ fi >+ >+ echo "$out" | grep "$domain/$user:.*:.*:.*::/home/$domain/Domain Users/$user" >+ ret=$? 
>+ if [ $ret != 0 ]; then >+ echo "failed to lookup $userinfo" >+ echo "$out" >+ return 1 >+ fi >+ >+ return 0 >+} >+ >+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1) >+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1) >+ >+testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed=$(expr $failed + 1) >+testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1) >+ >+testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1) >+testit "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1) >+ >+testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1) >+testit "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1) >+ >+USERNAME3="testdenied" >+UPN_NAME3="testdenied_upn" >+UPN3="$UPN_NAME3@${REALM}.upn" >+testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1) >+testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1) >+ >+exit $failed >diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling >new file mode 100644 >index 00000000000..308c2948e8d >--- /dev/null >+++ b/selftest/knownfail.d/upn_handling 
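Review bot: The usage guard `if [ $# -lt 5 ]; then` does not match the six parameters the script consumes (`UPN_NAME2=$6`, `shift 6`): with exactly five arguments the guard passes, UPN_NAME2 is empty and `shift 6` fails. It should read `if [ $# -lt 6 ]; then`. In test_user_info, `local cmd out ret user domain upn userinfo` is not POSIX while the file runs under `#!/bin/sh`; the sibling blackbox tests may already rely on the same extension, so this is a consistency point rather than a defect, but a note on the function saying so would help the next reader.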
>@@ -0,0 +1,11 @@ >+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.ad_member >+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member >+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member >+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member >+^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc >+^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc >+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.fl2008r2dc >+^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc >+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc >+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc >+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index a5acab2792a..ac21284b88b 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -211,6 +211,20 @@ plantestsuite("samba3.wbinfo_name_lookup", env, > [ os.path.join(srcdir(), > "nsswitch/tests/test_wbinfo_name_lookup.sh"), > '$DOMAIN', '$REALM', '$DC_USERNAME' ]) >+ >+env = "ad_member:local" >+plantestsuite("samba3.wbinfo_user_info", env, >+ [ os.path.join(srcdir(), >+ "nsswitch/tests/test_wbinfo_user_info.sh"), >+ '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ]) >+ >+env = "fl2008r2dc:local" >+plantestsuite("samba3.wbinfo_user_info", env, >+ [ os.path.join(srcdir(), >+ "nsswitch/tests/test_wbinfo_user_info.sh"), >+ '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ]) >+ >+env = "ad_member" > t = "WBCLIENT-MULTI-PING" > plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""]) > plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"]) >-- >2.16.3 
> > >From dbebda48f31aa174c32120a007ec43c3c8fa7960 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 22 Feb 2018 14:10:28 +0100 >Subject: [PATCH 07/10] winbind: Pass upn unmodified to lookup names > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 > >Pair-Programmed-With: Andreas Schneider <asn@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 789c89e6ecb7d388fb5acdd5abc8fe99c58524f0) >--- > selftest/knownfail.d/upn_handling | 2 -- > source3/winbindd/wb_lookupname.c | 8 +++++--- > source3/winbindd/wb_xids2sids.c | 1 + > source3/winbindd/winbindd_getgrnam.c | 5 ++++- > source3/winbindd/winbindd_getgroups.c | 5 ++++- > source3/winbindd/winbindd_getpwnam.c | 5 ++++- > source3/winbindd/winbindd_irpc.c | 7 +++++-- > source3/winbindd/winbindd_lookupname.c | 17 ++++++++++------- > source3/winbindd/winbindd_proto.h | 4 +++- > 9 files changed, 36 insertions(+), 18 deletions(-) > >diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling >index 308c2948e8d..0fa2aa35f30 100644 >--- a/selftest/knownfail.d/upn_handling >+++ b/selftest/knownfail.d/upn_handling >@@ -1,10 +1,8 @@ >-^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.ad_member > ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member > ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member > ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member > ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc > ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc >-^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.fl2008r2dc > ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc > ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc > ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc 
>diff --git a/source3/winbindd/wb_lookupname.c b/source3/winbindd/wb_lookupname.c >index 1dd6b68334e..c7b027be801 100644 >--- a/source3/winbindd/wb_lookupname.c >+++ b/source3/winbindd/wb_lookupname.c >@@ -35,7 +35,9 @@ static void wb_lookupname_done(struct tevent_req *subreq); > > struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, > struct tevent_context *ev, >- const char *dom_name, const char *name, >+ const char *namespace, >+ const char *dom_name, >+ const char *name, > uint32_t flags) > { > struct tevent_req *req, *subreq; >@@ -61,9 +63,9 @@ struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >- domain = find_lookup_domain_from_name(state->dom_name); >+ domain = find_lookup_domain_from_name(namespace); > if (domain == NULL) { >- DEBUG(5, ("Could not find domain for %s\n", state->dom_name)); >+ DEBUG(5, ("Could not find domain for %s\n", namespace)); > tevent_req_nterror(req, NT_STATUS_NONE_MAPPED); > return tevent_req_post(req, ev); > } >diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c >index a2a4493bde8..0d21e55c25d 100644 >--- a/source3/winbindd/wb_xids2sids.c >+++ b/source3/winbindd/wb_xids2sids.c >@@ -185,6 +185,7 @@ static void wb_xids2sids_init_dom_maps_lookupname_next( > subreq = wb_lookupname_send(state, > state->ev, > dom_maps[state->dom_idx].name, >+ dom_maps[state->dom_idx].name, > "", > LOOKUP_NAME_NO_NSS); > if (tevent_req_nomem(subreq, state->req)) { >diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c >index 02d9abc28a2..1d9a8b94d48 100644 >--- a/source3/winbindd/winbindd_getgrnam.c >+++ b/source3/winbindd/winbindd_getgrnam.c 
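Review bot: `const char *namespace,` names the new parameter with a C++ keyword; it compiles as C, but the same prototype is exported from winbindd_proto.h and the same name is used for the struct field in winbindd_irpc.c and the state fields in winbindd_getgroups.c and winbindd_getpwnam.c, so any consumer compiling the header as C++ breaks. `name_namespace`, which winbindd_getgrnam.c already uses for its fstring, or `lookup_namespace` would avoid that. In the second hunk the failure log `DEBUG(5, ("Could not find domain for %s\n", namespace));` no longer shows what was being resolved; `DEBUG(5, ("Could not find domain for %s (domain %s)\n", namespace, state->dom_name));` keeps the trace useful when a UPN realm is unknown. Both hunks sit inside wb_lookupname_send, which ends outside the hunk.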
>@@ -76,7 +76,10 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, > fstrcpy(state->name_domain, get_global_sam_name()); > } > >- subreq = wb_lookupname_send(state, ev, state->name_domain, state->name_group, >+ subreq = wb_lookupname_send(state, ev, >+ state->name_domain, >+ state->name_domain, >+ state->name_group, > 0); > if (tevent_req_nomem(subreq, req)) { > return tevent_req_post(req, ev); >diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c >index 8bf670654e1..68b470d6dad 100644 >--- a/source3/winbindd/winbindd_getgroups.c >+++ b/source3/winbindd/winbindd_getgroups.c >@@ -75,7 +75,10 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >- subreq = wb_lookupname_send(state, ev, state->domname, state->username, >+ subreq = wb_lookupname_send(state, ev, >+ state->domname, >+ state->domname, >+ state->username, > LOOKUP_NAME_NO_NSS); > if (tevent_req_nomem(subreq, req)) { > return tevent_req_post(req, ev); >diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c >index 73d3b3317ad..26686bf9f0f 100644 >--- a/source3/winbindd/winbindd_getpwnam.c >+++ b/source3/winbindd/winbindd_getpwnam.c >@@ -71,7 +71,10 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >- subreq = wb_lookupname_send(state, ev, state->domname, state->username, >+ subreq = wb_lookupname_send(state, ev, >+ state->domname, >+ state->domname, >+ state->username, > LOOKUP_NAME_NO_NSS); > if (tevent_req_nomem(subreq, req)) { > return tevent_req_post(req, ev); >diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c >index e03312ec7af..c9765cccd3c 100644 >--- a/source3/winbindd/winbindd_irpc.c >+++ b/source3/winbindd/winbindd_irpc.c 
>@@ -464,6 +464,7 @@ static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
> struct wb_irpc_lsa_LookupNames4_name {
> void *state;
> uint32_t idx;
>+ const char *namespace;
> const char *domain;
> char *name;
> struct dom_sid sid;
>@@ -551,11 +552,12 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg,
> if (p != NULL) {
> *p = 0;
> nstate->domain = nstate->name;
>+ nstate->namespace = nstate->domain;
> nstate->name = p+1;
> } else if ((p = strchr(nstate->name, '@')) != NULL) {
> /* upn */
>- nstate->domain = p + 1;
>- *p = 0;
>+ nstate->domain = "";
>+ nstate->namespace = p + 1;
> } else {
> /*
> * TODO: select the domain based on
>@@ -570,6 +572,7 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg,
>
> subreq = wb_lookupname_send(msg,
> server_event_context(),
>+ nstate->namespace,
> nstate->domain,
> nstate->name,
> LOOKUP_NAME_NO_NSS);
>diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
>index b02269155f1..c5a7c135973 100644
>--- a/source3/winbindd/winbindd_lookupname.c
>+++ b/source3/winbindd/winbindd_lookupname.c
>@@ -35,8 +35,10 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
> {
> struct tevent_req *req, *subreq;
> struct winbindd_lookupname_state *state;
>- const char *domname = NULL, *name = NULL;
> char *p = NULL;
>+ const char *domname = NULL;
>+ const char *name = NULL;
>+ const char *namespace = NULL;
>
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_lookupname_state);
>@@ -56,28 +58,29 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
> if (p != NULL) {
> *p = '\0';
> domname = request->data.name.name;
>+ namespace = domname;
> name = p + 1;
> } else {
> p = strchr(request->data.name.name, '@');
> if (p != NULL) {
> /* upn */
>- domname = p + 1;
>- *p = '\0';
>- name = request->data.name.name;
>+ namespace = p + 1;
> } else {
>- domname = "";
>- name = request->data.name.name;
>+ namespace = "";
> }
>+ domname = "";
>+ name = request->data.name.name;
> }
> } else {
> domname = request->data.name.dom_name;
>+ namespace = domname;
> name = request->data.name.name;
> }
>
> DEBUG(3, ("lookupname %s%s%s\n", domname, lp_winbind_separator(),
> name));
>
>- subreq = wb_lookupname_send(state, ev, domname, name, 0);
>+ subreq = wb_lookupname_send(state, ev, namespace, domname, name, 0);
> if (tevent_req_nomem(subreq, req)) {
> return tevent_req_post(req, ev);
> }
>diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
>index 302ed1c0a23..e3091da0e40 100644
>--- a/source3/winbindd/winbindd_proto.h
>+++ b/source3/winbindd/winbindd_proto.h
>@@ -568,7 +568,9 @@ NTSTATUS winbindd_lookupsids_recv(struct tevent_req *req,
>
> struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
> struct tevent_context *ev,
>- const char *dom_name, const char *name,
>+ const char *namespace,
>+ const char *dom_name,
>+ const char *name,
> uint32_t flags);
> NTSTATUS wb_lookupname_recv(struct tevent_req *req, struct dom_sid *sid,
> enum lsa_SidType *type);
>--
>2.16.3
>
>
>From a3b4095e345d08f7717c5ea73b617a7663032052 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 26 Apr 2018 17:23:41 +0200
>Subject: [PATCH 08/10] winbind: Remove unused function
> parse_domain_user_talloc()
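Review bot: In the upn branch `nstate->namespace = p + 1;` accepts a name whose '@' is its last character, producing an empty namespace while `nstate->name` still ends in '@'; what find_lookup_domain_from_name does with "" is outside this hunk, so whether that falls back to a default domain or fails is not visible here. Guarding the branch, `} else if ((p = strchr(nstate->name, '@')) != NULL && p[1] != '\0') {`, keeps such input on the existing unqualified-name path instead. Because `*p = 0` is gone, the full "user@realm" string is now handed to wb_lookupname_send, which is the intent of the commit but worth stating on the `/* upn */` line, e.g. `/* upn: keep the full name, pick the domain via the realm */`. wb_irpc_lsa_LookupNames4_call begins and ends outside the hunk.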
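Review bot: `DEBUG(3, ("lookupname %s%s%s\n", domname, lp_winbind_separator(), name));` now prints only the separator and the name for a UPN, since `domname` is "" on that path and `namespace` is never logged; `DEBUG(3, ("lookupname [%s] %s%s%s\n", namespace, domname, lp_winbind_separator(), name));` makes the realm chosen for the lookup visible when a wrong-domain result is being debugged. The `namespace = p + 1;` assignment has the same empty-namespace edge for a trailing '@' as the winbindd_irpc.c hunk, and would benefit from the same `p[1] != '\0'` guard. winbindd_lookupname_send begins above the hunk.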
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 32770e929ace8fe3f2469037ed887be14b3c5503) >--- > source3/winbindd/winbindd_proto.h | 2 -- > source3/winbindd/winbindd_util.c | 12 ------------ > 2 files changed, 14 deletions(-) > >diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h >index e3091da0e40..0cbcbad2a96 100644 >--- a/source3/winbindd/winbindd_proto.h >+++ b/source3/winbindd/winbindd_proto.h >@@ -477,8 +477,6 @@ struct winbindd_domain *find_default_route_domain(void); > struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid); > struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name); > bool parse_domain_user(const char *domuser, fstring domain, fstring user); >-bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, >- char **domain, char **user); > bool canonicalize_username(fstring username_inout, fstring domain, fstring user); > void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume); > char *fill_domain_username_talloc(TALLOC_CTX *ctx, >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index b19c42f626b..1317dfe422d 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c 
>@@ -1602,18 +1602,6 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user) > return strupper_m(domain); > } > >-bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, >- char **domain, char **user) >-{ >- fstring fstr_domain, fstr_user; >- if (!parse_domain_user(domuser, fstr_domain, fstr_user)) { >- return False; >- } >- *domain = talloc_strdup(mem_ctx, fstr_domain); >- *user = talloc_strdup(mem_ctx, fstr_user); >- return ((*domain != NULL) && (*user != NULL)); >-} >- > /* Ensure an incoming username from NSS is fully qualified. Replace the > incoming fstring with DOMAIN <separator> user. Returns the same > values as parse_domain_user() but also replaces the incoming username. >-- >2.16.3 > > >From 7728d791bcae614e3406d6ea2109e2440a86bf19 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 26 Apr 2018 12:17:12 +0200 >Subject: [PATCH 09/10] winbind: Fix UPN handling in parse_domain_user() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit a05b63db627fdbe0bdea4d144dfaeedb39025592) >--- > selftest/knownfail.d/upn_handling | 1 - > source3/winbindd/winbindd_cache.c | 5 +- > source3/winbindd/winbindd_ccache_access.c | 26 +++++++--- > source3/winbindd/winbindd_creds.c | 3 +- > source3/winbindd/winbindd_getgrnam.c | 15 ++++-- > source3/winbindd/winbindd_getgroups.c | 10 +++- > source3/winbindd/winbindd_getpwnam.c | 10 +++- > source3/winbindd/winbindd_pam.c | 83 +++++++++++++++++++++++-------- > source3/winbindd/winbindd_proto.h | 8 ++- > source3/winbindd/winbindd_util.c | 47 ++++++++++------- > 10 files changed, 151 insertions(+), 57 deletions(-) > >diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling >index 0fa2aa35f30..bcbedb4f903 100644 >--- a/selftest/knownfail.d/upn_handling 
>+++ b/selftest/knownfail.d/upn_handling >@@ -1,4 +1,3 @@ >-^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member > ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member > ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member > ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc >diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c >index 9f9e8781c21..2778e27374f 100644 >--- a/source3/winbindd/winbindd_cache.c >+++ b/source3/winbindd/winbindd_cache.c >@@ -3221,7 +3221,8 @@ bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, > return NT_STATUS_IS_OK(status); > } > >-bool lookup_cached_name(const char *domain_name, >+bool lookup_cached_name(const char *namespace, >+ const char *domain_name, > const char *name, > struct dom_sid *sid, > enum lsa_SidType *type) >@@ -3230,7 +3231,7 @@ bool lookup_cached_name(const char *domain_name, > NTSTATUS status; > bool original_online_state; > >- domain = find_lookup_domain_from_name(domain_name); >+ domain = find_lookup_domain_from_name(namespace); > if (domain == NULL) { > return false; > } >diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c >index 039e6534013..6bcf9a3552c 100644 >--- a/source3/winbindd/winbindd_ccache_access.c >+++ b/source3/winbindd/winbindd_ccache_access.c >@@ -43,8 +43,9 @@ static bool client_can_access_ccache_entry(uid_t client_uid, > return False; > } > >-static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username, >+static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace, > const char *domain, >+ const char *username, > const char *password, > const DATA_BLOB initial_msg, > const DATA_BLOB challenge_msg, 
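Review bot: `do_ntlm_auth_with_stored_pw` now takes `namespace, domain, username` where it previously took `username, domain`; all three are `const char *`, so a call site that is not updated still compiles with the strings silently swapped, and the compiler cannot flag it. The function is static and its single caller is rewritten in the next hunk, so the exposure is to future edits; a doc block above the definition naming the parameters in order, and stating that `namespace` selects the domain while `domain` is what the NTLM response carries, would make the contract visible. The lookup_cached_name hunk in winbindd_cache.c keeps `domain_name` and uses `namespace` only for find_lookup_domain_from_name, which reads correctly.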
>@@ -182,11 +183,12 @@ static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid) > void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) > { > struct winbindd_domain *domain; >- fstring name_domain, name_user; >+ fstring name_namespace, name_domain, name_user; > NTSTATUS result = NT_STATUS_NOT_SUPPORTED; > struct WINBINDD_MEMORY_CREDS *entry; > DATA_BLOB initial, challenge, auth; > uint32_t initial_blob_len, challenge_blob_len, extra_len; >+ bool ok; > > /* Ensure null termination */ > state->request->data.ccache_ntlm_auth.user[ >@@ -238,7 +240,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) > } > > /* Parse domain and username */ >- if (!parse_domain_user(state->request->data.ccache_ntlm_auth.user, name_domain, name_user)) { >+ ok = parse_domain_user(state->request->data.ccache_ntlm_auth.user, >+ name_namespace, >+ name_domain, >+ name_user); >+ if (!ok) { > DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse " > "domain and user from name [%s]\n", > state->request->data.ccache_ntlm_auth.user)); >@@ -273,10 +279,16 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) > state->request->data.ccache_ntlm_auth.challenge_blob_len); > > result = do_ntlm_auth_with_stored_pw( >- name_user, name_domain, entry->pass, >- initial, challenge, talloc_tos(), &auth, >- state->response->data.ccache_ntlm_auth.session_key, >- &state->response->data.ccache_ntlm_auth.new_spnego); >+ name_namespace, >+ name_domain, >+ name_user, >+ entry->pass, >+ initial, >+ challenge, >+ talloc_tos(), >+ &auth, >+ state->response->data.ccache_ntlm_auth.session_key, >+ &state->response->data.ccache_ntlm_auth.new_spnego); > > if (!NT_STATUS_IS_OK(result)) { > goto process_result; >diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c >index 15cca554d45..2d7aacf36a9 100644 >--- a/source3/winbindd/winbindd_creds.c >+++ b/source3/winbindd/winbindd_creds.c 
>@@ -76,7 +76,8 @@ NTSTATUS winbindd_store_creds(struct winbindd_domain *domain, > > enum lsa_SidType type; > >- if (!lookup_cached_name(domain->name, >+ if (!lookup_cached_name(domain->name, /* namespace */ >+ domain->name, > user, > &cred_sid, > &type)) { >diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c >index 1d9a8b94d48..37c205ddba4 100644 >--- a/source3/winbindd/winbindd_getgrnam.c >+++ b/source3/winbindd/winbindd_getgrnam.c >@@ -22,7 +22,7 @@ > > struct winbindd_getgrnam_state { > struct tevent_context *ev; >- fstring name_domain, name_group; >+ fstring name_namespace, name_domain, name_group; > struct dom_sid sid; > const char *domname; > const char *name; >@@ -42,6 +42,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, > struct winbindd_getgrnam_state *state; > char *tmp; > NTSTATUS nt_status; >+ bool ok; > > req = tevent_req_create(mem_ctx, &state, > struct winbindd_getgrnam_state); >@@ -66,7 +67,15 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, > > /* Parse domain and groupname */ > >- parse_domain_user(tmp, state->name_domain, state->name_group); >+ ok = parse_domain_user(tmp, >+ state->name_namespace, >+ state->name_domain, >+ state->name_group); >+ if (!ok) { >+ DBG_INFO("Could not parse domain user: %s\n", tmp); >+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return tevent_req_post(req, ev); >+ } > > /* if no domain or our local domain and no local tdb group, default to > * our local domain for aliases */ >@@ -77,7 +86,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, > } > > subreq = wb_lookupname_send(state, ev, >- state->name_domain, >+ state->name_namespace, > state->name_domain, > state->name_group, > 0); >diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c >index 68b470d6dad..f7f2df5f7b1 100644 >--- a/source3/winbindd/winbindd_getgroups.c >+++ b/source3/winbindd/winbindd_getgroups.c 
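Review bot: The new parse-failure path logs with `DBG_INFO("Could not parse domain user: %s\n", tmp);` while the matching checks added to winbindd_getgroups.c and winbindd_getpwnam.c in this same patch keep `DEBUG(5, ("Could not parse domain user: %s\n", domuser));`; both are level 5 in Samba's debug.h, but one form should be used at all three sites so the messages can be grepped together. The `/* namespace */` trailing comment in the winbindd_creds.c hunk is a good pattern; the duplicated `state->name_domain` argument pairs introduced by patch 07 would have read more easily with the same annotation. winbindd_getgrnam_send continues outside the hunk.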
>@@ -23,6 +23,7 @@
> 
> struct winbindd_getgroups_state {
> struct tevent_context *ev;
>+ fstring namespace;
> fstring domname;
> fstring username;
> struct dom_sid sid;
>@@ -46,6 +47,7 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
> struct winbindd_getgroups_state *state;
> char *domuser, *mapped_user;
> NTSTATUS status;
>+ bool ok;
> 
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_getgroups_state);
>@@ -69,14 +71,18 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
> domuser = mapped_user;
> }
> 
>- if (!parse_domain_user(domuser, state->domname, state->username)) {
>+ ok = parse_domain_user(domuser,
>+ state->namespace,
>+ state->domname,
>+ state->username);
>+ if (!ok) {
> DEBUG(5, ("Could not parse domain user: %s\n", domuser));
> tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> return tevent_req_post(req, ev);
> }
> 
> subreq = wb_lookupname_send(state, ev,
>- state->domname,
>+ state->namespace,
> state->domname,
> state->username,
> LOOKUP_NAME_NO_NSS);
>diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
>index 26686bf9f0f..8da66c25141 100644
>--- a/source3/winbindd/winbindd_getpwnam.c
>+++ b/source3/winbindd/winbindd_getpwnam.c
>@@ -23,6 +23,7 @@
> 
> struct winbindd_getpwnam_state {
> struct tevent_context *ev;
>+ fstring namespace;
> fstring domname;
> fstring username;
> struct dom_sid sid;
>@@ -42,6 +43,7 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
> struct winbindd_getpwnam_state *state;
> char *domuser, *mapped_user;
> NTSTATUS status;
>+ bool ok;
> 
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_getpwnam_state);
>@@ -65,14 +67,18 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
> domuser = mapped_user;
> }
> 
>- if (!parse_domain_user(domuser, state->domname, state->username)) {
>+ ok = parse_domain_user(domuser,
>+ state->namespace,
>+ state->domname,
>+ state->username);
>+ if (!ok) {
> DEBUG(5, ("Could not parse domain user: %s\n", domuser));
> tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> return tevent_req_post(req, ev);
> }
> 
> subreq = wb_lookupname_send(state, ev,
>- state->domname,
>+ state->namespace,
> state->domname,
> state->username,
> LOOKUP_NAME_NO_NSS);
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 8403d7d57b6..9c66c6bdb82 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -645,7 +645,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> const char *principal_s = NULL;
> const char *service = NULL;
> char *realm = NULL;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> time_t ticket_lifetime = 0;
> time_t renewal_until = 0;
> ADS_STRUCT *ads;
>@@ -658,6 +658,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> const char *local_service;
> uint32_t i;
> struct netr_SamInfo6 *info6_copy = NULL;
>+ bool ok;
> 
> *info6 = NULL;
> 
>@@ -693,7 +694,10 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
> /* 3rd step:
> * do kerberos auth and setup ccache as the user */
> 
>- parse_domain_user(user, name_domain, name_user);
>+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
>+ if (!ok) {
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
> 
> realm = talloc_strdup(mem_ctx, domain->alt_name);
> if (realm == NULL) {
>@@ -975,7 +979,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
> {
> NTSTATUS result = NT_STATUS_LOGON_FAILURE;
> uint16_t max_allowed_bad_attempts;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> struct dom_sid sid;
> enum lsa_SidType type;
> uchar new_nt_pass[NT_HASH_LEN];
>@@ -996,10 +1000,14 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
> 
> /* Parse domain and username */
> 
>- parse_domain_user(state->request->data.auth.user, name_domain, name_user);
>+ parse_domain_user(state->request->data.auth.user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
> 
> 
>- if (!lookup_cached_name(name_domain,
>+ if (!lookup_cached_name(name_namespace,
>+ name_domain,
> name_user,
> &sid,
> &type)) {
>@@ -1244,19 +1252,28 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
> struct netr_SamInfo6 **info6)
> {
> struct winbindd_domain *contact_domain;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> NTSTATUS result;
>+ bool ok;
> 
> DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
> 
> /* Parse domain and username */
> 
>- parse_domain_user(state->request->data.auth.user, name_domain, name_user);
>+ ok = parse_domain_user(state->request->data.auth.user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
>+ if (!ok) {
>+ result = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ }
> 
> /* what domain should we contact? */
> 
> if ( IS_DC ) {
>- if (!(contact_domain = find_domain_from_name(name_domain))) {
>+ contact_domain = find_domain_from_name(name_namespace);
>+ if (contact_domain == NULL) {
> DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
> state->request->data.auth.user, name_domain, name_user, name_domain));
> result = NT_STATUS_NO_SUCH_USER;
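Review bot: winbindd_dual_pam_auth_cached (hunk `@@ -996`) still discards the return value of parse_domain_user(), while every other call site converted in this patch checks `ok`; the rewritten parse_domain_user() returns false for an empty name before writing any of its outputs, so on that path name_namespace, name_domain and name_user are uninitialised fstrings when they reach lookup_cached_name(). Make this site consistent with winbindd_raw_kerberos_login above: `ok = parse_domain_user(state->request->data.auth.user, name_namespace, name_domain, name_user);` followed by `if (!ok) { return NT_STATUS_INVALID_PARAMETER; }`. The rest of the function is outside the hunk, so if it has a cleanup label a `goto` to it may be the right form instead of a bare return.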
>@@ -1270,7 +1287,7 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
> goto done;
> }
> 
>- contact_domain = find_domain_from_name(name_domain);
>+ contact_domain = find_domain_from_name(name_namespace);
> if (contact_domain == NULL) {
> DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
> state->request->data.auth.user, name_domain, name_user, name_domain));
>@@ -1662,19 +1679,23 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
> DATA_BLOB lm_resp;
> DATA_BLOB nt_resp;
> unsigned char local_nt_response[24];
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> NTSTATUS result;
> uint8_t authoritative = 0;
> uint32_t flags = 0;
> uint16_t validation_level;
> union netr_Validation *validation = NULL;
> struct netr_SamBaseInfo *base_info = NULL;
>+ bool ok;
> 
> DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
> 
> /* Parse domain and username */
> 
>- parse_domain_user(user, name_domain, name_user);
>+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
>+ if (!ok) {
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
> 
> /*
> * We check against domain->name instead of
>@@ -1869,12 +1890,13 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
> {
> NTSTATUS result = NT_STATUS_LOGON_FAILURE;
> NTSTATUS krb5_result = NT_STATUS_OK;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> char *mapped_user;
> fstring domain_user;
> uint16_t validation_level = UINT16_MAX;
> union netr_Validation *validation = NULL;
> NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
>+ bool ok;
> 
> /* Ensure null termination */
> state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
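Review bot: In the non-DC branch of winbindd_dual_pam_auth_kerberos (hunk `@@ -1270`) the lookup now uses `name_namespace`, but the DEBUG(3) that follows still reports `name_domain` as the domain that is not trusted; for a UPN parse_domain_user() leaves name_domain empty and puts the realm in name_namespace, so the log reads `[] ... as  is not a trusted domain` and hides the realm that actually failed. Print the value that was looked up: `state->request->data.auth.user, name_namespace, name_user, name_namespace`. The IS_DC branch in the preceding hunk has the same mismatch.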
>@@ -1900,7 +1922,14 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
> mapped_user = state->request->data.auth.user;
> }
> 
>- parse_domain_user(mapped_user, name_domain, name_user);
>+ ok = parse_domain_user(mapped_user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
>+ if (!ok) {
>+ result = NT_STATUS_INVALID_PARAMETER;
>+ goto process_result;
>+ }
> 
> if ( mapped_user != state->request->data.auth.user ) {
> fstr_sprintf( domain_user, "%s%c%s", name_domain,
>@@ -2490,15 +2519,20 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
> struct samr_DomInfo1 *info = NULL;
> struct userPwdChangeFailureInformation *reject = NULL;
> NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
>- fstring domain, user;
>+ fstring namespace, domain, user;
> struct dcerpc_binding_handle *b = NULL;
>+ bool ok;
> 
> ZERO_STRUCT(dom_pol);
> 
> DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
> state->request->data.auth.user));
> 
>- if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
>+ ok = parse_domain_user(state->request->data.chauthtok.user,
>+ namespace,
>+ domain,
>+ user);
>+ if (!ok) {
> goto done;
> }
> 
>@@ -2707,7 +2741,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
> DATA_BLOB old_nt_hash_enc;
> DATA_BLOB new_lm_password;
> DATA_BLOB old_lm_hash_enc;
>- fstring domain,user;
>+ fstring namespace, domain, user;
> struct policy_handle dom_pol;
> struct winbindd_domain *contact_domain = domainSt;
> struct rpc_pipe_client *cli = NULL;
>@@ -2720,8 +2754,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
> sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
> state->request->data.chng_pswd_auth_crap.domain[
> sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
>- *domain = 0;
>- *user = 0;
>+ domain[0] = '\0';
>+ namespace[0] = '\0';
>+ user[0] = '\0';
> 
> DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
> (unsigned long)state->pid,
>@@ -2738,8 +2773,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
> if (*state->request->data.chng_pswd_auth_crap.domain) {
> fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
> } else {
>- parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
>- domain, user);
>+ bool ok;
>+
>+ ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
>+ namespace,
>+ domain,
>+ user);
>+ if (!ok) {
>+ result = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ }
> 
> if(!*domain) {
> DEBUG(3,("no domain specified with username (%s) - "
>diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
>index 0cbcbad2a96..c4b27575b32 100644
>--- a/source3/winbindd/winbindd_proto.h
>+++ b/source3/winbindd/winbindd_proto.h
>@@ -134,7 +134,8 @@ void close_winbindd_cache(void);
> bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
> char **domain_name, char **name,
> enum lsa_SidType *type);
>-bool lookup_cached_name(const char *domain_name,
>+bool lookup_cached_name(const char *namespace,
>+ const char *domain_name,
> const char *name,
> struct dom_sid *sid,
> enum lsa_SidType *type);
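Review bot: In winbindd_dual_pam_chng_pswd_auth_crap the new `namespace` local is cleared in the first hunk but only filled on the else path of the second; when the request carries an explicit `.domain`, `domain` is copied and `namespace` stays empty. If anything later in the function (outside the hunk) routes on namespace the way the other converted auth paths now do, that branch will hand it an empty string; if nothing does, the variable is dead on that branch. Keeping both fields consistent costs one line next to the existing copy: `fstrcpy(namespace, domain);`. The function body continues beyond both hunks.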
>@@ -476,7 +477,10 @@ struct winbindd_domain *find_our_domain(void);
> struct winbindd_domain *find_default_route_domain(void);
> struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid);
> struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
>-bool parse_domain_user(const char *domuser, fstring domain, fstring user);
>+bool parse_domain_user(const char *domuser,
>+ fstring namespace,
>+ fstring domain,
>+ fstring user);
> bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
> void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
> char *fill_domain_username_talloc(TALLOC_CTX *ctx,
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 1317dfe422d..068be91dca5 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -1575,28 +1575,37 @@ static bool assume_domain(const char *domain)
> return False;
> }
> 
>-/* Parse a string of the form DOMAIN\user into a domain and a user */
>-
>-bool parse_domain_user(const char *domuser, fstring domain, fstring user)
>+/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
>+bool parse_domain_user(const char *domuser,
>+ fstring namespace,
>+ fstring domain,
>+ fstring user)
> {
>- char *p = strchr(domuser,*lp_winbind_separator());
>+ char *p = NULL;
>+
>+ if (strlen(domuser) == 0) {
>+ return false;
>+ }
> 
>- if ( !p ) {
>+ p = strchr(domuser, *lp_winbind_separator());
>+ if (p != NULL) {
>+ fstrcpy(user, p + 1);
>+ fstrcpy(domain, domuser);
>+ domain[PTR_DIFF(p, domuser)] = '\0';
>+ fstrcpy(namespace, domain);
>+ } else {
> fstrcpy(user, domuser);
>- p = strchr(domuser, '@');
> 
>- if ( assume_domain(lp_workgroup()) && p == NULL) {
>+ domain[0] = '\0';
>+ namespace[0] = '\0';
>+ p = strchr(domuser, '@');
>+ if (p != NULL) {
>+ /* upn */
>+ fstrcpy(namespace, p + 1);
>+ } else if (assume_domain(lp_workgroup())) {
> fstrcpy(domain, lp_workgroup());
>- } else if (p != NULL) {
>- fstrcpy(domain, p + 1);
>- user[PTR_DIFF(p, domuser)] = 0;
>- } else {
>- return False;
>+ fstrcpy(namespace, domain);
> }
>- } else {
>- fstrcpy(user, p+1);
>- fstrcpy(domain, domuser);
>- domain[PTR_DIFF(p, domuser)] = 0;
> }
> 
> return strupper_m(domain);
>@@ -1613,7 +1622,11 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user)
> 
> bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
> {
>- if (!parse_domain_user(username_inout, domain, user)) {
>+ fstring namespace;
>+ bool ok;
>+
>+ ok = parse_domain_user(username_inout, namespace, domain, user);
>+ if (!ok) {
> return False;
> }
> slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
>--
>2.16.3
>
>
>From c8f68cc0a9b1f5cf1c2467146e861aa5080aea9a Mon Sep 17 00:00:00 2001
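Review bot: The rewritten parse_domain_user() no longer rejects a bare name: the removed code returned False when there was no separator, no '@' and assume_domain() was off, whereas the new else-chain has no final branch for that case and falls through to `return strupper_m(domain)` with both domain and namespace empty, which is true. Every caller converted in this series now routes on the namespace (find_domain_from_name, find_auth_domain, wb_lookupname_send), so such names reach them as "" instead of producing the former parse error; either add a trailing `} else { return false; }` to preserve the old contract, or give namespace an explicit default and document it. Note also that for a UPN the user buffer keeps the full `user@realm` while domain stays empty, so the `slprintf("%s%c%s", domain, sep, user)` in canonicalize_username() (cut off at the hunk edge) would produce a separator-prefixed string unless the code after it handles that case. The header comment should state the three outcomes, roughly `/* DOMAIN\user: domain=namespace=DOMAIN; user@realm: namespace=realm, domain=""; bare name: domain=namespace=workgroup only if assume_domain() */`.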
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 26 Apr 2018 17:32:42 +0200
>Subject: [PATCH 10/10] winbind: Fix UPN handling in canonicalize_username()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144
>
>(cherry picked from commit 1766f77493c5a76e4d7d1e5eedcaa150cc9ea552)
>---
> source3/winbindd/winbindd_ccache_access.c | 17 ++++++++++++-----
> source3/winbindd/winbindd_pam_auth.c | 11 ++++++++---
> source3/winbindd/winbindd_pam_chauthtok.c | 12 ++++++++----
> source3/winbindd/winbindd_pam_logoff.c | 12 ++++++++----
> source3/winbindd/winbindd_proto.h | 5 ++++-
> source3/winbindd/winbindd_util.c | 6 ++++--
> 6 files changed, 44 insertions(+), 19 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
>index 6bcf9a3552c..ddeaf1d9940 100644
>--- a/source3/winbindd/winbindd_ccache_access.c
>+++ b/source3/winbindd/winbindd_ccache_access.c
>@@ -199,8 +199,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
> 
> /* Parse domain and username */
> 
>- if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
>- name_domain, name_user)) {
>+ ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
>+ if (!ok) {
> DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
> state->request->data.ccache_ntlm_auth.user));
> request_error(state);
>@@ -316,8 +319,9 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
> void winbindd_ccache_save(struct winbindd_cli_state *state)
> {
> struct winbindd_domain *domain;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> NTSTATUS status;
>+ bool ok;
> 
> /* Ensure null termination */
> state->request->data.ccache_save.user[
>@@ -331,8 +335,11 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
> 
> /* Parse domain and username */
> 
>- if (!canonicalize_username(state->request->data.ccache_save.user,
>- name_domain, name_user)) {
>+ ok = canonicalize_username(state->request->data.ccache_save.user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
>+ if (!ok) {
> DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
> "from name [%s]\n",
> state->request->data.ccache_save.user));
>diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
>index b35a17cf319..95550ba9066 100644
>--- a/source3/winbindd/winbindd_pam_auth.c
>+++ b/source3/winbindd/winbindd_pam_auth.c
>@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
> struct tevent_req *req, *subreq;
> struct winbindd_pam_auth_state *state;
> struct winbindd_domain *domain;
>- fstring name_domain, name_user;
>+ fstring name_namespace, name_domain, name_user;
> char *mapped = NULL;
> NTSTATUS status;
>+ bool ok;
> 
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_pam_auth_state);
>@@ -71,12 +72,16 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
> fstrcpy(request->data.auth.user, mapped);
> }
> 
>- if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) {
>+ ok = canonicalize_username(request->data.auth.user,
>+ name_namespace,
>+ name_domain,
>+ name_user);
>+ if (!ok) {
> tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
> return tevent_req_post(req, ev);
> }
> 
>- domain = find_auth_domain(request->flags, name_domain);
>+ domain = find_auth_domain(request->flags, name_namespace);
> if (domain == NULL) {
> tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
> return tevent_req_post(req, ev);
>diff --git a/source3/winbindd/winbindd_pam_chauthtok.c b/source3/winbindd/winbindd_pam_chauthtok.c
>index 0d749fbcecd..a6b8b66b9be 100644
>--- a/source3/winbindd/winbindd_pam_chauthtok.c
>+++ b/source3/winbindd/winbindd_pam_chauthtok.c
>@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_chauthtok_send(
> struct tevent_req *req, *subreq;
> struct winbindd_pam_chauthtok_state *state;
> struct winbindd_domain *contact_domain;
>- fstring domain, user;
>+ fstring namespace, domain, user;
> char *mapped_user;
> NTSTATUS status;
>+ bool ok;
> 
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_pam_chauthtok_state);
>@@ -62,15 +63,18 @@ struct tevent_req *winbindd_pam_chauthtok_send(
> fstrcpy(request->data.chauthtok.user, mapped_user);
> }
> 
>- if (!canonicalize_username(request->data.chauthtok.user, domain,
>- user)) {
>+ ok = canonicalize_username(request->data.chauthtok.user,
>+ namespace,
>+ domain,
>+ user);
>+ if (!ok) {
> DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s "
> "failed with\n", request->data.chauthtok.user));
> tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
> return tevent_req_post(req, ev);
> }
> 
>- contact_domain = find_domain_from_name(domain);
>+ contact_domain = find_domain_from_name(namespace);
> if (contact_domain == NULL) {
> DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] "
> "as %s is not a trusted domain\n",
>diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c
>index b5b7840f99c..8f2b4882521 100644
>--- a/source3/winbindd/winbindd_pam_logoff.c
>+++ b/source3/winbindd/winbindd_pam_logoff.c
>@@ -35,10 +35,11 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
> struct tevent_req *req, *subreq;
> struct winbindd_pam_logoff_state *state;
> struct winbindd_domain *domain;
>- fstring name_domain, user;
>+ fstring name_namespace, name_domain, user;
> uid_t caller_uid;
> gid_t caller_gid;
> int res;
>+ bool ok;
> 
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_pam_logoff_state);
>@@ -60,12 +61,15 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
> goto failed;
> }
> 
>- if (!canonicalize_username(request->data.logoff.user, name_domain,
>- user)) {
>+ ok = canonicalize_username(request->data.logoff.user,
>+ name_namespace,
>+ name_domain,
>+ user);
>+ if (!ok) {
> goto failed;
> }
> 
>- domain = find_auth_domain(request->flags, name_domain);
>+ domain = find_auth_domain(request->flags, name_namespace);
> if (domain == NULL) {
> goto failed;
> }
>diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
>index c4b27575b32..95f24d2c279 100644
>--- a/source3/winbindd/winbindd_proto.h
>+++ b/source3/winbindd/winbindd_proto.h
>@@ -481,7 +481,10 @@ bool parse_domain_user(const char *domuser,
> fstring namespace,
> fstring domain,
> fstring user);
>-bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
>+bool canonicalize_username(fstring username_inout,
>+ fstring namespace,
>+ fstring domain,
>+ fstring user);
> void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
> char *fill_domain_username_talloc(TALLOC_CTX *ctx,
> const char *domain,
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 068be91dca5..c2ec164e143 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -1620,9 +1620,11 @@ bool parse_domain_user(const char *domuser,
> really should be changed to use this instead of doing things
> by hand. JRA. */
> 
>-bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
>+bool canonicalize_username(fstring username_inout,
>+ fstring namespace,
>+ fstring domain,
>+ fstring user)
> {
>- fstring namespace;
> bool ok;
> 
> ok = parse_domain_user(username_inout, namespace, domain, user);
>--
>2.16.3
>
Flags:
metze
:
review+