From 211abd8c6558fd6703fff051c6a5da521bd8b70c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 27 Nov 2018 20:32:09 +0100 Subject: [PATCH 1/5] selftest: test wbinfo -n and --gid-info with "NT Authority" BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Signed-off-by: Ralph Boehme Reviewed-by: David Mulder Reviewed-by: Andreas Schneider (cherry picked from commit c46b6b111e8adcd7cf029e5c3293cbdc471793db) --- nsswitch/tests/test_wbinfo.sh | 18 ++++++++++++++++++ selftest/knownfail.d/samba.blackbox.wbinfo | 2 ++ 2 files changed, 20 insertions(+) create mode 100644 selftest/knownfail.d/samba.blackbox.wbinfo diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh index 67660e50fc8..2ac83828a0e 100755 --- a/nsswitch/tests/test_wbinfo.sh +++ b/nsswitch/tests/test_wbinfo.sh @@ -125,6 +125,24 @@ else echo "success: wbinfo -n check for sane mapping" fi +echo "test: wbinfo -n NT Authority/Authenticated Users" +$wbinfo -n "NT Authority/Authenticated Users" +if [ $? -ne 0 ] ; then + echo "failure: wbinfo -n NT Authority/Authenticated Users" + failed=`expr $failed + 1` +else + echo "success: wbinfo -n NT Authority/Authenticated Users" +fi + +echo "test: wbinfo --group-info NT Authority/Authenticated Users" +$wbinfo --group-info "NT Authority/Authenticated Users" +if [ $? -ne 0 ] ; then + echo "failure: wbinfo --group-info NT Authority/Authenticated Users" + failed=`expr $failed + 1` +else + echo "success: wbinfo --group-info NT Authority/Authenticated Users" +fi + testit "wbinfo -U against $TARGET" $wbinfo -U 30000 || failed=`expr $failed + 1` echo "test: wbinfo -U check for sane mapping" diff --git a/selftest/knownfail.d/samba.blackbox.wbinfo b/selftest/knownfail.d/samba.blackbox.wbinfo new file mode 100644 index 00000000000..e294c2d3c15 --- /dev/null +++ b/selftest/knownfail.d/samba.blackbox.wbinfo 
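Review bot: Both added checks in nsswitch/tests/test_wbinfo.sh pass on any zero exit status and never look at what wbinfo printed, so a lookup that resolves "NT Authority/Authenticated Users" to the wrong SID or type would still be reported as success. Because this is a well-known group that ends up in access decisions, the test should pin the result: capture the output, for example `out=$($wbinfo -n "NT Authority/Authenticated Users")`, and fail unless it contains the expected value (the 5/5 commit message shows `S-1-5-11 SID_WKN_GROUP (5)`). The two blocks also hand-roll the test/success/failure echo protocol, where the following context line uses the `testit` helper; that helper would reduce the exit-status part to one line each.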
@@ -0,0 +1,2 @@ +^samba.blackbox.wbinfo\(.*\).wbinfo -n NT Authority/Authenticated Users\(.*\) +^samba.blackbox.wbinfo\(.*\).wbinfo --group-info NT Authority/Authenticated Users\(.*\) -- 2.17.2 From 3c946ed928c6a91c30297acf68709d58567661a1 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 28 Nov 2018 17:19:39 +0100 Subject: [PATCH 2/5] libcli/security: add dom_sid_lookup_is_predefined_domain() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: David Mulder Reviewed-by: Andreas Schneider (cherry picked from commit 2de5f06d399109009c343b0acfef822db38502a1) --- libcli/security/dom_sid.h | 1 + libcli/security/util_sid.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index d9f4b3fc8a6..491fc0699f4 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -74,6 +74,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid, enum lsa_SidType *type, const struct dom_sid **authority_sid, const char **authority_name); +bool dom_sid_lookup_is_predefined_domain(const char *domain); int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2); diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c index af04dff1325..531d3809565 100644 --- a/libcli/security/util_sid.c +++ b/libcli/security/util_sid.c 
@@ -879,6 +879,39 @@ NTSTATUS dom_sid_lookup_predefined_name(const char *name, return NT_STATUS_NONE_MAPPED; } +bool dom_sid_lookup_is_predefined_domain(const char *domain) +{ + size_t di; + bool match; + + if (domain == NULL) { + domain = ""; + } + + match = strequal(domain, ""); + if (match) { + /* + * Strange, but that's what W2012R2 does. + */ + domain = "BUILTIN"; + } + + for (di = 0; di < ARRAY_SIZE(predefined_domains); di++) { + const struct predefined_domain_mapping *d = + &predefined_domains[di]; + int cmp; + + cmp = strcasecmp(d->domain, domain); + if (cmp != 0) { + continue; + } + + return true; + } + + return false; +} + NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid, const char **name, enum lsa_SidType *type, -- 2.17.2 From f65998bc7450a784de25c706d00c4d3792b938f5 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 27 Nov 2018 17:32:09 +0100 Subject: [PATCH 3/5] winbindd: add some braces BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Signed-off-by: Ralph Boehme Reviewed-by: David Mulder Reviewed-by: Andreas Schneider (cherry picked from commit e0f784baeaa73096534d9a1ed941028d99f84ece) --- source3/winbindd/winbindd_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index f913d395575..b7248fa4311 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1526,8 +1526,9 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name) } if (strequal(domain_name, "BUILTIN") || - strequal(domain_name, get_global_sam_name())) + strequal(domain_name, get_global_sam_name())) { return find_domain_from_name_noinit(domain_name); + } if (IS_DC) { struct winbindd_domain *domain = NULL; -- 2.17.2 From 6b7ddbd5497a0140916936d2ca832e45af7ccd9e Mon Sep 17 00:00:00 2001 
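Review bot: dom_sid_lookup_is_predefined_domain() rewrites a NULL or empty `domain` to "BUILTIN" before scanning `predefined_domains`, so those inputs are presumably reported as predefined (the table is outside the hunk), and neither the definition nor the new prototype in dom_sid.h says so. Callers that use the result to pick a lookup backend need that contract spelled out. A header comment would do it, such as `/* Returns true if domain names a predefined domain; NULL and "" are treated as "BUILTIN", matching W2012R2. */`. The function also mixes `strequal()` for the empty-string test with `strcasecmp()` in the loop. One comparison throughout, and `if (strcasecmp(d->domain, domain) == 0) { return true; }` in place of the `cmp`/`continue` pair, would read more directly.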
From: Ralph Boehme Date: Wed, 28 Nov 2018 17:20:41 +0100 Subject: [PATCH 4/5] winbindd: fix predefined domains routing in find_lookup_domain_from_sid() Route predefined domains through the BUILTIN domain child, not passdb. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: David Mulder Reviewed-by: Andreas Schneider (cherry picked from commit b512a58bbd7361cbbcf68f6713943377338fc2a1) --- source3/winbindd/winbindd_util.c | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index b7248fa4311..d3b3eaaa1ec 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -108,15 +108,6 @@ static bool is_internal_domain(const struct dom_sid *sid) return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid)); } -static bool is_in_internal_domain(const struct dom_sid *sid) -{ - if (sid == NULL) - return False; - - return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid)); -} - - /* Add a trusted domain to our list of domains. If the domain already exists in the list, return it and don't re-initialize. */ 
@@ -1475,20 +1466,18 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) sid_check_is_unix_groups(sid) || sid_check_is_in_unix_users(sid) || sid_check_is_unix_users(sid) || - sid_check_is_wellknown_domain(sid, NULL) || - sid_check_is_in_wellknown_domain(sid) ) + sid_check_is_our_sam(sid) || + sid_check_is_in_our_sam(sid) ) { return find_domain_from_sid(get_global_sam_sid()); } - /* - * On member servers the internal domains are different: These are part - * of the local SAM. - */ - - if (is_internal_domain(sid) || is_in_internal_domain(sid)) { - DEBUG(10, ("calling find_domain_from_sid\n")); - return find_domain_from_sid(sid); + if ( sid_check_is_builtin(sid) || + sid_check_is_in_builtin(sid) || + sid_check_is_wellknown_domain(sid, NULL) || + sid_check_is_in_wellknown_domain(sid) ) + { + return find_domain_from_sid(&global_sid_Builtin); } if (IS_DC) { -- 2.17.2 From ce56c1d8132fe8dd86b7e9e18bc4725f7f7865fc Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 28 Nov 2018 15:39:21 +0100 Subject: [PATCH 5/5] winbindd: Route predefined domains through the BUILTIN domain child MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without this eg "NT Authority" didn't work: $ bin/wbinfo -n "NT Authority/Authenticated Users" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name NT Authority/Authenticated Users $ bin/wbinfo --group-info="NT Authority/Authenticated Users" failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for group NT Authority/Authenticated Users With the patch: $ bin/wbinfo -n "NT Authority/Authenticated Users" S-1-5-11 SID_WKN_GROUP (5) $ bin/wbinfo --group-info="NT Authority/Authenticated Users" NT AUTHORITY\authenticated users:x:10002: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 
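Review bot: The new branch in find_lookup_domain_from_sid() that sends BUILTIN and well-known SIDs to `find_domain_from_sid(&global_sid_Builtin)` carries no comment, while the explanatory comment and the `DEBUG(10, ...)` trace of the branch it replaces are both dropped. The reason for the routing is only in the commit message; it belongs on the code, e.g. `/* Predefined (well-known) domains are served by the BUILTIN domain child, not passdb. */`. A level-10 debug line is also worth keeping, so the routing decision stays visible when SID resolution is being diagnosed. With `is_in_internal_domain()` removed in the previous hunk and `is_internal_domain()` no longer called here, the latter may now be unused; that cannot be confirmed from the hunk. The function starts and ends outside the hunk.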
Signed-off-by: Ralph Boehme Reviewed-by: David Mulder Reviewed-by: Andreas Schneider Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Dec 5 11:27:22 CET 2018 on sn-devel-144 (cherry picked from commit 8b8d9fdad4a4e2c479141b3d40e9a7320a49c0dd) --- selftest/knownfail.d/samba.blackbox.wbinfo | 2 -- source3/winbindd/winbindd_util.c | 7 +++++++ 2 files changed, 7 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/samba.blackbox.wbinfo diff --git a/selftest/knownfail.d/samba.blackbox.wbinfo b/selftest/knownfail.d/samba.blackbox.wbinfo deleted file mode 100644 index e294c2d3c15..00000000000 --- a/selftest/knownfail.d/samba.blackbox.wbinfo +++ /dev/null @@ -1,2 +0,0 @@ -^samba.blackbox.wbinfo\(.*\).wbinfo -n NT Authority/Authenticated Users\(.*\) -^samba.blackbox.wbinfo\(.*\).wbinfo --group-info NT Authority/Authenticated Users\(.*\) diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index d3b3eaaa1ec..5d4fca213e0 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1504,6 +1504,8 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name) { + bool predefined; + if ( strequal(domain_name, unix_users_domain_name() ) || strequal(domain_name, unix_groups_domain_name() ) ) { @@ -1519,6 +1521,11 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name) return find_domain_from_name_noinit(domain_name); } + predefined = dom_sid_lookup_is_predefined_domain(domain_name); + if (predefined) { + return find_domain_from_name_noinit(builtin_domain_name()); + } + if (IS_DC) { struct winbindd_domain *domain = NULL; -- 2.17.2
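Review bot: In find_lookup_domain_from_name() the new `dom_sid_lookup_is_predefined_domain(domain_name)` check also matches a NULL or empty `domain_name`, because the helper added in 2/5 maps both to "BUILTIN". Such a name now returns the BUILTIN domain child instead of reaching the `IS_DC` logic below. Whether any caller can pass an empty name is not visible here, so this may be intended. If it is, a comment on the check should say so, e.g. `/* also true for NULL and "", which the helper treats as BUILTIN */`; if not, the condition should be guarded with `domain_name != NULL && domain_name[0] != '\0'`. The function body continues outside the hunk.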