From 4df378cccc019a7c1717c5fdd80e7079abf89e41 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:26:48 -0700
Subject: [PATCH 1/6] nsswitch: Add testcase for checking output of wbinfo --sid-to-name
The username should always be returned in the DOMAISHORTNAME/USERNAME format.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit d006c769a9cad275339b18b08e13d48acb29d7fc)
---
 nsswitch/tests/test_wbinfo_name_lookup.sh | 15 +++++++++++++++
 selftest/knownfail | 1 +
 2 files changed, 16 insertions(+)
diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
index c1d39c1a602..ee8ae11f4b1 100755
--- a/nsswitch/tests/test_wbinfo_name_lookup.sh
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -31,6 +31,21 @@ testit "name-to-sid.upn" \
 $wbinfo -n $DC_USERNAME@$REALM || \
 failed=$(expr $failed + 1)
+testit "name-to-sid.realm-user" \
+ $wbinfo -n $REALM/$DC_USERNAME || \
+ failed=$(expr $failed + 1)
+
+# For the name-to-sid.realm-user query, ensure
+# that this does not change subsequent sid-to-name
+# queries.
+sid=$($wbinfo -n $REALM/$DC_USERNAME | sed -e 's/ .*//')
+out=$($wbinfo -s $sid | sed -e 's/ .//')
+# winbindd returns usernames in lowercase
+lcuser=$(echo $DC_USERNAME | tr A-Z a-z)
+testit "Verify DOMAIN/USER output" \
+ test "$out" = "$DOMAIN/$lcuser" || \
+ failed=$(expr $failed + 1)
+
 # Two separator characters should fail
 testit_expect_failure "name-to-sid.double-separator" \
 $wbinfo -n $DOMAIN//$DC_USERNAME || \
diff --git a/selftest/knownfail b/selftest/knownfail
index baf3d57a31a..9c2077f2c98 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
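Review bot: In the added `out=` line, `sed -e 's/ .//'` deletes the first space and the single character after it, so the comparison only holds while the account name contains no space and wbinfo prints a one-character field after the name. `$sid` is also unquoted and the exit status of the preceding `wbinfo -n` is lost in its pipeline, so a failed lookup shows up only as a confusing mismatch in "Verify DOMAIN/USER output". Assuming the trailing field is the numeric SID type, I would anchor the strip at the end of the line and quote the SID: `out=$($wbinfo -s "$sid" | sed -e 's/ [0-9]*$//')`.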
@@ -349,3 +349,4 @@
 # Disabling NTLM means you can't use samr to change the password
 ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+^samba3.wbinfo_name_lookup.Verify DOMAIN/USER output\(ad_member\)
-- 2.17.0
From 2700783a631da19202b1fa58d0a363b8d6af66f2 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 15:53:51 -0700
Subject: [PATCH 2/6] winbind: Query domain from msrpc name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 60b0e91237179b8782c4bd83b9579f51d5af2928)
---
 source3/winbindd/winbindd_msrpc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index eb400f0ebf3..4299a567907 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -226,6 +226,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 enum lsa_SidType *types = NULL;
 char *full_name = NULL;
 const char *names[1];
+ const char **domains;
 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
 char *mapped_name = NULL;
@@ -260,7 +261,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 names[0] = full_name;
 result = winbindd_lookup_names(mem_ctx, domain, 1,
- names, NULL,
+ names, &domains,
 &sids, &types);
 if (!NT_STATUS_IS_OK(result))
 return result;
-- 2.17.0
From 261cf5712b3dd80148c75f42419c958359ac50f3 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 15:54:21 -0700
Subject: [PATCH 3/6] winbind: Query domain from winbind rpc name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
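Review bot: `const char **domains;` in the first msrpc_name_to_sid hunk is declared without an initialiser, while the neighbouring pointers in the same declaration block (`types`, `full_name`) start as NULL. Nothing in this patch reads it, and the second hunk returns early unless `NT_STATUS_IS_OK(result)`, but PATCH 5/6 goes on to read `domains[0]`; `const char **domains = NULL;` would turn a missed assignment inside winbindd_lookup_names into a deterministic NULL access instead of a read through an indeterminate stack value. The same applies to `domains` in rpc_name_to_sid (PATCH 3/6) and `dom_name` in sam_name_to_sid (PATCH 4/6). The function body continues outside both hunks.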
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 562551c0886bdef1f97059e16d375c2e97452b45)
---
 source3/winbindd/winbindd_rpc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index f50fb8fa5db..eb892bafb97 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -246,6 +246,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 struct dom_sid *sids = NULL;
 char *full_name = NULL;
 const char *names[1];
+ const char **domains;
 char *mapped_name = NULL;
 NTSTATUS status;
@@ -282,7 +283,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 lsa_policy,
 1, /* num_names */
 names,
- NULL, /* domains */
+ &domains,
 1, /* level */
 &sids,
 &types);
-- 2.17.0
From 1af5c3abde917843679d13ac5069f37877048fac Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Thu, 14 Mar 2019 10:30:45 -0700
Subject: [PATCH 4/6] winbind: Query domain from winbind sam_name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 32e3f0663be39cf4a81639c818fc88e959791673)
---
 source3/winbindd/winbindd_samr.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 31720d54997..b0c023b2dd6 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -587,6 +587,7 @@ static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
 struct rpc_pipe_client *lsa_pipe;
 struct policy_handle lsa_policy = { 0 };
 struct dom_sid sid;
+ const char *dom_name;
 enum lsa_SidType type;
 TALLOC_CTX *tmp_ctx;
 NTSTATUS status;
@@ -615,6 +616,7 @@ again:
 domain_name,
 name,
 flags,
+ &dom_name,
 &sid,
 &type);
-- 2.17.0
From 0c480c1e45959757b4dc42572a3a57b854e896bb Mon Sep 17 00:00:00 2001
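Review bot: The call under `again:` in sam_name_to_sid (PATCH 4/6) gains a `&dom_name` argument, but the callee's name and prototype lie outside the hunk. If the callee is rpc_name_to_sid, its prototype only receives `const char **pdom_name` in PATCH 5/6 (winbindd_rpc.h), so this commit would not compile on its own and would break `git bisect` across the series. PATCH 2/6 and 3/6 avoid that by changing only arguments whose slot already exists. Moving this call-site change into PATCH 5/6, or ordering it after the prototype change, would keep every step buildable.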
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:11:01 -0700
Subject: [PATCH 5/6] winbind: Return queried domain name from name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 640e0ef4fd338ddf03b813a8d45cce67c7ec7a01)
---
 source3/winbindd/winbindd.h | 1 +
 source3/winbindd/winbindd_ads.c | 3 ++-
 source3/winbindd/winbindd_cache.c | 2 +-
 source3/winbindd/winbindd_msrpc.c | 12 ++++++++++++
 source3/winbindd/winbindd_reconnect.c | 5 +++--
 source3/winbindd/winbindd_reconnect_ads.c | 5 +++--
 source3/winbindd/winbindd_rpc.c | 12 ++++++++++++
 source3/winbindd/winbindd_rpc.h | 1 +
 source3/winbindd/winbindd_samr.c | 9 +++++++++
 9 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 57371765484..292deacca85 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -224,6 +224,7 @@ struct winbindd_methods {
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type);
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 76d6a304366..eafb19eee39 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -558,11 +558,12 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 }
 /* convert a domain SID to a user or group name - use rpc methods */
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index b0644d38761..fb999841af2 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
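Review bot: The new `pdom_name` parameter of the `name_to_sid` method in struct winbindd_methods (winbindd.h hunk) has no comment stating its contract, although every backend touched by this patch has to agree on it. From the implementations later in the patch it may be NULL, is assigned only after the lookup succeeded, and receives a string allocated on `mem_ctx`. I would add a comment above the member such as `/* pdom_name: optional, may be NULL; on NT_STATUS_OK points to the domain name returned by the lookup, talloc'ed on mem_ctx; callers must not read it on any other status */`. The struct definition starts and ends outside the hunk.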
@@ -1818,7 +1818,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 winbindd_domain_init_backend(domain);
 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
- name, flags, sid, type);
+ name, flags, NULL, sid, type);
 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 4299a567907..17148806b24 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -218,6 +218,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
@@ -268,6 +269,17 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 /* Return rid and type if lookup successful */
+ if (pdom_name != NULL) {
+ const char *dom_name;
+
+ dom_name = talloc_strdup(mem_ctx, domains[0]);
+ if (dom_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *pdom_name = dom_name;
+ }
+
 sid_copy(sid, &sids[0]);
 *type = types[0];
diff --git a/source3/winbindd/winbindd_reconnect.c b/source3/winbindd/winbindd_reconnect.c
index 1d0e8e6d472..56741d4670e 100644
--- a/source3/winbindd/winbindd_reconnect.c
+++ b/source3/winbindd/winbindd_reconnect.c
@@ -131,18 +131,19 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 NTSTATUS result;
 result = msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 if (reconnect_need_retry(result, domain))
 result = msrpc_methods.name_to_sid(domain, mem_ctx,
 domain_name, name, flags,
- sid, type);
+ pdom_name, sid, type);
 return result;
 }
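Review bot: In the added `if (pdom_name != NULL)` block of msrpc_name_to_sid, `talloc_strdup(mem_ctx, domains[0])` returns NULL both when the allocation fails and when `domains[0]` is itself NULL, so a successful lookup that came back without a domain string would be reported as NT_STATUS_NO_MEMORY. Whether winbindd_lookup_names guarantees a non-NULL `domains[0]` on success is not visible in this hunk. If it does not, an explicit `if (domains[0] == NULL) { return NT_STATUS_INTERNAL_ERROR; }` before the copy would make the two failures distinguishable. The identical block added to rpc_name_to_sid (winbindd_rpc.c) and the `talloc_strdup(mem_ctx, dom_name)` added to sam_name_to_sid (winbindd_samr.c) have the same shape.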
diff --git a/source3/winbindd/winbindd_reconnect_ads.c b/source3/winbindd/winbindd_reconnect_ads.c
index 0a0a14f6dd0..f77430572d0 100644
--- a/source3/winbindd/winbindd_reconnect_ads.c
+++ b/source3/winbindd/winbindd_reconnect_ads.c
@@ -137,18 +137,19 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 NTSTATUS result;
 result = ads_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 if (reconnect_need_retry(result, domain)) {
 result = ads_methods.name_to_sid(domain, mem_ctx,
 domain_name, name, flags,
- sid, type);
+ pdom_name, sid, type);
 }
 return result;
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index eb892bafb97..2bd1c7155e0 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -239,6 +239,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
@@ -293,6 +294,17 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 return status;
 }
+ if (pdom_name != NULL) {
+ const char *dom_name;
+
+ dom_name = talloc_strdup(mem_ctx, domains[0]);
+ if (dom_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *pdom_name = dom_name;
+ }
+
 sid_copy(sid, &sids[0]);
 *type = types[0];
diff --git a/source3/winbindd/winbindd_rpc.h b/source3/winbindd/winbindd_rpc.h
index 162f1ef3329..a5cfe77f289 100644
--- a/source3/winbindd/winbindd_rpc.h
+++ b/source3/winbindd/winbindd_rpc.h
@@ -53,6 +53,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *psid,
 enum lsa_SidType *ptype);
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index b0c023b2dd6..55af168dabf 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -581,6 +581,7 @@ static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *psid,
 enum lsa_SidType *ptype)
 {
@@ -629,6 +630,14 @@ again:
 goto done;
 }
+ if (pdom_name != NULL) {
+ *pdom_name = talloc_strdup(mem_ctx, dom_name);
+ if (*pdom_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ }
+
 if (psid) {
 sid_copy(psid, &sid);
 }
-- 2.17.0
From 314039d9cb4fc283b0ac0b927e355759abd9037e Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:14:02 -0700
Subject: [PATCH 6/6] winbind: Use domain name from lsa query for sid_to_name cache entry
When winbindd is asked to map a name like realm.com\name to a SID ,that is sucessfully resolved through the lsa lookup name call. The same call also returns the short domain name (netbios name of the domain). Use that short domain name for the sid_to_name cache entry, so that subsequent sid_to_name queries return the expected netbiosname\name result and not realm.com\name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit aec9bda25f10ca2710d91fb680cca7904e92f9de)
---
 selftest/knownfail | 1 -
 source3/winbindd/winbindd_cache.c | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 9c2077f2c98..baf3d57a31a 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -349,4 +349,3 @@
 # Disabling NTLM means you can't use samr to change the password
 ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-^samba3.wbinfo_name_lookup.Verify DOMAIN/USER output\(ad_member\)
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index fb999841af2..1af3d929e49 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1792,6 +1792,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 {
 NTSTATUS status;
 bool old_status;
+ const char *dom_name;
 old_status = domain->online;
@@ -1818,7 +1819,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 winbindd_domain_init_backend(domain);
 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
- name, flags, NULL, sid, type);
+ name, flags, &dom_name, sid, type);
 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
@@ -1853,7 +1854,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 }
 (void)strlower_m(discard_const_p(char, name));
 wcache_save_sid_to_name(domain, status, sid,
- domain_name, name, save_type);
+ dom_name, name, save_type);
 }
 }
-- 2.17.0
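Review bot: `dom_name` is declared without an initialiser in wb_cache_name_to_sid and is passed to `wcache_save_sid_to_name()` in the last hunk, yet the backends changed in PATCH 5/6 assign `*pdom_name` only after their lookup has succeeded. The condition guarding the save is outside the hunk, but the `status` argument and the `save_type` local suggest the save may also run for a non-OK result. In that case an indeterminate pointer would be read as a string and stored in the sid-to-name cache of a long-running daemon. Declaring `const char *dom_name = NULL;` and passing `dom_name != NULL ? dom_name : domain_name` to the save would keep the previous behaviour whenever the backend returned no domain name.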