From 5f838d8df10bd76bcc45cd6560020a79ec59feb7 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:26:48 -0700
Subject: [PATCH 1/6] nsswitch: Add testcase for checking output of wbinfo --sid-to-name
The username should always be returned in the DOMAISHORTNAME/USERNAME format.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit d006c769a9cad275339b18b08e13d48acb29d7fc)
---
 nsswitch/tests/test_wbinfo_name_lookup.sh | 15 +++++++++++++++
 selftest/knownfail | 1 +
 2 files changed, 16 insertions(+)
diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
index c1d39c1a602..ee8ae11f4b1 100755
--- a/nsswitch/tests/test_wbinfo_name_lookup.sh
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -31,6 +31,21 @@ testit "name-to-sid.upn" \
 $wbinfo -n $DC_USERNAME@$REALM || \
 failed=$(expr $failed + 1)
+testit "name-to-sid.realm-user" \
+ $wbinfo -n $REALM/$DC_USERNAME || \
+ failed=$(expr $failed + 1)
+
+# For the name-to-sid.realm-user query, ensure
+# that this does not change subsequent sid-to-name
+# queries.
+sid=$($wbinfo -n $REALM/$DC_USERNAME | sed -e 's/ .*//')
+out=$($wbinfo -s $sid | sed -e 's/ .//')
+# winbindd returns usernames in lowercase
+lcuser=$(echo $DC_USERNAME | tr A-Z a-z)
+testit "Verify DOMAIN/USER output" \
+ test "$out" = "$DOMAIN/$lcuser" || \
+ failed=$(expr $failed + 1)
+
 # Two separator characters should fail
 testit_expect_failure "name-to-sid.double-separator" \
 $wbinfo -n $DOMAIN//$DC_USERNAME || \
 failed=$(expr $failed + 1)
diff --git a/selftest/knownfail b/selftest/knownfail
index 7176e097eb2..eebe3864b74 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
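Review bot: The second `sed` in the added sid-to-name check of test_wbinfo_name_lookup.sh uses `'s/ .//'`, which strips only a space plus the one character after it, while the `sid=` line just above uses `'s/ .*//'`. If the intent is to drop everything after the name, any output with more than one trailing character makes the later `test` fail for a reason unrelated to the domain prefix; `out=$($wbinfo -s "$sid" | sed -e 's/ .*//')` would match the first expression. The `sid=` assignment also loses the exit status of `wbinfo -n` behind the pipe, so a failed lookup only shows up as a mismatch in "Verify DOMAIN/USER output"; a non-empty check on `$sid` before the reverse lookup would make that failure readable.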
@@ -360,3 +360,4 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+^samba3.wbinfo_name_lookup.Verify DOMAIN/USER output\(ad_member\)
-- 
2.17.0
From 240cafc2ebcb26617b3e1b1e8baf9d1b82f8fce0 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 15:53:51 -0700
Subject: [PATCH 2/6] winbind: Query domain from msrpc name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 60b0e91237179b8782c4bd83b9579f51d5af2928)
---
 source3/winbindd/winbindd_msrpc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 203fbc6b56a..69a049556dd 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -226,6 +226,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 enum lsa_SidType *types = NULL;
 char *full_name = NULL;
 const char *names[1];
+ const char **domains;
 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
 char *mapped_name = NULL;
@@ -260,7 +261,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 names[0] = full_name;
 result = winbindd_lookup_names(mem_ctx, domain, 1,
- names, NULL,
+ names, &domains,
 &sids, &types);
 if (!NT_STATUS_IS_OK(result))
 return result;
-- 
2.17.0
From ef2fe9d7649ce63f60f1985a5178a55a16db3ab0 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 15:54:21 -0700
Subject: [PATCH 3/6] winbind: Query domain from winbind rpc name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
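Review bot: The new local `const char **domains;` in msrpc_name_to_sid (winbindd_msrpc.c, PATCH 2/6) is declared without an initialiser, while the neighbouring `types` and `full_name` in the same hunk are set to NULL. `const char **domains = NULL;` would match them and keeps any later read well defined if winbindd_lookup_names were to return success without filling the array. The `domains` local added to rpc_name_to_sid in PATCH 3/6 has the same shape. Neither of these two patches reads `domains` yet, and both function bodies continue outside the hunks.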
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 562551c0886bdef1f97059e16d375c2e97452b45)
---
 source3/winbindd/winbindd_rpc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 6f7cb07f4e3..81f9f98a4bd 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -254,6 +254,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 struct dom_sid *sids = NULL;
 char *full_name = NULL;
 const char *names[1];
+ const char **domains;
 char *mapped_name = NULL;
 NTSTATUS status;
@@ -290,7 +291,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 lsa_policy,
 1, /* num_names */
 names,
- NULL, /* domains */
+ &domains,
 1, /* level */
 &sids,
 &types);
-- 
2.17.0
From f481a1fe07a8045080ed5b658efa9b364859632f Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Thu, 14 Mar 2019 10:30:45 -0700
Subject: [PATCH 4/6] winbind: Query domain from winbind sam_name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 32e3f0663be39cf4a81639c818fc88e959791673)
---
 source3/winbindd/winbindd_samr.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 3727e8fa39f..35e7febceff 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -587,6 +587,7 @@ static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
 struct rpc_pipe_client *lsa_pipe;
 struct policy_handle lsa_policy = { 0 };
 struct dom_sid sid;
+ const char *dom_name;
 enum lsa_SidType type;
 TALLOC_CTX *tmp_ctx;
 NTSTATUS status;
@@ -615,6 +616,7 @@ again:
 domain_name,
 name,
 flags,
+ &dom_name,
 &sid,
 &type);
-- 
2.17.0
From 360c49729cf7ff13b4f0111357d3990835ee273e Mon Sep 17 00:00:00 2001
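Review bot: The second winbindd_samr.c hunk of PATCH 4/6 adds `&dom_name` to an argument list whose callee is outside the hunk. If that callee is rpc_name_to_sid, its prototype only gains the `pdom_name` parameter in PATCH 5/6, so this commit would not build on its own and would break bisection. Moving this argument into the patch that changes the prototype keeps every step compilable. The new local is also left uninitialised in the first hunk; `const char *dom_name = NULL;` would make a read after a failed lookup well defined.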
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:11:01 -0700
Subject: [PATCH 5/6] winbind: Return queried domain name from name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit 640e0ef4fd338ddf03b813a8d45cce67c7ec7a01)
---
 source3/winbindd/winbindd.h | 1 +
 source3/winbindd/winbindd_ads.c | 3 ++-
 source3/winbindd/winbindd_cache.c | 2 +-
 source3/winbindd/winbindd_msrpc.c | 12 ++++++++++++
 source3/winbindd/winbindd_reconnect.c | 5 +++--
 source3/winbindd/winbindd_reconnect_ads.c | 5 +++--
 source3/winbindd/winbindd_rpc.c | 12 ++++++++++++
 source3/winbindd/winbindd_rpc.h | 1 +
 source3/winbindd/winbindd_samr.c | 9 +++++++++
 9 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 7490d62a705..a72d6aa7830 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -225,6 +225,7 @@ struct winbindd_methods {
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type);
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 4076f8227cb..204afdffb1f 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -558,11 +558,12 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 }
 /* convert a domain SID to a user or group name - use rpc methods */
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index c686089d517..92a5e1d333b 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
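Review bot: The `pdom_name` parameter added to the `name_to_sid` member of struct winbindd_methods (winbindd.h, PATCH 5/6) has no documentation, and its contract cannot be read off the prototype. Judging by the backends changed in this same patch, NULL means the caller does not want the name, the string is a talloc_strdup() copy on `mem_ctx`, and it is written only after a successful lookup. A comment above the member along the lines of `/* pdom_name: optional; on success receives the domain name returned by the lookup, allocated on mem_ctx; left untouched on failure */` would tell callers not to read it after an error. The struct definition continues outside the hunk.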
@@ -1820,7 +1820,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 winbindd_domain_init_backend(domain);
 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
- name, flags, sid, type);
+ name, flags, NULL, sid, type);
 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 69a049556dd..342f22cfde3 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -218,6 +218,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
@@ -268,6 +269,17 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 /* Return rid and type if lookup successful */
+ if (pdom_name != NULL) {
+ const char *dom_name;
+
+ dom_name = talloc_strdup(mem_ctx, domains[0]);
+ if (dom_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *pdom_name = dom_name;
+ }
+
 sid_copy(sid, &sids[0]);
 *type = types[0];
diff --git a/source3/winbindd/winbindd_reconnect.c b/source3/winbindd/winbindd_reconnect.c
index 1d0e8e6d472..56741d4670e 100644
--- a/source3/winbindd/winbindd_reconnect.c
+++ b/source3/winbindd/winbindd_reconnect.c
@@ -131,18 +131,19 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 NTSTATUS result;
 result = msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 if (reconnect_need_retry(result, domain))
 result = msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name, flags,
- sid, type);
+ pdom_name, sid, type);
 return result;
 }
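Review bot: In the second winbindd_msrpc.c hunk of PATCH 5/6, `talloc_strdup(mem_ctx, domains[0])` returns NULL for a NULL input as well as on allocation failure, so a successful lookup that came back without a domain string would be reported as NT_STATUS_NO_MEMORY. Whether winbindd_lookup_names can return success with an empty `domains[0]` is not visible here, but a separate guard before the copy, for example `if (domains[0] == NULL) { return NT_STATUS_INTERNAL_ERROR; }`, would keep the two failure causes apart in logs. The same pattern appears in the rpc_name_to_sid hunk of winbindd_rpc.c and, with `dom_name`, in the sam_name_to_sid hunk of winbindd_samr.c. The function body continues outside the hunk.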
diff --git a/source3/winbindd/winbindd_reconnect_ads.c b/source3/winbindd/winbindd_reconnect_ads.c
index 0a0a14f6dd0..f77430572d0 100644
--- a/source3/winbindd/winbindd_reconnect_ads.c
+++ b/source3/winbindd/winbindd_reconnect_ads.c
@@ -137,18 +137,19 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
 NTSTATUS result;
 result = ads_methods.name_to_sid(domain, mem_ctx, domain_name, name,
- flags, sid, type);
+ flags, pdom_name, sid, type);
 if (reconnect_need_retry(result, domain)) {
 result = ads_methods.name_to_sid(domain, mem_ctx, domain_name, name, flags,
- sid, type);
+ pdom_name, sid, type);
 }
 return result;
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 81f9f98a4bd..ffbaabcfe49 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -247,6 +247,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *sid,
 enum lsa_SidType *type)
 {
@@ -301,6 +302,17 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 return status;
 }
+ if (pdom_name != NULL) {
+ const char *dom_name;
+
+ dom_name = talloc_strdup(mem_ctx, domains[0]);
+ if (dom_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *pdom_name = dom_name;
+ }
+
 sid_copy(sid, &sids[0]);
 *type = types[0];
diff --git a/source3/winbindd/winbindd_rpc.h b/source3/winbindd/winbindd_rpc.h
index 162f1ef3329..a5cfe77f289 100644
--- a/source3/winbindd/winbindd_rpc.h
+++ b/source3/winbindd/winbindd_rpc.h
@@ -53,6 +53,7 @@ NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *psid,
 enum lsa_SidType *ptype);
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 35e7febceff..396e2c97709 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -581,6 +581,7 @@ static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
 const char *domain_name,
 const char *name,
 uint32_t flags,
+ const char **pdom_name,
 struct dom_sid *psid,
 enum lsa_SidType *ptype)
 {
@@ -629,6 +630,14 @@ again:
 goto done;
 }
+ if (pdom_name != NULL) {
+ *pdom_name = talloc_strdup(mem_ctx, dom_name);
+ if (*pdom_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ }
+
 if (psid) {
 sid_copy(psid, &sid);
 }
-- 
2.17.0
From 889e2b959af8f010dc3c39589baab9b78142cf4b Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 11 Mar 2019 16:14:02 -0700
Subject: [PATCH 6/6] winbind: Use domain name from lsa query for sid_to_name cache entry
When winbindd is asked to map a name like realm.com\name to a SID ,that is sucessfully resolved through the lsa lookup name call. The same call also returns the short domain name (netbios name of the domain). Use that short domain name for the sid_to_name cache entry, so that subsequent sid_to_name queries return the expected netbiosname\name result and not realm.com\name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit aec9bda25f10ca2710d91fb680cca7904e92f9de)
---
 selftest/knownfail | 1 -
 source3/winbindd/winbindd_cache.c | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index eebe3864b74..7176e097eb2 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -360,4 +360,3 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-^samba3.wbinfo_name_lookup.Verify DOMAIN/USER output\(ad_member\)
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 92a5e1d333b..abdfd11dc53 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1794,6 +1794,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 {
 NTSTATUS status;
 bool old_status;
+ const char *dom_name;
 old_status = domain->online;
@@ -1820,7 +1821,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 winbindd_domain_init_backend(domain);
 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
- name, flags, NULL, sid, type);
+ name, flags, &dom_name, sid, type);
 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
@@ -1855,7 +1856,7 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
 }
 (void)strlower_m(discard_const_p(char, name));
 wcache_save_sid_to_name(domain, status, sid,
- domain_name, name, save_type);
+ dom_name, name, save_type);
 }
 }
-- 
2.17.0
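Review bot: `dom_name` in wb_cache_name_to_sid (first winbindd_cache.c hunk of PATCH 6/6) is declared without an initialiser and is then handed to wcache_save_sid_to_name in the last hunk. The backends changed in PATCH 5/6 write `*pdom_name` only after a successful lookup, and the save call is passed `status`, which suggests it can be reached with a non-OK status; on such a path an indeterminate pointer would be read and could end up in the sid_to_name cache entry. The conditions guarding the save are outside the hunks, so this needs confirming against the full function. Declaring it as `const char *dom_name = domain_name;` keeps the previous cache value on every path where the backend does not fill it in.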