The Samba-Bugzilla – Attachment 15395 Details for
Bug 14091
LSA LookupNames3 does not properly handle LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 for FreeIPA DC
[patch]
v4.9 backport
samba-bz14091-v4.9-backport.patch (text/plain), 23.65 KB, created by
Alexander Bokovoy
on 2019-08-15 13:31:40 UTC
Description:
v4.9 backport
Filename:
MIME Type:
Creator:
Alexander Bokovoy
Created:
2019-08-15 13:31:40 UTC
Size:
23.65 KB
patch
obsolete
>From 3342729d84798072c28af72f3c1e05106c775e59 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Thu, 1 Aug 2019 21:08:52 +0300
>Subject: [PATCH 1/3] torture/rpc/lsa: allow testing different lookup levels
>
>Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
>different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
>(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
>---
> source4/torture/rpc/lsa.c | 118 ++++++++++++++++++---------------
> source4/torture/rpc/schannel.c | 2 +-
> 2 files changed, 67 insertions(+), 53 deletions(-)
>
>diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
>index 988d534bed3..51b4ca0171a 100644
>--- a/source4/torture/rpc/lsa.c
>+++ b/source4/torture/rpc/lsa.c
>@@ -270,6 +270,7 @@ static bool test_OpenPolicy2_fail(struct dcerpc_binding_handle *b,
> static bool test_LookupNames(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray *tnames)
> {
> struct lsa_LookupNames r;
>@@ -302,7 +303,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -358,7 +359,8 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames r;
> struct lsa_TransSidArray sids;
>@@ -377,7 +379,7 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
> r.in.num_names = 1;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -398,7 +400,8 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames r;
> struct lsa_TransSidArray sids;
>@@ -417,7 +420,7 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
> r.in.num_names = 1;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -442,7 +445,8 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_TranslatedName name;
> struct lsa_TransNameArray tnames;
>@@ -454,45 +458,46 @@ static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
> tnames.count = 1;
> name.name.string = "NT AUTHORITY\\SYSTEM";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\Authenticated Users";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> #if 0
> name.name.string = "NT AUTHORITY";
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\";
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
> #endif
>
> name.name.string = "BUILTIN\\";
> name.sid_type = SID_NAME_DOMAIN;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "BUILTIN\\Administrators";
> name.sid_type = SID_NAME_ALIAS;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "SYSTEM";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "Everyone";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
> return ret;
> }
>
> static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -525,7 +530,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -554,6 +559,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> static bool test_LookupNames3(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -585,7 +591,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -613,6 +619,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -644,7 +651,7 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> r.in.num_names = tnames->count;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -682,7 +689,8 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> }
>
> static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
>- struct torture_context *tctx)
>+ struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames4 r;
> struct lsa_TransSidArray3 sids;
>@@ -701,7 +709,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
> r.in.num_names = count;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -749,6 +757,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
> static bool test_LookupSids(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids r;
>@@ -764,7 +773,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.names = &names;
>@@ -779,7 +788,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames(b, tctx, handle, &names)) {
>+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
> return false;
> }
>
>@@ -790,6 +799,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
> static bool test_LookupSids2(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids2 r;
>@@ -805,7 +815,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -824,11 +834,11 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames2(b, tctx, handle, &names, false)) {
>+ if (!test_LookupNames2(b, tctx, handle, level, &names, false)) {
> return false;
> }
>
>- if (!test_LookupNames3(b, tctx, handle, &names, false)) {
>+ if (!test_LookupNames3(b, tctx, handle, level, &names, false)) {
> return false;
> }
>
>@@ -837,6 +847,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
>
> static bool test_LookupSids3(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids3 r;
>@@ -851,7 +862,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -880,7 +891,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames4(b, tctx, &names, true)) {
>+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
> return false;
> }
>
>@@ -889,6 +900,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids3 r;
>@@ -904,7 +916,7 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
>
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -948,7 +960,8 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
>
> bool test_many_LookupSids(struct dcerpc_pipe *p,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> uint32_t count;
> struct lsa_SidArray sids;
>@@ -979,7 +992,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
> r.in.handle = handle;
> r.in.sids = &sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &names.count;
> r.out.count = &count;
> r.out.names = &names;
>@@ -995,16 +1008,16 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames(b, tctx, handle, &names)) {
>+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
> return false;
> }
> }
>
> if (transport == NCACN_NP) {
>- if (!test_LookupSids3_fail(b, tctx, &sids)) {
>+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4_fail(b, tctx)) {
>+ if (!test_LookupNames4_fail(b, tctx, level)) {
> return false;
> }
> } else if (transport == NCACN_IP_TCP) {
>@@ -1020,10 +1033,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
>
> if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
> auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
>- if (!test_LookupSids3(b, tctx, &sids)) {
>+ if (!test_LookupSids3(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4(b, tctx, &names, true)) {
>+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
> return false;
> }
> } else {
>@@ -1031,10 +1044,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
> * If we don't have a secure channel these tests must
> * fail with ACCESS_DENIED.
> */
>- if (!test_LookupSids3_fail(b, tctx, &sids)) {
>+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4_fail(b, tctx)) {
>+ if (!test_LookupNames4_fail(b, tctx, level)) {
> return false;
> }
> }
>@@ -1066,7 +1079,8 @@ static void lookupsids_cb(struct tevent_req *subreq)
>
> static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_SidArray sids;
> struct lsa_SidPtr sidptr;
>@@ -1101,7 +1115,7 @@ static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
> r[i].in.handle = handle;
> r[i].in.sids = &sids;
> r[i].in.names = &names[i];
>- r[i].in.level = 1;
>+ r[i].in.level = level;
> r[i].in.count = &names[i].count;
> r[i].out.count = &count[i];
> r[i].out.names = &names[i];
>@@ -1912,11 +1926,11 @@ static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
> torture_assert_ntstatus_ok(tctx, r.out.result,
> "EnumAccounts failed");
>
>- if (!test_LookupSids(b, tctx, handle, &sids1)) {
>+ if (!test_LookupSids(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
> return false;
> }
>
>- if (!test_LookupSids2(b, tctx, handle, &sids1)) {
>+ if (!test_LookupSids2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
> return false;
> }
>
>@@ -4811,7 +4825,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> tnames.names[12].sid_type = SID_NAME_USER;
> tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
> tnames.names[13].sid_type = SID_NAME_USER;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
>
> }
> }
>@@ -4977,7 +4991,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -4998,7 +5012,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_LookupSids_async(b, tctx, handle)) {
>+ if (!test_LookupSids_async(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -5022,7 +5036,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -5033,7 +5047,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> torture_leave_domain(tctx, join);
>
> } else {
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
> }
>@@ -5108,7 +5122,7 @@ static bool testcase_LookupNames(struct torture_context *tctx,
> tnames.names[0].name.string = "BUILTIN";
> tnames.names[0].sid_type = SID_NAME_DOMAIN;
>
>- if (!test_LookupNames(b, tctx, handle, &tnames)) {
>+ if (!test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames)) {
> ret = false;
> }
>
>@@ -5118,23 +5132,23 @@ static bool testcase_LookupNames(struct torture_context *tctx,
> tnames2.names[0].name.string = "BUILTIN";
> tnames2.names[0].sid_type = SID_NAME_DOMAIN;
>
>- if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
>+ if (!test_LookupNames2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
> ret = false;
> }
>
>- if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
>+ if (!test_LookupNames3(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
> ret = false;
> }
>
>- if (!test_LookupNames_wellknown(b, tctx, handle)) {
>+ if (!test_LookupNames_wellknown(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>- if (!test_LookupNames_NULL(b, tctx, handle)) {
>+ if (!test_LookupNames_NULL(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>- if (!test_LookupNames_bogus(b, tctx, handle)) {
>+ if (!test_LookupNames_bogus(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
>index de3a36eaa4f..c237c82bbe7 100644
>--- a/source4/torture/rpc/schannel.c
>+++ b/source4/torture/rpc/schannel.c
>@@ -471,7 +471,7 @@ static bool test_schannel(struct torture_context *tctx,
> "failed to connect lsarpc with schannel");
>
> torture_assert(tctx,
>- test_many_LookupSids(p_lsa, tctx, NULL),
>+ test_many_LookupSids(p_lsa, tctx, NULL, LSA_LOOKUP_NAMES_ALL),
> "LsaLookupSids3 failed!\n");
>
> status = dcerpc_binding_set_transport(b, transport);
>--
>2.21.0
>
>
>From 2d4f82de41977378a7adaf6e6f563089c94052ce Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Thu, 1 Aug 2019 15:48:58 +0300
>Subject: [PATCH 2/3] lookup_name: allow own domain lookup when flags == 0
>
>In 2007, we've added support for multiple lookup levels for LSA
>LookupNames family of calls. However, forest-wide lookups, as described
>in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
>were always set to zero, expecting at least default lookup on a DC to
>apply. lookup_name() was instead treating zero flags as 'skip all
>checks'.
>
>Allow at least own domain lookup in case domain name is the same.
>This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
>trusted AD DC side.
>
>For the reference, below is a request Windows Server 2016 domain
>controller sends to FreeIPA domain controller when attempting to look up
>a user from a trusted forest root domain that attemps to login to the
>domain controller. Notice the level in the lsa_LookupNames3 call and
>resulting flags in lookup_name().
>
>[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> lsa_LookupNames3: struct lsa_LookupNames3
> in: struct lsa_LookupNames3
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 0000004c-0000-0000-455d-3018575c0000
> num_names : 0x00000001 (1)
> names: ARRAY(1)
> names: struct lsa_String
> length : 0x000a (10)
> size : 0x000c (12)
> string : *
> string : 'XS\ab'
> sids : *
> sids: struct lsa_TransSidArray3
> count : 0x00000000 (0)
> sids : NULL
> level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
> count : *
> count : 0x00000000 (0)
> lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
> client_revision : LSA_CLIENT_REVISION_2 (2)
>[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
> Found policy hnd[0]
[0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
> [0010] 57 5C 00 00 W\..
>[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
> push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
>[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
>[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
>[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
>[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
> lookup_lsa_sids: looking up name XS\ab
>[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
> lookup_name: XS\ab => domain=[XS], name=[ab]
>[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
> lookup_name: flags = 0x00
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
>---
> source3/passdb/lookup_sid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
>index caa3442c6f1..f8dfd4b86d6 100644
>--- a/source3/passdb/lookup_sid.c
>+++ b/source3/passdb/lookup_sid.c
>@@ -113,7 +113,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
> full_name, domain, name));
> DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
>
>- if ((flags & LOOKUP_NAME_DOMAIN) &&
>+ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
> strequal(domain, get_global_sam_name()))
> {
>
>--
>2.21.0
>
>
>From 4bccf546f8800981263c16a4fb0a60abfba6bae8 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Sat, 10 Aug 2019 11:53:12 +0300
>Subject: [PATCH 3/3] smbtorture: extend rpc.lsa to lookup machine over
> forest-wide LookupNames
>
>Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
>using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
>zero lookup flags to lookup_name().
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
>Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
>
>(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
>---
> source4/torture/rpc/lsa.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
>index 51b4ca0171a..907f6e4759c 100644
>--- a/source4/torture/rpc/lsa.c
>+++ b/source4/torture/rpc/lsa.c
>@@ -4794,7 +4794,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> || i == LSA_POLICY_INFO_DNS_INT)) {
> /* Let's look up some of these names */
>
>- struct lsa_TransNameArray tnames;
>+ struct lsa_TransNameArray tnames, dnames;
> tnames.count = 14;
> tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
> tnames.names[0].name.string = info->dns.name.string;
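Review bot: In the lookup_sid.c hunk, `(flags == 0)` now acts as an alias for LOOKUP_NAME_DOMAIN on the own-domain branch of lookup_name(), and that applies to every caller that passes zero flags, not only to the LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 request the commit message describes; since the message says zero flags previously meant "skip all checks", any other zero-flag caller presumably now resolves local SAM names where it got no match before, which the message should either state as intended or rule out. A narrower fix would translate the LSA lookup level into an explicit flag set at the server call site (lookup_lsa_sids() per the log, though that code is not in the patch) so each flag keeps a single meaning in the passdb layer; failing that, the condition needs a comment naming the new contract, e.g. `/* flags == 0: caller asked for the default lookup (MS-LSAT forest-wide levels pass no flags); the local SAM domain is always eligible then. */`. The doubly nested parentheses would also read better as `bool own_domain_ok = (flags == 0) || (flags & LOOKUP_NAME_DOMAIN);` tested on the next line. lookup_name() begins before this hunk and continues after it.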
>@@ -4827,6 +4827,12 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> tnames.names[13].sid_type = SID_NAME_USER;
> ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
>
>+ /* Try to use in-forest search for the test machine */
>+ dnames.count = 1;
>+ dnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, dnames.count);
>+ dnames.names[0].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
>+ dnames.names[0].sid_type = SID_NAME_USER;
>+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2, &dnames);
> }
> }
>
>--
>2.21.0
>
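Review bot: The new dnames block in this hunk does not say what outcome it pins; "Try to use in-forest search" reads as an experiment, while the commit message says this level reaches lookup_name() with zero flags, which is exactly the regression being fixed. Suggest replacing the comment with `/* Forest-wide level reaches lookup_name() with zero flags (bug 14091); the local domain's machine account must still resolve with the sid_type set below. */` so the next reader knows the assertion is deliberate. The `talloc_asprintf()` result is stored unchecked, matching the tnames lines above it; a `torture_assert(tctx, dnames.names[0].name.string != NULL, "talloc_asprintf failed");` before the lookup would keep an allocation failure from being reported as a lookup failure. test_QueryInfoPolicyCalls() begins and ends outside this hunk.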
Flags:
gd
:
review+