The Samba-Bugzilla – Attachment 15397 Details for
Bug 14091
LSA LookupNames3 does not handle properly LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 for FreeIPA DC
[patch]
v4.11 backport
samba-bz14091-v4.11-backport.patch (text/plain), 23.65 KB, created by
Alexander Bokovoy
on 2019-08-15 13:32:27 UTC
Description:
v4.11 backport
Alexander Bokovoy
Created:
2019-08-15 13:32:27 UTC
Size:
23.65 KB
patch
obsolete
>From 081dc82c0016baaae3cfcd1933210d4d2180851c Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Thu, 1 Aug 2019 21:08:52 +0300
>Subject: [PATCH 1/3] torture/rpc/lsa: allow testing different lookup levels
>
>Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
>different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
>(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
>---
> source4/torture/rpc/lsa.c | 118 ++++++++++++++++++---------------
> source4/torture/rpc/schannel.c | 2 +-
> 2 files changed, 67 insertions(+), 53 deletions(-)
>
>diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
>index 5b16ed9a014..fdbfcbffc16 100644
>--- a/source4/torture/rpc/lsa.c
>+++ b/source4/torture/rpc/lsa.c
>@@ -281,6 +281,7 @@ static bool test_OpenPolicy2_fail(struct dcerpc_binding_handle *b,
> static bool test_LookupNames(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray *tnames)
> {
> struct lsa_LookupNames r;
>@@ -313,7 +314,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -369,7 +370,8 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames r;
> struct lsa_TransSidArray sids;
>@@ -388,7 +390,7 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
> r.in.num_names = 1;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -409,7 +411,8 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames r;
> struct lsa_TransSidArray sids;
>@@ -428,7 +431,7 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
> r.in.num_names = 1;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.sids = &sids;
>@@ -453,7 +456,8 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_TranslatedName name;
> struct lsa_TransNameArray tnames;
>@@ -465,45 +469,46 @@ static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
> tnames.count = 1;
> name.name.string = "NT AUTHORITY\\SYSTEM";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\Authenticated Users";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> #if 0
> name.name.string = "NT AUTHORITY";
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "NT AUTHORITY\\";
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
> #endif
>
> name.name.string = "BUILTIN\\";
> name.sid_type = SID_NAME_DOMAIN;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "BUILTIN\\Administrators";
> name.sid_type = SID_NAME_ALIAS;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "SYSTEM";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
>
> name.name.string = "Everyone";
> name.sid_type = SID_NAME_WKN_GRP;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
> return ret;
> }
>
> static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -536,7 +541,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -565,6 +570,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
> static bool test_LookupNames3(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -596,7 +602,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -624,6 +630,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
>
> static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_TransNameArray2 *tnames,
> bool check_result)
> {
>@@ -655,7 +662,7 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> r.in.num_names = tnames->count;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -693,7 +700,8 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
> }
>
> static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
>- struct torture_context *tctx)
>+ struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_LookupNames4 r;
> struct lsa_TransSidArray3 sids;
>@@ -712,7 +720,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
> r.in.num_names = count;
> r.in.names = names;
> r.in.sids = &sids;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -760,6 +768,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
> static bool test_LookupSids(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids r;
>@@ -775,7 +784,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.out.count = &count;
> r.out.names = &names;
>@@ -790,7 +799,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames(b, tctx, handle, &names)) {
>+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
> return false;
> }
>
>@@ -801,6 +810,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
> static bool test_LookupSids2(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
> struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids2 r;
>@@ -816,7 +826,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
> r.in.handle = handle;
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -835,11 +845,11 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames2(b, tctx, handle, &names, false)) {
>+ if (!test_LookupNames2(b, tctx, handle, level, &names, false)) {
> return false;
> }
>
>- if (!test_LookupNames3(b, tctx, handle, &names, false)) {
>+ if (!test_LookupNames3(b, tctx, handle, level, &names, false)) {
> return false;
> }
>
>@@ -848,6 +858,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
>
> static bool test_LookupSids3(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids3 r;
>@@ -862,7 +873,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -891,7 +902,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames4(b, tctx, &names, true)) {
>+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
> return false;
> }
>
>@@ -900,6 +911,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
>
> static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>+ enum lsa_LookupNamesLevel level,
> struct lsa_SidArray *sids)
> {
> struct lsa_LookupSids3 r;
>@@ -915,7 +927,7 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
>
> r.in.sids = sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &count;
> r.in.lookup_options = 0;
> r.in.client_revision = 0;
>@@ -959,7 +971,8 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
>
> bool test_many_LookupSids(struct dcerpc_pipe *p,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> uint32_t count;
> struct lsa_SidArray sids;
>@@ -990,7 +1003,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
> r.in.handle = handle;
> r.in.sids = &sids;
> r.in.names = &names;
>- r.in.level = 1;
>+ r.in.level = level;
> r.in.count = &names.count;
> r.out.count = &count;
> r.out.names = &names;
>@@ -1006,16 +1019,16 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
>
> torture_comment(tctx, "\n");
>
>- if (!test_LookupNames(b, tctx, handle, &names)) {
>+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
> return false;
> }
> }
>
> if (transport == NCACN_NP) {
>- if (!test_LookupSids3_fail(b, tctx, &sids)) {
>+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4_fail(b, tctx)) {
>+ if (!test_LookupNames4_fail(b, tctx, level)) {
> return false;
> }
> } else if (transport == NCACN_IP_TCP) {
>@@ -1031,10 +1044,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
>
> if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
> auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
>- if (!test_LookupSids3(b, tctx, &sids)) {
>+ if (!test_LookupSids3(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4(b, tctx, &names, true)) {
>+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
> return false;
> }
> } else {
>@@ -1042,10 +1055,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
> * If we don't have a secure channel these tests must
> * fail with ACCESS_DENIED.
> */
>- if (!test_LookupSids3_fail(b, tctx, &sids)) {
>+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
> return false;
> }
>- if (!test_LookupNames4_fail(b, tctx)) {
>+ if (!test_LookupNames4_fail(b, tctx, level)) {
> return false;
> }
> }
>@@ -1077,7 +1090,8 @@ static void lookupsids_cb(struct tevent_req *subreq)
>
> static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
> struct torture_context *tctx,
>- struct policy_handle *handle)
>+ struct policy_handle *handle,
>+ enum lsa_LookupNamesLevel level)
> {
> struct lsa_SidArray sids;
> struct lsa_SidPtr sidptr;
>@@ -1112,7 +1126,7 @@ static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
> r[i].in.handle = handle;
> r[i].in.sids = &sids;
> r[i].in.names = &names[i];
>- r[i].in.level = 1;
>+ r[i].in.level = level;
> r[i].in.count = &names[i].count;
> r[i].out.count = &count[i];
> r[i].out.names = &names[i];
>@@ -1923,11 +1937,11 @@ static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
> torture_assert_ntstatus_ok(tctx, r.out.result,
> "EnumAccounts failed");
>
>- if (!test_LookupSids(b, tctx, handle, &sids1)) {
>+ if (!test_LookupSids(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
> return false;
> }
>
>- if (!test_LookupSids2(b, tctx, handle, &sids1)) {
>+ if (!test_LookupSids2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
> return false;
> }
>
>@@ -4836,7 +4850,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> tnames.names[12].sid_type = SID_NAME_USER;
> tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
> tnames.names[13].sid_type = SID_NAME_USER;
>- ret &= test_LookupNames(b, tctx, handle, &tnames);
>+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
>
> }
> }
>@@ -5002,7 +5016,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -5023,7 +5037,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_LookupSids_async(b, tctx, handle)) {
>+ if (!test_LookupSids_async(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -5047,7 +5061,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> ret = false;
> }
>
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>@@ -5058,7 +5072,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
> torture_leave_domain(tctx, join);
>
> } else {
>- if (!test_many_LookupSids(p, tctx, handle)) {
>+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
> }
>@@ -5133,7 +5147,7 @@ static bool testcase_LookupNames(struct torture_context *tctx,
> tnames.names[0].name.string = "BUILTIN";
> tnames.names[0].sid_type = SID_NAME_DOMAIN;
>
>- if (!test_LookupNames(b, tctx, handle, &tnames)) {
>+ if (!test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames)) {
> ret = false;
> }
>
>@@ -5143,23 +5157,23 @@ static bool testcase_LookupNames(struct torture_context *tctx,
> tnames2.names[0].name.string = "BUILTIN";
> tnames2.names[0].sid_type = SID_NAME_DOMAIN;
>
>- if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
>+ if (!test_LookupNames2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
> ret = false;
> }
>
>- if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
>+ if (!test_LookupNames3(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
> ret = false;
> }
>
>- if (!test_LookupNames_wellknown(b, tctx, handle)) {
>+ if (!test_LookupNames_wellknown(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>- if (!test_LookupNames_NULL(b, tctx, handle)) {
>+ if (!test_LookupNames_NULL(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>- if (!test_LookupNames_bogus(b, tctx, handle)) {
>+ if (!test_LookupNames_bogus(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
> ret = false;
> }
>
>diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
>index 5b40af216a5..fff0b1aacbd 100644
>--- a/source4/torture/rpc/schannel.c
>+++ b/source4/torture/rpc/schannel.c
>@@ -470,7 +470,7 @@ static bool test_schannel(struct torture_context *tctx,
> "failed to connect lsarpc with schannel");
>
> torture_assert(tctx,
>- test_many_LookupSids(p_lsa, tctx, NULL),
>+ test_many_LookupSids(p_lsa, tctx, NULL, LSA_LOOKUP_NAMES_ALL),
> "LsaLookupSids3 failed!\n");
>
> status = dcerpc_binding_set_transport(b, transport);
>--
>2.21.0
>
>
>From 43997a246764c0b16531a2d96812ad85ef80c649 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Thu, 1 Aug 2019 15:48:58 +0300
>Subject: [PATCH 2/3] lookup_name: allow own domain lookup when flags == 0
>
>In 2007, we've added support for multiple lookup levels for LSA
>LookupNames family of calls. However, forest-wide lookups, as described
>in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
>were always set to zero, expecting at least default lookup on a DC to
>apply. lookup_name() was instead treating zero flags as 'skip all
>checks'.
>
>Allow at least own domain lookup in case domain name is the same.
>This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
>trusted AD DC side.
>
>For the reference, below is a request Windows Server 2016 domain
>controller sends to FreeIPA domain controller when attempting to look up
>a user from a trusted forest root domain that attemps to login to the
>domain controller. Notice the level in the lsa_LookupNames3 call and
>resulting flags in lookup_name().
>
>[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> lsa_LookupNames3: struct lsa_LookupNames3
> in: struct lsa_LookupNames3
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 0000004c-0000-0000-455d-3018575c0000
> num_names : 0x00000001 (1)
> names: ARRAY(1)
> names: struct lsa_String
> length : 0x000a (10)
> size : 0x000c (12)
> string : *
> string : 'XS\ab'
> sids : *
> sids: struct lsa_TransSidArray3
> count : 0x00000000 (0)
> sids : NULL
> level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
> count : *
> count : 0x00000000 (0)
> lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
> client_revision : LSA_CLIENT_REVISION_2 (2)
>[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
> Found policy hnd[0]
[0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
> [0010] 57 5C 00 00 W\..
>[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
> push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
>[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
>[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
>[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
>[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
> lookup_lsa_sids: looking up name XS\ab
>[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
> lookup_name: XS\ab => domain=[XS], name=[ab]
>[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
> lookup_name: flags = 0x00
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
>---
> source3/passdb/lookup_sid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
>index 6ab72e57838..c31a9e48739 100644
>--- a/source3/passdb/lookup_sid.c
>+++ b/source3/passdb/lookup_sid.c
>@@ -113,7 +113,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
> full_name, domain, name));
> DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
>
>- if ((flags & LOOKUP_NAME_DOMAIN) &&
>+ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
> strequal(domain, get_global_sam_name()))
> {
>
>--
>2.21.0
>
>
>From 1cce22d45cc5435a86f4ef797dfee6f9ab05dd59 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Sat, 10 Aug 2019 11:53:12 +0300
>Subject: [PATCH 3/3] smbtorture: extend rpc.lsa to lookup machine over
> forest-wide LookupNames
>
>Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
>using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
>zero lookup flags to lookup_name().
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
>Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
>
>(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
>---
> source4/torture/rpc/lsa.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
>index fdbfcbffc16..0ce113feb5d 100644
>--- a/source4/torture/rpc/lsa.c
>+++ b/source4/torture/rpc/lsa.c
>@@ -4819,7 +4819,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> || i == LSA_POLICY_INFO_DNS_INT)) {
> /* Let's look up some of these names */
>
>- struct lsa_TransNameArray tnames;
>+ struct lsa_TransNameArray tnames, dnames;
> tnames.count = 14;
> tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
> tnames.names[0].name.string = info->dns.name.string;
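Review bot: The new condition makes `flags == 0` an implicit stand-in for LOOKUP_NAME_DOMAIN, but nothing in the hunk says why zero is special; the commit message explains it (the LSA server reaches lookup_name() with zero flags for forest-wide lookups at LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2), and that reasoning belongs next to the test so the sentinel is not "tidied away" later. Suggest a comment above the `if`: `/* flags == 0 is what the LSA server passes for MS-LSAT forest-wide lookups (LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2); allow the own-domain lookup instead of skipping every check. */`. The relaxation is still gated by `strequal(domain, get_global_sam_name())`, so zero flags does not widen resolution for other domains, but any other caller that deliberately passes 0 expecting no resolution would now get an own-domain match, which is worth a quick audit of lookup_name() callers. lookup_name()'s body starts and ends outside the hunk.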
>@@ -4852,6 +4852,12 @@ static bool test_QueryInfoPolicyCalls( bool version2,
> tnames.names[13].sid_type = SID_NAME_USER;
> ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
>
>+ /* Try to use in-forest search for the test machine */
>+ dnames.count = 1;
>+ dnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, dnames.count);
>+ dnames.names[0].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
>+ dnames.names[0].sid_type = SID_NAME_USER;
>+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2, &dnames);
> }
> }
>
>--
>2.21.0
>
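Review bot: `dnames.names` is dereferenced on the line after the `talloc_zero_array` call without checking its result, so an allocation failure becomes a NULL write rather than a reported test failure; `torture_assert(tctx, dnames.names != NULL, "talloc_zero_array failed");` right after the allocation would fix that (the pre-existing `tnames` setup has the same gap, but the new lines need not copy it). The test only covers the positive case, the server's own DOMAIN\MACHINE$ resolving at LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2; since the matching server change relaxes lookup_name() for `flags == 0`, a companion negative check that a name qualified with a domain other than the server's own is still not resolved at this level would pin the intended scope of that relaxation. Because the level-to-flags mapping is only explained in the commit message, the new comment could say so: `/* UPLEVEL_TRUSTS_ONLY2 reaches lookup_name() with zero flags; our own domain must still resolve */`. Stylistically, `struct lsa_TransNameArray tnames, dnames;` in the previous hunk reads better as two declarations, and `"%s\\" TEST_MACHINENAME "$"` with a space between the literal and the macro is easier to scan. test_QueryInfoPolicyCalls() continues outside both hunks.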
Flags:
gd
:
review+