Bug 13312 - wbinfo --name-to-sid returns misleading result on invalid query
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.8.0rc2
Hardware: All All
Importance: P5 normal
Target Milestone: 4.8
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2018-02-28 21:19 UTC by Christof Schmitt
Modified: 2018-04-12 06:48 UTC

Attachments
patches for 4.7 (13.51 KB, patch)
2018-04-06 21:57 UTC, Christof Schmitt
asn: review+
patches for 4.8 (13.58 KB, patch)
2018-04-06 21:57 UTC, Christof Schmitt
asn: review+

Description Christof Schmitt 2018-02-28 21:19:25 UTC
When using multiple domain-name separators, winbindd can return the
wrong result for an invalid query. More specifically, the result for
the local domain is returned, even when a trusted domain has been
specified.

One way to demonstrate that is through the
selftest environment:

SELFTEST_TESTENV=ad_member make testenv

$ bin/wbinfo -n ADDOMAIN/Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> correct result

$ bin/wbinfo -n ADDOMAIN//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> unexpected result, the syntax of the query is incorrect

$ bin/wbinfo -n INVALID/Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name INVALID/Administrator
-> correct result

$ bin/wbinfo -n INVALID//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> wrong result

The same can also be seen when using rpcclient, but I have not been
able to recreate this in a selftest environment with the configured
winbind separator character. This is the query to a Samba domain
member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
example\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> unexpected result, the syntax of the query is incorrect

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
subdom\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> wrong result, should be sid for subdom domain, not joined example domain

Comparing that to the query of a Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED
Comment 2 Christof Schmitt 2018-02-28 21:32:18 UTC
With the proposed patch applied on the Samba domain member, the
rpcclient result also matches the Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED
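
An added example, not part of the bug report and not the Samba patch attached to it: a strict splitter for `DOMAIN<separator>user` names that treats a repeated separator as malformed, so a query such as `INVALID//Administrator` is refused before any lookup takes place. The function and enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; not Samba or libwbclient identifiers. */
enum split_result { SPLIT_MALFORMED = -1, SPLIT_OK = 0, SPLIT_UNQUALIFIED = 1 };

/* Split "DOMAIN<sep>user", accepting exactly one separator. */
static enum split_result split_name(const char *name, char sep,
                                    char *dom, size_t dlen,
                                    char *user, size_t ulen)
{
    const char *p;
    size_t dl, ul;
    if (name == NULL || name[0] == '\0' || dlen == 0 || ulen == 0)
        return SPLIT_MALFORMED;
    p = strchr(name, sep);
    if (p == NULL) {                 /* no domain part given */
        ul = strlen(name);
        if (ul >= ulen)
            return SPLIT_MALFORMED;
        dom[0] = '\0';
        memcpy(user, name, ul + 1);
        return SPLIT_UNQUALIFIED;    /* caller chooses the default domain */
    }
    dl = (size_t)(p - name);
    ul = strlen(p + 1);
    /* Reject "/user", "DOM/", oversized parts and any second separator. */
    if (dl == 0 || ul == 0 || dl >= dlen || ul >= ulen ||
        strchr(p + 1, sep) != NULL)
        return SPLIT_MALFORMED;
    memcpy(dom, name, dl);
    dom[dl] = '\0';
    memcpy(user, p + 1, ul + 1);
    return SPLIT_OK;
}

/* Classify a name using internal buffers; returns an enum split_result. */
static int classify(const char *name, char sep)
{
    char dom[64], user[64];
    return split_name(name, sep, dom, sizeof(dom), user, sizeof(user));
}

int main(void)
{   /* The four wbinfo queries from the report, with '/' as separator. */
    const char *q[] = { "ADDOMAIN/Administrator", "ADDOMAIN//Administrator",
                        "INVALID/Administrator", "INVALID//Administrator" };
    for (size_t i = 0; i < sizeof(q) / sizeof(q[0]); i++)
        printf("%-26s -> %d\n", q[i], classify(q[i], '/'));
    return 0;
}
```

`INVALID/Administrator` is well-formed for this splitter; rejecting the unknown domain is left to the lookup stage, as in the `WBC_ERR_DOMAIN_NOT_FOUND` output in the description.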
Comment 3 Christof Schmitt 2018-04-06 21:57:16 UTC
Created attachment 14110
patches for 4.7
Comment 4 Christof Schmitt 2018-04-06 21:57:40 UTC
Created attachment 14111
patches for 4.8
Comment 5 Andreas Schneider 2018-04-10 09:25:59 UTC
Karolin, please add the patches to the relevant branches. Thanks!
Comment 6 Karolin Seeger 2018-04-11 06:52:34 UTC
(In reply to Andreas Schneider from comment #5)
Pushed to autobuild-v4-[7,8]-test.
Comment 7 Karolin Seeger 2018-04-12 06:48:04 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!