13312 – wbinfo --name-to-sid returns misleading result on invalid query

Bug 13312 - wbinfo --name-to-sid returns misleading result on invalid query

Summary: wbinfo --name-to-sid returns misleading result on invalid query

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.8.0rc2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	4.8
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-02-28 21:19 UTC by Christof Schmitt
Modified:	2018-04-12 06:48 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
patches for 4.7 (13.51 KB, patch) 2018-04-06 21:57 UTC, Christof Schmitt	asn: review+	Details
patches for 4.8 (13.58 KB, patch) 2018-04-06 21:57 UTC, Christof Schmitt	asn: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christof Schmitt 2018-02-28 21:19:25 UTC

When using multiple domain-name separators, winbindd can return the
wrong result for an invalid query. More specifically, the result for
the local domain is returned, even when a trusted domain has been
specified.

One way to demonstrace that is through the
selftest environment:

SELFTEST_TESTENV=ad_member make testenv

$ bin/wbinfo -n ADDOMAIN/Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> correct result

$ bin/wbinfo -n ADDOMAIN//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> unexpected result, the syntax of the query is incorrect

$ bin/wbinfo -n INVALID/Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name INVALID/Administrator
-> correct result

$ bin/wbinfo -n INVALID//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> wrong result

The same can also be seen when using rpcclient, but i have not been
able to recreate this in a selftest environment with the configured
winbind separator character. This is the query to a Samba domain
member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
example\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> unexpected result, the syntax of the query is incorrect

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
subdom\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> wrong result, should be sid for subdom domain, not joined example domain

Comparing that to the query of a Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED

Comment 1 Christof Schmitt 2018-02-28 21:29:51 UTC

https://lists.samba.org/archive/samba-technical/2018-February/125910.html

Comment 2 Christof Schmitt 2018-02-28 21:32:18 UTC

With the proposed patch applied on the Samba domain member, the
rpcclient result also matches the Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)
$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED

Comment 3 Christof Schmitt 2018-04-06 21:57:16 UTC

Created attachment 14110 [details]
patches for 4.7

Comment 4 Christof Schmitt 2018-04-06 21:57:40 UTC

Created attachment 14111 [details]
patches for 4.8

Comment 5 Andreas Schneider 2018-04-10 09:25:59 UTC

Karolin, please add the patches to the relevant branches. Thanks!

Comment 6 Karolin Seeger 2018-04-11 06:52:34 UTC

(In reply to Andreas Schneider from comment #5)
Pushed to autobuild-v4-[7,8]-test.

Comment 7 Karolin Seeger 2018-04-12 06:48:04 UTC

(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!