Bug 14091 - LSA LookupNames3 does not handle properly LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 for FreeIPA DC
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.10.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-15 13:13 UTC by Alexander Bokovoy
Modified: 2019-08-19 19:48 UTC

See Also:


Attachments
v4.9 backport (23.65 KB, patch)
2019-08-15 13:31 UTC, Alexander Bokovoy
gd: review+
v4.10 backport (23.65 KB, patch)
2019-08-15 13:32 UTC, Alexander Bokovoy
gd: review+
v4.11 backport (23.65 KB, patch)
2019-08-15 13:32 UTC, Alexander Bokovoy
gd: review+

Description Alexander Bokovoy 2019-08-15 13:13:34 UTC
In 2007, we added support for multiple lookup levels for the LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because the flags passed to lookup_name()
were always set to zero, expecting at least a default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.

Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.

For reference, below is the request a Windows Server 2016 domain
controller sends to a FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain who attempts to log in to the
domain controller. Notice the level in the lsa_LookupNames3 call and the
resulting flags in lookup_name().

    [2019/08/03 07:14:24.156065,  1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
           lsa_LookupNames3: struct lsa_LookupNames3
              in: struct lsa_LookupNames3
                  handle                   : *
                      handle: struct policy_handle
                          handle_type              : 0x00000000 (0)
                          uuid                     : 0000004c-0000-0000-455d-3018575c0000
                  num_names                : 0x00000001 (1)
                  names: ARRAY(1)
                      names: struct lsa_String
                          length                   : 0x000a (10)
                          size                     : 0x000c (12)
                          string                   : *
                              string                   : 'XS\ab'
                  sids                     : *
                      sids: struct lsa_TransSidArray3
                          count                    : 0x00000000 (0)
                          sids                     : NULL
                  level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
                  count                    : *
                      count                    : 0x00000000 (0)
                  lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
                  client_revision          : LSA_CLIENT_REVISION_2 (2)
    [2019/08/03 07:14:24.156189,  6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
      Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00   00 00 00 00 45 5D 30 18   ....L... ....E]0.
      [0010] 57 5C 00 00                                        W\..
    [2019/08/03 07:14:24.156228,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
      push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
    [2019/08/03 07:14:24.156246,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2019/08/03 07:14:24.156259,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2019/08/03 07:14:24.156273,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
      Security token: (NULL)
    [2019/08/03 07:14:24.156285,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2019/08/03 07:14:24.156311,  5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
      lookup_lsa_sids: looking up name XS\ab
    [2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
      lookup_name: XS\ab => domain=[XS], name=[ab]
    [2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
      lookup_name: flags = 0x00
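The mechanism the description lays out (a level-6 forest-wide LookupNames3 arriving at lookup_name() with flags = 0x00, which the pre-fix code read as "skip all checks", and the fix of still searching the DC's own domain when no flags are given), as an added illustration that is not part of the bug report and is not Samba's code: a constructed C model in which the MODEL_* flags, the account table, the name splitter and both lookup functions are hypothetical stand-ins for the real lookup_name() and its LOOKUP_NAME_* flags, and the sample names are taken from the log above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Constructed model of the flag-gating bug described in the report.
 * None of these names are Samba's: the MODEL_* flags, the account table
 * and both lookup functions are stand-ins written for this illustration.
 */
#define MODEL_LOOKUP_NAME_DOMAIN  0x01u  /* search the DC's own domain */
#define MODEL_LOOKUP_NAME_REMOTE  0x02u  /* search trusted domains via winbind */

/* Constructed: the DC's own NetBIOS domain and a tiny local account table. */
static const char *model_own_domain = "XS";
static const char *model_own_users[] = { "ab", "administrator", NULL };

/* Split "DOMAIN\name" the way the log line "XS\ab => domain=[XS], name=[ab]"
 * shows; a name without a backslash yields an empty domain. Returns false
 * if either part does not fit its buffer. */
bool model_split_name(const char *full, char *domain, size_t dlen,
                      char *name, size_t nlen)
{
    const char *sep = strchr(full, '\\');
    size_t dn = sep ? (size_t)(sep - full) : 0;
    const char *np = sep ? sep + 1 : full;

    if (dn + 1 > dlen || strlen(np) + 1 > nlen) {
        return false;
    }
    memcpy(domain, full, dn);
    domain[dn] = '\0';
    strcpy(name, np);
    return true;
}

/* Case-insensitive match against the local table (assumption: domain and
 * account names compare case-insensitively, as NetBIOS names do). */
static bool model_own_domain_has_user(const char *name)
{
    for (size_t i = 0; model_own_users[i] != NULL; i++) {
        if (strcasecmp(model_own_users[i], name) == 0) {
            return true;
        }
    }
    return false;
}

/* Pre-fix behaviour: zero flags are read as "skip all checks", so the
 * forest-wide LookupNames3 from the log (level 6, flags = 0x00) never
 * consults even the DC's own domain and "XS\ab" is reported unknown. */
bool model_lookup_name_before(const char *domain, const char *name, uint32_t flags)
{
    if (strcasecmp(domain, model_own_domain) == 0) {
        if (!(flags & MODEL_LOOKUP_NAME_DOMAIN)) {
            return false;           /* the bug: own domain skipped */
        }
        return model_own_domain_has_user(name);
    }
    /* Foreign domain: would be forwarded to winbind when REMOTE is set;
     * this offline model has no trusted-domain data, so it stays unresolved. */
    return false;
}

/* Post-fix behaviour, modelling the intent of "allow own domain lookup when
 * flags == 0": a request for our own domain with no flags still searches it,
 * while a caller that set flags but excluded DOMAIN is still honoured. */
bool model_lookup_name_after(const char *domain, const char *name, uint32_t flags)
{
    if (strcasecmp(domain, model_own_domain) == 0) {
        if (flags != 0 && !(flags & MODEL_LOOKUP_NAME_DOMAIN)) {
            return false;           /* caller explicitly excluded own domain */
        }
        return model_own_domain_has_user(name);
    }
    return false;
}

/* Convenience: split a "DOMAIN\name" string and run either model. */
bool model_lookup_full(const char *full, uint32_t flags, bool fixed)
{
    char domain[64], name[64];
    if (!model_split_name(full, domain, sizeof domain, name, sizeof name)) {
        return false;
    }
    return fixed ? model_lookup_name_after(domain, name, flags)
                 : model_lookup_name_before(domain, name, flags);
}

int main(void)
{
    printf("before fix, XS\\ab, flags=0: %s\n",
           model_lookup_full("XS\\ab", 0, false) ? "found" : "not found");
    printf("after fix,  XS\\ab, flags=0: %s\n",
           model_lookup_full("XS\\ab", 0, true) ? "found" : "not found");
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -o lookup_model lookup_model.c`); the program prints "not found" for the pre-fix path and "found" for the post-fix path on the same `XS\ab` request with zero flags, which is the observable difference a FreeIPA DC's trusted AD peer would see when a forest-root user logs in. The model keeps the explicit-exclusion case (non-zero flags without DOMAIN) unchanged so that the fix only widens the all-zero case the report describes.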
Comment 1 Alexander Bokovoy 2019-08-15 13:17:44 UTC
Fixed in master:
       via  4d276a93fc6 smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
       via  685bb03de6a lookup_name:  allow own domain lookup when flags == 0
       via  317bc6a7342 torture/rpc/lsa: allow testing different lookup levels
Comment 2 Alexander Bokovoy 2019-08-15 13:31:40 UTC
Created attachment 15395
v4.9 backport
Comment 3 Alexander Bokovoy 2019-08-15 13:32:07 UTC
Created attachment 15396
v4.10 backport
Comment 4 Alexander Bokovoy 2019-08-15 13:32:27 UTC
Created attachment 15397
v4.11 backport
Comment 5 Guenther Deschner 2019-08-15 15:56:13 UTC
Comment on attachment 15395
v4.9 backport

LGTM
Comment 6 Guenther Deschner 2019-08-15 15:56:28 UTC
Comment on attachment 15396
v4.10 backport

LGTM
Comment 7 Guenther Deschner 2019-08-15 15:56:42 UTC
Comment on attachment 15397
v4.11 backport

LGTM
Comment 8 Guenther Deschner 2019-08-15 15:57:12 UTC
Karolin, please add to the branches. Thanks!
Comment 9 Karolin Seeger 2019-08-16 09:47:55 UTC
(In reply to Guenther Deschner from comment #8)
Pushed to autobuild-v4-{11,10,9}-test.
Comment 10 Alexander Bokovoy 2019-08-19 19:48:12 UTC
All backports were pushed. Closing the bug!