In 2007, we've added support for multiple lookup levels for LSA LookupNames family of calls. However, forest-wide lookups, as described in MS-LSAT 2.2.16, never worked because flags passed to lookup_name() were always set to zero, expecting at least default lookup on a DC to apply. lookup_name() was instead treating zero flags as 'skip all checks'. Allow at least own domain lookup in case domain name is the same. This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a trusted AD DC side. For the reference, below is a request Windows Server 2016 domain controller sends to FreeIPA domain controller when attempting to look up a user from a trusted forest root domain that attemps to login to the domain controller. Notice the level in the lsa_LookupNames3 call and resulting flags in lookup_name(). [2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug) lsa_LookupNames3: struct lsa_LookupNames3 in: struct lsa_LookupNames3 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000004c-0000-0000-455d-3018575c0000 num_names : 0x00000001 (1) names: ARRAY(1) names: struct lsa_String length : 0x000a (10) size : 0x000c (12) string : * string : 'XS\ab' sids : * sids: struct lsa_TransSidArray3 count : 0x00000000 (0) sids : NULL level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6) count : * count : 0x00000000 (0) lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0) client_revision : LSA_CLIENT_REVISION_2 (2) [2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0. [0010] 57 5C 00 00 W\.. [2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx) push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2 [2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids) lookup_lsa_sids: looking up name XS\ab [2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name) lookup_name: XS\ab => domain=[XS], name=[ab] [2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name) lookup_name: flags = 0x00
Fixed in master: via 4d276a93fc6 smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames via 685bb03de6a lookup_name: allow own domain lookup when flags == 0 via 317bc6a7342 torture/rpc/lsa: allow testing different lookup levels
Created attachment 15395 [details] v4.9 backport
Created attachment 15396 [details] v4.10 backport
Created attachment 15397 [details] v4.11 backport
Comment on attachment 15395 [details] v4.9 backport LGTM
Comment on attachment 15396 [details] v4.10 backport LGTM
Comment on attachment 15397 [details] v4.11 backport LGTM
Karolin, please add to the branches. Thanks!
(In reply to Guenther Deschner from comment #8) Pushed to autobuild-v4-{11,10,9}-test.
All backports were pushed. Closing the bug!