[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-28-19-g821de8a

Michael Adam obnox at samba.org
Wed Dec 12 17:02:28 GMT 2007


The branch, v3-0-test has been updated
       via  821de8a047eea10fefb0851792a9e4633c16d871 (commit)
       via  120f2c05a36a59fe6829cc73f20c269ffef134ad (commit)
      from  864175b3dc671e95afa2b6007b7f78778766384b (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 821de8a047eea10fefb0851792a9e4633c16d871
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 16:11:43 2007 +0100

    Fix for bug #4801: Correctly implement lsa lookup levels for lookupnames.
    
    This is a first patch aimed at fixing bug #4801.
    It is still incomplete in that winbindd does not walk
    the trusted domains to look up unqualified names here.
    Apart from that this fix should be pretty much complete.
    
    Michael

commit 120f2c05a36a59fe6829cc73f20c269ffef134ad
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 16:11:43 2007 +0100

    Add flags for correctly implementing lsa_lookup_name levels.
    
    This is in preparation of the upcoming fix for bug #4801
    (correct implementation of lsa lookup name levels.)
    
    Michael

-----------------------------------------------------------------------

Summary of changes:
 source/include/smb.h           |   22 ++++++++++++++----
 source/passdb/lookup_sid.c     |   46 +++++++++++++++++++++++++++------------
 source/rpc_server/srv_lsa_nt.c |   37 ++++++++++++++++++++++++-------
 3 files changed, 77 insertions(+), 28 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/smb.h b/source/include/smb.h
index 3f2f223..ed1d049 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -257,12 +257,24 @@ enum lsa_SidType {
 	SID_NAME_COMPUTER     /* sid for a computer */
 };
 
-#define LOOKUP_NAME_ISOLATED 1	/* Look up unqualified names */
-#define LOOKUP_NAME_REMOTE   2  /* Ask others */
-#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
 
-#define LOOKUP_NAME_GROUP    4  /* (unused) This is a NASTY hack for valid users = @foo
-				 * where foo also exists in as user. */
+#define LOOKUP_NAME_NONE		0x00000000
+#define LOOKUP_NAME_ISOLATED		0x00000001  /* Look up unqualified names */
+#define LOOKUP_NAME_REMOTE		0x00000002  /* Ask others */
+#define LOOKUP_NAME_GROUP		0x00000004  /* (unused) This is a NASTY hack for
+							valid users = @foo where foo also
+							exists in as user. */
+#define LOOKUP_NAME_EXPLICIT		0x00000008  /* Only include
+							explicitly mapped names and not
+							the Unix {User,Group} domain */
+#define LOOKUP_NAME_BUILTIN		0x00000010 /* builtin names */
+#define LOOKUP_NAME_WKN			0x00000020 /* well known names */
+#define LOOKUP_NAME_DOMAIN		0x00000040 /* only lookup own domain */
+#define LOOKUP_NAME_ALL			(LOOKUP_NAME_ISOLATED\
+					|LOOKUP_NAME_REMOTE\
+					|LOOKUP_NAME_BUILTIN\
+					|LOOKUP_NAME_WKN\
+					|LOOKUP_NAME_DOMAIN)
 
 /**
  * @brief Security Identifier
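Review bot: The comment on `LOOKUP_NAME_DOMAIN` ("only lookup own domain") reads as a restriction, but lookup_sid.c in this same changeset tests it as an enabling bit, `(flags & LOOKUP_NAME_DOMAIN)`. `LOOKUP_NAME_BUILTIN` and `LOOKUP_NAME_WKN` are used the same way, so a block comment above the defines should say that each bit switches one name source on and that `LOOKUP_NAME_NONE` resolves nothing. I would reword the one comment to `/* include our own (SAM / primary) domain */` and note next to `LOOKUP_NAME_ALL` that it leaves out `LOOKUP_NAME_GROUP` and `LOOKUP_NAME_EXPLICIT` on purpose. Since `LOOKUP_NAME_ISOLATED` and `LOOKUP_NAME_REMOTE` keep their old values, any caller that passes only those bits would now skip passdb, BUILTIN and well-known names; the callers are outside this diff and should be audited.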
diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
index 37285f0..d1390fd 100644
--- a/source/passdb/lookup_sid.c
+++ b/source/passdb/lookup_sid.c
@@ -60,16 +60,19 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 		name = talloc_strdup(tmp_ctx, full_name);
 	}
 
-	DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", 
-		full_name, domain, name));
-
 	if ((domain == NULL) || (name == NULL)) {
 		DEBUG(0, ("talloc failed\n"));
 		TALLOC_FREE(tmp_ctx);
 		return False;
 	}
 
-	if (strequal(domain, get_global_sam_name())) {
+	DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
+		full_name, domain, name));
+	DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
+
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    strequal(domain, get_global_sam_name()))
+	{
 
 		/* It's our own domain, lookup the name in passdb */
 		if (lookup_global_sam_name(name, flags, &rid, &type)) {
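Review bot: With `(flags & LOOKUP_NAME_DOMAIN)` added to the own-domain test, a name qualified with our SAM domain no longer ends in this branch when the bit is clear. It skips the block, whose tail appears to be the `return False` at the top of the next hunk, and continues to the later stages; the BUILTIN branch in the next hunk has the same shape. If a clear bit means "do not resolve this domain", keep `strequal(domain, ...)` as the outer test and fail inside it, e.g. `if (!(flags & LOOKUP_NAME_DOMAIN)) { TALLOC_FREE(tmp_ctx); return False; }` as the first statement of the block. The code between these branches and the numbered stages is outside the hunks, so please confirm what a qualified name can still match there. Minor: `0x0%x` in the new DEBUG prints a stray zero, `0x%x` is enough.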
@@ -81,8 +84,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 		return False;
 	}
 
-	if (strequal(domain, builtin_domain_name())) {
-
+	if ((flags & LOOKUP_NAME_BUILTIN) &&
+	    strequal(domain, builtin_domain_name()))
+	{
 		/* Explicit request for a name in BUILTIN */
 		if (lookup_builtin_name(name, &rid)) {
 			sid_copy(&sid, &global_sid_Builtin);
@@ -98,6 +102,7 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	 * domain yet at this point yet. This comes later. */
 
 	if ((domain[0] != '\0') &&
+	    (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
 	    (winbind_lookup_name(domain, name, &sid, &type))) {
 			goto ok;
 	}
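Review bot: The new guard `(flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED))` lets the winbind lookup run whenever any other bit is set, so `LOOKUP_NAME_BUILTIN`, `LOOKUP_NAME_WKN`, `LOOKUP_NAME_GROUP` or `LOOKUP_NAME_EXPLICIT` alone is enough to ask winbindd. Any flag added to smb.h later would enable it too. The level that produces these flags comes from the client request (`q_u->lookup_level` in srv_lsa_nt.c), so the bit that allows forwarding a name to other domains should be named positively: `(flags & LOOKUP_NAME_REMOTE) &&`. If some non-LSA caller relies on the wider behaviour, that caller should pass `LOOKUP_NAME_REMOTE` explicitly; those call sites are not visible in this diff.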
@@ -132,14 +137,18 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 1. well-known names */
 
-	if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+	if ((flags & LOOKUP_NAME_WKN) &&
+	    lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+	{
 		type = SID_NAME_WKN_GRP;
 		goto ok;
 	}
 
 	/* 2. Builtin domain as such */
 
-	if (strequal(name, builtin_domain_name())) {
+	if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
+	    strequal(name, builtin_domain_name()))
+	{
 		/* Swap domain and name */
 		tmp = name; name = domain; domain = tmp;
 		sid_copy(&sid, &global_sid_Builtin);
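Review bot: Stage 2 ("Builtin domain as such") accepts `LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE`, while the explicit BUILTIN branch earlier and stage 6 require `LOOKUP_NAME_BUILTIN` alone, and nothing in the hunk says why `LOOKUP_NAME_REMOTE` is enough here. Level 2 in lsa_lookup_level_to_flags sets REMOTE but not BUILTIN, so this may be deliberate. If so, a comment such as `/* REMOTE-only lookups may resolve the BUILTIN domain itself, but not its aliases */` would record it. If it is not deliberate, the test should be `(flags & LOOKUP_NAME_BUILTIN)` like the other two places.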
@@ -149,7 +158,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 3. Account domain */
 
-	if (strequal(name, get_global_sam_name())) {
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    strequal(name, get_global_sam_name()))
+	{
 		if (!secrets_fetch_domain_sid(name, &sid)) {
 			DEBUG(3, ("Could not fetch my SID\n"));
 			TALLOC_FREE(tmp_ctx);
@@ -163,7 +174,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 4. Primary domain */
 
-	if (!IS_DC && strequal(name, lp_workgroup())) {
+	if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
+	    strequal(name, lp_workgroup()))
+	{
 		if (!secrets_fetch_domain_sid(name, &sid)) {
 			DEBUG(3, ("Could not fetch the domain SID\n"));
 			TALLOC_FREE(tmp_ctx);
@@ -178,8 +191,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	/* 5. Trusted domains as such, to me it looks as if members don't do
               this, tested an XP workstation in a NT domain -- vl */
 
-	if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
-							    &sid, NULL))) {
+	if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
+	    (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)))
+	{
 		/* Swap domain and name */
 		tmp = name; name = domain; domain = tmp;
 		type = SID_NAME_DOMAIN;
@@ -188,7 +202,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 6. Builtin aliases */	
 
-	if (lookup_builtin_name(name, &rid)) {
+	if ((flags & LOOKUP_NAME_BUILTIN) &&
+	    lookup_builtin_name(name, &rid))
+	{
 		domain = talloc_strdup(tmp_ctx, builtin_domain_name());
 		sid_copy(&sid, &global_sid_Builtin);
 		sid_append_rid(&sid, rid);
@@ -201,7 +217,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* Both cases are done by looking at our passdb */
 
-	if (lookup_global_sam_name(name, flags, &rid, &type)) {
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    lookup_global_sam_name(name, flags, &rid, &type))
+	{
 		domain = talloc_strdup(tmp_ctx, get_global_sam_name());
 		sid_copy(&sid, get_global_sam_sid());
 		sid_append_rid(&sid, rid);
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 7a47ced..c105edf 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1032,6 +1032,31 @@ NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
 	return r_u->status;
 }
 
+static int lsa_lookup_level_to_flags(uint16 level)
+{
+	int flags;
+
+	switch (level) {
+		case 1:
+			flags = LOOKUP_NAME_ALL;
+			break;
+		case 2:
+			flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
+			break;
+		case 3:
+			flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
+			break;
+		case 4:
+		case 5:
+		case 6:
+		default:
+			flags = LOOKUP_NAME_NONE;
+			break;
+	}
+
+	return flags;
+}
+
 /***************************************************************************
 lsa_reply_lookup_names
  ***************************************************************************/
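Review bot: lsa_lookup_level_to_flags has no header comment, and the `case` labels 1 to 6 are bare numbers even though they are the protocol's named lookup levels (MS-LSAT LSAP_LOOKUP_LEVEL: LsapLookupWksta, LsapLookupPDC, LsapLookupTDL, LsapLookupGC, LsapLookupXForestReferral, LsapLookupXForestResolve). Each case should carry its name as a comment, e.g. `case 1: /* LsapLookupWksta: all sources */`. The function comment should state whether 4 to 6 map to `LOOKUP_NAME_NONE` because they are unimplemented or because nothing may be resolved at those levels. The level comes from the client request, so the `default:` arm would be easier to audit with a log line such as `DEBUG(3, ("lsa_lookup_level_to_flags: unknown level %d\n", level));` rather than silently sharing the 4 to 6 path.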
@@ -1051,10 +1076,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
 		DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
 	}
 		
-	/* Probably the lookup_level is some sort of bitmask. */
-	if (q_u->lookup_level == 1) {
-		flags = LOOKUP_NAME_ALL;
-	}
+	flags = lsa_lookup_level_to_flags(q_u->lookup_level);
 
 	ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
 	if (!ref) {
@@ -1120,11 +1142,8 @@ NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOO
 		num_entries = MAX_LOOKUP_SIDS;
 		DEBUG(5,("_lsa_lookup_names2: truncating name lookup list to %d\n", num_entries));
 	}
-		
-	/* Probably the lookup_level is some sort of bitmask. */
-	if (q_u->lookup_level == 1) {
-		flags = LOOKUP_NAME_ALL;
-	}
+
+	flags = lsa_lookup_level_to_flags(q_u->lookup_level);
 
 	ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
 	if (ref == NULL) {


-- 
Samba Shared Repository

