[SCM] Samba Shared Repository - branch master updated

Uri Simchoni uri at samba.org
Thu Oct 15 20:59:04 UTC 2015


The branch, master has been updated
       via  8bcbb6f s3: test: Fix standalone valid users fileserver test.
       via  2f6dc26 s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.
       via  23f6744 s3:lib: validate domain name in lookup_wellknown_name()
      from  808f29c s4: torture: Add SMB2 access-based enumeration test. Passes against Win2k12R2.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8bcbb6fb16c13d20556fc50ea2744020cb895be3
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 14 11:20:08 2015 -0700

    s3: test: Fix standalone valid users fileserver test.
    
    Test was originally added for bug #11320. At the time
    I remarked the only way I could get this to reproduce
    the issue was to use "+WORKGROUP\userdup" instead of
    just "+userdup" (which was the actual problem reported),
    but I didn't investigate enough to discover the underlying
    problem which is actually bug:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    (lookup_names() logic for unqualified (no DOMAIN\
    component) names is incorrect). On a standalone
    fileserver "WORKGROUP\name" should not resolve,
    but "NETBIOS-NAME\name" and just "name" should.
    
    This corrects the test now that lookups for unqualified
    names are now being done correctly.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    
    Autobuild-User(master): Uri Simchoni <uri at samba.org>
    Autobuild-Date(master): Thu Oct 15 22:58:54 CEST 2015 on sn-devel-104

commit 2f6dc260ada6cd178a650ca003c2ad22e12697c1
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 15 09:20:58 2015 -0700

    s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.
    
    Change so we only use unqualified name lookup logic if
    domain component = "" and LOOKUP_NAME_ISOLATED flag is
    passed in.
    
    Remember to search for "NT Authority" *before* going
    into unqualified name lookup logic.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 23f674488a1f62fcc58bb94bed0abed98078b96d
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 15 12:35:26 2015 +0200

    s3:lib: validate domain name in lookup_wellknown_name()
    
    If domain argument is not an empty string, only search the matching
    wellknown domain name.
    
    As the only wellknown domain with a name is "NT Authority", passing ""
    to lookup_wellknown_name() will search all domains including "NT
    Authority".
    
    Passing "NT Authority" otoh will obviously only search that domain.
    
    This change makes lookup_wellknown_name() behave like this:
    
    in domain         | in name       | ok | out sid | out domain
    ========================================================
                        Dialup          +    S-1-5-1   NT Authority
    NT Authority        Dialup          +    S-1-5-1   NT Authority
    Creator Authority   Dialup          -    -         -
                        Creator Owner   +    S-1-3-0   ""
    Creator Authority   Creator Owner   -    -         -
    NT Authority        Creator Owner   -    -         -
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba3.pm    |  2 +-
 source3/lib/util_wellknown.c | 13 ++++++++++---
 source3/passdb/lookup_sid.c  | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de4346e..15423fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -608,7 +608,7 @@ sub setup_fileserver($$)
 	dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
 [valid-users-access]
 	path = $valid_users_sharedir
-	valid users = +SAMBA-TEST/userdup
+	valid users = +userdup
 	";
 
 	my $vars = $self->provision($path,
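Review bot: with `valid users = +userdup` replacing the qualified form, the [valid-users-access] share now exercises only the unqualified lookup. The commit message states that on a standalone fileserver "NETBIOS-NAME\name" should resolve and "WORKGROUP\name" should not, but neither qualified case is covered by this share any more. Consider adding a second share (or test case) with a NETBIOS-NAME-qualified group, plus a negative case for the WORKGROUP-qualified one, so a regression in the qualified path of lookup_name() is caught as well.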
diff --git a/source3/lib/util_wellknown.c b/source3/lib/util_wellknown.c
index 0f627d1..a3db9ab 100644
--- a/source3/lib/util_wellknown.c
+++ b/source3/lib/util_wellknown.c
@@ -154,16 +154,23 @@ bool lookup_wellknown_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 ***************************************************************************/
 
 bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
-			   struct dom_sid *sid, const char **domain)
+			   struct dom_sid *sid, const char **pdomain)
 {
 	int i, j;
+	const char *domain = *pdomain;
 
-	DEBUG(10,("map_name_to_wellknown_sid: looking up %s\n", name));
+	DEBUG(10,("map_name_to_wellknown_sid: looking up %s\\%s\n", domain, name));
 
 	for (i=0; special_domains[i].sid != NULL; i++) {
 		const struct rid_name_map *users =
 			special_domains[i].known_users;
 
+		if (domain[0] != '\0') {
+			if (!strequal(domain, special_domains[i].name)) {
+				continue;
+			}
+		}
+
 		if (users == NULL)
 			continue;
 
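Review bot: the last parameter changes from out-only to in/out, but `const char *domain = *pdomain;` followed by `domain[0] != '\0'` reads it with no NULL check and nothing here documents the new contract. Any caller that previously passed an uninitialised or NULL `const char *` now has it dereferenced. Please document in the function header that *pdomain must be a valid string on entry ("" meaning "search all special domains") and either guard against `*pdomain == NULL` or assert on it. The DEBUG line also still names map_name_to_wellknown_sid rather than lookup_wellknown_name.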
@@ -171,7 +178,7 @@ bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
 			if ( strequal(users[j].name, name) ) {
 				sid_compose(sid, special_domains[i].sid,
 					    users[j].rid);
-				*domain = talloc_strdup(
+				*pdomain = talloc_strdup(
 					mem_ctx, special_domains[i].name);
 				return True;
 			}
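Review bot: the result of `talloc_strdup(mem_ctx, special_domains[i].name)` is stored in *pdomain and the function returns True without checking it, so on allocation failure the caller gets success with a NULL domain. Now that *pdomain is also the input the caller just supplied, this overwrites a valid string with NULL. Suggest duplicating into a local, returning false if it is NULL, and only then assigning to *pdomain.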
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3f99ee1..1ffd657 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -140,7 +140,31 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 		return false;
 	}
 
-	if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
+	/*
+	 * Finally check for a well known domain name ("NT Authority"),
+	 * this is taken care if in lookup_wellknown_name().
+	 */
+	if ((domain[0] != '\0') &&
+	    (flags & LOOKUP_NAME_WKN) &&
+	    lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+	{
+		type = SID_NAME_WKN_GRP;
+		goto ok;
+	}
+
+	/*
+	 * If we're told not to look up 'isolated' names then we're
+	 * done.
+	 */
+	if (!(flags & LOOKUP_NAME_ISOLATED)) {
+		TALLOC_FREE(tmp_ctx);
+		return false;
+	}
+
+	/*
+	 * No domain names beyond this point
+	 */
+	if (domain[0] != '\0') {
 		TALLOC_FREE(tmp_ctx);
 		return false;
 	}
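Review bot: the first added comment is misleading where it sits. It says "Finally check for a well known domain name", yet this is the first of the new checks and runs before the unqualified-name logic, and "this is taken care if in" should read "taken care of in". Since the ordering is the point of the fix (the commit message says to search "NT Authority" before the unqualified logic), please reword the comment to say that. The two early returns that follow could also share one comment stating the combined condition: unqualified lookup proceeds only when LOOKUP_NAME_ISOLATED is set and domain is "".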
@@ -152,6 +176,11 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 1. well-known names */
 
+	/*
+	 * Check for well known names without a domain name.
+	 * e.g. \Creator Owner.
+	 */
+
 	if ((flags & LOOKUP_NAME_WKN) &&
 	    lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
 	{
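Review bot: the new comment duplicates the existing `/* 1. well-known names */` marker directly above it and does not state the invariant the call now depends on. After the previous hunk, domain is guaranteed to be "" at this point, which is what makes `lookup_wellknown_name(tmp_ctx, name, &sid, &domain)` search all special domains, and on success domain is replaced by the matching special domain's name. Suggest folding both comments into one that says this explicitly, so a later reorder of the early returns does not silently change which domains are searched.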


-- 
Samba Shared Repository


