[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Wed Dec 5 10:28:02 UTC 2018


The branch, master has been updated
       via  8b8d9fdad4a winbindd: Route predefined domains through the BUILTIN domain child
       via  b512a58bbd7 winbindd: fix predefined domains routing in find_lookup_domain_from_sid()
       via  e0f784baeaa winbindd: add some braces
       via  2de5f06d399 libcli/security: add dom_sid_lookup_is_predefined_domain()
       via  c46b6b111e8 selftest: test wbinfo -n and --gid-info with "NT Authority"
      from  a92f0ccce60 s3:tests: Add test for checking that root is not allowed as home dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8b8d9fdad4a4e2c479141b3d40e9a7320a49c0dd
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 28 15:39:21 2018 +0100

    winbindd: Route predefined domains through the BUILTIN domain child
    
    Without this eg "NT Authority" didn't work:
    
      $ bin/wbinfo -n "NT Authority/Authenticated Users"
      failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
      Could not lookup name NT Authority/Authenticated Users
    
      $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
      failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
      Could not get info for group NT Authority/Authenticated Users
    
    With the patch:
    
      $ bin/wbinfo -n "NT Authority/Authenticated Users"
      S-1-5-11 SID_WKN_GROUP (5)
    
      $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
      NT AUTHORITY\authenticated users:x:10002:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Dec  5 11:27:22 CET 2018 on sn-devel-144

commit b512a58bbd7361cbbcf68f6713943377338fc2a1
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 28 17:20:41 2018 +0100

    winbindd: fix predefined domains routing in find_lookup_domain_from_sid()
    
    Route predefined domains through the BUILTIN domain child, not passdb.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e0f784baeaa73096534d9a1ed941028d99f84ece
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 27 17:32:09 2018 +0100

    winbindd: add some braces
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2de5f06d399109009c343b0acfef822db38502a1
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 28 17:19:39 2018 +0100

    libcli/security: add dom_sid_lookup_is_predefined_domain()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c46b6b111e8adcd7cf029e5c3293cbdc471793db
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 27 20:32:09 2018 +0100

    selftest: test wbinfo -n and --gid-info with "NT Authority"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/dom_sid.h        |  1 +
 libcli/security/util_sid.c       | 33 +++++++++++++++++++++++++++++++++
 nsswitch/tests/test_wbinfo.sh    | 18 ++++++++++++++++++
 source3/winbindd/winbindd_util.c | 37 +++++++++++++++++--------------------
 4 files changed, 69 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 1effdbc2f6c..abaf305f96a 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -74,6 +74,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
 				       enum lsa_SidType *type,
 				       const struct dom_sid **authority_sid,
 				       const char **authority_name);
+bool dom_sid_lookup_is_predefined_domain(const char *domain);
 
 int dom_sid_compare_auth(const struct dom_sid *sid1,
 			 const struct dom_sid *sid2);
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index af04dff1325..531d3809565 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -879,6 +879,39 @@ NTSTATUS dom_sid_lookup_predefined_name(const char *name,
 	return NT_STATUS_NONE_MAPPED;
 }
 
+bool dom_sid_lookup_is_predefined_domain(const char *domain)
+{
+	size_t di;
+	bool match;
+
+	if (domain == NULL) {
+		domain = "";
+	}
+
+	match = strequal(domain, "");
+	if (match) {
+		/*
+		 * Strange, but that's what W2012R2 does.
+		 */
+		domain = "BUILTIN";
+	}
+
+	for (di = 0; di < ARRAY_SIZE(predefined_domains); di++) {
+		const struct predefined_domain_mapping *d =
+			&predefined_domains[di];
+		int cmp;
+
+		cmp = strcasecmp(d->domain, domain);
+		if (cmp != 0) {
+			continue;
+		}
+
+		return true;
+	}
+
+	return false;
+}
+
 NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
 				       const char **name,
 				       enum lsa_SidType *type,
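Review bot: dom_sid_lookup_is_predefined_domain() has no comment describing its contract, and the contract is not obvious: a NULL or empty `domain` is rewritten to "BUILTIN" before the table scan, so the function answers true for an empty name whenever predefined_domains lists BUILTIN. I would add a header comment stating that the match is case-insensitive against predefined_domains and that NULL and "" are treated as "BUILTIN", because callers that use the result to choose a lookup backend need to know that. The function also mixes two comparison helpers, `strequal(domain, "")` for the empty test and `strcasecmp()` in the loop; `domain[0] == '\0'` would make the first check independent of any case folding, and the loop body reduces to `if (strcasecmp(d->domain, domain) == 0) { return true; }`.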
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 67660e50fc8..2ac83828a0e 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -125,6 +125,24 @@ else
 	echo "success: wbinfo -n check for sane mapping"
 fi
 
+echo "test: wbinfo -n NT Authority/Authenticated Users"
+$wbinfo -n "NT Authority/Authenticated Users"
+if [ $? -ne 0 ] ; then
+    echo "failure: wbinfo -n NT Authority/Authenticated Users"
+    failed=`expr $failed + 1`
+else
+    echo "success: wbinfo -n NT Authority/Authenticated Users"
+fi
+
+echo "test: wbinfo --group-info NT Authority/Authenticated Users"
+$wbinfo --group-info "NT Authority/Authenticated Users"
+if [ $? -ne 0 ] ; then
+    echo "failure: wbinfo --group-info NT Authority/Authenticated Users"
+    failed=`expr $failed + 1`
+else
+    echo "success: wbinfo --group-info NT Authority/Authenticated Users"
+fi
+
 testit "wbinfo -U against $TARGET" $wbinfo -U 30000 || failed=`expr $failed + 1`
 
 echo "test: wbinfo -U check for sane mapping"
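Review bot: Both new tests pass on any zero exit status, so a lookup that succeeds but returns the wrong SID or the wrong group would not be caught. The commit message gives the expected result, `S-1-5-11 SID_WKN_GROUP (5)`, and the -n test could pin it with `$wbinfo -n "NT Authority/Authenticated Users" | grep -q '^S-1-5-11 '` ahead of the `$?` check. For --group-info, matching the group name case-insensitively is safer than matching the whole line, because the gid (10002 in the commit message) presumably depends on the idmap configuration of the test environment.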
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 9bc25d98c4e..75d2f31b55f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -108,15 +108,6 @@ static bool is_internal_domain(const struct dom_sid *sid)
 	return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
 }
 
-static bool is_in_internal_domain(const struct dom_sid *sid)
-{
-	if (sid == NULL)
-		return False;
-
-	return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
-}
-
-
 /* Add a trusted domain to our list of domains.
    If the domain already exists in the list,
    return it and don't re-initialize.  */
@@ -1475,20 +1466,18 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 	     sid_check_is_unix_groups(sid) ||
 	     sid_check_is_in_unix_users(sid) ||
 	     sid_check_is_unix_users(sid) ||
-	     sid_check_is_wellknown_domain(sid, NULL) ||
-	     sid_check_is_in_wellknown_domain(sid) )
+	     sid_check_is_our_sam(sid) ||
+             sid_check_is_in_our_sam(sid) )
 	{
 		return find_domain_from_sid(get_global_sam_sid());
 	}
 
-	/*
-	 * On member servers the internal domains are different: These are part
-	 * of the local SAM.
-	 */
-
-	if (is_internal_domain(sid) || is_in_internal_domain(sid)) {
-		DEBUG(10, ("calling find_domain_from_sid\n"));
-		return find_domain_from_sid(sid);
+	if ( sid_check_is_builtin(sid) ||
+	     sid_check_is_in_builtin(sid) ||
+	     sid_check_is_wellknown_domain(sid, NULL) ||
+	     sid_check_is_in_wellknown_domain(sid) )
+	{
+		return find_domain_from_sid(&global_sid_Builtin);
 	}
 
 	if (IS_DC) {
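Review bot: After this hunk find_lookup_domain_from_sid() carries no comment explaining which child resolves which class of SID, because the old comment and the DEBUG(10) trace are removed and nothing replaces them. A short comment above the second condition would record the rule from the commit message, for example `/* Predefined domains (BUILTIN and well-known ones such as NT Authority) are handled by the BUILTIN domain child, not passdb. */`. The added `sid_check_is_in_our_sam(sid) )` line is indented with spaces while its neighbours use a tab. Whether `find_domain_from_sid(&global_sid_Builtin)` can return NULL at this point, and how callers cope with that, is not visible here; the function begins and ends outside the hunk.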
@@ -1515,6 +1504,8 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
 {
+	bool predefined;
+
 	if ( strequal(domain_name, unix_users_domain_name() ) ||
 	     strequal(domain_name, unix_groups_domain_name() ) )
 	{
@@ -1526,8 +1517,14 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
 	}
 
 	if (strequal(domain_name, "BUILTIN") ||
-	    strequal(domain_name, get_global_sam_name()))
+	    strequal(domain_name, get_global_sam_name())) {
 		return find_domain_from_name_noinit(domain_name);
+	}
+
+	predefined = dom_sid_lookup_is_predefined_domain(domain_name);
+	if (predefined) {
+		return find_domain_from_name_noinit(builtin_domain_name());
+	}
 
 	if (IS_DC) {
 		struct winbindd_domain *domain = NULL;
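Review bot: An empty or NULL `domain_name` now takes the new `predefined` branch, because dom_sid_lookup_is_predefined_domain() (added in libcli/security/util_sid.c by this same push) rewrites both to "BUILTIN" before matching. Such a name previously appears to have fallen through to the `IS_DC` block and whatever follows it, so the routing for that input changes, while the commit messages only mention "NT Authority". If that is intended, say so in a comment above the call, e.g. `/* NULL and "" count as BUILTIN here, as on W2012R2 */`; if not, guard the call with `domain_name != NULL && domain_name[0] != '\0'`. find_lookup_domain_from_name() continues past the end of the hunk, so the old fall-through target is not visible.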


-- 
Samba Shared Repository


