[SCM] Samba Shared Repository - branch master updated
Alexander Bokovoy
ab at samba.org
Thu Nov 5 07:54:02 UTC 2020
The branch, master has been updated
via ca07dc775cb Revert "lookup_name: allow lookup for own realm"
via 5d80b179a1a Revert "cli_credentials: add a helper to parse user or group names"
via 49efe0ca0b0 Revert "cli_credentials_parse_string: fix parsing of principals"
from 8aebd48698e bootstrap: Add Fedora 33
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ca07dc775cbf0d6736783ced8d0dfb6ddec8520f
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed Nov 4 19:21:24 2020 +0200
Revert "lookup_name: allow lookup for own realm"
This reverts commit f901691209867b32c2d7c5c9274eee196f541654.
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Thu Nov 5 07:53:03 UTC 2020 on sn-devel-184
commit 5d80b179a1ae43325dde821fc6a869b6c1a1eeea
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed Nov 4 19:21:20 2020 +0200
Revert "cli_credentials: add a helper to parse user or group names"
This reverts commit 00f4262ed0b22f6e333e5a29c5590b62c783905c.
commit 49efe0ca0b07396764f78434989165f941cf5f91
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed Nov 4 19:20:58 2020 +0200
Revert "cli_credentials_parse_string: fix parsing of principals"
This reverts commit eb0474d27bae4592b25ac6bf600da29c6a1cb9f8.
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 23 ++---------
auth/credentials/credentials.h | 1 -
auth/credentials/tests/test_creds.c | 58 +---------------------------
python/samba/tests/credentials.py | 4 +-
source3/passdb/lookup_sid.c | 76 ++++++++++---------------------------
5 files changed, 27 insertions(+), 135 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 53bba78176b..1bdd6f15a09 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -836,34 +836,17 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
cli_credentials_set_password(credentials, p+1, obtained);
}
- cli_credentials_parse_name(credentials, uname, obtained);
-}
-
-/**
- * Given a string, parse it into a domain, username and realm fields
- *
- * The format accepted is [domain\\]user or user[@realm]
- *
- * @param credentials Credentials structure on which to set the components
- * @param data the string containing the username, prefixed or suffixed with domain or realm
- * @param obtained This enum describes how 'specified' this credential name is.
- */
-
-_PUBLIC_ void cli_credentials_parse_name(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
-{
- char *uname, *p;
-
- uname = talloc_strdup(credentials, data);
if ((p = strchr_m(uname,'@'))) {
/*
* We also need to set username and domain
* in order to undo the effect of
* cli_credentials_guess().
*/
- cli_credentials_set_principal(credentials, uname, obtained);
- *p = 0;
cli_credentials_set_username(credentials, uname, obtained);
cli_credentials_set_domain(credentials, "", obtained);
+
+ cli_credentials_set_principal(credentials, uname, obtained);
+ *p = 0;
cli_credentials_set_realm(credentials, p+1, obtained);
return;
} else if ((p = strchr_m(uname,'\\'))
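Review bot: The position of the re-added lines relative to `*p = 0` decides what gets stored, and nothing in the hunk says so. `cli_credentials_set_username()` now runs before the string is cut at '@', so the username keeps the whole `user@realm` string (the updated assertions in test_creds.c and credentials.py pin exactly that), while only the realm is taken from after the '@'. Since this ordering is what the reverted commit had changed, I would extend the existing comment with something like `/* username intentionally keeps the full user@realm form; uname is cut at '@' only after the principal is stored */`. Code that compares the username with a bare account name would be affected by this; whether any such caller exists is not visible here. The function starts above the hunk and continues past it.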
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 7c7120b9f55..f468b8558dd 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -155,7 +155,6 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
-void cli_credentials_parse_name(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx);
struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 38550d6ecf9..d2d3d30d73d 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -187,7 +187,7 @@ static void torture_creds_parse_string(void **state)
assert_string_equal(creds->domain, "");
assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
- assert_string_equal(creds->username, "wurst");
+ assert_string_equal(creds->username, "wurst at brot.realm");
assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
assert_string_equal(creds->principal, "wurst at brot.realm");
@@ -197,61 +197,6 @@ static void torture_creds_parse_string(void **state)
assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
}
-static void _parse_name_as_lookup_name(TALLOC_CTX *mem_ctx,
- const char *full_name,
- const char *expected_name,
- const char *expected_domain,
- const char *expected_realm)
-{
- struct cli_credentials *creds = NULL;
-
- creds = cli_credentials_init(mem_ctx);
- assert_non_null(creds);
-
- cli_credentials_parse_name(creds, full_name, CRED_SPECIFIED);
-
- if (expected_name == NULL) {
- assert_null(cli_credentials_get_username(creds));
- } else {
- assert_string_equal(cli_credentials_get_username(creds), expected_name);
- }
-
- if (expected_domain == NULL) {
- assert_null(cli_credentials_get_domain(creds));
- } else {
- assert_string_equal(cli_credentials_get_domain(creds), expected_domain);
- }
-
- if (expected_realm == NULL) {
- assert_null(cli_credentials_get_realm(creds));
- } else {
- assert_string_equal(cli_credentials_get_realm(creds), expected_realm);
- }
-
- TALLOC_FREE(creds);
-
-}
-
-static void torture_creds_parse_name(void **state)
-{
- TALLOC_CTX *mem_ctx = *state;
-
- _parse_name_as_lookup_name(mem_ctx, "XXL\\",
- "", "XXL", NULL);
-
- _parse_name_as_lookup_name(mem_ctx, "XXL\\wurst",
- "wurst", "XXL", NULL);
-
- _parse_name_as_lookup_name(mem_ctx, "wurst at brot.realm",
- "wurst", "", "BROT.REALM");
-
- _parse_name_as_lookup_name(mem_ctx, "wur%t",
- "wur%t", NULL, NULL);
-
- _parse_name_as_lookup_name(mem_ctx, "wurst",
- "wurst", NULL, NULL);
-}
-
int main(int argc, char *argv[])
{
int rc;
@@ -261,7 +206,6 @@ int main(int argc, char *argv[])
cmocka_unit_test(torture_creds_guess),
cmocka_unit_test(torture_creds_anon_guess),
cmocka_unit_test(torture_creds_parse_string),
- cmocka_unit_test(torture_creds_parse_name),
};
if (argc == 2) {
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
index 5d1378fb790..bcd15b1130f 100644
--- a/python/samba/tests/credentials.py
+++ b/python/samba/tests/credentials.py
@@ -400,7 +400,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
os.environ["USER"] = "env_user"
creds.guess(lp)
creds.parse_string("user at samba.org")
- self.assertEqual(creds.get_username(), "user")
+ self.assertEqual(creds.get_username(), "user at samba.org")
self.assertEqual(creds.get_domain(), "")
self.assertEqual(creds.get_realm(), "SAMBA.ORG")
self.assertEqual(creds.get_principal(), "user at samba.org")
@@ -441,7 +441,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
os.environ["USER"] = "env_user"
creds.guess(lp)
creds.parse_string("user at samba.org%pass")
- self.assertEqual(creds.get_username(), "user")
+ self.assertEqual(creds.get_username(), "user at samba.org")
self.assertEqual(creds.get_domain(), "")
self.assertEqual(creds.get_password(), "pass")
self.assertEqual(creds.get_realm(), "SAMBA.ORG")
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index dc32cd9753b..ff8a16619a8 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -29,7 +29,6 @@
#include "../libcli/security/security.h"
#include "lib/winbind_util.h"
#include "../librpc/gen_ndr/idmap.h"
-#include "auth/credentials/credentials.h"
static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
{
@@ -79,85 +78,52 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
const char **ret_domain, const char **ret_name,
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
{
+ char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
- const char *realm = NULL;
uint32_t rid;
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct cli_credentials *creds = NULL;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
- creds = cli_credentials_init(tmp_ctx);
- if (creds == NULL) {
- DEBUG(0, ("cli_credentials_init failed\n"));
- return false;
- }
-
- cli_credentials_parse_name(creds, full_name, CRED_SPECIFIED);
- name = cli_credentials_get_username(creds);
- domain = cli_credentials_get_domain(creds);
- realm = cli_credentials_get_realm(creds);
+ p = strchr_m(full_name, '\\');
- /* At this point we have:
- * - name -- normal name or empty string
- * - domain -- either NULL or domain name
- * - realm -- either NULL or realm name
- *
- * domain and realm are exclusive to each other
- * the code below in lookup_name assumes domain
- * to be at least empty string, not NULL
- */
+ if (p != NULL) {
+ domain = talloc_strndup(tmp_ctx, full_name,
+ PTR_DIFF(p, full_name));
+ name = talloc_strdup(tmp_ctx, p+1);
+ } else {
+ domain = talloc_strdup(tmp_ctx, "");
+ name = talloc_strdup(tmp_ctx, full_name);
+ }
- if (name == NULL) {
- DEBUG(0, ("lookup_name with empty name, exit\n"));
+ if ((domain == NULL) || (name == NULL)) {
+ DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
- if ((domain == NULL) && (realm == NULL)) {
- domain = talloc_strdup(creds, "");
- }
-
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- /* Windows clients may send a LookupNames request with both NetBIOS
- * domain name- and realm-qualified user names. Thus, we need to check
- * both against both of the SAM domain name and realm, if set. Since
- * domain name and realm in the request are exclusive, test the one
- * that is specified. cli_credentials_parse_string() will either set
- * realm or wouldn't so we can use it to detect if realm was specified.
- */
- if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
- const char *domain_name = realm ? realm : domain;
- bool check_global_sam = false;
-
- if (domain_name[0] != '\0') {
- check_global_sam = strequal(domain_name, get_global_sam_name());
- if (!check_global_sam && lp_realm() != NULL) {
- /* Only consider realm when we are DC
- * otherwise use lookup through winbind */
- check_global_sam = strequal(domain_name, lp_realm()) && IS_DC;
- }
- }
+ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
+ strequal(domain, get_global_sam_name()))
+ {
- if (check_global_sam) {
- /* It's our own domain, lookup the name in passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_compose(&sid, get_global_sam_sid(), rid);
- goto ok;
- }
- TALLOC_FREE(tmp_ctx);
- return false;
+ /* It's our own domain, lookup the name in passdb */
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ sid_compose(&sid, get_global_sam_sid(), rid);
+ goto ok;
}
+ TALLOC_FREE(tmp_ctx);
+ return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
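Review bot: The new split has no comment stating what happens to a `user@realm` name, and the explanatory comments it replaces go away with the revert. As written only a backslash is recognised, so such a name reaches the rest of lookup_name() with `domain` set to the empty string and the '@' still inside `name`, and the own-domain passdb branch is presumably skipped for it. A short comment above `p = strchr_m(full_name, '\\');` would record that, e.g. `/* Only DOMAIN\name is split here; anything else, including user@realm, is looked up with an empty domain. */`. `full_name` is also passed to strchr_m() without a NULL check in the visible lines; if callers can pass NULL, a guard belongs before the split. lookup_name() begins above the hunk and continues past it.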
--
Samba Shared Repository