[SCM] Samba Shared Repository - branch master updated

Alexander Bokovoy ab at samba.org
Wed Nov 11 11:00:03 UTC 2020


The branch, master has been updated
       via  31c703766fd lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
      from  f214a3ba5a3 selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 31c703766fd2b89737826fb7e9a707f0622bb8cd
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue Nov 10 17:35:24 2020 +0200

    lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
    
    In a FreeIPA deployment with an active Global Catalog service, when a two-way
    trust to an Active Directory forest is established, Windows systems can
    look up FreeIPA users and groups. When using the security tab in Windows
    Explorer on the AD side, a lookup over a trusted forest might come as
    realm\name instead of the NetBIOS domain name:
    
    --------------------------------------------------------------------
    [2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
           lsa_LookupNames3: struct lsa_LookupNames3
              in: struct lsa_LookupNames3
                  handle                   : *
                      handle: struct policy_handle
                          handle_type              : 0x00000000 (0)
                          uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
                  num_names                : 0x00000001 (1)
                  names: ARRAY(1)
                      names: struct lsa_String
                          length                   : 0x001e (30)
                          size                     : 0x0020 (32)
                          string                   : *
                              string                   : 'ipa.test\admins'
                  sids                     : *
                      sids: struct lsa_TransSidArray3
                          count                    : 0x00000000 (0)
                          sids                     : NULL
                  level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
                  count                    : *
                      count                    : 0x00000000 (0)
                  lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
                  client_revision          : LSA_CLIENT_REVISION_2 (2)
    --------------------------------------------------------------------
    
    If we are running as a DC and PASSDB supports returning domain info
    (pdb_get_domain_info() returns a valid structure), check the domain of the
    name in lookup_name() against the DNS forest name and allow the request to
    be done against the primary domain. This corresponds to FreeIPA's use of
    Samba as a DC. For normal domain members a realm-based lookup falls back
    to a lookup against their own domain controller with the help of winbindd.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
    Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/passdb/lookup_sid.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ff8a16619a8..cf80a300189 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -113,17 +113,36 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 		full_name, domain, name));
 	DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
 
-	if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
-	    strequal(domain, get_global_sam_name()))
-	{
+	if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
+		bool check_global_sam = false;
+
+		check_global_sam = strequal(domain, get_global_sam_name());
+
+		/* If we are running on a DC that has PASSDB module with domain
+		 * information, check if DNS forest name is matching the domain
+		 * name. This is the case of FreeIPA domain controller when
+		 * trusted AD DC looks up users found in a Global Catalog of
+		 * the forest root domain. */
+		if (!check_global_sam && (IS_DC)) {
+			struct pdb_domain_info *dom_info = NULL;
+			dom_info = pdb_get_domain_info(tmp_ctx);
+
+			if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
+				check_global_sam = strequal(domain, dom_info->dns_forest);
+			}
 
-		/* It's our own domain, lookup the name in passdb */
-		if (lookup_global_sam_name(name, flags, &rid, &type)) {
-			sid_compose(&sid, get_global_sam_sid(), rid);
-			goto ok;
+			TALLOC_FREE(dom_info);
+		}
+
+		if (check_global_sam) {
+			/* It's our own domain, lookup the name in passdb */
+			if (lookup_global_sam_name(name, flags, &rid, &type)) {
+				sid_compose(&sid, get_global_sam_sid(), rid);
+				goto ok;
+			}
+			TALLOC_FREE(tmp_ctx);
+			return false;
 		}
-		TALLOC_FREE(tmp_ctx);
-		return false;
 	}
 
 	if ((flags & LOOKUP_NAME_BUILTIN) &&
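Review bot: the new forest-root branch (`if (!check_global_sam && (IS_DC))`) treats any name prefixed with `dom_info->dns_forest` as belonging to the local SAM, which is only correct when this DC's own domain is the forest root; that holds for the single-domain FreeIPA forest the commit message describes, but the in-code comment should state that assumption explicitly so a future multi-domain deployment does not silently resolve forest-root-prefixed names against the wrong SAM. Two smaller points: `bool check_global_sam = false;` followed on the next statement by `check_global_sam = strequal(domain, get_global_sam_name());` can be collapsed into a single initialised declaration, and since `pdb_get_domain_info(tmp_ctx)` is now called on every non-local domain lookup on a DC (including the `flags == 0` path), it is worth noting in the comment whether the backend is expected to answer that cheaply.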


-- 
Samba Shared Repository
