[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Mon Nov 15 19:02:01 UTC 2021


The branch, master has been updated
       via  0a546be0529 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
       via  494bf7de6ff CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
       via  8a9f2aa2c1c CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
       via  fdbee5e074e CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
       via  5ea347d3673 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
       via  bfd093648b4 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
      from  c69b66f649c IPA DC: add missing checks

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 12 16:10:31 2021 +1300

    CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
    
    Before the CVE-2020-25717 fixes we had a fallback from
    getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
    unpredictable.
    
    Now we do the fallback based on sid_to_uid() followed by
    getpwuid() on the returned uid.
    
    This obsoletes 'username map [script]' based workaround adviced
    for CVE-2020-25717, when nss_winbindd is not used or
    idmap_nss is actually used.
    
    In future we may decide to prefer or only do the SID/UID based
    lookup, but for now we want to keep this unchanged as much as possible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    [metze at samba.org moved the new logic into the fallback codepath only
     in order to avoid behavior changes as much as possible]
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 12 14:22:47 2021 +1300

    CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    [metze at samba.org removed unused tests for a feature that
     was removed before merging]
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 12 14:20:45 2021 +1300

    CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
    
    In reality environments without 'nss_winbind' make use of 'idmap_nss'.
    
    For testing, DOMAIN/bob is mapped to the local 'bob',
    while DOMAIN/jane gets the uid based on the local 'jane'
    vis idmap_nss.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    [metze at samba.org avoid to create a new ad_member_idmap_nss environment
    and merge it with ad_member_no_nss_wb instead]
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit fdbee5e074ebd76d659613b8b7114d70f938c38a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 12 20:53:30 2021 +1300

    CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5ea347d3673e35891613c90ca837d1ce4833c1b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 12 14:14:55 2021 +1300

    CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit bfd093648b4af51d104096c0cb3535e8706671e5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 12 15:27:58 2021 +0100

    CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
    
    We already check the sid belongs to the domain, but checking the name
    too feels better and make it easier to understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/nsstest.c                        |   2 +-
 python/samba/tests/krb5/kdc_base_test.py  |  42 ++++++
 python/samba/tests/krb5/test_idmap_nss.py | 232 ++++++++++++++++++++++++++++++
 python/samba/tests/usage.py               |   1 +
 selftest/target/Samba.pm                  |   2 +-
 selftest/target/Samba3.pm                 |  24 +++-
 source3/auth/auth_util.c                  |  34 ++++-
 source3/winbindd/idmap_nss.c              |  26 +++-
 source4/selftest/tests.py                 |  18 ++-
 9 files changed, 368 insertions(+), 13 deletions(-)
 create mode 100755 python/samba/tests/krb5/test_idmap_nss.py


Changeset truncated at 500 lines:

diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
index e2ee9fbf3af..45270cdc459 100644
--- a/nsswitch/nsstest.c
+++ b/nsswitch/nsstest.c
@@ -466,7 +466,7 @@ static void nss_test_errors(void)
 		printf("ERROR Non existent user gave error %d\n", last_error);
 	}
 
-	pwd = getpwuid(0xFFF0);
+	pwd = getpwuid(0xFF00);
 	if (pwd || last_error != NSS_STATUS_NOTFOUND) {
 		total_errors++;
 		printf("ERROR Non existent uid gave error %d\n", last_error);
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index f64bd0b206e..6e96b982167 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1063,6 +1063,48 @@ class KDCBaseTest(RawKerberosTest):
                                  fallback_creds_fn=download_dc_creds)
         return c
 
+    def get_server_creds(self,
+                     require_keys=True,
+                     require_strongest_key=False):
+        if require_strongest_key:
+            self.assertTrue(require_keys)
+
+        def download_server_creds():
+            samdb = self.get_samdb()
+
+            res = samdb.search(base=samdb.get_default_basedn(),
+                               expression=(f'(|(sAMAccountName={self.host}*)'
+                                           f'(dNSHostName={self.host}))'),
+                               scope=ldb.SCOPE_SUBTREE,
+                               attrs=['sAMAccountName',
+                                      'msDS-KeyVersionNumber'])
+            self.assertEqual(1, len(res))
+            dn = res[0].dn
+            username = str(res[0]['sAMAccountName'])
+
+            creds = KerberosCredentials()
+            creds.set_domain(self.env_get_var('DOMAIN', 'SERVER'))
+            creds.set_realm(self.env_get_var('REALM', 'SERVER'))
+            creds.set_username(username)
+
+            kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+            creds.set_kvno(kvno)
+            creds.set_dn(dn)
+
+            keys = self.get_keys(samdb, dn)
+            self.creds_set_keys(creds, keys)
+
+            self.creds_set_enctypes(creds)
+
+            return creds
+
+        c = self._get_krb5_creds(prefix='SERVER',
+                                 allow_missing_password=True,
+                                 allow_missing_keys=not require_keys,
+                                 require_strongest_key=require_strongest_key,
+                                 fallback_creds_fn=download_server_creds)
+        return c
+
     def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0):
         '''Send a Kerberos AS_REQ, returns the undecoded response
         '''
diff --git a/python/samba/tests/krb5/test_idmap_nss.py b/python/samba/tests/krb5/test_idmap_nss.py
new file mode 100755
index 00000000000..d3480dbca3f
--- /dev/null
+++ b/python/samba/tests/krb5/test_idmap_nss.py
@@ -0,0 +1,232 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2021 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+from ldb import SCOPE_SUBTREE
+from samba import NTSTATUSError
+from samba.credentials import DONT_USE_KERBEROS
+from samba.dcerpc import security
+from samba.ndr import ndr_unpack
+from samba.ntstatus import (
+    NT_STATUS_NO_IMPERSONATION_TOKEN,
+    NT_STATUS_LOGON_FAILURE
+)
+from samba.samba3 import libsmb_samba_internal as libsmb
+from samba.samba3 import param as s3param
+
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class IdmapNssTests(KDCBaseTest):
+
+    mappeduser_uid = 0xffff - 14
+    mappeduser_sid = security.dom_sid(f'S-1-22-1-{mappeduser_uid}')
+    unmappeduser_uid = 0xffff - 15
+    unmappeduser_sid = security.dom_sid(f'S-1-22-1-{unmappeduser_uid}')
+
+    def get_mapped_creds(self,
+                         allow_missing_password=False,
+                         allow_missing_keys=True):
+        c = self._get_krb5_creds(prefix='MAPPED',
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
+        c.set_workstation('')
+        return c
+
+    def get_unmapped_creds(self,
+                           allow_missing_password=False,
+                           allow_missing_keys=True):
+        c = self._get_krb5_creds(prefix='UNMAPPED',
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
+        c.set_workstation('')
+        return c
+
+    def get_invalid_creds(self,
+                          allow_missing_password=False,
+                          allow_missing_keys=True):
+        c = self._get_krb5_creds(prefix='INVALID',
+                                 allow_missing_password=allow_missing_password,
+                                 allow_missing_keys=allow_missing_keys)
+        c.set_workstation('')
+        return c
+
+    # Expect a mapping to the local user SID.
+    def test_mapped_user_kerberos(self):
+        user_creds = self.get_mapped_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=True,
+                                 expected_first_sid=self.mappeduser_sid,
+                                 expected_uid=self.mappeduser_uid)
+
+    # Expect a mapping to the local user SID.
+    def test_mapped_user_ntlm(self):
+        user_creds = self.get_mapped_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=False,
+                                 expected_first_sid=self.mappeduser_sid,
+                                 expected_uid=self.mappeduser_uid)
+
+    def test_mapped_user_no_pac_kerberos(self):
+        user_creds = self.get_mapped_creds()
+        self._run_idmap_nss_test(
+            user_creds, use_kerberos=True, remove_pac=True,
+            expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN)
+
+    def test_unmapped_user_kerberos(self):
+        user_creds = self.get_unmapped_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=True,
+                                 expected_additional_sid=self.unmappeduser_sid,
+                                 expected_uid=self.unmappeduser_uid)
+
+    def test_unmapped_user_ntlm(self):
+        user_creds = self.get_unmapped_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=False,
+                                 expected_additional_sid=self.unmappeduser_sid,
+                                 expected_uid=self.unmappeduser_uid)
+
+    def test_unmapped_user_no_pac_kerberos(self):
+        user_creds = self.get_unmapped_creds()
+        self._run_idmap_nss_test(
+            user_creds, use_kerberos=True, remove_pac=True,
+            expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN)
+
+    def test_invalid_user_kerberos(self):
+        user_creds = self.get_invalid_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=True,
+                                 expected_error=NT_STATUS_LOGON_FAILURE)
+
+    def test_invalid_user_ntlm(self):
+        user_creds = self.get_invalid_creds()
+        self._run_idmap_nss_test(user_creds, use_kerberos=False,
+                                 expected_error=NT_STATUS_LOGON_FAILURE)
+
+    def test_invalid_user_no_pac_kerberos(self):
+        user_creds = self.get_invalid_creds()
+        self._run_idmap_nss_test(
+            user_creds, use_kerberos=True, remove_pac=True,
+            expected_error=NT_STATUS_NO_IMPERSONATION_TOKEN)
+
+    def _run_idmap_nss_test(self, user_creds,
+                            use_kerberos,
+                            remove_pac=False,
+                            expected_error=None,
+                            expected_first_sid=None,
+                            expected_additional_sid=None,
+                            expected_uid=None):
+        if expected_first_sid is not None:
+            self.assertIsNotNone(expected_uid)
+        if expected_additional_sid is not None:
+            self.assertIsNotNone(expected_uid)
+        if expected_uid is not None:
+            self.assertIsNone(expected_error)
+
+        if not use_kerberos:
+            self.assertFalse(remove_pac)
+
+        samdb = self.get_samdb()
+
+        server_name = self.host
+        service = 'cifs'
+        share = 'tmp'
+
+        server_creds = self.get_server_creds()
+
+        if expected_first_sid is None:
+            # Retrieve the user account's SID.
+            user_name = user_creds.get_username()
+            res = samdb.search(scope=SCOPE_SUBTREE,
+                               expression=f'(sAMAccountName={user_name})',
+                               attrs=['objectSid'])
+            self.assertEqual(1, len(res))
+
+            expected_first_sid = ndr_unpack(security.dom_sid,
+                                      res[0].get('objectSid', idx=0))
+
+        if use_kerberos:
+            # Talk to the KDC to obtain the service ticket, which gets placed
+            # into the cache. The machine account name has to match the name in
+            # the ticket, to ensure that the krbtgt ticket doesn't also need to
+            # be stored.
+            creds, cachefile = self.create_ccache_with_user(
+                user_creds,
+                server_creds,
+                service,
+                server_name,
+                pac=not remove_pac)
+
+            # Remove the cached creds file.
+            self.addCleanup(os.remove, cachefile.name)
+
+            # Set the Kerberos 5 creds cache environment variable. This is
+            # required because the codepath that gets run (gse_krb5) looks for
+            # it in here and not in the creds object.
+            krb5_ccname = os.environ.get('KRB5CCNAME', '')
+            self.addCleanup(os.environ.__setitem__, 'KRB5CCNAME', krb5_ccname)
+            os.environ['KRB5CCNAME'] = 'FILE:' + cachefile.name
+        else:
+            creds = user_creds
+            creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+        # Connect to a share and retrieve the user SID.
+        s3_lp = s3param.get_context()
+        s3_lp.load(self.get_lp().configfile)
+
+        min_protocol = s3_lp.get('client min protocol')
+        self.addCleanup(s3_lp.set, 'client min protocol', min_protocol)
+        s3_lp.set('client min protocol', 'NT1')
+
+        max_protocol = s3_lp.get('client max protocol')
+        self.addCleanup(s3_lp.set, 'client max protocol', max_protocol)
+        s3_lp.set('client max protocol', 'NT1')
+
+        try:
+            conn = libsmb.Conn(server_name, share, lp=s3_lp, creds=creds)
+        except NTSTATUSError as e:
+            enum, _ = e.args
+            self.assertEqual(expected_error, enum)
+            return
+        else:
+            self.assertIsNone(expected_error)
+
+        uid, gid, gids, sids, guest = conn.posix_whoami()
+
+        # Ensure that they match.
+        self.assertEqual(expected_first_sid, sids[0])
+        self.assertNotIn(expected_first_sid, sids[1:-1])
+
+        if expected_additional_sid:
+            self.assertNotEqual(expected_additional_sid, sids[0])
+            self.assertIn(expected_additional_sid, sids)
+
+        self.assertIsNotNone(expected_uid)
+        self.assertEqual(expected_uid, uid)
+
+
+if __name__ == '__main__':
+    global_asn1_print = False
+    global_hexdump = False
+    import unittest
+    unittest.main()
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 42aa1afc998..cf66e0afe71 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -108,6 +108,7 @@ EXCLUDE_USAGE = {
     'python/samba/tests/krb5/spn_tests.py',
     'python/samba/tests/krb5/alias_tests.py',
     'python/samba/tests/krb5/test_min_domain_uid.py',
+    'python/samba/tests/krb5/test_idmap_nss.py',
 }
 
 EXCLUDE_HELP = {
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 69e6dcee591..c4f8eb5d4f9 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -610,7 +610,7 @@ sub get_interface($)
 		fipsadmember      => 57,
 		offlineadmem      => 58,
 		s2kmember         => 59,
-		admemnonsswb      => 60,
+		admemidmapnss     => 60,
 
 		rootdnsforwarder  => 64,
 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index c0ed379bf3f..d1ac5c16c26 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -240,7 +240,7 @@ sub check_env($$)
 	ad_member_fips      => ["ad_dc_fips"],
 	ad_member_offlogon  => ["ad_dc"],
 	ad_member_oneway    => ["fl2000dc"],
-	ad_member_no_nss_wb => ["ad_dc"],
+	ad_member_idmap_nss => ["ad_dc"],
 
 	clusteredmember => ["nt4_dc"],
 );
@@ -1448,7 +1448,7 @@ sub setup_ad_member_offlogon
 					  1);
 }
 
-sub setup_ad_member_no_nss_wb
+sub setup_ad_member_idmap_nss
 {
 	my ($self,
 	    $prefix,
@@ -1461,14 +1461,23 @@ sub setup_ad_member_no_nss_wb
 	        return "UNKNOWN";
 	}
 
-	print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+	print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config...";
 
 	my $extra_member_options = "
+	# bob:x:65521:65531:localbob gecos:/:/bin/false
+	# jane:x:65520:65531:localjane gecos:/:/bin/false
+	idmap config $dcvars->{DOMAIN} : backend = nss
+	idmap config $dcvars->{DOMAIN} : range = 65520-65521
+
+	# Support SMB1 so that we can use posix_whoami().
+	client min protocol = CORE
+	server min protocol = LANMAN1
+
 	username map = $prefix/lib/username.map
 ";
 
 	my $ret = $self->provision_ad_member($prefix,
-					     "ADMEMNONSSWB",
+					     "ADMEMIDMAPNSS",
 					     $dcvars,
 					     $trustvars_f,
 					     $trustvars_e,
@@ -1480,6 +1489,7 @@ sub setup_ad_member_no_nss_wb
 	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
 	print USERMAP "
 root = $dcvars->{DOMAIN}/root
+bob = $dcvars->{DOMAIN}/bob
 ";
 	close(USERMAP);
 
@@ -2528,6 +2538,8 @@ sub provision($$)
 	my ($uid_gooduser);
 	my ($uid_eviluser);
 	my ($uid_slashuser);
+	my ($uid_localbob);
+	my ($uid_localjane);
 
 	if ($unix_uid < 0xffff - 13) {
 		$max_uid = 0xffff;
@@ -2548,6 +2560,8 @@ sub provision($$)
 	$uid_gooduser = $max_uid - 11;
 	$uid_eviluser = $max_uid - 12;
 	$uid_slashuser = $max_uid - 13;
+	$uid_localbob = $max_uid - 14;
+	$uid_localjane = $max_uid - 15;
 
 	if ($unix_gids[0] < 0xffff - 8) {
 		$max_gid = 0xffff;
@@ -3289,6 +3303,8 @@ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
 gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
 eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
 slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
 ";
 	if ($unix_uid != 0) {
 		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 4527dedc49d..28850cd8520 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1877,7 +1877,9 @@ const struct auth_session_info *get_session_info_system(void)
 ***************************************************************************/
 
 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
-			      const char *username, char **found_username,
+			      const char *username,
+			      const struct dom_sid *sid,
+			      char **found_username,
 			      struct passwd **pwd,
 			      bool *username_was_mapped)
 {
@@ -1912,6 +1914,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
 	}
 
 	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
+	if (!passwd && !*username_was_mapped) {
+		struct dom_sid_buf buf;
+		uid_t uid;
+		bool ok;
+
+		DBG_DEBUG("Failed to find authenticated user %s via "
+			  "getpwnam(), fallback to sid_to_uid(%s).\n",
+			  dom_user, dom_sid_str_buf(sid, &buf));
+
+		ok = sid_to_uid(sid, &uid);
+		if (!ok) {
+			DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
+				dom_sid_str_buf(sid, &buf), dom_user);
+			return NT_STATUS_NO_SUCH_USER;
+		}
+		passwd = getpwuid_alloc(mem_ctx, uid);
+		if (!passwd) {
+			DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
+				(long long)uid,
+				dom_sid_str_buf(sid, &buf),
+				dom_user);
+			return NT_STATUS_NO_SUCH_USER;
+		}
+		real_username = talloc_strdup(mem_ctx, passwd->pw_name);
+	}
 	if (!passwd) {
 		DEBUG(3, ("Failed to find authenticated user %s via "
 			  "getpwnam(), denying access.\n", dom_user));
@@ -2057,6 +2084,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	bool username_was_mapped;
 	struct passwd *pwd;
 	struct auth_serversupplied_info *result;
+	struct dom_sid sid;
 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 
 	/* 
@@ -2103,9 +2131,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
 	/* this call will try to create the user if necessary */
 
+	sid_copy(&sid, info3->base.domain_sid);
+	sid_append_rid(&sid, info3->base.rid);
+
 	nt_status = check_account(tmp_ctx,
 				  nt_domain,
 				  nt_username,
+				  &sid,
 				  &found_username,
 				  &pwd,
 				  &username_was_mapped);
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index da50e2b4aa7..2729a0de3f3 100644
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
 	for (i = 0; ids[i]; i++) {
 		struct group *gr;
 		enum lsa_SidType type;
-		const char *p = NULL;
+		const char *_domain = NULL;
+		const char *_name = NULL;
+		char *domain = NULL;
 		char *name = NULL;
 		bool ret;
 
 		/* by default calls to winbindd are disabled
 		   the following call will not recurse so this is safe */
 		(void)winbind_on();
-		ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list