[PATCH] lookupsids for domain sids

Michael Adam obnox at samba.org
Wed Sep 18 10:03:35 CEST 2013


Hi list,

I found that the s4 dc does not reply correctly to a lookupsids
request for the domain sid:

We should reply with sid type DOMAIN (3) and the name string set
to NULL.

Instead we reply with sid type UNKNOWN (8) and the input sid
as the name string.

The attached patch fixes that in s4's rpc-server.

The second patch improves the output of the rpcclient tool's
lookupsids implementation in that case (printing DOMAIN_NAME
instead of DOMAIN_NAME\*unknown*).

I don't quite understand yet what our "lsalookup" test does,
or more precisely why the server patch does not change the
test result of this test...
So this needs more investigation, but I wanted to share the
finding already at this stage.

Cheers - Michael
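The behaviour the mail describes, as an added, self-contained example that is not part of the original post or of Samba: a small model of an LSA LookupSids resolver and of the rpcclient output format. The domain name "SAMDOM", the domain SID S-1-5-21-1111-2222-3333 and the two-entry account table are constructed for the example; the dom_sid / SID_NAME_* names are borrowed from Samba for readability only, and every type and function here is local to the file. The domain SID is resolved to type DOMAIN (3) with a NULL name, an account SID to DOMAIN\name with its own type, and anything unmapped to UNKNOWN (8), which is the distinction both patches are about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Samba code: a small model of the LookupSids behaviour the mail
 * describes. Names mirror Samba's (dom_sid, SID_NAME_*) but everything here is local. */

/* Subset of the MS-LSAT SID_NAME_USE values; DOMAIN (3) and UNKNOWN (8) are the two at issue. */
enum lsa_SidType { SID_NAME_USER = 1, SID_NAME_DOM_GRP = 2, SID_NAME_DOMAIN = 3, SID_NAME_UNKNOWN = 8 };
struct dom_sid { uint64_t id_auth; uint8_t num_auths; uint32_t sub_auths[15]; }; /* revision fixed at 1 */

/* Decimal field at s, bounded by max. */
static bool parse_num(const char *s, char **end, uint64_t max, uint64_t *out)
{
	if (*s < '0' || *s > '9') return false;      /* rejects "", "-3" and " 3", which strtoull alone accepts */
	return (*out = strtoull(s, end, 10)) <= max;
}

/* Parse "S-1-<authority>-<sub>-<sub>..." into a dom_sid. */
static bool sid_parse(const char *s, struct dom_sid *out)
{
	char *end; uint64_t v;
	memset(out, 0, sizeof(*out));
	if (strncmp(s, "S-1-", 4) != 0 || !parse_num(s + 4, &end, 0xFFFFFFFFFFFFULL, &out->id_auth)) return false;
	while (*end == '-') {
		if (out->num_auths == 15 || !parse_num(end + 1, &end, 0xFFFFFFFFULL, &v)) return false;
		out->sub_auths[out->num_auths++] = (uint32_t)v;
	}
	return *end == '\0';
}

static bool dom_sid_equal(const struct dom_sid *a, const struct dom_sid *b)
{
	return a->num_auths == b->num_auths && a->id_auth == b->id_auth &&
	       memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

/* True when sid sits directly under domain_sid (exactly one extra sub-authority). The domain SID
 * itself is NOT "in" its own domain, which is why looking it up needs the equality check the s4 patch adds. */
static bool dom_sid_in_domain(const struct dom_sid *domain_sid, const struct dom_sid *sid)
{
	return sid->num_auths == domain_sid->num_auths + 1 && sid->id_auth == domain_sid->id_auth &&
	       memcmp(domain_sid->sub_auths, sid->sub_auths, domain_sid->num_auths * sizeof(uint32_t)) == 0;
}

static const struct { uint32_t rid; const char *name; enum lsa_SidType type; } accounts[] = {
	{ 500, "Administrator", SID_NAME_USER }, { 512, "Domain Admins", SID_NAME_DOM_GRP } }; /* constructed directory */

/* Same contract as the s4 server function in the patch: authority_name, name and the returned type. */
static enum lsa_SidType lookup_sid(const struct dom_sid *domain_sid, const char *domain_name,
                                   const struct dom_sid *sid, const char **authority_name, const char **name)
{
	*authority_name = NULL; *name = NULL;
	if (dom_sid_equal(domain_sid, sid)) {          /* the case the mail fixes: DOMAIN, name stays NULL */
		*authority_name = domain_name;
		return SID_NAME_DOMAIN;
	}
	if (dom_sid_in_domain(domain_sid, sid)) {
		uint32_t rid = sid->sub_auths[sid->num_auths - 1];
		for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
			if (accounts[i].rid == rid) {
				*authority_name = domain_name; *name = accounts[i].name;
				return accounts[i].type;
			}
	}
	return SID_NAME_UNKNOWN;                        /* unmapped: no authority, no name */
}

/* One output line as the patched rpcclient prints it: NAME for type DOMAIN, DOMAIN\name
 * otherwise, "*unknown*" for anything missing. */
static const char *format_line(const char *sid_str, const char *dom, const char *name, enum lsa_SidType type)
{
	static char buf[256];
	dom = dom ? dom : "*unknown*";
	if (type == SID_NAME_DOMAIN)
		snprintf(buf, sizeof buf, "%s %s (%d)", sid_str, dom, (int)type);
	else
		snprintf(buf, sizeof buf, "%s %s\\%s (%d)", sid_str, dom, name ? name : "*unknown*", (int)type);
	return buf;
}

static const char *resolve(const char *domain_sid_str, const char *domain_name, const char *sid_str)
{
	struct dom_sid dom, q;
	const char *authority, *name;
	if (!sid_parse(domain_sid_str, &dom) || !sid_parse(sid_str, &q)) return "invalid SID";
	enum lsa_SidType type = lookup_sid(&dom, domain_name, &q, &authority, &name);
	return format_line(sid_str, authority, name, type);
}

int main(void)
{
	const char *dom = "S-1-5-21-1111-2222-3333";   /* constructed domain SID */
	const char *q[] = { dom, "S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-9999", "S-1-5-21-4-5-6-512" };
	for (size_t i = 0; i < sizeof q / sizeof q[0]; i++) puts(resolve(dom, "SAMDOM", q[i]));
	return 0;
}
```

Running it prints the domain SID as "S-1-5-21-1111-2222-3333 SAMDOM (3)" with no backslash or account part, the Administrator SID as "SAMDOM\Administrator (1)", and both unmapped SIDs as "*unknown*\*unknown* (8)". The equality check has to exist separately because dom_sid_in_domain() only matches SIDs with one sub-authority more than the domain; without it the domain SID falls through to the UNKNOWN path, which is the server bug the second patch fixes.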

-------------- next part --------------
From 332760e58a6d0447bfebf3880d54de3c6dc94e9a Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 18 Sep 2013 09:32:17 +0200
Subject: [PATCH 1/2] rpcclient: fix output of lsalookupsids for sids of type
 DOMAIN

For domain sids, don't print NAME\*unknown* but print NAME instead.

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/rpcclient/cmd_lsarpc.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index cbc089f..503e0fb 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -430,9 +430,16 @@ static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem
 		fstring sid_str;
 
 		sid_to_fstring(sid_str, &sids[i]);
-		printf("%s %s\\%s (%d)\n", sid_str, 
-		       domains[i] ? domains[i] : "*unknown*", 
-		       names[i] ? names[i] : "*unknown*", types[i]);
+		if (types[i] == SID_NAME_DOMAIN) {
+			printf("%s %s (%d)\n", sid_str,
+			       domains[i] ? domains[i] : "*unknown*",
+			       types[i]);
+		} else {
+			printf("%s %s\\%s (%d)\n", sid_str,
+			       domains[i] ? domains[i] : "*unknown*",
+			       names[i] ? names[i] : "*unknown*",
+			       types[i]);
+		}
 	}
 
 	dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
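Review bot: the new SID_NAME_DOMAIN branch discards names[i] unconditionally, so if a server does hand back a non-NULL name for a DOMAIN-type SID (the unpatched s4 server in the cover letter returns UNKNOWN, not DOMAIN, so that case is unaffected, but other servers may differ) the tool silently hides it; consider keeping the old `%s\\%s` form when types[i] == SID_NAME_DOMAIN and names[i] is non-NULL so the output stays a faithful dump of what the server sent. Minor: the `domains[i] ? domains[i] : "*unknown*"` fallback is now duplicated in both branches; hoisting it into a local above the if keeps the two printf() calls short.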
-- 
1.7.9.5


From f69cb343cee67ca65891e3e6c2451771b591e7fa Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 18 Sep 2013 09:33:07 +0200
Subject: [PATCH 2/2] s4:rpc_server: fix lsa_lookupsids return value for the
 domain sid

We currently return type UNKNOWN and copy the domain sid to the name.
Instead we should return type DOMAIN and return NULL as name.

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source4/rpc_server/lsa/lsa_lookup.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 07d5c2f..5a1b4cb 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -497,6 +497,13 @@ static NTSTATUS dcesrv_lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX
 		return status;
 	}
 
+	if (dom_sid_equal(state->domain_sid, sid)) {
+		*authority_name = state->domain_name;
+		*name = NULL;
+		*rtype = SID_NAME_DOMAIN;
+		return NT_STATUS_OK;
+	}
+
 	if (dom_sid_in_domain(state->domain_sid, sid)) {
 		*authority_name = state->domain_name;
 		domain_dn = state->domain_dn;
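Review bot: only the primary domain SID (`state->domain_sid`) gets the new DOMAIN/NULL-name handling; if this function also resolves SIDs belonging to other domains (BUILTIN, trusted domains), a lookup of one of those domain SIDs still falls through to the old path and comes back as UNKNOWN, so please check whether the same treatment is needed there. Since the cover letter says the existing lsalookup test result does not change with this patch, that test evidently never queries the domain SID itself; add a case that looks up `state->domain_sid` and asserts type SID_NAME_DOMAIN, a NULL name and the domain name as authority, so the fix is pinned by a test. A one-line comment on why the equality check sits before the dom_sid_in_domain() check (the domain SID is not an account in its own domain) would also help the next reader.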
-- 
1.7.9.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 215 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130918/26ff5786/attachment.pgp>


More information about the samba-technical mailing list