[PATCH] Fix for bug 11320

Jeremy Allison jra at samba.org
Tue Jul 28 18:35:04 UTC 2015


Marc, you've already reviewed Justin's patch,
here is the complete patchset including the
regression test.

Please review !

Cheers,

	Jeremy.
-------------- next part --------------
From a1a42b6207a721fcb95651e290d06297afd36765 Mon Sep 17 00:00:00 2001
From: Justin Maggard <jmaggard at netgear.com>
Date: Tue, 21 Jul 2015 15:17:30 -0700
Subject: [PATCH 1/2] s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.

Somewhere along the line, a config line like "valid users = @foo"
broke when "foo" also exists as a user.

user_ok_token() already does the right thing by adding the LOOKUP_NAME_GROUP
flag; but lookup_name() was not respecting that flag, and went ahead and looked
for users anyway.

Regression test to follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11320

Signed-off-by: Justin Maggard <jmaggard at netgear.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Marc Muehlfeld <mmuehlfeld at samba.org>
---
 source3/passdb/lookup_sid.c | 4 ++--
 source3/passdb/lookup_sid.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3cc64de..3f99ee1 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -120,7 +120,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 			goto ok;
 	}
 
-	if (((flags & LOOKUP_NAME_NO_NSS) == 0)
+	if (((flags & (LOOKUP_NAME_NO_NSS|LOOKUP_NAME_GROUP)) == 0)
 	    && strequal(domain, unix_users_domain_name())) {
 		if (lookup_unix_user_name(name, &sid)) {
 			type = SID_NAME_USER;
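Review bot: Both changed conditions (this one and the step-11 fallback in the second hunk) suppress only the unix-user lookups when LOOKUP_NAME_GROUP is set; any other branch of lookup_name() that can return SID_NAME_USER lies outside these hunks, so from this view it is not clear that a same-named user can no longer win over the group. If such branches exist, the caller that passes LOOKUP_NAME_GROUP should check the returned type rather than rely on lookup order, because the result feeds `valid users` access decisions. A short comment at each test would also help, e.g. `/* LOOKUP_NAME_GROUP: caller wants a group, so a same-named unix user must not match. */`. lookup_name() starts before and continues past both hunks.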
@@ -293,7 +293,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 	/* 11. Ok, windows would end here. Samba has two more options:
                Unmapped users and unmapped groups */
 
-	if (((flags & LOOKUP_NAME_NO_NSS) == 0)
+	if (((flags & (LOOKUP_NAME_NO_NSS|LOOKUP_NAME_GROUP)) == 0)
 	    && lookup_unix_user_name(name, &sid)) {
 		domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
 		type = SID_NAME_USER;
diff --git a/source3/passdb/lookup_sid.h b/source3/passdb/lookup_sid.h
index 872f4ef..8b5edf6 100644
--- a/source3/passdb/lookup_sid.h
+++ b/source3/passdb/lookup_sid.h
@@ -31,7 +31,7 @@ struct unixid;
 #define LOOKUP_NAME_NONE		0x00000000
 #define LOOKUP_NAME_ISOLATED             0x00000001  /* Look up unqualified names */
 #define LOOKUP_NAME_REMOTE               0x00000002  /* Ask others */
-#define LOOKUP_NAME_GROUP                0x00000004  /* (unused) This is a NASTY hack for
+#define LOOKUP_NAME_GROUP                0x00000004  /* This is a NASTY hack for
 							valid users = @foo where foo also
 							exists in as user. */
 #define LOOKUP_NAME_NO_NSS		 0x00000008  /* no NSS calls to avoid
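Review bot: The LOOKUP_NAME_GROUP comment drops "(unused)" but still describes the flag only as a hack, without saying what it now does in lookup_name(). Suggest `/* Resolve groups only: skip unix user lookups, for valid users = @foo where foo also exists as a user. */`, which also fixes the "exists in as user" wording. The LOOKUP_NAME_NO_NSS comment on the last line continues past the end of the hunk.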
-- 
2.5.0.rc2.392.g76e840b


From e55fddcdaaf2f799b72afcfb7b6c3dba32141b69 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 28 Jul 2015 11:28:20 -0700
Subject: [PATCH 2/2] tests: Add regression test for s3-passdb: Respect
 LOOKUP_NAME_GROUP flag in sid lookup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11320

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 selftest/target/Samba3.pm                | 30 ++++++++++++--
 source3/script/tests/test_valid_users.sh | 70 ++++++++++++++++++++++++++++++++
 source3/selftest/tests.py                |  1 +
 3 files changed, 97 insertions(+), 4 deletions(-)
 create mode 100755 source3/script/tests/test_valid_users.sh

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9af8faa..7ceb4fa 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -583,6 +583,9 @@ sub setup_fileserver($$)
 	my $dfree_share_dir="$share_dir/dfree";
 	push(@dirs, $dfree_share_dir);
 
+	my $valid_users_sharedir="$share_dir/valid_users";
+	push(@dirs,$valid_users_sharedir);
+
 	my $fileserver_options = "
 [lowercase]
 	path = $lower_case_share_dir
@@ -602,11 +605,14 @@ sub setup_fileserver($$)
 	path = $dfree_share_dir
 	comment = smb username is [%U]
 	dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
+[valid-users-access]
+	path = $valid_users_sharedir
+	valid users = +SAMBA-TEST/userdup
 	";
 
 	my $vars = $self->provision($path,
 				    "FILESERVER",
-				    "fileserver_secret",
+				    "fileserver",
 				    $fileserver_options,
 				    undef,
 				    undef,
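Review bot: The third argument to provision() changes from `"fileserver_secret"` to `"fileserver"` in this hunk, which the commit message does not mention and the new share does not obviously need. provision()'s parameter list is outside the hunk, so this is presumably the environment's password; if so, the change alters the credentials used by every existing fileserver test and should be reverted or explained in its own commit. The new section would also benefit from a comment line inside the smb.conf text, e.g. `# userdup exists as both a unix user and a unix group (bug 11320)`, since the test depends on that collision.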
@@ -656,6 +662,17 @@ sub setup_fileserver($$)
 		close $fh;
 	}
 
+	##
+	## create a listable file in valid_users_share
+	##
+        my $valid_users_target = "$valid_users_sharedir/foo";
+        unless (open(VALID_USERS_TARGET, ">$valid_users_target")) {
+                warn("Unable to open $valid_users_target");
+                return undef;
+        }
+        close(VALID_USERS_TARGET);
+        chmod 0644, $valid_users_target;
+
 	return $vars;
 }
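Review bot: The added block creates the file with a two-argument open on a bareword handle, `open(VALID_USERS_TARGET, ">$valid_users_target")`, where the mode is parsed out of an interpolated path; the context line just above already uses a lexical `$fh`. Prefer `unless (open(my $fh, '>', $valid_users_target)) {` with `close($fh);`, and include the reason in the warning: `warn("Unable to open $valid_users_target: $!");`. The chmod result is not checked, and these lines are indented with spaces while the rest of setup_fileserver uses tabs. setup_fileserver begins outside the hunk.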
 
@@ -1193,10 +1210,11 @@ sub provision($$$$$$$$)
 	##
 
 	my ($max_uid, $max_gid);
-	my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2);
+	my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2, $uid_userdup);
 	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
+	my ($gid_userdup);
 
-	if ($unix_uid < 0xffff - 4) {
+	if ($unix_uid < 0xffff - 5) {
 		$max_uid = 0xffff;
 	} else {
 		$max_uid = $unix_uid;
@@ -1206,8 +1224,9 @@ sub provision($$$$$$$$)
 	$uid_nobody = $max_uid - 2;
 	$uid_pdbtest = $max_uid - 3;
 	$uid_pdbtest2 = $max_uid - 4;
+	$uid_userdup = $max_uid - 5;
 
-	if ($unix_gids[0] < 0xffff - 5) {
+	if ($unix_gids[0] < 0xffff - 6) {
 		$max_gid = 0xffff;
 	} else {
 		$max_gid = $unix_gids[0];
@@ -1218,6 +1237,7 @@ sub provision($$$$$$$$)
 	$gid_root = $max_gid - 3;
 	$gid_domusers = $max_gid - 4;
 	$gid_domadmins = $max_gid - 5;
+	$gid_userdup = $max_gid - 6;
 
 	##
 	## create conffile
@@ -1488,6 +1508,7 @@ sub provision($$$$$$$$)
 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+userdup:x:$uid_userdup:$gid_userdup:userdup gecos:$prefix_abs:/bin/false
 ";
 	if ($unix_uid != 0) {
 		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -1504,6 +1525,7 @@ nogroup:x:$gid_nogroup:nobody
 $unix_name-group:x:$unix_gids[0]:
 domusers:X:$gid_domusers:
 domadmins:X:$gid_domadmins:
+userdup:x:$gid_userdup:$unix_name
 ";
 	if ($unix_gids[0] != 0) {
 		print GROUP "root:x:$gid_root:
diff --git a/source3/script/tests/test_valid_users.sh b/source3/script/tests/test_valid_users.sh
new file mode 100755
index 0000000..a7f9333
--- /dev/null
+++ b/source3/script/tests/test_valid_users.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# Blackbox test for valid users.
+#
+
+if [ $# -lt 7 ]; then
+cat <<EOF
+Usage: valid_users SERVER SERVER_IP DOMAIN USERNAME PASSWORD PREFIX SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER=${1}
+SERVER_IP=${2}
+DOMAIN=${3}
+USERNAME=${4}
+PASSWORD=${5}
+PREFIX=${6}
+SMBCLIENT=${7}
+shift 7
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+ADDARGS="$*"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+# Test listing a share with valid users succeeds
+test_valid_users_access()
+{
+    tmpfile=$PREFIX/smbclient.in.$$
+    prompt="foo"
+    cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD "//$SERVER/$1" -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+    rm -f $tmpfile
+
+    if [ $ret != 0 ] ; then
+        echo "$out"
+        echo "failed accessing share with valid users with error $ret"
+
+        false
+        return
+    fi
+
+    echo "$out" | grep "$prompt" >/dev/null 2>&1
+
+    ret=$?
+    if [ $ret = 0 ] ; then
+        # got the correct prompt .. succeed
+        true
+    else
+        echo "$out"
+        echo "failed listing share with valid users"
+        false
+    fi
+}
+
+testit "accessing a valid users share succeeds" \
+   test_valid_users_access valid-users-access || \
+   failed=`expr $failed + 1`
+
+exit $failed
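Review bot: test_valid_users_access covers only the allow path. It connects as $USERNAME (presumably the $unix_name that Samba3.pm adds to the userdup group) and checks that `foo` is listed. Because the fix changes how a `valid users` entry is resolved, a second case asserting that an account outside the group is refused on valid-users-access would catch a later change that makes the lookup too permissive. Separately, `eval echo "$cmd"` writes `-U$USERNAME%$PASSWORD` to the test log and re-parses the expanded values through the shell; that is acceptable for selftest credentials but deserves a comment. `$tmpfile` should be quoted in `cat > "$tmpfile"` and `rm -f "$tmpfile"`, and DOMAIN is assigned but never used.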
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 1833b9f..58f2190 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -177,6 +177,7 @@ for env in ["nt4_dc"]:
 for env in ["fileserver"]:
     plantestsuite("samba3.blackbox.preserve_case (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_preserve_case.sh"), '$SERVER', '$DOMAIN', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3])
     plantestsuite("samba3.blackbox.dfree_command (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_dfree_command.sh"), '$SERVER', '$DOMAIN', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3])
+    plantestsuite("samba3.blackbox.valid_users (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_valid_users.sh"), '$SERVER', '$SERVER_IP', '$DOMAIN', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3])
 
     #
     # tar command tests
-- 
2.5.0.rc2.392.g76e840b


