[PATCH] Fix bug #11555 - lookup_names() looks up qualified names as unqualified.

Jeremy Allison jra at samba.org
Wed Oct 14 23:32:55 UTC 2015


This was an interesting one found by Justin @ Netgear
who had "winbind use default domain" set on a machine
that was standalone :-).

Justin confirmed the fix works for him.

Passes a local make test (which took a while and a couple
of extra changes to get it to pass, showing we're testing
the codepaths here in standalone, NT and AD-DC mode :-).

Please review + push if happy !

Jeremy.
-------------- next part --------------
From 04fe78b0f387e815053aa1cf4995a366a9e4331d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 13:30:16 -0700
Subject: [PATCH 1/3] s3: lsa: lookup_name() needs to check if an explicit "NT
 Authority" is given as a domain before falling back to unqualified name
 lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/passdb/lookup_sid.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3f99ee1..3976ded 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -140,6 +140,20 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 		return false;
 	}
 
+	/*
+	 * The only wellknown name with a non-null domain
+	 * component is "NT Authority", so check that before
+	 * failing if we're given an explicit "NT Authority" domain.
+	 */
+
+	if ((flags & LOOKUP_NAME_WKN) &&
+	    strequal(domain, "NT Authority")) {
+		if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+			type = SID_NAME_WKN_GRP;
+			goto ok;
+		}
+	}
+
 	if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
 		TALLOC_FREE(tmp_ctx);
 		return false;
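Review bot: In the new LOOKUP_NAME_WKN block, a failed lookup_wellknown_name() for an explicit "NT Authority" domain simply falls through. In this patch on its own, the following check, (domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED)), does not reject a non-empty domain, so the "before failing" in the comment only becomes true once 2/3 is applied. Either state in the commit message that this is preparation for 2/3, or fail explicitly inside the block (TALLOC_FREE(tmp_ctx); return false;) when the well-known lookup misses, so that each commit behaves correctly when bisecting. A short remark on why SID_NAME_WKN_GRP is the right type for every name that can match here would also help, since the type is hard-coded for all hits.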
-- 
2.6.0.rc2.230.g3dd15c0


From 658846f0abf7fa63d9575db86b573baf8ec17fdb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 11:06:53 -0700
Subject: [PATCH 2/3] s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
 component) names is incorrect.

Change so we only use unqualified name lookup logic if
domain component = "" and LOOKUP_NAME_ISOLATED flag is
passed in.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/passdb/lookup_sid.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3976ded..d89dfed 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -154,7 +154,13 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
+	/*
+	 * If we were given an explicit domain component,
+	 * or we're told not to look up 'isolated' names
+	 * with no domain component then we're done.
+	 */
+
+	if ((domain[0] != '\0') || (!(flags & LOOKUP_NAME_ISOLATED))) {
 		TALLOC_FREE(tmp_ctx);
 		return false;
 	}
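Review bot: The early return at if ((domain[0] != '\0') || (!(flags & LOOKUP_NAME_ISOLATED))) is only safe if every legitimate qualified domain has already been matched and has jumped to ok above this line. The hunk context shows only the "NT Authority" case, so please confirm that no qualified lookup is handled below this point, because it would now be unreachable. The comment would be clearer if it said the lookup fails rather than "we're done", and if it gave the reason: a qualified name that matched nothing above must not be retried as an unqualified one. Since 3/3 shows these lookups feeding "valid users", that reason is an access-control one and is worth recording next to the check.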
-- 
2.6.0.rc2.230.g3dd15c0


From c84255a9538e5767fac1fca1cea333a4beb928d7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 11:20:08 -0700
Subject: [PATCH 3/3] s3: test: Fix standalone valid users fileserver test.

Test was originally added for bug #11320. At the time
I remarked the only way I could get this to reproduce
the issue was to use "+WORKGROUP\userdup" instead of
just "+userdup" (which was the actual problem reported),
but I didn't investigate enough to discover the underlying
problem which is actually bug:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

(lookup_names() logic for unqualified (no DOMAIN\
component) names is incorrect). On a standalone
fileserver "WORKGROUP\name" should not resolve,
but "NETBIOS-NAME\name" and just "name" should.

This corrects the test now that lookups for unqualified
names are now being done correctly.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 selftest/target/Samba3.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de4346e..15423fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -608,7 +608,7 @@ sub setup_fileserver($$)
 	dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
 [valid-users-access]
 	path = $valid_users_sharedir
-	valid users = +SAMBA-TEST/userdup
+	valid users = +userdup
 	";
 
 	my $vars = $self->provision($path,
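Review bot: Replacing "valid users = +SAMBA-TEST/userdup" with "+userdup" leaves only the unqualified case under test, while the commit message states three behaviours: "WORKGROUP\name" must not resolve, and "NETBIOS-NAME\name" and plain "name" must. Consider keeping a second share with the workgroup-qualified form and asserting that access is denied, plus one with the NetBIOS-name-qualified form asserting access is granted, so the fix in 2/3 has a negative test guarding against regression. The message refers to "+WORKGROUP\userdup" while the removed line uses SAMBA-TEST with a forward slash; a word confirming that SAMBA-TEST is the workgroup in this environment would remove the ambiguity.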
-- 
2.6.0.rc2.230.g3dd15c0


