[PATCH] Fix bug #11555 - lookup_names() looks up qualified names as unqualified.
Jeremy Allison
jra at samba.org
Wed Oct 14 23:32:55 UTC 2015
This was an interesting one found by Justin @ Netgear
who had "winbind use default domain" set on a machine
that was standalone :-).
Justin confirmed the fix works for him.
Passes a local make test (which took a while and a couple
of extra changes to get it to pass, showing we're testing
the codepaths here in standalone, NT and AD-DC mode :-).
Please review + push if happy !
Jeremy.
-------------- next part --------------
From 04fe78b0f387e815053aa1cf4995a366a9e4331d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 13:30:16 -0700
Subject: [PATCH 1/3] s3: lsa: lookup_name() needs to check if an explicit "NT
Authority" is given as a domain before falling back to unqualified name
lookups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/passdb/lookup_sid.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3f99ee1..3976ded 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -140,6 +140,20 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
return false;
}
+ /*
+ * The only wellknown name with a non-null domain
+ * component is "NT Authority", so check that before
+ * failing if we're given an explicit "NT Authority" domain.
+ */
+
+ if ((flags & LOOKUP_NAME_WKN) &&
+ strequal(domain, "NT Authority")) {
+ if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+ type = SID_NAME_WKN_GRP;
+ goto ok;
+ }
+ }
+
if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
TALLOC_FREE(tmp_ctx);
return false;
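Review bot: in the new LOOKUP_NAME_WKN block, a failed lookup_wellknown_name() for an explicit "NT Authority" domain falls through instead of returning. With only this patch applied, the next check, `(domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))`, is false for a non-empty domain, so an unknown "NT Authority\name" is not rejected there; that is only closed by the condition change in 2/3. Either fail explicitly when the well-known lookup misses (TALLOC_FREE(tmp_ctx); return false;) or say in the commit message that 1/3 relies on 2/3, so the series stays safe to bisect. A short comment on why `type = SID_NAME_WKN_GRP` is correct for every name this call can resolve would also help.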
--
2.6.0.rc2.230.g3dd15c0
From 658846f0abf7fa63d9575db86b573baf8ec17fdb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 11:06:53 -0700
Subject: [PATCH 2/3] s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
component) names is incorrect.
Change so we only use unqualified name lookup logic if
domain component = "" and LOOKUP_NAME_ISOLATED flag is
passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/passdb/lookup_sid.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3976ded..d89dfed 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -154,7 +154,13 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
}
}
- if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
+ /*
+ * If we were given an explicit domain component,
+ * or we're told not to look up 'isolated' names
+ * with no domain component then we're done.
+ */
+
+ if ((domain[0] != '\0') || (!(flags & LOOKUP_NAME_ISOLATED))) {
TALLOC_FREE(tmp_ctx);
return false;
}
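Review bot: the comment above `if ((domain[0] != '\0') || (!(flags & LOOKUP_NAME_ISOLATED)))` says "we're done" but does not say why a qualified name must stop here. This is the line that keeps a DOMAIN\name that matched none of the earlier branches from being retried as a bare name, which is the behaviour bug #11555 describes and which matters wherever the result feeds an access decision such as "valid users". Please state that in the comment, and that everything below this point only runs with an empty domain and LOOKUP_NAME_ISOLATED set, so a later reordering of the branches does not reintroduce the fallback.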
--
2.6.0.rc2.230.g3dd15c0
From c84255a9538e5767fac1fca1cea333a4beb928d7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 14 Oct 2015 11:20:08 -0700
Subject: [PATCH 3/3] s3: test: Fix standalone valid users fileserver test.
Test was originally added for bug #11320. At the time
I remarked the only way I could get this to reproduce
the issue was to use "+WORKGROUP\userdup" instead of
just "+userdup" (which was the actual problem reported),
but I didn't investigate enough to discover the underlying
problem which is actually bug:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
(lookup_names() logic for unqualified (no DOMAIN\
component) names is incorrect). On a standalone
fileserver "WORKGROUP\name" should not resolve,
but "NETBIOS-NAME\name" and just "name" should.
This corrects the test now that lookups for unqualified
names are now being done correctly.
Signed-off-by: Jeremy Allison <jra at samba.org>
---
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de4346e..15423fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -608,7 +608,7 @@ sub setup_fileserver($$)
dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
[valid-users-access]
path = $valid_users_sharedir
- valid users = +SAMBA-TEST/userdup
+ valid users = +userdup
";
my $vars = $self->provision($path,
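Review bot: replacing `valid users = +SAMBA-TEST/userdup` with `valid users = +userdup` leaves only the unqualified form under test. The commit message states three expectations for a standalone fileserver ("WORKGROUP\name" must not resolve, "NETBIOS-NAME\name" and plain "name" must), but after this change the selftest exercises just the last one. Consider keeping a second share with the NETBIOS-NAME-qualified group and adding a negative case with a WORKGROUP-qualified group that is expected to deny access, so a regression in the qualified-name path from 2/3 is caught.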
--
2.6.0.rc2.230.g3dd15c0