wbclient: fix wbcLookupName with UPN

Isaac Boukris iboukris at gmail.com
Thu Feb 22 21:57:33 UTC 2018


Hi Stefan,

On Thu, Feb 22, 2018 at 3:12 PM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Isaac,
>
>> The attached patch fixes the case where the UPN differs from
>> user@domain (both components can be different).
>> It works fine even when empty domain is specified.
>
> I think your patch will only work on a domain member server,
> as there the find_lookup_domain_from_name() within wb_lookupname_send()
> will always return our primary domain.

Correct.

> But on a DC an empty domain string doesn't allow to find the domain.

I wonder, can't we just assume our own domain on a DC as well?

I am now testing Samba DC, and if I add the below then it works fine
(didn't try make test yet though).

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 6292cce..e842bf7 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1506,7 +1506,7 @@ struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name)

                domain = find_domain_from_name_noinit(domain_name);
                if (domain == NULL) {
-                       return NULL;
+                       return find_our_domain();
                }

                if (domain->secure_channel_type != SEC_CHAN_NULL) {
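Review bot: the fallback applies to every name that find_domain_from_name_noinit() cannot resolve, not only to the empty domain string that the UPN case produces. With `return find_our_domain();` replacing `return NULL;`, a lookup for a genuinely unknown or untrusted domain name would be answered from our own domain instead of failing with WBC_ERR_DOMAIN_NOT_FOUND, and on a member server the same change would silently redirect unknown domains to the primary domain. Limit the fallback to the UPN case, e.g. `if (domain_name[0] == '\0') return find_our_domain(); return NULL;`, or pass the namespace explicitly as proposed further down the thread, so the caller can tell "no domain given" apart from "domain not found". The following `secure_channel_type != SEC_CHAN_NULL` check then still sees only real domain objects.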


I am testing by changing the LHS of the UPN with ldbedit, I have:
[root@kdc samba]# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=isaac' samaccountname userprincipalname
...
dn: CN=isaac,CN=Users,DC=example,DC=com
sAMAccountName: isaac
userPrincipalName: frenche@example.com

Without the above patches, UPN fails:
[root@kdc samba]# /usr/local/samba/bin/wbinfo -n frenche@EXAMPLE.COM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name frenche@EXAMPLE.COM

While with the patch, both work (!)
[root@kdc samba]# /usr/local/samba/bin/wbinfo -n frenche@EXAMPLE.COM
S-1-5-21-3376658501-3233206578-3056392530-1104 SID_USER (1)
[root@kdc samba]# /usr/local/samba/bin/wbinfo -n isaac@EXAMPLE.COM
S-1-5-21-3376658501-3233206578-3056392530-1104 SID_USER (1)

I didn't test changing the suffix; not sure how I can add a UPN suffix
in Samba, maybe I'll add a child domain somehow.

> Maybe we need to add an additional parameter to wb_lookupname_send()
> to indicate the namespace.
>
> struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
>                                       struct tevent_context *ev,
>                                       const char *namespace,
>                                       const char *dom_name,
>                                       const char *name,
>                                       uint32_t flags)
>
>
> The namespace is either the domain name or the part after the @,
> it would be passed to find_lookup_domain_from_name()

On AD one can have more than one UPN suffix, either by having a child
domain or by explicitly adding a suffix, like 'abc'.
Then it's possible to have a user-a@abc on domain A, and at the same
time a user-b@abc on domain B (I guess this means GC connectivity is
needed for the DC, I think I might have read it as well).

So perhaps we should not try to interpret it as a domain component,
but try to defer it somehow to the DC who would call something like
GetUserLogonInfoByUPNOrAccountName() (maybe with a fallback to
treating it as domain, guessing it should be similar to nt-enterprise
name "3.3.5.6.1 Client Principal Lookup" in MS-KILE).

> The attached patch might be a start for this, but I think
> should unify the logic in parse_domain_user() and also pass a namespace
> to it.

Sorry, which commit from it?

> Then we also need some simple tests for it.

Sure.
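The lookup order discussed above (the part after '@' is a namespace, not necessarily a domain; an exact UPN match across the forest comes first, with a fallback to suffix-as-domain plus LHS-as-sAMAccountName), as an added stand-alone example that is not Samba code and not part of the original thread. The forest, users, UPN suffix "abc" and SIDs are constructed for illustration; the function names `toy_lookup_name`, `find_domain` and `lookup_sam` are hypothetical and do not correspond to winbindd APIs.

```c
/* Added example, not Samba code: toy name resolver showing why a UPN
 * suffix must not be interpreted as a domain name, and the fallback order
 * described in the thread. All data below is constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

struct toy_user {
    const char *sam_account_name;  /* sAMAccountName */
    const char *upn;               /* userPrincipalName; both sides of '@' may differ */
    const char *sid;
};

struct toy_domain {
    const char *name;              /* domain name, also accepted as a UPN suffix */
    const struct toy_user *users;
    size_t nusers;
};

/* Constructed sample forest: two domains sharing the explicit UPN suffix "abc". */
static const struct toy_user domain_a_users[] = {
    { "isaac", "frenche@example.com", "S-1-5-21-1-1-1-1104" },
    { "usera", "user-a@abc",          "S-1-5-21-1-1-1-1105" },
};
static const struct toy_user domain_b_users[] = {
    { "userb", "user-b@abc",          "S-1-5-21-2-2-2-1106" },
};
static const struct toy_domain forest[] = {
    { "EXAMPLE.COM",       domain_a_users, 2 },
    { "CHILD.EXAMPLE.COM", domain_b_users, 1 },
};
#define NDOMAINS (sizeof(forest) / sizeof(forest[0]))

/* sAMAccountName lookup inside one domain (hypothetical helper). */
static const char *lookup_sam(const struct toy_domain *d, const char *name)
{
    for (size_t i = 0; i < d->nusers; i++)
        if (strcasecmp(d->users[i].sam_account_name, name) == 0)
            return d->users[i].sid;
    return NULL;
}

/* Domain by name; NULL when unknown, no silent fallback to "our" domain. */
static const struct toy_domain *find_domain(const char *name)
{
    for (size_t i = 0; i < NDOMAINS; i++)
        if (strcasecmp(forest[i].name, name) == 0)
            return &forest[i];
    return NULL;
}

/* Resolve "DOMAIN\user" or "user@namespace" to a SID string, NULL if unknown.
 * For '@' names: 1) exact UPN match anywhere in the forest (what a GC-backed
 * lookup would answer), 2) fallback: suffix as domain, LHS as sAMAccountName. */
static const char *toy_lookup_name(const char *input)
{
    char lhs[256];
    const char *sep;
    size_t n;

    if ((sep = strchr(input, '\\')) != NULL) {
        n = (size_t)(sep - input);
        if (n >= sizeof(lhs)) return NULL;
        memcpy(lhs, input, n); lhs[n] = '\0';
        const struct toy_domain *d = find_domain(lhs);
        return d ? lookup_sam(d, sep + 1) : NULL;
    }
    if ((sep = strchr(input, '@')) == NULL)
        return NULL;  /* bare name without a namespace: not decided here */

    for (size_t i = 0; i < NDOMAINS; i++)
        for (size_t j = 0; j < forest[i].nusers; j++)
            if (strcasecmp(forest[i].users[j].upn, input) == 0)
                return forest[i].users[j].sid;

    n = (size_t)(sep - input);
    if (n >= sizeof(lhs)) return NULL;
    memcpy(lhs, input, n); lhs[n] = '\0';
    const struct toy_domain *d = find_domain(sep + 1);
    return d ? lookup_sam(d, lhs) : NULL;
}

int main(void)
{
    const char *names[] = { "frenche@EXAMPLE.COM", "isaac@EXAMPLE.COM",
                            "user-a@abc", "user-b@abc", "nobody@EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *sid = toy_lookup_name(names[i]);
        printf("%-22s -> %s\n", names[i], sid ? sid : "not found");
    }
    return 0;
}
```

Both "frenche@EXAMPLE.COM" (exact UPN) and "isaac@EXAMPLE.COM" (fallback) resolve to the same SID, mirroring the two wbinfo runs above, while "user-a@abc" and "user-b@abc" land in different domains even though they share a suffix, which is exactly what a suffix-to-domain mapping cannot express.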
