"NT Authority" mapping failures

Ralph Böhme slow at samba.org
Tue Nov 27 17:26:42 UTC 2018

Hi Jeremy,

I came across this ancient gem: :)


By chance, do you remember the reasoning for ignoring mapping failures with 
these two domains?

I'm asking because I just stumbled across that currently mapping users and 
groups from "NT Authority" fails. I discovered this (though I faintly remember I 
ran into this before) when modifying CI to run raw.acls tests against the 
enhanced vfs_nfs4acl_xattr module.

Most tests failed because lookupname "NT Authority/Authenticated Users" isn't 
working. I have a WIP patch to fix this (attached) and while poking around I 
came across the above commit that paves above such mapping failures in the 
posix_acls.c code.

Thoughts? :)


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
-------------- next part --------------
From f4663336ad11e8507ec771f91d0820fbebc91ab2 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Tue, 27 Nov 2018 17:05:58 +0100
Subject: [PATCH] WIP: winbindd: handle "NT Authority"

Without this:

  $ bin/wbinfo -n "NT Authority/Authenticated Users"
  failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
  Could not lookup name NT Authority/Authenticated Users

  $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
  failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for group NT Authority/Authenticated Users

With the patch:

  $ bin/wbinfo -n "NT Authority/Authenticated Users"
  S-1-5-11 SID_WKN_GROUP (5)

  $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
  NT AUTHORITY/authenticated users:
 source3/winbindd/winbindd_util.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 090a90574ce..e4af81ea868 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1516,11 +1516,12 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
 	if ( strequal(domain_name, unix_users_domain_name() ) ||
-	     strequal(domain_name, unix_groups_domain_name() ) )
+	     strequal(domain_name, unix_groups_domain_name() ) ||
+	     strequal(domain_name, "NT Authority"))
-		 * The "Unix User" and "Unix Group" domain our handled by
-		 * passdb
+		 * The "Unix User", "Unix Group" and "NT Authority" domains our
+		 * handled by passdb
 		return find_domain_from_name_noinit( get_global_sam_name() );
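
Review bot: The added comparison `strequal(domain_name, "NT Authority")` hardcodes the domain name as a string literal, while the two comparisons next to it go through unix_users_domain_name() and unix_groups_domain_name(); defining the name once behind a similar accessor or constant would keep this check consistent with any other place that matches it. The rewritten comment also carries over the typo "our handled by", which should read "are handled by". The diffstat shows only winbindd_util.c changed, so before this leaves WIP it would be worth adding a test that covers the two wbinfo lookups quoted in the commit message.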
