[PATCH] Fix for bug 12164

Stefan Metzmacher metze at samba.org
Wed Nov 28 13:17:16 UTC 2018

On 28.11.18 at 12:51, Ralph Böhme via samba-technical wrote:
> Hi!
> Attached is a fix for bug 12164.
> Fixes lookupnames in winbindd for names in the "NT Authority" domain.

find_lookup_domain_from_sid() already has something similar
using sid_check_is_wellknown_domain() from source3/lib/util_wellknown.c.
Maybe we want to add a new function there for now.

In both cases I think it should be routed to the "BUILTIN" domain
instead of the passdb domain.

The same applies to "NT Pseudo Domain", "Internet$" and
"Mandatory Label". Maybe we should have a helper function
that checks predefined_domains[] in libcli/security/util_sid.c

Or we remove source3/lib/util_wellknown.c and use the more up to
date table from libcli/security/util_sid.c, which matches the
[MS-LSAT] Predefined Translation Database and Corresponding View.

I just checked that S-1-2-1 (\CONSOLE LOGON) is missing in MS-LSAT and

But Windows 2008R2 already has it:
metze at SERNOX14:~/devel/samba/4.0/master4-test$ rpcclient -W W4EDOM-L4
-Uadministrator%A1b2C3d4 ncacn_np:w2008r2-133.w4edom-l4.base -c
'lookupsids S-1-2-1'
S-1-2-1 \CONSOLE LOGON (5)
metze at SERNOX14:~/devel/samba/4.0/master4-test$ rpcclient -W W4EDOM-L4
-Uadministrator%A1b2C3d4 ncacn_np:w2008r2-133.w4edom-l4.base -c
'lookupnames "CONSOLE LOGON"'
CONSOLE LOGON S-1-2-1 (Well-known Group: 5)

It was added in 2009 to [MS-DTYP] (v20090114) and [MS-ADTS] (v20090630),
but it wasn't added to MS-LSAT.

This commit added it to Samba:

commit 53ad886f75f189a7c865acf455398c3f3ce38111
Author: Christian Ambach <ambi at samba.org>
Date:   Thu Sep 1 16:09:01 2011 +0200

    security: add local authority well-known SIDs

    add the S-1-2 well-known SID family

    Autobuild-User: Christian Ambach <ambi at samba.org>
    Autobuild-Date: Thu Nov 24 19:01:08 CET 2011 on sn-devel-104

