[PATCH] passdb: handle UPN in lookup_name correctly
Ralph Wuerthner
ralphw at de.ibm.com
Mon Feb 11 16:39:33 UTC 2019
Hi Andreas!
On 11.02.19 16:07, Andreas Schneider wrote:
> Hi Ralph,
>
>> Please see attached patchset:
>> The fix for Samba bugzilla 13312 (commit 1775ac8aa4) caused a regression
>> when looking up names in UPN notation: because winbind_lookup_name is
>> called with lp_workgroup as the domain name, the lookup now fails and
>> the SID for an unmapped Unix user is returned by lookup_name. Fixed by
>> calling winbind_lookup_name with an empty domain name in case the name
>> is in UPN notation.
>>
>> The patchset already passed a CI run:
>> https://gitlab.com/samba-team/devel/samba/pipelines/46689980
>
> Thanks for your contribution!
>
> Please use DBG_DEBUG() instead of DEBUG(10, ...)
>
> In lookup_upn() use a helper variable 'bool ok'. And check talloc_strdup() for
> NULL.
Thanks for your feedback! I prepared a new version of the patchset with
the following changes:
- using a helper variable in lookup_upn()
- use DBG_DEBUG() instead of DEBUG(10, ...)
I didn't add a NULL check for talloc_strdup() because there is already a
NULL check right after the ok: label. This check is used by other
sequence steps in lookup_name() too.
--
Regards
Ralph Wuerthner
From f7e909f98a2b0a5320519601c83660ec6e892d79 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Wed, 12 Dec 2018 11:26:10 +0100
Subject: [PATCH 1/3] passdb: Add debug code to print result of lookup_name query
Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
source3/passdb/lookup_sid.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 6bda783..ce2c20b 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -86,6 +86,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct dom_sid_buf buf;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
@@ -386,6 +387,11 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
return false;
}
+ DBG_DEBUG("lookup_name results: sid=%s domain=%s (%s)\n",
+ dom_sid_str_buf(&sid, &buf),
+ domain,
+ sid_type_lookup(type));
+
/*
* Hand over the results to the talloc context we've been given.
*/
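Review bot: the DBG_DEBUG() added before "Hand over the results" prints the resolved sid, domain and type but not the name that was looked up, so in a level-10 log with several interleaved lookups a result cannot be tied back to its query; include the input name in the format string, e.g. `DBG_DEBUG("lookup_name(%s) results: sid=%s domain=%s (%s)\n", name, ...`. Printing `domain` with `%s` is only safe because the NULL check after the ok: label precedes this point; keep the statement below that check if the tail of lookup_name() is ever reordered.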
--
2.7.4
From 7b2177765a187a927dc021786ae57617a02eef44 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Fri, 30 Nov 2018 17:32:51 +0100
Subject: [PATCH 2/3] passdb: handle UPN in lookup_name correctly
The fix for Samba bugzilla 13312 (commit 1775ac8aa4) caused a regression when
looking up names in UPN notation: because winbind_lookup_name is called with
lp_workgroup as the domain name, the lookup now fails and the SID for an
unmapped Unix user is returned by lookup_name.
Fixed by calling winbind_lookup_name with an empty domain name in case the
name is in UPN notation.
Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
source3/passdb/lookup_sid.c | 37 +++++++++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ce2c20b..ff8cef7 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -65,6 +65,20 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
return sid_compose(sid, &global_sid_Unix_Groups, grp->gr_gid);
}
+static bool lookup_upn(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct dom_sid *sid,
+ const char **domain,
+ enum lsa_SidType *type)
+{
+ if (!winbind_lookup_name("", name, sid, type)) {
+ return false;
+ }
+ *domain = talloc_strdup(mem_ctx, lp_workgroup());
+
+ return true;
+}
+
/*****************************************************************
Dissect a user-provided name into domain, name, sid and type.
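Review bot: lookup_upn() returns true even when talloc_strdup() fails, leaving `*domain` NULL for the caller to notice; a helper that reports success should check its own allocation (`if (*domain == NULL) { return false; }`) rather than rely on the NULL check after the ok: label in lookup_name(), which a future caller of this helper may not have. Separately, the domain is hard-wired to lp_workgroup() although the SID winbind returns for a UPN may belong to a trusted domain, so the domain/sid pair handed back can be inconsistent; derive the domain name from the returned SID instead (the third patch in this series does that, so consider folding it in here).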
@@ -315,10 +329,25 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* If we are not a DC, we have to ask in our primary domain. Let
* winbind do that. */
- if (!IS_DC &&
- (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
- domain = talloc_strdup(tmp_ctx, lp_workgroup());
- goto ok;
+ if (!IS_DC) {
+ if (strchr_m(name, '@')) {
+ /* UPN */
+ if (lookup_upn(tmp_ctx,
+ name,
+ &sid,
+ &domain,
+ &type)) {
+ goto ok;
+ }
+ } else {
+ if (winbind_lookup_name(lp_workgroup(),
+ name,
+ &sid,
+ &type)) {
+ domain = talloc_strdup(tmp_ctx, lp_workgroup());
+ goto ok;
+ }
+ }
}
/* 9. Trusted domains */
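Review bot: the `strchr_m(name, '@')` test sends every name containing '@' down the UPN path with no fallback to `winbind_lookup_name(lp_workgroup(), ...)` when lookup_upn() fails; before this change such a name was still tried against the primary domain, so a plain account name that happens to contain '@' now skips step 8 and falls straight through to the trusted-domain lookup. If that is intended, say so in the commit message; otherwise fall back to the workgroup lookup when lookup_upn() returns false. The comment above the block ("we have to ask in our primary domain") no longer describes the UPN branch and should mention it.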
--
2.7.4
From 014426ebc5861cd891d89b5e0d24928fb930de81 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Thu, 7 Feb 2019 13:06:17 +0100
Subject: [PATCH 3/3] passdb: query domain name when looking up UPN names
The user could be a member of a different domain, so query the domain name.
Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
source3/passdb/lookup_sid.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ff8cef7..1a020e8 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -71,12 +71,22 @@ static bool lookup_upn(TALLOC_CTX *mem_ctx,
const char **domain,
enum lsa_SidType *type)
{
+ struct dom_sid *domain_sid = NULL;
+ enum lsa_SidType tmp;
+ NTSTATUS status;
+ bool ok;
+
if (!winbind_lookup_name("", name, sid, type)) {
return false;
}
- *domain = talloc_strdup(mem_ctx, lp_workgroup());
+ status = dom_sid_split_rid(mem_ctx, sid, &domain_sid, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
- return true;
+ ok = winbind_lookup_sid(mem_ctx, domain_sid, domain, NULL, &tmp);
+
+ return ok;
}
/*****************************************************************
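Review bot: the type that winbind_lookup_sid() stores in `tmp` is discarded, so lookup_upn() accepts whatever name winbind returns for the split-off domain SID without confirming it is a domain (SID_NAME_DOMAIN); check it and return false otherwise, and give the variable a descriptive name such as `domain_type`. This also adds a second winbind round trip on every UPN lookup; comparing `domain_sid` with the primary domain SID first and using lp_workgroup() in that case would keep the common case at one call. `domain_sid` is allocated on mem_ctx (the caller's tmp_ctx) and never released here, which is fine because the caller frees tmp_ctx, but a short comment saying so would help.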
--
2.7.4