[PATCH] passdb: handle UPN in lookup_name correctly

Ralph Wuerthner ralphw at de.ibm.com
Mon Feb 11 16:39:33 UTC 2019 

Hi Andreas!

On 11.02.19 16:07, Andreas Schneider wrote:

> Hi Ralph,
>   
>> Please see attached patchset:
>> The fix for Samba bugzilla 13312 (commit 1775ac8aa4) caused a regression
>> when looking up names in UPN notation: Because winbind_lookup_name is
>> called with lp_workgroup as domain name the lookup is now failing and
>> the SID for an unmapped Unix user is returned by lookup_name. Fixed by
>> calling winbind_lookup_name with an empty domain name in case the name
>> is in UPN notation.
>>
>> The patchset already passed a CI run:
>> https://gitlab.com/samba-team/devel/samba/pipelines/46689980
> 
> Thanks for your contribution!
> 
> Please use DGB_DEBUG() instead of DEBUG(10, ...)
> 
> In lookup_upn() use a helper variable 'bool ok'. And check talloc_strdup() for
> NULL.

Thanks for your feedback! I prepared a new version of the patchset with 
the following changes:
- using a helper variable in lookup_upn()
- use DBG_DEBUG() instead of DEBUG(10, ...)

I didn't add a NULL check for talloc_strdup() because there is already a 
NULL check right after the ok: label. This check is used by other 
sequence steps in lookup_name() too.

-- 
Regards

    Ralph Wuerthner
-------------- next part --------------
From f7e909f98a2b0a5320519601c83660ec6e892d79 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Wed, 12 Dec 2018 11:26:10 +0100
Subject: [PATCH 1/3] passdb: Add debug code to print result of lookup_name
 query

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
 source3/passdb/lookup_sid.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 6bda783..ce2c20b 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -86,6 +86,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 	struct dom_sid sid;
 	enum lsa_SidType type;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	struct dom_sid_buf buf;
 
 	if (tmp_ctx == NULL) {
 		DEBUG(0, ("talloc_new failed\n"));
@@ -386,6 +387,11 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 		return false;
 	}
 
+	DBG_DEBUG("lookup_name results: sid=%s domain=%s (%s)\n",
+		  dom_sid_str_buf(&sid, &buf),
+		  domain,
+		  sid_type_lookup(type));
+
 	/*
 	 * Hand over the results to the talloc context we've been given.
 	 */
-- 
2.7.4


From 7b2177765a187a927dc021786ae57617a02eef44 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Fri, 30 Nov 2018 17:32:51 +0100
Subject: [PATCH 2/3] passdb: handle UPN in lookup_name correctly

The fix for Samba bugzilla 13312 (commit 1775ac8aa4) caused a regression when
looking up names in UPN notation: Because winbind_lookup_name is called with
lp_workgroup as domain name the lookup is now failing and the SID for an
unmapped Unix user is returned by lookup_name.
Fixed by calling winbind_lookup_name with an empty domain name in case the
name is in UPN notation.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
 source3/passdb/lookup_sid.c | 37 +++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ce2c20b..ff8cef7 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -65,6 +65,20 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
 	return sid_compose(sid, &global_sid_Unix_Groups, grp->gr_gid);
 }
 
+static bool lookup_upn(TALLOC_CTX *mem_ctx,
+		       const char *name,
+		       struct dom_sid *sid,
+		       const char **domain,
+		       enum lsa_SidType *type)
+{
+	if (!winbind_lookup_name("", name, sid, type)) {
+		return false;
+	}
+	*domain = talloc_strdup(mem_ctx, lp_workgroup());
+
+	return true;
+}
+
 /*****************************************************************
  Dissect a user-provided name into domain, name, sid and type.
 
@@ -315,10 +329,25 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 	/* If we are not a DC, we have to ask in our primary domain. Let
 	 * winbind do that. */
 
-	if (!IS_DC &&
-	    (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
-		domain = talloc_strdup(tmp_ctx, lp_workgroup());
-		goto ok;
+	if (!IS_DC) {
+		if (strchr_m(name, '@')) {
+			/* UPN */
+			if (lookup_upn(tmp_ctx,
+				       name,
+				       &sid,
+				       &domain,
+				       &type)) {
+				goto ok;
+			}
+		} else {
+			if (winbind_lookup_name(lp_workgroup(),
+						name,
+						&sid,
+						&type)) {
+			domain = talloc_strdup(tmp_ctx, lp_workgroup());
+			goto ok;
+			}
+		}
 	}
 
 	/* 9. Trusted domains */
-- 
2.7.4


From 014426ebc5861cd891d89b5e0d24928fb930de81 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Thu, 7 Feb 2019 13:06:17 +0100
Subject: [PATCH 3/3] passdb: query domain name when looking up UPN names

The user could be member of a different domain, so query the domain name.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
---
 source3/passdb/lookup_sid.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ff8cef7..1a020e8 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -71,12 +71,22 @@ static bool lookup_upn(TALLOC_CTX *mem_ctx,
 		       const char **domain,
 		       enum lsa_SidType *type)
 {
+	struct dom_sid *domain_sid = NULL;
+	enum lsa_SidType tmp;
+	NTSTATUS status;
+	bool ok;
+
 	if (!winbind_lookup_name("", name, sid, type)) {
 		return false;
 	}
-	*domain = talloc_strdup(mem_ctx, lp_workgroup());
+	status = dom_sid_split_rid(mem_ctx, sid, &domain_sid, NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		return false;
+	}
 
-	return true;
+	ok = winbind_lookup_sid(mem_ctx, domain_sid, domain, NULL, &tmp);
+
+	return ok;
 }
 
 /*****************************************************************
-- 
2.7.4

More information about the samba-technical mailing list