cli_credentials_parse_name... (Re: [SCM] Samba Shared Repository - branch master updated)

Stefan Metzmacher metze at samba.org
Wed Nov 4 16:59:56 UTC 2020


Am 04.11.20 um 17:24 schrieb Alexander Bokovoy:
> The branch, master has been updated
>        via  f9016912098 lookup_name: allow lookup for own realm
>        via  00f4262ed0b cli_credentials: add a helper to parse user or group names
>        via  eb0474d27ba cli_credentials_parse_string: fix parsing of principals
>       from  a1b021200e3 selftest: add test for new "samba-tool user unlock" command
> 
> https://git.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit f901691209867b32c2d7c5c9274eee196f541654
> Author: Alexander Bokovoy <ab at samba.org>
> Date:   Wed Nov 4 14:21:33 2020 +0200
> 
>     lookup_name: allow lookup for own realm
>     
>     When using a security tab in Windows Explorer, a lookup over a trusted
>     forest might come as realm\name instead of NetBIOS domain name:
>     
>     --------------------------------------------------------------------
>     [2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>            lsa_LookupNames3: struct lsa_LookupNames3
>               in: struct lsa_LookupNames3
>                   handle                   : *
>                       handle: struct policy_handle
>                           handle_type              : 0x00000000 (0)
>                           uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
>                   num_names                : 0x00000001 (1)
>                   names: ARRAY(1)
>                       names: struct lsa_String
>                           length                   : 0x001e (30)
>                           size                     : 0x0020 (32)
>                           string                   : *
>                               string                   : 'ipa.test\admins'
>                   sids                     : *
>                       sids: struct lsa_TransSidArray3
>                           count                    : 0x00000000 (0)
>                           sids                     : NULL
>                   level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
>                   count                    : *
>                       count                    : 0x00000000 (0)
>                   lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
>                   client_revision          : LSA_CLIENT_REVISION_2 (2)
>
> ...
>
> diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
> index d2d3d30d73d..38550d6ecf9 100644
> --- a/auth/credentials/tests/test_creds.c
> +++ b/auth/credentials/tests/test_creds.c
> @@ -187,7 +187,7 @@ static void torture_creds_parse_string(void **state)
>  	assert_string_equal(creds->domain, "");
>  	assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
>  
> -	assert_string_equal(creds->username, "wurst at brot.realm");
> +	assert_string_equal(creds->username, "wurst");
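
Review bot: the changed assertion in torture_creds_parse_string() inverts an existing expectation instead of adding a new case, so the test no longer pins the previous result for this input. The unchanged context lines still assert that creds->domain is "" with CRED_SPECIFIED, so the expected username "wurst" has lost the "brot.realm" part and nothing visible in this hunk asserts where that part ends up. Either keep the original username assertion and cover the new behaviour in a separate test, or add explicit assertions and a comment for the field meant to carry the stripped suffix, so that callers needing the full name can be checked against it.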

I'm sorry but this is wrong!
I'm wondering why this wasn't covered by any high level test.

This needs to result in domain="" and username="wurst at brot.realm"
and that's exactly what we need to use for NTLMSSP.
Also note that "brot.realm" may not be a realm and "wurst" may not
be a sAMAccountName. A userPrincipalName can be anything at anydomain-of-msDS-SPNSuffixes.

I fear we need to revert these changes.
From the merge request (https://gitlab.com/samba-team/samba/-/merge_requests/1658),
I didn't really look at the whole patchset (with behavior change);
I only focused on CRED_NO_PASSWORD.

I think we need the logic we have in wb_irpc_lsa_LookupNames4_call() and/or parse_domain_user() here.

metze
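
A sketch of the parsing result the reply asks for, as an added example that is not Samba's code and not part of the original message. The function `parse_name_for_ntlmssp` and the struct `parsed_name` are hypothetical names, only the backslash separator is handled, and the sample names are written with a literal `@` where the list archive shows " at ".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this illustration; not a Samba structure. */
struct parsed_name {
	char domain[256];
	char username[256];
};

/*
 * Split "DOMAIN\user" at the first backslash. Anything without a backslash,
 * including "user@suffix", is kept whole as the username with an empty
 * domain, because the part after '@' need not be a realm and the part
 * before it need not be a sAMAccountName.
 * Returns 0 on success, -1 if the username is empty or a component
 * does not fit into its buffer.
 */
int parse_name_for_ntlmssp(const char *in, struct parsed_name *out)
{
	const char *sep = strchr(in, '\\');
	size_t dlen = sep ? (size_t)(sep - in) : 0;
	const char *user = sep ? sep + 1 : in;
	size_t ulen = strlen(user);

	if (ulen == 0 || ulen >= sizeof(out->username) ||
	    dlen >= sizeof(out->domain)) {
		return -1;
	}
	memcpy(out->domain, in, dlen);
	out->domain[dlen] = '\0';
	memcpy(out->username, user, ulen + 1);
	return 0;
}

int main(void)
{
	/* Constructed inputs based on the names quoted in the thread. */
	const char *samples[] = { "ipa.test\\admins", "wurst@brot.realm", "wurst" };
	struct parsed_name p;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (parse_name_for_ntlmssp(samples[i], &p) == 0) {
			printf("%-18s -> domain=\"%s\" username=\"%s\"\n",
			       samples[i], p.domain, p.username);
		}
	}
	return 0;
}
```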
