cli_credentials_parse_name... (Re: [SCM] Samba Shared Repository - branch master updated)
Alexander Bokovoy
ab at samba.org
Wed Nov 4 17:23:20 UTC 2020
On ke, 04 marras 2020, Stefan Metzmacher wrote:
> Am 04.11.20 um 17:24 schrieb Alexander Bokovoy:
> > The branch, master has been updated
> > via f9016912098 lookup_name: allow lookup for own realm
> > via 00f4262ed0b cli_credentials: add a helper to parse user or group names
> > via eb0474d27ba cli_credentials_parse_string: fix parsing of principals
> > from a1b021200e3 selftest: add test for new "samba-tool user unlock" command
> >
> > https://git.samba.org/?p=samba.git;a=shortlog;h=master
> >
> >
> > - Log -----------------------------------------------------------------
> > commit f901691209867b32c2d7c5c9274eee196f541654
> > Author: Alexander Bokovoy <ab at samba.org>
> > Date: Wed Nov 4 14:21:33 2020 +0200
> >
> > lookup_name: allow lookup for own realm
> >
> > When using a security tab in Windows Explorer, a lookup over a trusted
> > forest might come as realm\name instead of NetBIOS domain name:
> >
> > --------------------------------------------------------------------
> > [2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> > lsa_LookupNames3: struct lsa_LookupNames3
> > in: struct lsa_LookupNames3
> > handle : *
> > handle: struct policy_handle
> > handle_type : 0x00000000 (0)
> > uuid : 0000000e-0000-0000-1c5e-a750e5810000
> > num_names : 0x00000001 (1)
> > names: ARRAY(1)
> > names: struct lsa_String
> > length : 0x001e (30)
> > size : 0x0020 (32)
> > string : *
> > string : 'ipa.test\admins'
> > sids : *
> > sids: struct lsa_TransSidArray3
> > count : 0x00000000 (0)
> > sids : NULL
> > level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
> > count : *
> > count : 0x00000000 (0)
> > lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
> > client_revision : LSA_CLIENT_REVISION_2 (2)
> >
> > ...
> >
> > diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
> > index d2d3d30d73d..38550d6ecf9 100644
> > --- a/auth/credentials/tests/test_creds.c
> > +++ b/auth/credentials/tests/test_creds.c
> > @@ -187,7 +187,7 @@ static void torture_creds_parse_string(void **state)
> > assert_string_equal(creds->domain, "");
> > assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
> >
> > - assert_string_equal(creds->username, "wurst at brot.realm");
> > + assert_string_equal(creds->username, "wurst");
>
> I'm sorry but this is wrong!
> I'm wondering why this wasn't covered by any high level test.
>
> This needs to result in domain="" and username="wurst at brot.realm"
> and that's exactly what we need to use for NTLMSSP.
> Also note that "brot.realm" may not be a realm and "wurst" may not
> be a sAMAccountName. A userPrincipalName can be anything at anydomain-of-msDS-SPNSuffixes.
>
> I fear we need to revert these changes.
> From the merge request (https://gitlab.com/samba-team/samba/-/merge_requests/1658)
> I didn't really look at the whole patchset (with behavior change)
> I only focused on CRED_NO_PASSWORD.
>
> I think we need to logic we have in wb_irpc_lsa_LookupNames4_call() and/or parse_domain_user() here.
I'm pushing a revert for now and will look at those.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list