wbclient: fix wbcLookupName with UPN
Isaac Boukris
iboukris at gmail.com
Thu Feb 22 21:57:33 UTC 2018
Hi Stefan,
On Thu, Feb 22, 2018 at 3:12 PM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Isaac,
>
>> The attached patch fixes the case where the UPN differs from
>> user at domain (both components can be different).
>> It works fine even when empty domain is specified.
>
> I think your patch will only work on a domain member server,
> as there the find_lookup_domain_from_name() within wb_lookupname_send()
> will always return our primary domain.
Correct.
> But on a DC an empty domain string doesn't allow to find the domain.
I wonder, can't we just assume our own domain on a DC as well?
I am now testing samba DC, and if I add the below then it works fine
(didn't try make-test yet though).
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 6292cce..e842bf7 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1506,7 +1506,7 @@ struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name)
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
- return NULL;
+ return find_our_domain();
}
if (domain->secure_channel_type != SEC_CHAN_NULL) {
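Review bot: the fallback at `+ return find_our_domain();` applies to every name that find_domain_from_name_noinit() cannot resolve, not only to the empty-domain UPN case this hunk is meant to fix, so a lookup against a genuinely unknown domain name would now be answered from our own domain instead of failing with WBC_ERR_DOMAIN_NOT_FOUND. Consider restricting the fallback to the empty or NULL domain_name case, for example `if (domain_name == NULL || domain_name[0] == '\0') { return find_our_domain(); }` ahead of the lookup, and keeping `return NULL` for unknown non-empty names; a short comment explaining that an empty domain means "our domain" on a DC would also help the next reader of this function.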
I am testing by changing the LHS of the UPN with ldbedit, I have:
[root at kdc samba]# /usr/local/samba/bin/ldbsearch -H
/usr/local/samba/private/sam.ldb 'cn=isaac' samaccountname
userprincipalname
...
dn: CN=isaac,CN=Users,DC=example,DC=com
sAMAccountName: isaac
userPrincipalName: frenche at example.com
Without the above patches, UPN fails:
[root at kdc samba]# /usr/local/samba/bin/wbinfo -n frenche at EXAMPLE.COM
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name frenche at EXAMPLE.COM
While with the patch, both work (!)
[root at kdc samba]# /usr/local/samba/bin/wbinfo -n frenche at EXAMPLE.COM
S-1-5-21-3376658501-3233206578-3056392530-1104 SID_USER (1)
[root at kdc samba]# /usr/local/samba/bin/wbinfo -n isaac at EXAMPLE.COM
S-1-5-21-3376658501-3233206578-3056392530-1104 SID_USER (1)
I didn't test changing the suffix, not sure how I can add UPN suffix
in samba, maybe I'll add a child domain somehow.
> Maybe we need to add an additional parameter to wb_lookupname_send()
> to indicate the namespace.
>
> struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
> struct tevent_context *ev,
> const char *namespace,
> const char *dom_name,
> const char *name,
> uint32_t flags)
>
>
> The namespace is either the domain name or the part after the @,
> it would be passed to find_lookup_domain_from_name()
On AD one can have more than one UPN suffix, either by having a child
domain or by explicitly adding a suffix, like 'abc'.
Then it's possible to have a user-a at abc on domain A, and at the same
time a user-b at abc on domain B (I guess this means GC connectivity is
needed for the DC, I think I might have read it as well).
So perhaps we should not try to interpret it as a domain component,
but try to defer it somehow to the DC who would call something like
GetUserLogonInfoByUPNOrAccountName() (maybe with a fallback to
treating it as domain, guessing it should be similar to nt-enterprise
name "3.3.5.6.1 Client Principal Lookup" in MS-KILE).
> The attached patch might be a start for this, but I think
> should unify the logic in parse_domain_user() and also pass a namespace
> to it.
Sorry, which commit from it?
> Then we also need some simple tests for it.
Sure.