rpms/samba
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Allow Windows to resolve IPA users and groups over LSA RPC

Browse Source 
Fixes: https://bugzilla.samba.org/show_bug.cgi?id=14091
This commit is contained in:
Alexander Bokovoy 2019-08-16 11:15:00 +03:00
parent 83f40a53eb
commit e9d6c3ff33
2 changed files with 657 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

650
samba-bz14091-v4.10-backport.patch Normal file
View File

@ -0,0 +1,650 @@
From 536df2c1070d516ab95ad96b606fcc1f92c3668d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Thu, 1 Aug 2019 21:08:52 +0300
Subject: [PATCH 1/3] torture/rpc/lsa: allow testing different lookup levels
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
---
source4/torture/rpc/lsa.c | 118 ++++++++++++++++++---------------
source4/torture/rpc/schannel.c | 2 +-
2 files changed, 67 insertions(+), 53 deletions(-)
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index bc1e9553039..b7dd0dc8c91 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -270,6 +270,7 @@ static bool test_OpenPolicy2_fail(struct dcerpc_binding_handle *b,
static bool test_LookupNames(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level,
struct lsa_TransNameArray *tnames)
{
struct lsa_LookupNames r;
@@ -302,7 +303,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
r.in.handle = handle;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.out.count = &count;
r.out.sids = &sids;
@@ -358,7 +359,8 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
- struct policy_handle *handle)
+ struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level)
{
struct lsa_LookupNames r;
struct lsa_TransSidArray sids;
@@ -377,7 +379,7 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
r.in.num_names = 1;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.out.count = &count;
r.out.sids = &sids;
@@ -398,7 +400,8 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
- struct policy_handle *handle)
+ struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level)
{
struct lsa_LookupNames r;
struct lsa_TransSidArray sids;
@@ -417,7 +420,7 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
r.in.num_names = 1;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.out.count = &count;
r.out.sids = &sids;
@@ -442,7 +445,8 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
- struct policy_handle *handle)
+ struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level)
{
struct lsa_TranslatedName name;
struct lsa_TransNameArray tnames;
@@ -454,45 +458,46 @@ static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
tnames.count = 1;
name.name.string = "NT AUTHORITY\\SYSTEM";
name.sid_type = SID_NAME_WKN_GRP;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
name.sid_type = SID_NAME_WKN_GRP;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "NT AUTHORITY\\Authenticated Users";
name.sid_type = SID_NAME_WKN_GRP;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
#if 0
name.name.string = "NT AUTHORITY";
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "NT AUTHORITY\\";
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
#endif
name.name.string = "BUILTIN\\";
name.sid_type = SID_NAME_DOMAIN;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "BUILTIN\\Administrators";
name.sid_type = SID_NAME_ALIAS;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "SYSTEM";
name.sid_type = SID_NAME_WKN_GRP;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
name.name.string = "Everyone";
name.sid_type = SID_NAME_WKN_GRP;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
return ret;
}
static bool test_LookupNames2(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level,
struct lsa_TransNameArray2 *tnames,
bool check_result)
{
@@ -525,7 +530,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
r.in.handle = handle;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -554,6 +559,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
static bool test_LookupNames3(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level,
struct lsa_TransNameArray2 *tnames,
bool check_result)
{
@@ -585,7 +591,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
r.in.handle = handle;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -613,6 +619,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
static bool test_LookupNames4(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
+ enum lsa_LookupNamesLevel level,
struct lsa_TransNameArray2 *tnames,
bool check_result)
{
@@ -644,7 +651,7 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
r.in.num_names = tnames->count;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -682,7 +689,8 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
}
static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
- struct torture_context *tctx)
+ struct torture_context *tctx,
+ enum lsa_LookupNamesLevel level)
{
struct lsa_LookupNames4 r;
struct lsa_TransSidArray3 sids;
@@ -701,7 +709,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
r.in.num_names = count;
r.in.names = names;
r.in.sids = &sids;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -749,6 +757,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
static bool test_LookupSids(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level,
struct lsa_SidArray *sids)
{
struct lsa_LookupSids r;
@@ -764,7 +773,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
r.in.handle = handle;
r.in.sids = sids;
r.in.names = &names;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.out.count = &count;
r.out.names = &names;
@@ -779,7 +788,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
torture_comment(tctx, "\n");
- if (!test_LookupNames(b, tctx, handle, &names)) {
+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
return false;
}
@@ -790,6 +799,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
static bool test_LookupSids2(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level,
struct lsa_SidArray *sids)
{
struct lsa_LookupSids2 r;
@@ -805,7 +815,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
r.in.handle = handle;
r.in.sids = sids;
r.in.names = &names;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -824,11 +834,11 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
torture_comment(tctx, "\n");
- if (!test_LookupNames2(b, tctx, handle, &names, false)) {
+ if (!test_LookupNames2(b, tctx, handle, level, &names, false)) {
return false;
}
- if (!test_LookupNames3(b, tctx, handle, &names, false)) {
+ if (!test_LookupNames3(b, tctx, handle, level, &names, false)) {
return false;
}
@@ -837,6 +847,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
static bool test_LookupSids3(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
+ enum lsa_LookupNamesLevel level,
struct lsa_SidArray *sids)
{
struct lsa_LookupSids3 r;
@@ -851,7 +862,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
r.in.sids = sids;
r.in.names = &names;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -880,7 +891,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
torture_comment(tctx, "\n");
- if (!test_LookupNames4(b, tctx, &names, true)) {
+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
return false;
}
@@ -889,6 +900,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
+ enum lsa_LookupNamesLevel level,
struct lsa_SidArray *sids)
{
struct lsa_LookupSids3 r;
@@ -904,7 +916,7 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
r.in.sids = sids;
r.in.names = &names;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &count;
r.in.lookup_options = 0;
r.in.client_revision = 0;
@@ -948,7 +960,8 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
bool test_many_LookupSids(struct dcerpc_pipe *p,
struct torture_context *tctx,
- struct policy_handle *handle)
+ struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level)
{
uint32_t count;
struct lsa_SidArray sids;
@@ -979,7 +992,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
r.in.handle = handle;
r.in.sids = &sids;
r.in.names = &names;
- r.in.level = 1;
+ r.in.level = level;
r.in.count = &names.count;
r.out.count = &count;
r.out.names = &names;
@@ -995,16 +1008,16 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
torture_comment(tctx, "\n");
- if (!test_LookupNames(b, tctx, handle, &names)) {
+ if (!test_LookupNames(b, tctx, handle, level, &names)) {
return false;
}
}
if (transport == NCACN_NP) {
- if (!test_LookupSids3_fail(b, tctx, &sids)) {
+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
return false;
}
- if (!test_LookupNames4_fail(b, tctx)) {
+ if (!test_LookupNames4_fail(b, tctx, level)) {
return false;
}
} else if (transport == NCACN_IP_TCP) {
@@ -1020,10 +1033,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
- if (!test_LookupSids3(b, tctx, &sids)) {
+ if (!test_LookupSids3(b, tctx, level, &sids)) {
return false;
}
- if (!test_LookupNames4(b, tctx, &names, true)) {
+ if (!test_LookupNames4(b, tctx, level, &names, true)) {
return false;
}
} else {
@@ -1031,10 +1044,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
* If we don't have a secure channel these tests must
* fail with ACCESS_DENIED.
*/
- if (!test_LookupSids3_fail(b, tctx, &sids)) {
+ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
return false;
}
- if (!test_LookupNames4_fail(b, tctx)) {
+ if (!test_LookupNames4_fail(b, tctx, level)) {
return false;
}
}
@@ -1066,7 +1079,8 @@ static void lookupsids_cb(struct tevent_req *subreq)
static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
struct torture_context *tctx,
- struct policy_handle *handle)
+ struct policy_handle *handle,
+ enum lsa_LookupNamesLevel level)
{
struct lsa_SidArray sids;
struct lsa_SidPtr sidptr;
@@ -1101,7 +1115,7 @@ static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
r[i].in.handle = handle;
r[i].in.sids = &sids;
r[i].in.names = &names[i];
- r[i].in.level = 1;
+ r[i].in.level = level;
r[i].in.count = &names[i].count;
r[i].out.count = &count[i];
r[i].out.names = &names[i];
@@ -1912,11 +1926,11 @@ static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
torture_assert_ntstatus_ok(tctx, r.out.result,
"EnumAccounts failed");
- if (!test_LookupSids(b, tctx, handle, &sids1)) {
+ if (!test_LookupSids(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
return false;
}
- if (!test_LookupSids2(b, tctx, handle, &sids1)) {
+ if (!test_LookupSids2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
return false;
}
@@ -4811,7 +4825,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
tnames.names[12].sid_type = SID_NAME_USER;
tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
tnames.names[13].sid_type = SID_NAME_USER;
- ret &= test_LookupNames(b, tctx, handle, &tnames);
+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
}
}
@@ -4977,7 +4991,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
ret = false;
}
- if (!test_many_LookupSids(p, tctx, handle)) {
+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
@@ -4998,7 +5012,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
ret = false;
}
- if (!test_LookupSids_async(b, tctx, handle)) {
+ if (!test_LookupSids_async(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
@@ -5022,7 +5036,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
ret = false;
}
- if (!test_many_LookupSids(p, tctx, handle)) {
+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
@@ -5033,7 +5047,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
torture_leave_domain(tctx, join);
} else {
- if (!test_many_LookupSids(p, tctx, handle)) {
+ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
}
@@ -5108,7 +5122,7 @@ static bool testcase_LookupNames(struct torture_context *tctx,
tnames.names[0].name.string = "BUILTIN";
tnames.names[0].sid_type = SID_NAME_DOMAIN;
- if (!test_LookupNames(b, tctx, handle, &tnames)) {
+ if (!test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames)) {
ret = false;
}
@@ -5118,23 +5132,23 @@ static bool testcase_LookupNames(struct torture_context *tctx,
tnames2.names[0].name.string = "BUILTIN";
tnames2.names[0].sid_type = SID_NAME_DOMAIN;
- if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
+ if (!test_LookupNames2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
ret = false;
}
- if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
+ if (!test_LookupNames3(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
ret = false;
}
- if (!test_LookupNames_wellknown(b, tctx, handle)) {
+ if (!test_LookupNames_wellknown(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
- if (!test_LookupNames_NULL(b, tctx, handle)) {
+ if (!test_LookupNames_NULL(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
- if (!test_LookupNames_bogus(b, tctx, handle)) {
+ if (!test_LookupNames_bogus(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
ret = false;
}
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index de3a36eaa4f..c237c82bbe7 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -471,7 +471,7 @@ static bool test_schannel(struct torture_context *tctx,
"failed to connect lsarpc with schannel");
torture_assert(tctx,
- test_many_LookupSids(p_lsa, tctx, NULL),
+ test_many_LookupSids(p_lsa, tctx, NULL, LSA_LOOKUP_NAMES_ALL),
"LsaLookupSids3 failed!\n");
status = dcerpc_binding_set_transport(b, transport);
--
2.21.0
From e76b56290c2be142c43a3fd68584d51b9dc0efb7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Thu, 1 Aug 2019 15:48:58 +0300
Subject: [PATCH 2/3] lookup_name: allow own domain lookup when flags == 0
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000004c-0000-0000-455d-3018575c0000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x000a (10)
size : 0x000c (12)
string : *
string : 'XS\ab'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
[0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
lookup_name: flags = 0x00
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
---
source3/passdb/lookup_sid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 2281bd0b64d..1bb15ccb8b4 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -113,7 +113,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- if ((flags & LOOKUP_NAME_DOMAIN) &&
+ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
strequal(domain, get_global_sam_name()))
{
--
2.21.0
From 03d1a9f4f07f6e06c125875fe454925f4c1f6c2b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Sat, 10 Aug 2019 11:53:12 +0300
Subject: [PATCH 3/3] smbtorture: extend rpc.lsa to lookup machine over
forest-wide LookupNames
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
---
source4/torture/rpc/lsa.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index b7dd0dc8c91..21cc16afbaf 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -4794,7 +4794,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
|| i == LSA_POLICY_INFO_DNS_INT)) {
/* Let's look up some of these names */
- struct lsa_TransNameArray tnames;
+ struct lsa_TransNameArray tnames, dnames;
tnames.count = 14;
tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
tnames.names[0].name.string = info->dns.name.string;
@@ -4827,6 +4827,12 @@ static bool test_QueryInfoPolicyCalls( bool version2,
tnames.names[13].sid_type = SID_NAME_USER;
ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
+ /* Try to use in-forest search for the test machine */
+ dnames.count = 1;
+ dnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, dnames.count);
+ dnames.names[0].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
+ dnames.names[0].sid_type = SID_NAME_USER;
+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2, &dnames);
}
}
--
2.21.0

9
samba.spec
View File

@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
%define main_release 0
%define main_release 1
%define samba_version 4.10.6
%define talloc_version 2.1.16
@ -86,7 +86,7 @@
Name: samba
Version: %{samba_version}
Release: %{samba_release}.2
Release: %{samba_release}
%if 0%{?rhel}
Epoch: 0
@ -119,6 +119,7 @@ Source14: samba.pamd
Source201: README.downgrade
Patch0: samba-4.10.x-waf_update.patch
Patch1: samba-bz14091-v4.10-backport.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -3439,6 +3440,10 @@ fi
%endif # with_clustering_support
%changelog
* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.10.6-1
- Fix Samba bug https://bugzilla.samba.org/show_bug.cgi?id=14091
- Fixes: Windows systems cannot resolve IPA users and groups over LSA RPC
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.10.6-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild