The branch, master has been updated
       via  8bcbb6f s3: test: Fix standalone valid users fileserver test.
       via  2f6dc26 s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.
       via  23f6744 s3:lib: validate domain name in lookup_wellknown_name()
      from  808f29c s4: torture: Add SMB2 access-based enumeration test. Passes against Win2k12R2.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8bcbb6fb16c13d20556fc50ea2744020cb895be3
Author: Jeremy Allison <[email protected]>
Date:   Wed Oct 14 11:20:08 2015 -0700

    s3: test: Fix standalone valid users fileserver test.
    
    Test was originally added for bug #11320. At the time
    I remarked the only way I could get this to reproduce
    the issue was to use "+WORKGROUP\userdup" instead of
    just "+userdup" (which was the actual problem reported),
    but I didn't investigate enough to discover the underlying
    problem which is actually bug:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    (lookup_names() logic for unqualified (no DOMAIN\
    component) names is incorrect). On a standalone
    fileserver "WORKGROUP\name" should not resolve,
    but "NETBIOS-NAME\name" and just "name" should.
    
    This corrects the test now that lookups for unqualified
    names are now being done correctly.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    Reviewed-by: Uri Simchoni <[email protected]>
    
    Autobuild-User(master): Uri Simchoni <[email protected]>
    Autobuild-Date(master): Thu Oct 15 22:58:54 CEST 2015 on sn-devel-104

commit 2f6dc260ada6cd178a650ca003c2ad22e12697c1
Author: Jeremy Allison <[email protected]>
Date:   Thu Oct 15 09:20:58 2015 -0700

    s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.
    
    Change so we only use unqualified name lookup logic if
    domain component = "" and LOOKUP_NAME_ISOLATED flag is
    passed in.
    
    Remember to search for "NT Authority" *before* going
    into unqualified name lookup logic.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Uri Simchoni <[email protected]>

commit 23f674488a1f62fcc58bb94bed0abed98078b96d
Author: Ralph Boehme <[email protected]>
Date:   Thu Oct 15 12:35:26 2015 +0200

    s3:lib: validate domain name in lookup_wellknown_name()
    
    If domain argument is not an empty string, only search the matching
    wellknown domain name.
    
    As the only wellknown domain with a name is "NT Authority", passing ""
    to lookup_wellknown_name() will search all domains including "NT
    Authority".
    
    Passing "NT Authority" otoh will obviously only search that domain.
    
    This change makes lookup_wellknown_name() behave like this:
    
    in domain         | in name       | ok | out sid | out domain
    ========================================================
                        Dialup          +    S-1-5-1   NT Authority
    NT Authority        Dialup          +    S-1-5-1   NT Authority
    Creator Authority   Dialup          -    -         -
                        Creator Owner   +    S-1-3-0   ""
    Creator Authority   Creator Owner   -    -         -
    NT Authority        Creator Owner   -    -         -
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
    
    Signed-off-by: Ralph Boehme <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    Reviewed-by: Uri Simchoni <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba3.pm    |  2 +-
 source3/lib/util_wellknown.c | 13 ++++++++++---
 source3/passdb/lookup_sid.c  | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index de4346e..15423fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -608,7 +608,7 @@ sub setup_fileserver($$)
        dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
 [valid-users-access]
        path = $valid_users_sharedir
-       valid users = +SAMBA-TEST/userdup
+       valid users = +userdup
        ";
 
        my $vars = $self->provision($path,
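
Review bot: the [valid-users-access] share now exercises only the unqualified `+userdup` form, so the test has no case for the other two behaviours the commit message states for a standalone server ("NETBIOS-NAME\name" resolves, "WORKGROUP\name" does not). Since `valid users` is an access control list, a second share with the NetBIOS-qualified form and a negative test for the workgroup-qualified form would keep a later regression in lookup_name() from going unnoticed.
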
diff --git a/source3/lib/util_wellknown.c b/source3/lib/util_wellknown.c
index 0f627d1..a3db9ab 100644
--- a/source3/lib/util_wellknown.c
+++ b/source3/lib/util_wellknown.c
@@ -154,16 +154,23 @@ bool lookup_wellknown_sid(TALLOC_CTX *mem_ctx, const 
struct dom_sid *sid,
 ***************************************************************************/
 
 bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
-                          struct dom_sid *sid, const char **domain)
+                          struct dom_sid *sid, const char **pdomain)
 {
        int i, j;
+       const char *domain = *pdomain;
 
-       DEBUG(10,("map_name_to_wellknown_sid: looking up %s\n", name));
+       DEBUG(10,("map_name_to_wellknown_sid: looking up %s\\%s\n", domain, 
name));
 
        for (i=0; special_domains[i].sid != NULL; i++) {
                const struct rid_name_map *users =
                        special_domains[i].known_users;
 
+               if (domain[0] != '\0') {
+                       if (!strequal(domain, special_domains[i].name)) {
+                               continue;
+                       }
+               }
+
                if (users == NULL)
                        continue;
 
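
Review bot: `const char *domain = *pdomain;` at the top of lookup_wellknown_name() makes the last argument an in/out parameter, and both `domain[0]` and the `%s` in the DEBUG call then dereference it with no NULL check. Either treat a NULL `*pdomain` as "" or state in the function header that callers must pass a non-NULL string, with "" meaning every well-known domain is searched. The DEBUG prefix also still reads map_name_to_wellknown_sid, which does not match the function name.
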
@@ -171,7 +178,7 @@ bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char 
*name,
                        if ( strequal(users[j].name, name) ) {
                                sid_compose(sid, special_domains[i].sid,
                                            users[j].rid);
-                               *domain = talloc_strdup(
+                               *pdomain = talloc_strdup(
                                        mem_ctx, special_domains[i].name);
                                return True;
                        }
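
Review bot: the result of `talloc_strdup()` assigned to `*pdomain` is not checked before `return True;`, so on allocation failure the caller gets a success return with a NULL domain, and now also loses the input string it passed in. Duplicate into a local first, return False if it is NULL, and only then assign `*pdomain`.
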
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 3f99ee1..1ffd657 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -140,7 +140,31 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
                return false;
        }
 
-       if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
+       /*
+        * Finally check for a well known domain name ("NT Authority"),
+        * this is taken care if in lookup_wellknown_name().
+        */
+       if ((domain[0] != '\0') &&
+           (flags & LOOKUP_NAME_WKN) &&
+           lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+       {
+               type = SID_NAME_WKN_GRP;
+               goto ok;
+       }
+
+       /*
+        * If we're told not to look up 'isolated' names then we're
+        * done.
+        */
+       if (!(flags & LOOKUP_NAME_ISOLATED)) {
+               TALLOC_FREE(tmp_ctx);
+               return false;
+       }
+
+       /*
+        * No domain names beyond this point
+        */
+       if (domain[0] != '\0') {
                TALLOC_FREE(tmp_ctx);
                return false;
        }
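
Review bot: the comment opening the new domain-qualified block in lookup_name() says "Finally check" although two more early returns follow it, and "taken care if in" should read "taken care of in". The two returns after it, on `!(flags & LOOKUP_NAME_ISOLATED)` and on `domain[0] != '\0'`, free the same context and return false, so they could be one condition with one comment. The block also sets `type = SID_NAME_WKN_GRP` for every domain-qualified match; a short comment confirming that this is intended for all names lookup_wellknown_name() can return would help.
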
@@ -152,6 +176,11 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 
        /* 1. well-known names */
 
+       /*
+        * Check for well known names without a domain name.
+        * e.g. \Creator Owner.
+        */
+
        if ((flags & LOOKUP_NAME_WKN) &&
            lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
        {
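
Review bot: the new comment above the `LOOKUP_NAME_WKN` check names only "\Creator Owner", but `domain` is always "" at this point and the commit message for lookup_wellknown_name() says "" searches all well-known domains including "NT Authority", so an unqualified "Dialup" also resolves here. Say so in the comment, and drop the blank line between the comment and the `if` so the comment stays attached to the code it describes.
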


-- 
Samba Shared Repository
