Am 04.11.20 um 17:24 schrieb Alexander Bokovoy: > The branch, master has been updated > via f9016912098 lookup_name: allow lookup for own realm > via 00f4262ed0b cli_credentials: add a helper to parse user or group > names > via eb0474d27ba cli_credentials_parse_string: fix parsing of > principals > from a1b021200e3 selftest: add test for new "samba-tool user unlock" > command > > https://git.samba.org/?p=samba.git;a=shortlog;h=master > > > - Log ----------------------------------------------------------------- > commit f901691209867b32c2d7c5c9274eee196f541654 > Author: Alexander Bokovoy <a...@samba.org> > Date: Wed Nov 4 14:21:33 2020 +0200 > > lookup_name: allow lookup for own realm > > When using a security tab in Windows Explorer, a lookup over a trusted > forest might come as realm\name instead of NetBIOS domain name: > > -------------------------------------------------------------------- > [2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, > 1732401004), real(1732401004, 0), class=rpc_parse] > ../../librpc/ndr/ndr.c:471(ndr_print_function_debug) > lsa_LookupNames3: struct lsa_LookupNames3 > in: struct lsa_LookupNames3 > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : > 0000000e-0000-0000-1c5e-a750e5810000 > num_names : 0x00000001 (1) > names: ARRAY(1) > names: struct lsa_String > length : 0x001e (30) > size : 0x0020 (32) > string : * > string : 'ipa.test\admins' > sids : * > sids: struct lsa_TransSidArray3 > count : 0x00000000 (0) > sids : NULL > level : > LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6) > count : * > count : 0x00000000 (0) > lookup_options : > LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0) > client_revision : LSA_CLIENT_REVISION_2 (2) > > ... > > diff --git a/auth/credentials/tests/test_creds.c > b/auth/credentials/tests/test_creds.c > index d2d3d30d73d..38550d6ecf9 100644 > --- a/auth/credentials/tests/test_creds.c > +++ b/auth/credentials/tests/test_creds.c > @@ -187,7 +187,7 @@ static void torture_creds_parse_string(void **state) > assert_string_equal(creds->domain, ""); > assert_int_equal(creds->domain_obtained, CRED_SPECIFIED); > > - assert_string_equal(creds->username, "wurst@brot.realm"); > + assert_string_equal(creds->username, "wurst");
I'm sorry but this is wrong! I'm wondering why this wasn't covered by any high level test. This needs to result in domain="" and username="wurst@brot.realm" and that's exactly what we need to use for NTLMSSP. Also note that "brot.realm" may not be a realm and "wurst" may not be a sAMAccountName. A userPrincipalName can be anything@anydomain-of-msDS-SPNSuffixes. I fear we need to revert these changes. From the merge request (https://gitlab.com/samba-team/samba/-/merge_requests/1658) I didn't really look at the whole patchset (with behavior change) I only focused on CRED_NO_PASSWORD. I think we need to logic we have in wb_irpc_lsa_LookupNames4_call() and/or parse_domain_user() here. metze
signature.asc
Description: OpenPGP digital signature