From e989105922d62a1a254a7696c95cf59855c806c6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Aug 16 2019 09:43:38 +0000
Subject: Allow Windows to resolve IPA users and groups over LSA RPC
Fixes: https://bugzilla.samba.org/show_bug.cgi?id=14091
(cherry picked from commit e9d6c3ff337143c3c8289d9ccaed7351e28529dd)
---
diff --git a/samba-bz14091-v4.10-backport.patch b/samba-bz14091-v4.10-backport.patch
new file mode 100644
index 0000000..104e78e
--- /dev/null
+++ b/samba-bz14091-v4.10-backport.patch
@@ -0,0 +1,650 @@
+From 536df2c1070d516ab95ad96b606fcc1f92c3668d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Aug 2019 21:08:52 +0300
+Subject: [PATCH 1/3] torture/rpc/lsa: allow testing different lookup levels
+
+Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
+different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
+(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Andreas Schneider
+
+(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
+---
+ source4/torture/rpc/lsa.c | 118 ++++++++++++++++++---------------
+ source4/torture/rpc/schannel.c | 2 +-
+ 2 files changed, 67 insertions(+), 53 deletions(-)
+
+diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
+index bc1e9553039..b7dd0dc8c91 100644
+--- a/source4/torture/rpc/lsa.c
++++ b/source4/torture/rpc/lsa.c
+@@ -270,6 +270,7 @@ static bool test_OpenPolicy2_fail(struct dcerpc_binding_handle *b,
+ static bool test_LookupNames(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_TransNameArray *tnames)
+ {
+ struct lsa_LookupNames r;
+@@ -302,7 +303,7 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
+ r.in.handle = handle;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.out.count = &count;
+ r.out.sids = &sids;
+@@ -358,7 +359,8 @@ static bool test_LookupNames(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+- struct policy_handle *handle)
++ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level)
+ {
+ struct lsa_LookupNames r;
+ struct lsa_TransSidArray sids;
+@@ -377,7 +379,7 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
+ r.in.num_names = 
1;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.out.count = &count;
+ r.out.sids = &sids;
+@@ -398,7 +400,8 @@ static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+- struct policy_handle *handle)
++ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level)
+ {
+ struct lsa_LookupNames r;
+ struct lsa_TransSidArray sids;
+@@ -417,7 +420,7 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
+ r.in.num_names = 1;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.out.count = &count;
+ r.out.sids = &sids;
+@@ -442,7 +445,8 @@ static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+- struct policy_handle *handle)
++ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level)
+ {
+ struct lsa_TranslatedName name;
+ struct lsa_TransNameArray tnames;
+@@ -454,45 +458,46 @@ static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
+ tnames.count = 1;
+ name.name.string = "NT AUTHORITY\\SYSTEM";
+ name.sid_type = SID_NAME_WKN_GRP;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
+ name.sid_type = SID_NAME_WKN_GRP;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "NT AUTHORITY\\Authenticated Users";
+ name.sid_type = SID_NAME_WKN_GRP;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ #if 0
+ name.name.string = "NT AUTHORITY";
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= 
test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "NT AUTHORITY\\";
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+ #endif
+
+ name.name.string = "BUILTIN\\";
+ name.sid_type = SID_NAME_DOMAIN;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "BUILTIN\\Administrators";
+ name.sid_type = SID_NAME_ALIAS;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "SYSTEM";
+ name.sid_type = SID_NAME_WKN_GRP;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+
+ name.name.string = "Everyone";
+ name.sid_type = SID_NAME_WKN_GRP;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, level, &tnames);
+ return ret;
+ }
+
+ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_TransNameArray2 *tnames,
+ bool check_result)
+ {
+@@ -525,7 +530,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
+ r.in.handle = handle;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -554,6 +559,7 @@ static bool test_LookupNames2(struct dcerpc_binding_handle *b,
+ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_TransNameArray2 *tnames,
+ bool check_result)
+ {
+@@ -585,7 +591,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
+ r.in.handle = handle;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+
r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -613,6 +619,7 @@ static bool test_LookupNames3(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_TransNameArray2 *tnames,
+ bool check_result)
+ {
+@@ -644,7 +651,7 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
+ r.in.num_names = tnames->count;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -682,7 +689,8 @@ static bool test_LookupNames4(struct dcerpc_binding_handle *b,
+ }
+
+ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
+- struct torture_context *tctx)
++ struct torture_context *tctx,
++ enum lsa_LookupNamesLevel level)
+ {
+ struct lsa_LookupNames4 r;
+ struct lsa_TransSidArray3 sids;
+@@ -701,7 +709,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
+ r.in.num_names = count;
+ r.in.names = names;
+ r.in.sids = &sids;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -749,6 +757,7 @@ static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
+ static bool test_LookupSids(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_SidArray *sids)
+ {
+ struct lsa_LookupSids r;
+@@ -764,7 +773,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
+ r.in.handle = handle;
+ r.in.sids = sids;
+ r.in.names = &names;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.out.count = &count;
+ r.out.names = &names;
+@@ -779,7 +788,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
+
+ torture_comment(tctx, "\n");
+
+- if (!test_LookupNames(b, tctx, handle, &names)) {
++ if 
(!test_LookupNames(b, tctx, handle, level, &names)) {
+ return false;
+ }
+
+@@ -790,6 +799,7 @@ static bool test_LookupSids(struct dcerpc_binding_handle *b,
+ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_SidArray *sids)
+ {
+ struct lsa_LookupSids2 r;
+@@ -805,7 +815,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
+ r.in.handle = handle;
+ r.in.sids = sids;
+ r.in.names = &names;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -824,11 +834,11 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
+
+ torture_comment(tctx, "\n");
+
+- if (!test_LookupNames2(b, tctx, handle, &names, false)) {
++ if (!test_LookupNames2(b, tctx, handle, level, &names, false)) {
+ return false;
+ }
+
+- if (!test_LookupNames3(b, tctx, handle, &names, false)) {
++ if (!test_LookupNames3(b, tctx, handle, level, &names, false)) {
+ return false;
+ }
+
+@@ -837,6 +847,7 @@ static bool test_LookupSids2(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_SidArray *sids)
+ {
+ struct lsa_LookupSids3 r;
+@@ -851,7 +862,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
+
+ r.in.sids = sids;
+ r.in.names = &names;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -880,7 +891,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
+
+ torture_comment(tctx, "\n");
+
+- if (!test_LookupNames4(b, tctx, &names, true)) {
++ if (!test_LookupNames4(b, tctx, level, &names, true)) {
+ return false;
+ }
+
+@@ -889,6 +900,7 @@ static bool test_LookupSids3(struct dcerpc_binding_handle *b,
+
+ static bool test_LookupSids3_fail(struct 
dcerpc_binding_handle *b,
+ struct torture_context *tctx,
++ enum lsa_LookupNamesLevel level,
+ struct lsa_SidArray *sids)
+ {
+ struct lsa_LookupSids3 r;
+@@ -904,7 +916,7 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
+
+ r.in.sids = sids;
+ r.in.names = &names;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &count;
+ r.in.lookup_options = 0;
+ r.in.client_revision = 0;
+@@ -948,7 +960,8 @@ static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
+
+ bool test_many_LookupSids(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+- struct policy_handle *handle)
++ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level)
+ {
+ uint32_t count;
+ struct lsa_SidArray sids;
+@@ -979,7 +992,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
+ r.in.handle = handle;
+ r.in.sids = &sids;
+ r.in.names = &names;
+- r.in.level = 1;
++ r.in.level = level;
+ r.in.count = &names.count;
+ r.out.count = &count;
+ r.out.names = &names;
+@@ -995,16 +1008,16 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
+
+ torture_comment(tctx, "\n");
+
+- if (!test_LookupNames(b, tctx, handle, &names)) {
++ if (!test_LookupNames(b, tctx, handle, level, &names)) {
+ return false;
+ }
+ }
+
+ if (transport == NCACN_NP) {
+- if (!test_LookupSids3_fail(b, tctx, &sids)) {
++ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
+ return false;
+ }
+- if (!test_LookupNames4_fail(b, tctx)) {
++ if (!test_LookupNames4_fail(b, tctx, level)) {
+ return false;
+ }
+ } else if (transport == NCACN_IP_TCP) {
+@@ -1020,10 +1033,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
+
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+ auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
+- if (!test_LookupSids3(b, tctx, &sids)) {
++ if (!test_LookupSids3(b, tctx, level, &sids)) {
+ return false;
+ }
+- if (!test_LookupNames4(b, tctx, &names, true)) {
++ if (!test_LookupNames4(b, tctx, level, &names, true)) {
+ return false;
+ }
+ } else {
+@@ -1031,10 +1044,10 
@@ bool test_many_LookupSids(struct dcerpc_pipe *p,
+ * If we don't have a secure channel these tests must
+ * fail with ACCESS_DENIED.
+ */
+- if (!test_LookupSids3_fail(b, tctx, &sids)) {
++ if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
+ return false;
+ }
+- if (!test_LookupNames4_fail(b, tctx)) {
++ if (!test_LookupNames4_fail(b, tctx, level)) {
+ return false;
+ }
+ }
+@@ -1066,7 +1079,8 @@ static void lookupsids_cb(struct tevent_req *subreq)
+
+ static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
+ struct torture_context *tctx,
+- struct policy_handle *handle)
++ struct policy_handle *handle,
++ enum lsa_LookupNamesLevel level)
+ {
+ struct lsa_SidArray sids;
+ struct lsa_SidPtr sidptr;
+@@ -1101,7 +1115,7 @@ static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
+ r[i].in.handle = handle;
+ r[i].in.sids = &sids;
+ r[i].in.names = &names[i];
+- r[i].in.level = 1;
++ r[i].in.level = level;
+ r[i].in.count = &names[i].count;
+ r[i].out.count = &count[i];
+ r[i].out.names = &names[i];
+@@ -1912,11 +1926,11 @@ static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
+ torture_assert_ntstatus_ok(tctx, r.out.result,
+ "EnumAccounts failed");
+
+- if (!test_LookupSids(b, tctx, handle, &sids1)) {
++ if (!test_LookupSids(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
+ return false;
+ }
+
+- if (!test_LookupSids2(b, tctx, handle, &sids1)) {
++ if (!test_LookupSids2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
+ return false;
+ }
+
+@@ -4811,7 +4825,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
+ tnames.names[12].sid_type = SID_NAME_USER;
+ tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
+ tnames.names[13].sid_type = SID_NAME_USER;
+- ret &= test_LookupNames(b, tctx, handle, &tnames);
++ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
+
+ }
+ }
+@@ -4977,7 +4991,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
+ ret = 
false;
+ }
+
+- if (!test_many_LookupSids(p, tctx, handle)) {
++ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+@@ -4998,7 +5012,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
+ ret = false;
+ }
+
+- if (!test_LookupSids_async(b, tctx, handle)) {
++ if (!test_LookupSids_async(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+@@ -5022,7 +5036,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
+ ret = false;
+ }
+
+- if (!test_many_LookupSids(p, tctx, handle)) {
++ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+@@ -5033,7 +5047,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
+ torture_leave_domain(tctx, join);
+
+ } else {
+- if (!test_many_LookupSids(p, tctx, handle)) {
++ if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+ }
+@@ -5108,7 +5122,7 @@ static bool testcase_LookupNames(struct torture_context *tctx,
+ tnames.names[0].name.string = "BUILTIN";
+ tnames.names[0].sid_type = SID_NAME_DOMAIN;
+
+- if (!test_LookupNames(b, tctx, handle, &tnames)) {
++ if (!test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames)) {
+ ret = false;
+ }
+
+@@ -5118,23 +5132,23 @@ static bool testcase_LookupNames(struct torture_context *tctx,
+ tnames2.names[0].name.string = "BUILTIN";
+ tnames2.names[0].sid_type = SID_NAME_DOMAIN;
+
+- if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
++ if (!test_LookupNames2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
+ ret = false;
+ }
+
+- if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
++ if (!test_LookupNames3(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
+ ret = false;
+ }
+
+- if (!test_LookupNames_wellknown(b, tctx, handle)) {
++ if (!test_LookupNames_wellknown(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+- if (!test_LookupNames_NULL(b, tctx, handle)) {
++ if (!test_LookupNames_NULL(b, tctx, handle, 
LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+- if (!test_LookupNames_bogus(b, tctx, handle)) {
++ if (!test_LookupNames_bogus(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
+ ret = false;
+ }
+
+diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
+index de3a36eaa4f..c237c82bbe7 100644
+--- a/source4/torture/rpc/schannel.c
++++ b/source4/torture/rpc/schannel.c
+@@ -471,7 +471,7 @@ static bool test_schannel(struct torture_context *tctx,
+ "failed to connect lsarpc with schannel");
+
+ torture_assert(tctx,
+- test_many_LookupSids(p_lsa, tctx, NULL),
++ test_many_LookupSids(p_lsa, tctx, NULL, LSA_LOOKUP_NAMES_ALL),
+ "LsaLookupSids3 failed!\n");
+
+ status = dcerpc_binding_set_transport(b, transport);
+--
+2.21.0
+
+
+From e76b56290c2be142c43a3fd68584d51b9dc0efb7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Aug 2019 15:48:58 +0300
+Subject: [PATCH 2/3] lookup_name: allow own domain lookup when flags == 0
+
+In 2007, we've added support for multiple lookup levels for LSA
+LookupNames family of calls. However, forest-wide lookups, as described
+in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
+were always set to zero, expecting at least default lookup on a DC to
+apply. lookup_name() was instead treating zero flags as 'skip all
+checks'.
+
+Allow at least own domain lookup in case domain name is the same.
+This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
+trusted AD DC side.
+
+For the reference, below is a request Windows Server 2016 domain
+controller sends to FreeIPA domain controller when attempting to look up
+a user from a trusted forest root domain that attemps to login to the
+domain controller. Notice the level in the lsa_LookupNames3 call and
+resulting flags in lookup_name().
+
+[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+ lsa_LookupNames3: struct lsa_LookupNames3
+ in: struct lsa_LookupNames3
+ handle : *
+ handle: struct policy_handle
+ handle_type : 0x00000000 (0)
+ uuid : 0000004c-0000-0000-455d-3018575c0000
+ num_names : 0x00000001 (1)
+ names: ARRAY(1)
+ names: struct lsa_String
+ length : 0x000a (10)
+ size : 0x000c (12)
+ string : *
+ string : 'XS\ab'
+ sids : *
+ sids: struct lsa_TransSidArray3
+ count : 0x00000000 (0)
+ sids : NULL
+ level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
+ count : *
+ count : 0x00000000 (0)
+ lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
+ client_revision : LSA_CLIENT_REVISION_2 (2)
+[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
+ Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
+ [0010] 57 5C 00 00 W\..
+[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
+ push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
+[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
+ push_conn_ctx(0) : conn_ctx_stack_ndx = 0
+[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
+ setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
+[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
+ Security token: (NULL)
+[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
+ UNIX token of user 0
+ Primary group is 0 and contains 0 supplementary groups
+[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
+ lookup_lsa_sids: looking up name XS\ab
+[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
+ lookup_name: XS\ab => domain=[XS], name=[ab]
+[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
+ lookup_name: flags = 0x00
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Andreas Schneider
+
+(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
+---
+ source3/passdb/lookup_sid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index 2281bd0b64d..1bb15ccb8b4 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -113,7 +113,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ full_name, domain, name));
+ DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
+
+- if ((flags & LOOKUP_NAME_DOMAIN) &&
++ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
+ strequal(domain, get_global_sam_name()))
+ {
+
+--
+2.21.0
+
+
+From 03d1a9f4f07f6e06c125875fe454925f4c1f6c2b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sat, 10 Aug 2019 11:53:12 +0300
+Subject: [PATCH 3/3] smbtorture: extend rpc.lsa to lookup machine over
+ forest-wide LookupNames
+
+Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
+using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
+zero lookup flags to lookup_name().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Alexander Bokovoy
+Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
+
+(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
+---
+ source4/torture/rpc/lsa.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
+index b7dd0dc8c91..21cc16afbaf 100644
+--- a/source4/torture/rpc/lsa.c
++++ b/source4/torture/rpc/lsa.c
+@@ -4794,7 +4794,7 @@ static bool test_QueryInfoPolicyCalls( bool version2,
+ || i == LSA_POLICY_INFO_DNS_INT)) {
+ /* Let's look up some of these names */
+
+- struct lsa_TransNameArray tnames;
++ struct lsa_TransNameArray tnames, dnames;
+ tnames.count = 14;
+ tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
+ tnames.names[0].name.string = info->dns.name.string;
+@@ -4827,6 +4827,12 @@ static bool test_QueryInfoPolicyCalls( bool version2,
+ tnames.names[13].sid_type = SID_NAME_USER;
+ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);
+
++ /* Try to use in-forest search for the test machine */
++ dnames.count = 1;
++ dnames.names = 
talloc_zero_array(tctx, struct lsa_TranslatedName, dnames.count);
++ dnames.names[0].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
++ dnames.names[0].sid_type = SID_NAME_USER;
++ ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2, &dnames);
+ }
+ }
+
+--
+2.21.0
+
diff --git a/samba.spec b/samba.spec
index 36ebe0b..26ebc55 100644
--- a/samba.spec
+++ b/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
-%define main_release 0
+%define main_release 1
 %define samba_version 4.10.6
 %define talloc_version 2.1.16
@@ -119,6 +119,7 @@ Source14: samba.pamd
 Source201: README.downgrade
 Patch0: samba-4.10.x-waf_update.patch
+Patch1: samba-bz14091-v4.10-backport.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -3410,6 +3411,10 @@ fi
 %endif # with_clustering_support
 %changelog
+* Fri Aug 16 2019 Alexander Bokovoy - 4.10.6-1
+- Fix Samba bug https://bugzilla.samba.org/show_bug.cgi?id=14091
+- Fixes: Windows systems cannot resolve IPA users and groups over LSA RPC
+
 * Mon Jul 08 2019 Guenther Deschner - 4.10.6-0
 - Update to Samba 4.10.6
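Review bot: The new `(flags == 0)` arm in lookup_name() gives a zero flag value a second meaning — the commit message says lookup_name() used to treat zero flags as 'skip all checks', and now zero also permits an own-domain lookup — but nothing at the condition records that, so a reader of `if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&` has to dig out this commit. A comment above it such as `/* flags == 0: caller asked for a default lookup (LSA LookupNames forest-wide levels, MS-LSAT 2.2.16); still resolve names in our own domain */` would carry the rationale, and should make clear that every zero-flag caller, not only the LSA server path, is widened by this. In the rpc.lsa test added in patch 3, `dnames.names` and `dnames.names[0].name.string` come from talloc_zero_array() and talloc_asprintf() and are dereferenced without a NULL check; the neighbouring `tnames` code has the same pattern, but `torture_assert(tctx, dnames.names != NULL, "talloc_zero_array failed");` would report an allocation failure as a test failure rather than a crash. Both enclosing functions, lookup_name() and test_QueryInfoPolicyCalls(), start and end outside the hunks shown.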