winbindd: only use the domain name from lookup sids if the domain matches

Enterprise / Samba - Ralph Boehme [samba.org] - 12 April 2017 10:43 EDT

With the use of sIDHistory it happens that two sids map to the same name:

S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)

On the net it looks like this:

    lsa_LookupSids: struct lsa_LookupSids
        in: struct lsa_LookupSids
            handle           : *
                handle: struct policy_handle
                    handle_type      : 0x00000000 (0)
                    uuid             : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
            sids             : *
                sids: struct lsa_SidArray
                    num_sids         : 0x00000002 (2)
                    sids             : *
                        sids: ARRAY(2)
                            sids: struct lsa_SidPtr
                                sid              : *
                                    sid              : S-1-5-21-1387724271-3540671778-1971508351-1115
                            sids: struct lsa_SidPtr
                                sid              : *
                                    sid              : S-1-5-21-3293503978-489118715-2763867031-1106
            names            : *
                names: struct lsa_TransNameArray
                    count            : 0x00000000 (0)
                    names            : NULL
            level            : LSA_LOOKUP_NAMES_ALL (1)
            count            : *
                count            : 0x00000000 (0)
    lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains          : *
                domains          : *
                    domains: struct lsa_RefDomainList
                        count            : 0x00000001 (1)
                        domains          : *
                            domains: ARRAY(1)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length           : 0x000e (14)
                                        size             : 0x0010 (16)
                                        string           : *
                                            string           : 'DOMAIN2'
                                    sid              : *
                                        sid              : S-1-5-21-1387724271-3540671778-1971508351
                        max_size         : 0x00000020 (32)
            names            : *
                names: struct lsa_TransNameArray
                    count            : 0x00000002 (2)
                    names            : *
                        names: ARRAY(7)
                            names: struct lsa_TranslatedName
                                sid_type         : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length           : 0x0008 (8)
                                    size             : 0x0008 (8)
                                    string           : *
                                        string           : 'd1u1'
                                sid_index        : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type         : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length           : 0x0008 (8)
                                    size             : 0x0008 (8)
                                    string           : *
                                        string           : 'd1u1'
                                sid_index        : 0x00000000 (0)
            count            : *
                count            : 0x00000002 (2)
            result           : NT_STATUS_OK

So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has S-1-5-21-1387724271-3540671778-1971508351 in the referenced lsa_DomainInfo structure. In that case we should not use the domain name from lsa_DomainInfo, because we would use the wrong idmap backend.

For the case where the domain part of the sIDHistory sid is a still existing domain, which can be found in our internal list of trusted domains, we now use the correct idmap backend: the idmap domain from the historic SID.

If the historic domain no longer exists, we will fall back to the default idmap domain.

The next step would be doing a lookup sid call for the domain sid, which may help with one-way trusts.

The long-term goal needs to be that idmap backends are based on sids only, and only the smb.conf allows names to be used, which will be converted to sids on startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702

Pair-Programmed-With: Stefan Metzmacher

9d419c3 winbindd: only use the domain name from lookup sids if the domain matches
source3/winbindd/wb_sids2xids.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

Upstream: gitweb.samba.org
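The domain-selection rule this commit describes, as an added illustration in C; it is not the wb_sids2xids.c change itself. SIDs are handled as strings rather than struct dom_sid, and the trusted-domain list (including the name DOMAIN1 for the historic domain) is constructed for the example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the LSA reply structures (Samba itself uses
 * struct dom_sid and the generated lsa_DomainInfo / lsa_TranslatedName). */
struct domain { const char *name; const char *sid; };
struct translated_name { const char *name; int sid_index; };

/* True if sid is exactly "<domain_sid>-<rid>", i.e. a direct member of that
 * domain (what Samba's dom_sid_in_domain() checks on binary SIDs). */
static bool sid_in_domain(const char *domain_sid, const char *sid)
{
    size_t n = strlen(domain_sid);
    if (strncmp(sid, domain_sid, n) != 0 || sid[n] != '-' || sid[n + 1] == '\0')
        return false;
    for (const char *p = sid + n + 1; *p != '\0'; p++)  /* RID: digits only */
        if (*p < '0' || *p > '9')
            return false;
    return true;
}

/* Pick the idmap domain for sid from a lsa_LookupSids reply:
 *  1. use the referenced domain's name only if that domain contains sid;
 *  2. otherwise (sIDHistory) look the SID's own domain prefix up in the
 *     trusted-domain list, so the historic domain's idmap backend is used;
 *  3. if the historic domain is no longer known, fall back to the default. */
const char *idmap_domain_for_sid(const char *sid, const struct translated_name *tn,
                                 const struct domain *ref, size_t nref,
                                 const struct domain *trusted, size_t ntrusted,
                                 const char *default_domain)
{
    if (tn->sid_index >= 0 && (size_t)tn->sid_index < nref &&
        sid_in_domain(ref[tn->sid_index].sid, sid))
        return ref[tn->sid_index].name;
    for (size_t i = 0; i < ntrusted; i++)
        if (sid_in_domain(trusted[i].sid, sid))
            return trusted[i].name;
    return default_domain;
}

/* The reply from the trace above: one referenced domain, both names at sid_index 0. */
const struct domain lookup_domains[] = { { "DOMAIN2", "S-1-5-21-1387724271-3540671778-1971508351" } };
const struct translated_name lookup_names[] = { { "d1u1", 0 }, { "d1u1", 0 } };
/* Constructed trusted-domain list; "DOMAIN1" as the historic domain's name is
 * an assumption, the trace does not show it. */
const struct domain trusted_domains[] = {
    { "DOMAIN2", "S-1-5-21-1387724271-3540671778-1971508351" },
    { "DOMAIN1", "S-1-5-21-3293503978-489118715-2763867031" },
};
```

With the trusted list shortened to DOMAIN2 only, the second SID lands on the default domain, which is the fallback the commit message describes.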
