Discussion:
wbinfo -i output domain realm vs. ntdomain before login
Heiner Lesaar via samba-technical
2018-04-18 16:31:01 UTC
Dear all,

I have posted on ***@lists before and got a hint towards a change of
winbind behaviour since samba 4.7 from a kind subscriber, but unfortunately
the hint towards a change in group membership calculation does not really
(seem to) relate to my question.

I would like to be able to get a consistent result when running wbinfo -i
so that it does not differ between user creation and after first login.

For reference, please see my original request below and thanks a lot for
your help and suggestions!

Heiner


On CentOS 7 based Linux with different versions of Samba (4.6.x from CentOS
repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
-i ***@domain.tld" returns different results before the first successful
authentication of the user.

Server joined as member to Active Directory, idmapping via tdb2 and rid or
ad - does not seem to make a difference.

On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
login it switches to "NTDOMAIN+Username" (which is also the correct output).
The tdb files also show the "wrong" info until the login is done (according
to tdbdump comparison). It does not matter if the login happens on a client
or like in my example "locally" via smbclient.


See command output examples:

#########
1st execution after user creation in AD:

# $ wbinfo -i ***@test.intern

# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false

Authentication (e.g. here via smbclient):

# $ smbclient \\\\127.0.0.1\\sharename -U ***@test.intern

Execution after 1st login:

# $ wbinfo -i ***@test.intern

# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false

#########

We use the command output to create database entries in an in-house
developed database / application to centrally manage client logins from
various operating systems.

My questions are:

1) Is this expected behaviour or is it influenced by some smb.conf or
krb5.conf option that we are not aware of?

2) Is there a way to query the domain "prefix" of a user that will not
change depending on whether the user has ever tried to log in to the
server or not?
Does it maybe depend on some command line option?

FYI: getent passwd shows the same behaviour.



Thank you very much for your help and assistance!
Rowland Penny via samba-technical
2018-04-18 16:51:21 UTC
On Wed, 18 Apr 2018 18:31:01 +0200
Post by Heiner Lesaar via samba-technical
Dear all,
winbind behaviour since samba 4.7 from a kind subscriber,
I am a bit more than a subscriber ;-)
But what I said, as far as group membership is concerned, is correct.
Post by Heiner Lesaar via samba-technical
but
unfortunately the hint towards a change in group membership
calculation does not really (seem to) relate to my question.
I would like to be able to get a consistent result when running
wbinfo -i so that it does not differ between user creation and after
first login.
For reference, please see my original request below and thanks a lot
for your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from
CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
the first successful authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and
rid or ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but
after 1st login it switches to "NTDOMAIN+Username"
Now this is the strange part, I never see this. What are you connecting
from, and if it is a Unix machine, can we see your smb.conf?

Rowland
Heiner Lesaar via samba-technical
2018-04-19 10:34:16 UTC
Adding to my message from yesterday. The output from "wbinfo --group-info"
is also broken but unfortunately doesn't even get corrected after the first
login of the user.

Please see below for explanation. All this on sernet-samba 4.7.4 (but also
same behaviour if tested on samba.org source-build)

## Newly created user that never logged in to Samba:
## (see how it returns the "full domain" in the result, which is "wrong" - expected
is the NTDOMAIN name)

root ~ $ wbinfo -i ***@domain.intern

DOMAIN.INTERN+newuser11:*:43555590:43554944::/home/DOMAIN.INTERN/newuser11:/bin/false

## Same is true for result in group info, user is listed with wrong domain
info:

root ~ $ wbinfo --group-info DOMAIN+newgroup

NTDOMAIN+newgroup:x:43555589:DOMAIN.INTERN+newuser11

## Logging in user once seems to fix this, at least for user info:

root ~ $ smbclient \\\\127.0.0.1\\snfs1 -U ***@domain.intern

WARNING: The "auth methods" option is deprecated
Enter ***@domain.intern's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME


## See how now NTDOMAIN is shown as result, problem is that results are
"inconsistent" before and after first login.

root ~ $ wbinfo -i ***@domain.intern

NTDOMAIN+newuser11:*:43555590:43554944::/home/NTDOMAIN/newuser11:/bin/false


## Even more problematic is that --group-info still has the wrong syntax
in its listing:

root ~ exitcode 1 $ wbinfo --group-info NTDOMAIN+newgroup

NTDOMAIN+newgroup:x:43555589:DOMAIN.INTERN+newuser11
Post by Heiner Lesaar via samba-technical
Dear all,
winbind behaviour since samba 4.7 from a kind subscriber, but unfortunately
the hint towards a change in group membership calculation does not really
(seem to) relate to my question.
I would like to be able to get a consistent result when running wbinfo -i
so that it does not differ between user creation and after first login.
For reference, please see my original request below and thanks a lot for
your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from CentOS
repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and rid or
ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
login it switches to "NTDOMAIN+Username" (which is also the correct
output).
The tdb files also show the "wrong" info until the login is done (according
to tdbdump comparison). It does not matter if the login happens on a client
or like in my example "locally" via smbclient.
#########
# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
#########
We use the command output to create database entries in a in-house
developed database / application to centrally manage client logins from
various operating systems.
1) Is this expected behaviour or is it influenced by some smb.conf or
krb5.conf option that we are not aware of?
2) Is there a way to query the domain "prefix" of a user which will not
change depending on the fact if the user has ever tried to login to the
server or not?
Does it maybe depend on some command line option?
FYI: getent passwd shows the same behaviour.
Thank you very much for your help and assistance!
Heiner Lesaar via samba-technical
2018-04-19 12:23:25 UTC
Thanks a lot, Rowland!


I didn't check who was replying - apologies for the "kind subscriber"
comment - at least I used "kind" ;)

To answer your question, we are connecting from various clients (Win7,
Win10, OSX) and see this behaviour on several machines (not just one
particular) and it is reproducible.

The smb.conf file:

#####

[global]
log level=7
realm=DOMAIN.INTERN
netbios name=EXAMPLE
workgroup=ELEMENTS
server string=EXAMPLE SMB
log file=/var/log/samba/log.%m
max log size=5000
security=ads
passdb backend=tdbsam
load printers=no
printing=bsd
printcap name=/dev/null
map to guest=bad user
enable core files=no
server signing=disabled
client signing=disabled
nt acl support=no
max xmit=1048576
block size=4096
aio read size=1
aio write size=1
map system=no
map archive=no
map read only=no
dns proxy=no
wins proxy=no
hide dot files=yes
ntlm auth=yes
idmap config * : range=16777216-33554431
idmap config * : backend=tdb2
idmap config NTDOMAIN : range=43554431-56666666
idmap config NTDOMAIN : backend=rid
winbind offline logon=false
winbind separator=+
winbind enum users=yes
winbind enum groups=yes
winbind use default domain=no
winbind nested groups=yes
winbind refresh tickets=yes
winbind expand groups=1
auth methods=sam winbind

[benchmark]
comment=
path=/data/snfs1/benchmark
guest ok=yes
browseable=yes
create mask=0777
directory mask=0777
read only=no
follow symlinks=yes
wide links=no

###

####################################


Thank you very much for your help and assistance! This behaviour is driving
us mad already for a couple of weeks :D

Many regards,

Heiner

---------- Forwarded message ----------
From: Rowland Penny <***@samba.org>
To: samba-***@lists.samba.org
Cc:
Bcc:
Date: Wed, 18 Apr 2018 17:51:21 +0100
Subject: Re: wbinfo -i output domain realm vs. ntdomain before login
On Wed, 18 Apr 2018 18:31:01 +0200
Post by Heiner Lesaar via samba-technical
Dear all,
winbind behaviour since samba 4.7 from a kind subscriber,
I am a bit more than a subscriber ;-)
But what I said, as far as group membership is concerned, is correct.
Post by Heiner Lesaar via samba-technical
but
unfortunately the hint towards a change in group membership
calculation does not really (seem to) relate to my question.
I would like to be able to get a consistent result when running
wbinfo -i so that it does not differ between user creation and after
first login.
For reference, please see my original request below and thanks a lot
for your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from
CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
the first successful authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and
rid or ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but
after 1st login it switches to "NTDOMAIN+Username"
Now this is the strange part, I never see this, what are you connecting
from and if it is a Unix machine, can we see your smb.conf.

Rowland
Rowland Penny via samba-technical
2018-04-19 12:44:25 UTC
On Thu, 19 Apr 2018 14:23:25 +0200
Post by Heiner Lesaar via samba-technical
Thanks a lot, Rowland!
I didn't check who was replying - apologies for the "kind subscriber"
comment - at least I used "kind" ;)
To answer your question, we are connecting from various clients (Win7,
Win10, OSX) and see this behaviour on several machines (not just one
particular) and it is reproducible.
Yes it is reproducible, but only on a Unix domain member, it works as
expected on a DC:

***@devstation:~$ wbinfo -i ***@samdom.example.com
SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash

***@dc4:~# wbinfo -i ***@samdom.example.com
SAMDOM\unix1:*:10024:10000::/home/unix1:/bin/bash

Rowland
Heiner Lesaar via samba-technical
2018-04-19 12:56:44 UTC
Ahh, yes! Maybe I misunderstood you.

The Samba is a domain member, joined to a Windows DC.

wbinfo is executed on this domain member.

Do you have an idea what we have to change to get rid of this behaviour or is it a bug?

Thanks a lot again!

Heiner

Sent from my iPhone
Post by Rowland Penny via samba-technical
On Thu, 19 Apr 2018 14:23:25 +0200
Post by Heiner Lesaar via samba-technical
Thanks a lot, Rowland!
I didn't check who was replying - apologies for the "kind subscriber"
comment - at least I used "kind" ;)
To answer your question, we are connecting from various clients (Win7,
Win10, OSX) and see this behaviour on several machines (not just one
particular) and it is reproducible.
Yes it is reproducible, but only on a Unix domain member, it works as
SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash
SAMDOM\unix1:*:10024:10000::/home/unix1:/bin/bash
Rowland
Andreas Schneider via samba-technical
2018-04-19 12:29:38 UTC
On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via samba-technical
Post by Heiner Lesaar via samba-technical
Dear all,
winbind behaviour since samba 4.7 from a kind subscriber, but unfortunately
the hint towards a change in group membership calculation does not really
(seem to) relate to my question.
I would like to be able to get a consistent result when running wbinfo -i
so that it does not differ between user creation and after first login.
For reference, please see my original request below and thanks a lot for
your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from CentOS
repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and rid or
ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
login it switches to "NTDOMAIN+Username" (which is also the correct output).
The tdb files also show the "wrong" info until the login is done (according
to tdbdump comparison). It does not matter if the login happens on a client
or like in my example "locally" via smbclient.
#########
# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
#########
We use the command output to create database entries in a in-house
developed database / application to centrally manage client logins from
various operating systems.
1) Is this expected behaviour or is it influenced by some smb.conf or
krb5.conf option that we are not aware of?
2) Is there a way to query the domain "prefix" of a user which will not
change depending on the fact if the user has ever tried to login to the
server or not?
Does it maybe depend on some command line option?
FYI: getent passwd shows the same behaviour.
Thank you very much for your help and assistance!
This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Rowland Penny via samba-technical
2018-04-19 12:48:35 UTC
On Thu, 19 Apr 2018 14:29:38 +0200
Post by Andreas Schneider via samba-technical
On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via
Post by Heiner Lesaar via samba-technical
Dear all,
of winbind behaviour since samba 4.7 from a kind subscriber, but
unfortunately the hint towards a change in group membership
calculation does not really (seem to) relate to my question.
I would like to be able to get a consistent result when running
wbinfo -i so that it does not differ between user creation and
after first login.
For reference, please see my original request below and thanks a
lot for your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from
CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
before the first successful authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and
rid or ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but
after 1st login it switches to "NTDOMAIN+Username" (which is also
the correct output). The tdb files also show the "wrong" info until
the login is done (according to tdbdump comparison). It does not
matter if the login happens on a client or like in my example
"locally" via smbclient.
#########
# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
#########
We use the command output to create database entries in a in-house
developed database / application to centrally manage client logins
from various operating systems.
1) Is this expected behaviour or is it influenced by some smb.conf
or krb5.conf option that we are not aware of?
2) Is there a way to query the domain "prefix" of a user which will
not change depending on the fact if the user has ever tried to
login to the server or not?
Does it maybe depend on some command line option?
FYI: getent passwd shows the same behaviour.
Thank you very much for your help and assistance!
This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
It also does the same if you only use the username:

***@devstation:~$ wbinfo -i unix1
SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash

Rowland
Andreas Schneider via samba-technical
2018-04-19 13:55:57 UTC
On Thursday, 19 April 2018 14:48:35 CEST Rowland Penny via samba-technical
Post by Rowland Penny via samba-technical
On Thu, 19 Apr 2018 14:29:38 +0200
Post by Andreas Schneider via samba-technical
On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via
Post by Heiner Lesaar via samba-technical
Dear all,
of winbind behaviour since samba 4.7 from a kind subscriber, but
unfortunately the hint towards a change in group membership
calculation does not really (seem to) relate to my question.
I would like to be able to get a consistent result when running
wbinfo -i so that it does not differ between user creation and
after first login.
For reference, please see my original request below and thanks a
lot for your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from
CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
before the first successful authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and
rid or ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but
after 1st login it switches to "NTDOMAIN+Username" (which is also
the correct output). The tdb files also show the "wrong" info until
the login is done (according to tdbdump comparison). It does not
matter if the login happens on a client or like in my example
"locally" via smbclient.
#########
# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
#########
We use the command output to create database entries in a in-house
developed database / application to centrally manage client logins
from various operating systems.
1) Is this expected behaviour or is it influenced by some smb.conf
or krb5.conf option that we are not aware of?
2) Is there a way to query the domain "prefix" of a user which will
not change depending on the fact if the user has ever tried to
login to the server or not?
Does it maybe depend on some command line option?
FYI: getent passwd shows the same behaviour.
Thank you very much for your help and assistance!
This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash
I think I have the correct fix now:

samba-cli01:~ # killall -TERM winbindd; sleep 0.5; rm -f /var/log/samba/log.*; rm -f /var/lib/samba/*cache*; winbindd
samba-cli01:~ # wbinfo -i EARTH+bob1
EARTH+bob1:*:100001107:100000513::/home/EARTH/bob1:/bin/bash
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Samuel Cabrero via samba-technical
2018-04-19 16:32:36 UTC
On Thu, 2018-04-19 at 15:55 +0200, Andreas Schneider via samba-
Post by Andreas Schneider via samba-technical
On Thursday, 19 April 2018 14:48:35 CEST Rowland Penny via samba-technical
Post by Rowland Penny via samba-technical
On Thu, 19 Apr 2018 14:29:38 +0200
Post by Andreas Schneider via samba-technical
On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via
Post by Heiner Lesaar via samba-technical
Dear all,
of winbind behaviour since samba 4.7 from a kind subscriber, but
unfortunately the hint towards a change in group membership
calculation does not really (seem to) relate to my question.
I would like to be able to get a consistent result when running
wbinfo -i so that it does not differ between user creation and
after first login.
For reference, please see my original request below and thanks a
lot for your help and suggestions!
Heiner
On CentOs7 based linux w. different versions of Samba (4.6.x from
CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
before the first successful authentication of the user.
Server joined as member to Active Directory, idmapping via tdb2 and
rid or ad - does not seem to make a difference.
On first attempt, the result returns "DOMAIN-REALM+Username", but
after 1st login it switches to "NTDOMAIN+Username" (which is also
the correct output). The tdb files also show the "wrong" info until
the login is done (according to tdbdump comparison). It does not
matter if the login happens on a client or like in my example
"locally" via smbclient.
#########
# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
#########
We use the command output to create database entries in a in-
house
developed database / application to centrally manage client logins
from various operating systems.
1) Is this expected behaviour or is it influenced by some smb.conf
or krb5.conf option that we are not aware of?
2) Is there a way to query the domain "prefix" of a user which will
not change depending on the fact if the user has ever tried to
login to the server or not?
Does it maybe depend on some command line option?
FYI: getent passwd shows the same behaviour.
Thank you very much for your help and assistance!
This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash
samba-cli01:~ # killall -TERM winbindd; sleep 0.5; rm -f /var/log/samba/log.*; rm -f /var/lib/samba/*cache*; winbindd
samba-cli01:~ # wbinfo -i EARTH+bob1
EARTH+bob1:*:100001107:100000513::/home/EARTH/bob1:/bin/bash
Hi Andreas,

I had a look at the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belong), so why can't we pass this up to the
caller and use it instead of checking the given name format to look up the
domain name after obtaining the SID?

What do you think about this patch?

Cheers.
Stefan Metzmacher via samba-technical
2018-04-20 04:52:58 UTC
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look to the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belongs), so why can't we pass this up to the
caller and use it instead checking the given name format to lookup the
domain name after obtaining the SID?
What do you think about this patch?
I guess it doesn't handle a case like the following:

userPrincipalName: ***@example.com
sAMAccountName: some

REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM

If you ask for '***@example.com' you should get
back 'ADDOM\some' instead of 'ADDOM\some.one'.

We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().

metze
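As an added illustration (not Samba code) of the two points made above, the Python model below shows why the domain returned by the lookup, not the prefix the caller typed, should form the first field of the result (Samuel's point), and why a UPN such as some.one@example.com must be matched whole against userPrincipalName rather than split at the '@' (metze's point). The realm, NetBIOS domain, accounts and SIDs are constructed sample data; the '+' separator follows the smb.conf posted earlier in the thread.

```python
"""Model of winbind-style name resolution for the cases raised in the thread.

Added example, not Samba code: a small in-memory stand-in for the directory
and for what LSA LookupNames returns.  It contrasts a naive resolver that
trusts the text the caller typed with one that always reports the domain and
sAMAccountName found in the directory.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample environment, following metze's example above.
REALM = "AD.EXAMPLE.PRIVATE"      # Kerberos realm of the domain
NTDOMAIN = "ADDOM"                # NetBIOS (short) domain name
SEPARATOR = "+"                   # winbind separator from the posted smb.conf


@dataclass(frozen=True)
class Account:
    sam_account_name: str   # sAMAccountName: the login name winbind should report
    upn: str                # userPrincipalName: suffix and local part may differ
    sid: str                # constructed SID, not a real one


DIRECTORY = (
    Account("some", "some.one@example.com", "S-1-5-21-1111-2222-3333-1107"),
    Account("alice", "alice@ad.example.private", "S-1-5-21-1111-2222-3333-1108"),
)


def naive_resolve(name: str) -> str:
    """The behaviour the thread warns against: treat everything before '@' as
    the account name and echo whatever domain prefix the caller supplied."""
    if "@" in name:
        user, _realm = name.rsplit("@", 1)
        return f"{NTDOMAIN}{SEPARATOR}{user}"        # wrong for some.one@example.com
    domain, _, user = name.replace("\\", SEPARATOR).rpartition(SEPARATOR)
    return f"{domain or NTDOMAIN}{SEPARATOR}{user}"  # echoes the realm if typed


def lookup_names(name: str) -> Optional[Tuple[str, str, str]]:
    """Model of LSA LookupNames: returns (referenced domain, sAMAccountName, SID),
    or None if the name is unknown.  Accepts DOMAIN+user, DOMAIN\\user,
    REALM+user or a UPN.  The domain in the result always comes from the
    directory, never from the text the caller typed."""
    if "@" in name:
        # A UPN is one opaque identifier: match it whole against
        # userPrincipalName.  some.one@example.com -> sAMAccountName "some".
        for acct in DIRECTORY:
            if acct.upn.lower() == name.lower():
                return (NTDOMAIN, acct.sam_account_name, acct.sid)
        return None

    domain, sep, user = name.replace("\\", SEPARATOR).rpartition(SEPARATOR)
    if sep and domain.upper() not in (NTDOMAIN, REALM):
        return None                     # a prefix this domain is not authoritative for
    for acct in DIRECTORY:
        if acct.sam_account_name.lower() == user.lower():
            return (NTDOMAIN, acct.sam_account_name, acct.sid)
    return None


def resolve(name: str) -> Optional[str]:
    """What wbinfo -i should print as its first field: the referenced NetBIOS
    domain from the lookup plus the sAMAccountName, joined by the separator."""
    found = lookup_names(name)
    if found is None:
        return None
    domain, sam, _sid = found
    return f"{domain}{SEPARATOR}{sam}"


if __name__ == "__main__":
    for query in ("some.one@example.com", "AD.EXAMPLE.PRIVATE+some",
                  "ADDOM\\alice", "alice", "nobody@example.com"):
        print(f"{query:28} naive={naive_resolve(query)!s:18} correct={resolve(query)}")
```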
Andreas Schneider via samba-technical
2018-04-20 11:53:05 UTC
Post by Stefan Metzmacher via samba-technical
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look to the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belongs), so why can't we pass this up to the
caller and use it instead checking the given name format to lookup the
domain name after obtaining the SID?
What do you think about this patch?
sAMAccountName: some
REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM
back 'ADDOM\some' instead of 'ADDOM\some.one'.
We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().
I've started to write tests for this issue and fixed looking up the user
if the UPN name doesn't match the account name.

Samuel, I think we should first have a minimal fix which is easy to backport
to 4.7. We could look into your rewrite once we have tests.


Makes sense?


Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Andreas Schneider via samba-technical
2018-04-23 14:44:37 UTC
Post by Stefan Metzmacher via samba-technical
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look to the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belongs), so why can't we pass this up to the
caller and use it instead checking the given name format to lookup the
domain name after obtaining the SID?
What do you think about this patch?
sAMAccountName: some
REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM
back 'ADDOM\some' instead of 'ADDOM\some.one'.
We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().
Attached are tests for UPNs and fixes for it.


Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org
Jeremy Allison via samba-technical
2018-04-25 22:45:05 UTC
Post by Andreas Schneider via samba-technical
Post by Stefan Metzmacher via samba-technical
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look to the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belongs), so why can't we pass this up to the
caller and use it instead checking the given name format to lookup the
domain name after obtaining the SID?
What do you think about this patch?
sAMAccountName: some
REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM
back 'ADDOM\some' instead of 'ADDOM\some.one'.
We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().
Attached are tests for UPNs and fixes for it.
OK Andreas, I'm reviewing this and I'd like some clarification
on the changes in:

[PATCH 4/5] winbind: Fix looking up the user via the UPN

source3/winbindd/winbindd_lookupname.c
source3/winbindd/winbindd_util.c

In my understanding both of these fixes are ensuring that
a upn name passed in as:

***@realm

is not being split into domname=realm, name=user
components, but instead passed to winbindd as:

domname=realm, name=***@realm

Yes? Can you add a comment explaining what
is being passed to winbindd and why that change
is needed, as well as a comment for the change
in parse_domain_user() that explains why returning
the upn user name is correct.

I believe you're right :-), but this stuff is
tricky enough that more comments here might help
in future.

Thanks!

Jeremy.
Post by Andreas Schneider via samba-technical
--
Andreas Schneider GPG-ID: CC014E3D
www.samba.org
From 4e2a4957e2e8f807ac2f73646bcb10946bdbfc96 Mon Sep 17 00:00:00 2001
Date: Fri, 20 Apr 2018 11:24:30 +0200
Subject: [PATCH 1/5] nsswitch: Add a test looking up the user using the upn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
---
nsswitch/tests/test_wbinfo_name_lookup.sh | 9 +++++++--
source3/selftest/tests.py | 2 +-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh
index 696e25b3a2a..a8fd5ec4d99 100755
--- a/nsswitch/tests/test_wbinfo_name_lookup.sh
+++ b/nsswitch/tests/test_wbinfo_name_lookup.sh
@@ -8,8 +8,9 @@ exit 1;
fi
DOMAIN=$1
-DC_USERNAME=$2
-shift 2
+REALM=$2
+DC_USERNAME=$3
+shift 3
failed=0
sambabindir="$BINDIR"
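Review bot: the script now takes three positional parameters (DOMAIN, REALM, DC_USERNAME) and does `shift 3`, but the argument-count check and usage text that lead to the `exit 1;` just above this hunk are not touched; if that check still requires only two arguments, a caller passing DOMAIN and USERNAME gets an empty `DC_USERNAME` instead of a usage error. Update that check and the usage line to require three arguments.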
@@ -22,6 +23,10 @@ testit "name-to-sid.single-separator" \
$wbinfo -n $DOMAIN/$DC_USERNAME || \
failed=$(expr $failed + 1)
+testit "name-to-sid.upn" \
+ failed=$(expr $failed + 1)
+
# Two separator characters should fail
testit_expect_failure "name-to-sid.double-separator" \
$wbinfo -n $DOMAIN//$DC_USERNAME || \
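Review bot: the new `testit "name-to-sid.upn" \` line continues straight into `+ failed=$(expr $failed + 1)`, so the `$wbinfo -n` command under test is missing from the hunk as shown and the backslash continuation dangles; as posted the block does not run. Please resend with the lookup line (mirroring the `name-to-sid.single-separator` test above, something like `$wbinfo -n $DC_USERNAME@$REALM || \`) so the new case can actually be reviewed.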
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 06bda707ddb..5522f4b35d1 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -214,7 +214,7 @@ plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env,
plantestsuite("samba3.wbinfo_name_lookup", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_name_lookup.sh"),
- '$DOMAIN', '$DC_USERNAME' ])
+ '$DOMAIN', '$REALM', '$DC_USERNAME' ])
t = "WBCLIENT-MULTI-PING"
plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
--
2.16.3
From 2887602b86e89f5a102513b78fc3d91f143fd896 Mon Sep 17 00:00:00 2001
Date: Fri, 20 Apr 2018 09:38:24 +0200
Subject: [PATCH 2/5] selftest: Add a user with a different userPrincipalName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
---
selftest/target/Samba4.pm | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 51a175b25e8..5353779292e 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -877,7 +877,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
}
# Create to users alice and bob!
- my $user_account_array = ["alice", "bob"];
+ my $user_account_array = ["alice", "bob", "jane"];
my $samba_tool_cmd = "";
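Review bot: the comment `# Create to users alice and bob!` directly above the changed line is now wrong twice over: it should read "two users", and the array also creates `jane`. Update it to list the three accounts and say why `jane` exists (she gets a distinct userPrincipalName for the UPN lookup test).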
@@ -892,6 +892,23 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
}
}
+ my $ldbmodify = "";
+ $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+ $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
+
+ my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+ my $user_dn = "cn=jane,cn=users,$base_dn";
+
+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+ print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+-
+";
+ close(LDIF);
+
return $ret;
}
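Review bot: the LDIF has `replace: userPrincipalName` followed directly by the `-` terminator with no `userPrincipalName: ...` value line, so as shown the modify clears jane's UPN rather than setting the different one the subject line promises; the value line may have been lost in the mail, so please confirm what is actually applied. Also the return values of `open(LDIF, "|$ldbmodify -H ...")` and `close(LDIF)` are unchecked, so a failing `ldbmodify` would leave the environment without the UPN and the test would fail later with a confusing error; `die` on failure of either, and prefer a lexical filehandle over the bareword `LDIF`.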
--
2.16.3
From f54859bf99e5984013e73a80a171104858692339 Mon Sep 17 00:00:00 2001
Date: Fri, 20 Apr 2018 11:20:44 +0200
Subject: [PATCH 3/5] nsswitch:tests: Add test for wbinfo --user-info
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
---
nsswitch/tests/test_wbinfo_user_info.sh | 77 +++++++++++++++++++++++++++++++++
source3/selftest/tests.py | 4 ++
2 files changed, 81 insertions(+)
create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
new file mode 100755
index 00000000000..8d49b2a4f22
--- /dev/null
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+# Blackbox test for wbinfo lookup for account name and upn
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+EOF
+exit 1;
+fi
+
+DOMAIN=$1
+REALM=$2
+USERNAME1=$3
+UPN_NAME1=$4
+USERNAME2=$5
+UPN_NAME2=$6
+shift 6
+
+failed=0
+
+samba_bindir="$BINDIR"
+wbinfo_tool="$VALGRIND $samba_bindir/wbinfo"
+
+
+. $(dirname $0)/../../testprogs/blackbox/subunit.sh
+
+test_user_info()
+{
+ local cmd out ret user domain upn userinfo
+
+ domain="$1"
+ user="$2"
+ upn="$3"
+
+ if [ $# -lt 3 ]; then
+ userinfo="$domain/$user"
+ else
+ userinfo="$upn"
+ fi
+
+ cmd='$wbinfo_tool --user-info $userinfo'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep "$domain/$user:.*:.*:.*::/home/$domain/Domain Users/$user"
+ ret=$?
+ if [ $ret != 0 ]; then
+ echo "failed to lookup $userinfo"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1)
+
+testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1)
+testit_expect_failure "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
+
+testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1)
+testit_expect_failure "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
+
+exit $failed
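Review bot: the UPN test lines near the bottom reference `$UPN1` and `$UPN2`, but the script only ever sets `UPN_NAME1=$4` and `UPN_NAME2=$6`, so both expand to nothing: `testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1` runs wbinfo with no name, and `test_user_info $DOMAIN $USERNAME1 $UPN1` is called with two arguments and takes the `userinfo="$domain/$user"` branch, so the UPN path is never exercised and the `testit_expect_failure` cases for `$USERNAME2` would likely pass for the wrong reason. Rename them to `$UPN_NAME1`/`$UPN_NAME2`. The usage check `if [ $# -lt 5 ]` also disagrees with the six positional parameters the script consumes (`UPN_NAME2=$6`, `shift 6`); make it `-lt 6`. `$REALM` is assigned but never used.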
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 5522f4b35d1..b836a9a1a95 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -215,6 +215,10 @@ plantestsuite("samba3.wbinfo_name_lookup", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_name_lookup.sh"),
'$DOMAIN', '$REALM', '$DC_USERNAME' ])
+plantestsuite("samba3.wbinfo_user_info", env,
+ [ os.path.join(srcdir(),
+ "nsswitch/tests/test_wbinfo_user_info.sh"),
+ '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
t = "WBCLIENT-MULTI-PING"
plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""])
plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"])
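Review bot: the values passed in the UPN_NAME positions, `'alice'` and `'jane.doe'`, carry no realm suffix, and the script never uses the `'$REALM'` argument it receives, so as written they will be looked up as plain account names rather than as UPNs (a UPN has the form user@realm). If the selftest accounts have UPNs in `$REALM`, pass `'alice@$REALM'` and `'jane.doe@$REALM'` here, or have the script append `@$REALM` itself.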
--
2.16.3
From 1a544bcec42ad0bebdc3ade403e110d8c8c60acb Mon Sep 17 00:00:00 2001
Date: Fri, 20 Apr 2018 10:46:14 +0200
Subject: [PATCH 4/5] winbind: Fix looking up the user via the UPN
This fixes the lookup if the userPrincipalName is different from the
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
---
nsswitch/tests/test_wbinfo_user_info.sh | 4 ++--
source3/winbindd/winbindd_lookupname.c | 4 +---
source3/winbindd/winbindd_util.c | 1 -
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
index 8d49b2a4f22..d9c90153631 100755
--- a/nsswitch/tests/test_wbinfo_user_info.sh
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -69,9 +69,9 @@ testit "user_info.domain.$USERNAME1" test_user_info $DOMAIN $USERNAME1 || failed
testit "user_info.upn.$UPN_NAME1" test_user_info $DOMAIN $USERNAME1 $UPN1 || failed=$(expr $failed + 1)
testit "name_to_sid.domain.$USERNAME2" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME2 || failed=$(expr $failed + 1)
-testit_expect_failure "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME2" $wbinfo_tool --name-to-sid $UPN2 || failed=$(expr $failed + 1)
testit "user_info.domain.$USERNAME2" test_user_info $DOMAIN $USERNAME2 || failed=$(expr $failed + 1)
-testit_expect_failure "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME2" test_user_info $DOMAIN $USERNAME2 $UPN2 || failed=$(expr $failed + 1)
exit $failed
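Review bot: the two lines switched from `testit_expect_failure` to `testit` still pass `$UPN2`, a variable the script never sets (the sixth argument is stored in `UPN_NAME2`), so `wbinfo --name-to-sid $UPN2` runs without a name and `test_user_info $DOMAIN $USERNAME2 $UPN2` takes the `$domain/$user` branch; until that is fixed these tests do not demonstrate that the UPN lookup works. Use `$UPN_NAME2` here and `$UPN_NAME1` in the preceding context line.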
diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
index b02269155f1..79d49e33cef 100644
--- a/source3/winbindd/winbindd_lookupname.c
+++ b/source3/winbindd/winbindd_lookupname.c
@@ -62,12 +62,10 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
if (p != NULL) {
/* upn */
domname = p + 1;
- *p = '\0';
- name = request->data.name.name;
} else {
domname = "";
- name = request->data.name.name;
}
+ name = request->data.name.name;
}
} else {
domname = request->data.name.dom_name;
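Review bot: after this change the UPN branch passes the full `user@realm` string down as `name` while `domname` points at the realm part of the same buffer; nothing at the `/* upn */` comment says so, and a later reader is likely to restore the `*p = '\0'` truncation as an obvious fix. Expand that comment to state that the whole principal is deliberately kept because the sAMAccountName may differ from the UPN prefix and the backend has to resolve the UPN as given, which is the clarification Jeremy asks for further down the thread.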
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 9973c78d00f..afd1df05224 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1589,7 +1589,6 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user)
fstrcpy(domain, lp_workgroup());
} else if (p != NULL) {
fstrcpy(domain, p + 1);
- user[PTR_DIFF(p, domuser)] = 0;
} else {
return False;
}
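Review bot: dropping `user[PTR_DIFF(p, domuser)] = 0;` means that for the `user@realm` form `user` now keeps the `@realm` suffix while `domain` is set to the realm, so the pair no longer satisfies the old split contract. The function's header comment should say that for a UPN the full principal is returned in `user`, and every caller of `parse_domain_user()` that concatenates `domain` and `user` back together or compares `user` against an account name needs to be checked for that case.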
--
2.16.3
From d251d34d42812e9ef5a9b1be37135d277a016015 Mon Sep 17 00:00:00 2001
Date: Thu, 19 Apr 2018 15:05:27 +0200
Subject: [PATCH 5/5] winbind: Ensure we store correct domain name in the cache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
---
source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 9f9e8781c21..5ee59c36ccc 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1838,23 +1838,45 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
if (domain->online &&
(NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) {
enum lsa_SidType save_type = *type;
+ char *real_domain_name = NULL;
+ char *real_name = NULL;
if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
save_type = SID_NAME_UNKNOWN;
}
- wcache_save_name_to_sid(domain, status, domain_name, name, sid,
+ status = domain->backend->sid_to_name(domain,
+ mem_ctx,
+ sid,
+ &real_domain_name,
+ &real_name,
+ type);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ wcache_save_name_to_sid(domain,
+ status,
+ real_domain_name,
+ real_name,
+ sid,
save_type);
/* Only save the reverse mapping if this was not a UPN */
- if (!strupper_m(discard_const_p(char, domain_name))) {
+ if (!strupper_m(real_domain_name)) {
return NT_STATUS_INVALID_PARAMETER;
}
- (void)strlower_m(discard_const_p(char, name));
- wcache_save_sid_to_name(domain, status, sid,
- domain_name, name, save_type);
+ (void)strlower_m(real_name);
+ wcache_save_sid_to_name(domain,
+ status,
+ sid,
+ real_domain_name,
+ real_name,
+ save_type);
}
+ TALLOC_FREE(real_domain_name);
+ TALLOC_FREE(real_name);
}
return status;
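Review bot: the enclosing `if` is entered for `NT_STATUS_NONE_MAPPED` as well as for success, but the new `domain->backend->sid_to_name()` call then runs against a `sid` the forward lookup never filled in, and its failure is returned to the caller, so the negative result is no longer cached and the caller sees a backend error instead of `NT_STATUS_NONE_MAPPED`. A transient failure of the reverse lookup likewise turns a successful name-to-SID lookup into an error, and `*type` is overwritten after `save_type` was already taken from it. Suggest keeping the forward status in its own variable, calling `sid_to_name()` only when that status is OK, and on failure skipping the cache write and returning the forward status unchanged. The comment `/* Only save the reverse mapping if this was not a UPN */` is also stale now that the reverse mapping is always written from the returned names.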
--
2.16.3
Andreas Schneider via samba-technical
2018-04-26 05:26:34 UTC
Permalink
On Mon, Apr 23, 2018 at 04:44:37PM +0200, Andreas Schneider via samba-
Post by Andreas Schneider via samba-technical
Post by Stefan Metzmacher via samba-technical
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look at the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belong), so why can't we pass this up to the
caller and use it instead of checking the given name format to look up the
domain name after obtaining the SID?
What do you think about this patch?
sAMAccountName: some
REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM
back 'ADDOM\some' instead of 'ADDOM\some.one'.
We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().
Attached are tests for UPNs and fixes for it.
OK Andreas, I'm reviewing this and I'd like some clarification
[PATCH 4/5] winbind: Fix looking up the user via the UPN
source3/winbindd/winbindd_lookupname.c
source3/winbindd/winbindd_util.c
In my understanding both of these fixes are ensuring that
is not being split into domname=realm, name=user
Yes ? Can you add a comment explaining what
is being passed to winbindd and why that change
is needed, as well as a comment for the change
in parse_domain_user() that explains why returning
the upn user name is correct.
I believe you're right :-), but this stuff is
tricky enough that more comments here might help
in future.
Thanks Jeremy, metze wants some changes in this patch and already sent me a
patch he started to work on. I will look into that today and make sure it
works. I will add the comments and send a new patchset.


Andreas
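The cache behaviour Samuel, metze and Jeremy are discussing, reduced to a toy model in C. This is an added illustration, not Samba code: `lookup_names` is a stand-in for the LSA LookupNames call, and the directory contents and SIDs are constructed; the domain name ADDOM, the account `some` and its UPN `some.one@AD.EXAMPLE.PRIVATE` are the values from metze's message. It shows why the SID-to-name cache entry has to be written from the canonical names the directory returns rather than from the string the caller supplied: resolving the UPN naively leaves `ADDOM\some.one` in the cache, resolving it with the returned names leaves `ADDOM\some`.

```c
/*
 * Added example, not Samba code: toy model of the cache issue in this thread:
 * the SID->name entry written after a name->SID lookup must use the canonical
 * names the directory returned, not the caller's string. ADDOM, "some" and
 * "some.one@AD.EXAMPLE.PRIVATE" are metze's values; the SIDs are made up.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct account { const char *sam_account_name, *upn, *sid; };
struct cache_entry { char sid[64]; char mapped[128]; };

static const char NTDOMAIN[] = "ADDOM";

/* Constructed sample directory standing in for the AD domain. */
static const struct account directory[] = {
	{ "some",  "some.one@AD.EXAMPLE.PRIVATE", "S-1-5-21-1-2-3-1105" },
	{ "alice", "alice@AD.EXAMPLE.PRIVATE",    "S-1-5-21-1-2-3-1106" },
};

/* Minimal SID -> "DOMAIN\name" cache: one slot per SID, latest write wins. */
static struct cache_entry sid_cache[8];
static size_t sid_cache_len;

/* Stand-in for LSA LookupNames: takes "DOMAIN\user", "DOMAIN/user" or a UPN
 * and returns the SID plus the referenced domain and sAMAccountName (the
 * information Samuel notes the real call already provides). */
static const char *lookup_names(const char *input,
				const char **dom_out, const char **name_out)
{
	const char *sep = strpbrk(input, "\\/");
	size_t i, dlen = strlen(NTDOMAIN);
	for (i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
		const struct account *a = &directory[i];
		int hit;
		if (sep != NULL) {
			hit = (size_t)(sep - input) == dlen &&
			      strncasecmp(input, NTDOMAIN, dlen) == 0 &&
			      strcasecmp(sep + 1, a->sam_account_name) == 0;
		} else if (strchr(input, '@') != NULL) {
			hit = strcasecmp(input, a->upn) == 0;
		} else {
			hit = strcasecmp(input, a->sam_account_name) == 0;
		}
		if (hit) {
			*dom_out = NTDOMAIN;
			*name_out = a->sam_account_name;
			return a->sid;
		}
	}
	return NULL;
}

/* Store (or overwrite) the reverse mapping for sid; returns the cached text. */
static const char *cache_store_sid_to_name(const char *sid, const char *dom,
					   const char *name)
{
	size_t i;
	for (i = 0; i < sid_cache_len && strcmp(sid_cache[i].sid, sid) != 0; i++)
		;
	if (i == sid_cache_len) {
		if (i == sizeof(sid_cache) / sizeof(sid_cache[0])) {
			return NULL; /* toy cache full; a real one would evict */
		}
		sid_cache_len++;
		snprintf(sid_cache[i].sid, sizeof(sid_cache[i].sid), "%s", sid);
	}
	snprintf(sid_cache[i].mapped, sizeof(sid_cache[i].mapped), "%s\\%s",
		 dom, name);
	return sid_cache[i].mapped;
}

/* Resolve a name and fill the reverse cache. use_canonical == 0 cuts the name
 * out of the caller's string (UPN prefix before '@', or the part after the
 * domain separator), the behaviour the thread describes as broken;
 * use_canonical == 1 stores what the lookup returned. NULL if unresolved. */
static const char *resolve_and_cache(const char *input, int use_canonical)
{
	const char *dom, *name, *sid;
	char derived[128];
	sid = lookup_names(input, &dom, &name);
	if (sid == NULL) {
		return NULL;
	}
	if (!use_canonical) {
		const char *sep = strpbrk(input, "\\/");
		const char *start = sep != NULL ? sep + 1 : input;
		const char *at = strchr(start, '@');
		int n = at != NULL ? (int)(at - start) : (int)strlen(start);
		snprintf(derived, sizeof(derived), "%.*s", n, start);
		dom = NTDOMAIN;
		name = derived;
	}
	return cache_store_sid_to_name(sid, dom, name);
}
```

The `use_canonical == 0` path models the behaviour the thread describes, where the reverse entry is derived from the requested string; the `use_canonical == 1` path models writing the names the backend returned, which is what both the fifth patch's `sid_to_name` round trip and Samuel's suggestion to pass the referenced domain up from LookupNames achieve.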

Heiner Lesaar via samba-technical
2018-04-21 12:19:45 UTC
Permalink
Thank you all for replying to my request.

I can confirm that using Samba 4.8 fixed this in our case.

Have a nice weekend and regards,

Heiner



Sent from my iPhone
Post by Andreas Schneider via samba-technical
Post by Stefan Metzmacher via samba-technical
Hi Samuel,
Post by Samuel Cabrero via samba-technical
I had a look at the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belong), so why can't we pass this up to the
caller and use it instead of checking the given name format to look up the
domain name after obtaining the SID?
What do you think about this patch?
sAMAccountName: some
REALM: AD.EXAMPLE.PRIVATE
DOMAIN: ADDOM
back 'ADDOM\some' instead of 'ADDOM\some.one'.
We may need to avoid using wcache_save_sid_to_name()
within wb_cache_name_to_sid().
I've started to write tests for this issue and fixed looking up the user
if the UPN name doesn't match the account name.
Samuel, I think we should first have a minimal fix which is easy to backport
to 4.7. We could look into your rewrite once we have tests.
Does that make sense?
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
www.samba.org