1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00

cracknames: Add support for SID string format

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Joseph Sutton 2021-03-30 16:00:04 +13:00 committed by Andrew Bartlett
parent 3e531bb885
commit 6b57583830
4 changed files with 31 additions and 7 deletions
selftest/knownfail.d
source4
dsdb/samdb
torture

View File

@ -1 +0,0 @@
^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind\(fl2008r2dc\)

View File

@ -889,6 +889,9 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
const char * const _domain_attrs_sid[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_sid[] = { "objectSid", NULL};
const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
const char * const _result_attrs_none[] = { NULL};
@ -923,6 +926,10 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
domain_attrs = _domain_attrs_spn;
result_attrs = _result_attrs_spn;
break;
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
domain_attrs = _domain_attrs_sid;
result_attrs = _result_attrs_sid;
break;
default:
domain_attrs = _domain_attrs_none;
result_attrs = _result_attrs_none;
@ -1271,12 +1278,25 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
}
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: {
info1->dns_domain_name = NULL;
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
if (sid == NULL) {
info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
return WERR_OK;
}
info1->result_name = dom_sid_string(mem_ctx, sid);
W_ERROR_HAVE_NO_MEMORY(info1->result_name);
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
info1->result_name = ldb_msg_find_attr_as_string(result, "userPrincipalName", NULL);
if (!info1->result_name) {
@ -1487,6 +1507,12 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
/*
* Here we only consider a subset of the possible name forms listed in
* [MS-ADTS] 5.1.1.1.1, and we don't retry with a different name form if
* the first attempt fails.
*/
if (strchr_m(name, '=')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
} else if (strchr_m(name, '@')) {
@ -1495,6 +1521,8 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
} else if (strchr_m(name, '/')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
} else if ((name[0] == 'S' || name[0] == 's') && name[1] == '-') {
format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
} else {
return NT_STATUS_NO_SUCH_USER;
}

View File

@ -60,8 +60,7 @@ class DrsCracknamesTestCase(drs_base.DrsBaseTestCase):
drsuapi.DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
# We currently don't support this
# drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
# This format is not supported by Windows (or us)
# drsuapi.DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN,
}

View File

@ -129,7 +129,6 @@ static bool test_DsCrackNamesMatrix(struct torture_context *tctx,
break;
case DRSUAPI_DS_NAME_FORMAT_UNKNOWN: /* should fail as we ask server to convert to Unknown format */
case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
if (r.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR) {
err_msg = talloc_asprintf(mem_ctx,
"Unexpected error (%d): This name lookup should fail",
@ -156,7 +155,6 @@ static bool test_DsCrackNamesMatrix(struct torture_context *tctx,
n_from[i] = service_principal_name;
break;
case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
n_from[i] = NULL;
break;