Fix UPNs handling in lookup_name*() calls

resolves: rhbz#2078838

samba-4-15-smbd-upn.patch

@@ -0,0 +1,273 @@
+From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:10:56 +0200
+Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884)
+---
+ source3/passdb/lookup_sid.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index a551bcfd24a..3a28cdc68a6 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -1,4 +1,4 @@
+-/* 
++/*
+    Unix SMB/CIFS implementation.
+    uid/user handling
+    Copyright (C) Andrew Tridgell         1992-1998
+@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
+  If an explicit domain name was given in the form domain\user, it
+  has to try that. If no explicit domain name was given, we have
+  to do guesswork.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 		 const char *full_name, int flags,
+@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 		goto ok;
+ 	}
+ 
+-	/* 6. Builtin aliases */	
++	/* 6. Builtin aliases */
+ 
+ 	if ((flags & LOOKUP_NAME_BUILTIN) &&
+ 	    lookup_builtin_name(name, &rid))
+@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+ 	}
+ 
+ 	/* First build up the data structures:
+-	 * 
++	 *
+ 	 * dom_infos is a list of domains referenced in the list of
+ 	 * SIDs. Later we will walk the list of domains and look up the RIDs
+ 	 * in bulk.
+@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+ 
+ /*****************************************************************
+  *THE CANONICAL* convert SID to name function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 		const char **ret_domain, const char **ret_name,
+@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 		goto done;
+ 	}
+ 
+-	if ((ret_name != NULL) && 
++	if ((ret_name != NULL) &&
+ 	    !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
+ 		goto done;
+ 	}
+@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 
+ /*****************************************************************
+  *THE LEGACY* convert SID to id function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id)
+ {
+@@ -1465,7 +1465,7 @@ fail:
+ 
+ /*****************************************************************
+  *THE CANONICAL* convert SID to uid function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ {
+@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ /*****************************************************************
+  *THE CANONICAL* convert SID to gid function.
+  Group mapping is used for gids that maps to Wellknown SIDs
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
+ {
+-- 
+2.36.0
+
+
+From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:12:02 +0200
+Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name()
+
+This address an issue if sssd is running and handling nsswitch. If we look up
+a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd
+structure. We need to be able to deal with that.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83)
+---
+ source3/passdb/lookup_sid.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index 3a28cdc68a6..c14d7a7b123 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 					PTR_DIFF(p, full_name));
+ 		name = talloc_strdup(tmp_ctx, p+1);
+ 	} else {
+-		domain = talloc_strdup(tmp_ctx, "");
+-		name = talloc_strdup(tmp_ctx, full_name);
++		char *q = strchr_m(full_name, '@');
++
++		/* Set the domain for UPNs */
++		if (q != NULL) {
++			name = talloc_strndup(tmp_ctx,
++					      full_name,
++					      PTR_DIFF(q, full_name));
++			domain = talloc_strdup(tmp_ctx, q + 1);
++		} else {
++			domain = talloc_strdup(tmp_ctx, "");
++			name = talloc_strdup(tmp_ctx, full_name);
++		}
+ 	}
+ 
+ 	if ((domain == NULL) || (name == NULL)) {
+-- 
+2.36.0
+
+
+From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 12:26:25 +0200
+Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in
+ lookup_name_smbconf()
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27)
+---
+ source3/passdb/lookup_sid.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index c14d7a7b123..dbea5578f92 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		 const char **ret_domain, const char **ret_name,
+ 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+-	char *qualified_name;
++	char *qualified_name = NULL;
+ 	const char *p;
+ 
+ 	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
+@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		/* The name is already qualified with a domain. */
+ 
+ 		if (*lp_winbind_separator() != '\\') {
+-			char *tmp;
+-
+ 			/* lookup_name() needs '\\' as a separator */
+ 
+-			tmp = talloc_strdup(mem_ctx, full_name);
+-			if (!tmp) {
++			qualified_name = talloc_strdup(mem_ctx, full_name);
++			if (qualified_name == NULL) {
+ 				return false;
+ 			}
+-			tmp[p - full_name] = '\\';
+-			full_name = tmp;
++			qualified_name[p - full_name] = '\\';
++			full_name = qualified_name;
+ 		}
+ 
+ 		return lookup_name(mem_ctx, full_name, flags,
+-- 
+2.36.0
+
+
+From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:24:10 +0200
+Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf()
+
+This will be changed to support UPNs too in the next patch.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc)
+---
+ source3/passdb/lookup_sid.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index dbea5578f92..de9dd123239 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+ 	char *qualified_name = NULL;
+-	const char *p;
++	const char *p = strchr_m(full_name, *lp_winbind_separator());
++	bool is_qualified = p != NULL;
+ 
+-	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
++	if (is_qualified) {
+ 
+ 		/* The name is already qualified with a domain. */
+ 
+-		if (*lp_winbind_separator() != '\\') {
++		if (p != NULL && *lp_winbind_separator() != '\\') {
+ 			/* lookup_name() needs '\\' as a separator */
+ 
+ 			qualified_name = talloc_strdup(mem_ctx, full_name);
+-- 
+2.36.0
+
+
+From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:39:12 +0200
+Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in
+ lookup_name_smbconf()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554)
+---
+ source3/passdb/lookup_sid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index de9dd123239..426ea3f81bd 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ {
+ 	char *qualified_name = NULL;
+ 	const char *p = strchr_m(full_name, *lp_winbind_separator());
+-	bool is_qualified = p != NULL;
++	bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL;
+ 
++	/* For DOMAIN\user or user@REALM directly call lookup_name(). */
+ 	if (is_qualified) {
+ 
+ 		/* The name is already qualified with a domain. */
+-- 
+2.36.0
+

samba.spec

@@ -132,7 +132,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 107
+%global baserelease 108
 
 %global samba_version 4.15.5
 %global talloc_version 2.3.3
@@ -214,6 +214,7 @@ Patch9:         samba-4-15-fix-winbind-refresh-tickets.patch
 Patch10:        samba-4-15-fix-create-local-krb5-conf.patch
 Patch11:        samba-4-15-username-map.patch
 Patch12:        samba-4-15-kerberos-clock-skew.patch
+Patch13:        samba-4-15-smbd-upn.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -4112,6 +4113,9 @@ fi
 %endif
 
 %changelog
+* Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-108
+- resolves: rhbz#2078838 - Fix UPNs handling in lookup_name*() calls
+
 * Wed Apr 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-106
 - resolves: rhbz#2065376 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
 - resolves: rhbz#2076504 - PAM Kerberos authentication fails with a clock skew error