Use cli_credentials API in lookup_name to allow lookup by realm

When using a security tab in Windows Explorer, a lookup over a trusted forest might come as realm\name instead of NetBIOS domain name:

    --------------------------------------------------------------------
    [2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
           lsa_LookupNames3: struct lsa_LookupNames3
              in: struct lsa_LookupNames3
                  handle                   : *
                      handle: struct policy_handle
                          handle_type              : 0x00000000 (0)
                          uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
                  num_names                : 0x00000001 (1)
                  names: ARRAY(1)
                      names: struct lsa_String
                          length                   : 0x001e (30)
                          size                     : 0x0020 (32)
                          string                   : *
                              string                   : 'ipa.test\admins'
                  sids                     : *
                      sids: struct lsa_TransSidArray3
                          count                    : 0x00000000 (0)
                          sids                     : NULL
                  level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
                  count                    : *
                      count                    : 0x00000000 (0)
                  lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
                  client_revision          : LSA_CLIENT_REVISION_2 (2)
    --------------------------------------------------------------------

Allow this lookup using realm to be done against the primary domain.

Refactor user name parsing code to reuse cli_credentials_* API to be consistent with other places. cli_credentials_parse_string() handles both domain and realm-based user name variants.

Ensure the cli_credentials test suite validates that expected user and group name formats are parsed properly.

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Alexander Bokovoy
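
The name forms discussed in the description above, as an added stand-alone example (not Samba code and not the `cli_credentials_parse_string()` implementation): it splits a lookup name into qualifier and account name, then accepts the qualifier as the primary domain when it matches either the NetBIOS name or the realm. The type and function names are hypothetical, the NetBIOS name `IPA` is an assumption, and the `name@realm` form goes beyond the single `realm\name` case shown in the log.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result type for this example (not a Samba structure). */
struct parsed_name {
    char qualifier[256]; /* domain or realm part; empty for an isolated name */
    char name[256];      /* user or group name */
};

/* Copy len bytes into dst; reject empty or oversized parts. */
static bool copy_part(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len == 0 || len >= dstsz) return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Split "QUALIFIER\name" or "name@QUALIFIER"; an unqualified name is kept whole. */
static bool parse_lookup_name(const char *in, struct parsed_name *out)
{
    const char *sep;
    memset(out, 0, sizeof(*out));
    if (in == NULL) return false;
    if ((sep = strchr(in, '\\')) != NULL)
        return copy_part(out->qualifier, sizeof(out->qualifier), in, (size_t)(sep - in)) &&
               copy_part(out->name, sizeof(out->name), sep + 1, strlen(sep + 1));
    if ((sep = strrchr(in, '@')) != NULL)
        return copy_part(out->name, sizeof(out->name), in, (size_t)(sep - in)) &&
               copy_part(out->qualifier, sizeof(out->qualifier), sep + 1, strlen(sep + 1));
    return copy_part(out->name, sizeof(out->name), in, strlen(in));
}

/* True when the qualifier is the primary domain's NetBIOS name or its realm. */
static bool is_primary_domain(const struct parsed_name *p, const char *netbios, const char *realm)
{
    return p->qualifier[0] != '\0' &&
           (strcasecmp(p->qualifier, netbios) == 0 || strcasecmp(p->qualifier, realm) == 0);
}

int main(void)
{
    /* Constructed inputs; "IPA" as the NetBIOS name is an assumption. */
    const char *samples[] = { "ipa.test\\admins", "IPA\\admins", "admins@IPA.TEST", "other.test\\admins" };
    struct parsed_name p;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (parse_lookup_name(samples[i], &p))
            printf("%s -> name=%s primary=%d\n", samples[i], p.name, is_primary_domain(&p, "IPA", "ipa.test"));
    return 0;
}
```

A qualifier that matches neither form, such as `other.test`, is reported as not primary, and an isolated name is left for the caller to resolve rather than being treated as a primary-domain match.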