s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes
authorStefan Metzmacher <metze@samba.org>
Tue, 5 Jun 2018 03:24:03 +0000 (05:24 +0200)
committerRalph Boehme <slow@samba.org>
Sat, 22 Feb 2025 16:00:36 +0000 (16:00 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
selftest/knownfail.d/upn_handling
source4/rpc_server/lsa/lsa_lookup.c

index bcbedb4f90311a8fabb62ed3c704df6ed1a8fa1e..7527da4cc42827c644d82fb8adc166c551ffb60c 100644 (file)
@@ -1,5 +1,3 @@
-^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
-^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
 ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
 ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
 ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
index b211d312d591221f88399dd78c6175398fc57162..a5d62726a86a33ea2673ed028026dba10e114a72 100644 (file)
@@ -1819,7 +1819,6 @@ static NTSTATUS dcesrv_lsa_lookup_name_account(
 
        if (!try_lookup) {
                const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
-               const struct lsa_ForestTrustDomainInfo *di = NULL;
 
                if (state->routing_table == NULL) {
                        status = dsdb_trust_routing_table_load(policy_state->sam_ldb,
@@ -1830,9 +1829,19 @@ static NTSTATUS dcesrv_lsa_lookup_name_account(
                        }
                }
 
-               tdo = dsdb_trust_domain_by_name(state->routing_table,
-                                               item->hints.namespace,
-                                               &di);
+               if (item->hints.domain != item->hints.namespace) {
+                       /*
+                        * This means the client asked for an UPN,
+                        * we need to find the domain by toplevel
+                        * name in order to handle uPNSuffixes too.
+                        */
+                       tdo = dsdb_trust_routing_by_name(state->routing_table,
+                                                        item->hints.namespace);
+               } else {
+                       tdo = dsdb_trust_domain_by_name(state->routing_table,
+                                                       item->hints.namespace,
+                                                       NULL);
+               }
                if (tdo == NULL) {
                        /*
                         * The name is not resolvable at all...
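Review bot: The new condition `item->hints.domain != item->hints.namespace` compares the two strings by pointer identity rather than by content, and nothing in the hunk says that this is deliberate. It is only correct if the code that fills `item->hints` (outside this hunk) stores the very same pointer in both fields for non-UPN names. If either field is ever duplicated or normalised separately, a plain domain name would take the `dsdb_trust_routing_by_name()` path and could resolve to a trust through a top-level name or uPNSuffix instead of an exact domain match. I would extend the existing comment with something like `/* pointer comparison is intentional: hints.namespace aliases hints.domain unless the client passed user@suffix */`, or have the parser set an explicit flag. The else branch now passes `NULL` as the last argument of `dsdb_trust_domain_by_name()`, which presumably is accepted there but is not visible here; the enclosing function starts and ends outside the hunk.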