s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025

The important part is the INVALID_SID should not
cause an early exit of the loop.

We need to return the intact names array with the
correct count. And only return INVALID_SID
if we would otherwise return NONE_MAPPED.

For SOME_NOT_MAPPED we need to ignore invalid sids
and just pretend they are not mapped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 218a0f067c894cbf61cde6183a269c0474d64ddc)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb  3 15:53:33 UTC 2025 on atb-devel-224

diff --git a/selftest/knownfail.d/samba.tests.dcerpc.lsa b/selftest/knownfail.d/samba.tests.dcerpc.lsa
deleted file mode 100644 (file)
index a0cc4ec..0000000
--- a/selftest/knownfail.d/samba.tests.dcerpc.lsa
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_invalid_sid
-^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_some_not_mapped

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index ca3ad4f961ed3b41648d0421f93313bcb46c096d..6cfbbb3cb3838f5bb79d9f4f6b2d0c7f5f06e7c7 100644 (file)
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -35,6 +35,7 @@ struct dcesrv_lsa_TranslatedItem {
        uint32_t flags;
        uint32_t wb_idx;
        bool done;
+       bool invalid_sid;
        struct {
                const char *domain; /* only $DOMAIN\ */
                const char *namespace; /* $NAMESPACE\ or @$NAMESPACE */
@@ -380,6 +381,10 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_call(struct dcesrv_lsa_LookupSids_bas
                        status = view->lookup_sid(state, item);
                        if (NT_STATUS_IS_OK(status)) {
                                item->done = true;
+                       } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_SID)) {
+                               item->done = true;
+                               item->invalid_sid = true;
+                               status = NT_STATUS_OK;
                        } else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
                                status = NT_STATUS_OK;
                        } else if (NT_STATUS_EQUAL(status, NT_STATUS_SOME_NOT_MAPPED)) {
@@ -438,6 +443,7 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_finish(
        struct dcesrv_lsa_LookupSids_base_state *state)
 {
        struct lsa_LookupSids3 *r = &state->r;
+       uint32_t num_invalid_sid = 0;
        uint32_t i;
 
        for (i=0;i<r->in.sids->num_sids;i++) {
@@ -470,9 +476,18 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_finish(
                if (item->type != SID_NAME_UNKNOWN) {
                        (*r->out.count)++;
                }
+               if (item->invalid_sid) {
+                       num_invalid_sid++;
+               }
        }
 
        if (*r->out.count == 0) {
+               if (num_invalid_sid != 0) {
+                       for (i=0;i<r->out.names->count;i++) {
+                               r->out.names->names[i].name.string = NULL;
+                       }
+                       return NT_STATUS_INVALID_SID;
+               }
                return NT_STATUS_NONE_MAPPED;
        }
        if (*r->out.count != r->in.sids->num_sids) {