libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2

Windows 2008R2 (172.31.9.133) returns the following:

 #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

While the current Samba (172.31.9.163) returns the following:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 result was NT_STATUS_INVALID_SID
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 S-1-3 *unknown*\*unknown* (8)

With this change also return the same as Windows 2008R2:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

This is a minimal fix in order to avoid crashes in the Windows Explorer.
The real fix needs more work and additional tests, as the behavior seems
to be different in newer Windows releases.

The following patch will let us behave like Windows 2022/2025...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 9f369c62317d74615834f99a088caababef685fc)

diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda7493e0383b7adc3eabb208107c360..d7631374af110456beccebe297b7d299e6845904 100644 (file)
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -1068,7 +1068,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
                                       const char **authority_name)
 {
        size_t di;
-       bool match_domain = false;
 
        *name = NULL;
        *type = SID_NAME_UNKNOWN;
@@ -1090,8 +1089,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
                        continue;
                }
 
-               match_domain = true;
-
                for (ni = 0; ni < d->num_names; ni++) {
                        const struct predefined_name_mapping *n =
                                &d->names[ni];
@@ -1109,7 +1106,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
                }
        }
 
-       if (!match_domain) {
+       if (sid->num_auths == 0) {
                return NT_STATUS_INVALID_SID;
        }
 

diff --git a/selftest/knownfail.d/samba.tests.dcerpc.lsa b/selftest/knownfail.d/samba.tests.dcerpc.lsa
index 1cd75e20d8472b9132681f342b729ba0992d17a4..a0cc4ec1b37a8a05180d4fb4a2d1bc581677c18e 100644 (file)
--- a/selftest/knownfail.d/samba.tests.dcerpc.lsa
+++ b/selftest/knownfail.d/samba.tests.dcerpc.lsa
@@ -1 +1,2 @@
 ^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_invalid_sid
+^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_some_not_mapped