From: Stefan Metzmacher Date: Fri, 10 Mar 2023 14:05:15 +0000 (+0100) Subject: s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025 X-Git-Tag: samba-4.20.8~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=846b8c0d8c7284bd17d175896327f74f644ac636;p=thirdparty%2Fsamba.git s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025 The important part is the INVALID_SID should not cause an early exit of the loop. We need to return the intact names array with the correct count. And only return INVALID_SID if we would otherwise return NONE_MAPPED. For SOME_NOT_MAPPED we need to ignore invalid sids and just pretend they are not mapped. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit 218a0f067c894cbf61cde6183a269c0474d64ddc) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Mon Feb 3 15:53:33 UTC 2025 on atb-devel-224
---
diff --git a/selftest/knownfail.d/samba.tests.dcerpc.lsa b/selftest/knownfail.d/samba.tests.dcerpc.lsa
deleted file mode 100644
index a0cc4ec1b37..00000000000
--- a/selftest/knownfail.d/samba.tests.dcerpc.lsa
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_invalid_sid
-^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_some_not_mapped
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index ca3ad4f961e..6cfbbb3cb38 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -35,6 +35,7 @@ struct dcesrv_lsa_TranslatedItem {
 uint32_t flags;
 uint32_t wb_idx;
 bool done;
+ bool invalid_sid;
 struct {
 const char *domain; /* only $DOMAIN\ */
 const char *namespace; /* $NAMESPACE\ or @$NAMESPACE */
@@ -380,6 +381,10 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_call(struct dcesrv_lsa_LookupSids_bas
 status = view->lookup_sid(state, item);
 if (NT_STATUS_IS_OK(status)) {
 item->done = true;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_SID)) {
+ item->done = true;
+ item->invalid_sid = true;
+ status = NT_STATUS_OK;
 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
 status = NT_STATUS_OK;
 } else if (NT_STATUS_EQUAL(status, NT_STATUS_SOME_NOT_MAPPED)) {
@@ -438,6 +443,7 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_finish(
 struct dcesrv_lsa_LookupSids_base_state *state)
 {
 struct lsa_LookupSids3 *r = &state->r;
+ uint32_t num_invalid_sid = 0;
 uint32_t i;
 for (i=0;iin.sids->num_sids;i++) {
@@ -470,9 +476,18 @@ static NTSTATUS dcesrv_lsa_LookupSids_base_finish(
 if (item->type != SID_NAME_UNKNOWN) {
 (*r->out.count)++;
 }
+ if (item->invalid_sid) {
+ num_invalid_sid++;
+ }
 }
 if (*r->out.count == 0) {
+ if (num_invalid_sid != 0) {
+ for (i=0;iout.names->count;i++) {
+ r->out.names->names[i].name.string = NULL;
+ }
+ return NT_STATUS_INVALID_SID;
+ }
 return NT_STATUS_NONE_MAPPED;
 }
 if (*r->out.count != r->in.sids->num_sids) {
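Review bot: The new NT_STATUS_INVALID_SID branch marks the item done but leaves untouched whatever the view filled in before failing, while dcesrv_lsa_LookupSids_base_finish counts an item as mapped whenever `item->type != SID_NAME_UNKNOWN`. If a `lookup_sid` implementation can set the type before returning INVALID_SID (not visible in this hunk), a malformed client-supplied SID would be counted as mapped and the INVALID_SID result would never be returned. Adding `item->type = SID_NAME_UNKNOWN;` in this branch would make that invariant explicit. A short comment would also help, for example `/* an invalid SID must not abort the loop; it is reported as not mapped */`, and the new `invalid_sid` field in struct dcesrv_lsa_TranslatedItem deserves a one-line comment too. The enclosing function starts and ends outside the hunk.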
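Review bot: In the `*r->out.count == 0` branch, the clearing loop is bounded by the names count (the bound is garbled on this page, presumably `r->out.names->count`), whereas the main loop of this function is bounded by `r->in.sids->num_sids`. The two are presumably equal at this point, but nothing in the hunk establishes it, and this path is reached with client-supplied SIDs. Either use the same bound as the main loop or state the invariant in a comment. The reason every `name.string` is set to NULL only when INVALID_SID is returned is also undocumented; a comment such as `/* keep the names array and its count intact, but return no strings together with INVALID_SID */` would record the intent from the commit message. Whether the domain references in the reply need the same treatment cannot be judged from this hunk, since the function continues past its last line.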