From 981e6b51e6a4ceb8166fe9cadc48d2b374c6c1b1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Aug 2020 17:08:14 +0200 Subject: [PATCH] libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2 Windows 2008R2 (172.31.9.133) returns the following: #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' S-1-22-1 *unknown*\*unknown* (8) S-1-22-1-0 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID While the current Samba (172.31.9.163) returns the following: #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' result was NT_STATUS_INVALID_SID result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) S-1-3 *unknown*\*unknown* (8) With this change also return the same as Windows 2008R2: #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' S-1-22-1 *unknown*\*unknown* (8) S-1-22-1-0 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID This is a minimal fix in order to avoid crashes in the Windows Explorer. The real fix needs more work and additional tests, as the behavior seems to be different in newer Windows releases. The following patch will let us behave like Windows 2022/2025... BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit 9f369c62317d74615834f99a088caababef685fc) --- libcli/security/util_sid.c | 5 +---- selftest/knownfail.d/samba.tests.dcerpc.lsa | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) 
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda..d7631374af1 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -1068,7 +1068,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
 const char **authority_name)
 {
 size_t di;
- bool match_domain = false;
 *name = NULL;
 *type = SID_NAME_UNKNOWN;
@@ -1090,8 +1089,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
 continue;
 }
- match_domain = true;
-
 for (ni = 0; ni < d->num_names; ni++) {
 const struct predefined_name_mapping *n = &d->names[ni];
@@ -1109,7 +1106,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
 }
 }
- if (!match_domain) {
+ if (sid->num_auths == 0) {
 return NT_STATUS_INVALID_SID;
 }
diff --git a/selftest/knownfail.d/samba.tests.dcerpc.lsa b/selftest/knownfail.d/samba.tests.dcerpc.lsa
index 1cd75e20d84..a0cc4ec1b37 100644
--- a/selftest/knownfail.d/samba.tests.dcerpc.lsa
+++ b/selftest/knownfail.d/samba.tests.dcerpc.lsa
@@ -1 +1,2 @@
 ^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_invalid_sid
+^samba.tests.dcerpc.lsa.*.LsaTests.test_lsa_LookupSids2_some_not_mapped
-- 
2.47.2
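Review bot: The replacement guard `if (sid->num_auths == 0) {` in the third util_sid.c hunk has no comment, so the reason a bare authority is the only input rejected with NT_STATUS_INVALID_SID is recorded only in the commit message. I would add above it `/* Like Windows 2008R2: only a SID without sub-authorities (e.g. S-1-3, S-1-22) is invalid here */`. With `match_domain` removed, a SID under an authority that is absent from the predefined table but has at least one sub-authority now continues to the code after this guard, which is outside the hunk. Callers that relied on NT_STATUS_INVALID_SID to mean "not a predefined domain" should be checked against the status they now receive. The function body starts before and ends after the lines shown.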
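Review bot: The new knownfail entry `test_lsa_LookupSids2_some_not_mapped` carries no reason, so nothing in the file says why the test is expected to fail or when the entry can be dropped. The commit message states that a following patch changes the behaviour again, and this is a cherry-pick, so it is worth confirming that the follow-up is part of the same backport series. A trailing reason on the entry that points at bug 14213 would keep the expected failure traceable if the two patches are ever separated.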