From e7ebd291a81f2b0bd12cac1221e379c49406a858 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 30 Mar 2017 23:41:59 +0200
Subject: [PATCH 1/5] winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the local domain, otherwise something simple like this fails with WBC_ERR_DOMAIN_NOT_FOUND: $ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1 localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0 failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup sid S-1-1-0 On a member server asking our DC works and is what we're currently doing, but changing it to ask passdb avoids the overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 6b7a14b4b9c3411bd2e05383917e8fdedae51c90)
---
 selftest/knownfail | 2 --
 source3/winbindd/winbindd_util.c | 13 +++++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 6ca0244..d16d723 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -22,14 +22,12 @@
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d9a0d51..8a97e80 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1030,12 +1030,19 @@ struct winbindd_domain *find_root_domain(void)
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 {
- /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+ DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
+
+ /*
+ * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+ * by our passdb.
+ */
 if ( sid_check_is_in_unix_groups(sid) ||
 sid_check_is_unix_groups(sid) ||
 sid_check_is_in_unix_users(sid) ||
- sid_check_is_unix_users(sid) )
+ sid_check_is_unix_users(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid) )
 {
 return find_domain_from_sid(get_global_sam_sid());
 }
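Review bot: The new comment above the `if` says only that well-known SIDs go to passdb, not why, and the reason given in the commit message is what keeps a later change from routing them back to an external lookup; I would extend it to `* by our passdb. On a DC nothing else resolves them and the lookup fails` / `* with WBC_ERR_DOMAIN_NOT_FOUND; on a member server asking the DC merely` / `* adds overhead.` The same predicate pair, `sid_check_is_wellknown_domain(sid, NULL) || sid_check_is_in_wellknown_domain(sid)`, is added again to wb_lookupsids_bulk() in patch 4, so a small shared "resolved by the local SAM" predicate would keep the two routing decisions from drifting apart. The `NULL` second argument presumably discards an optional name out-parameter; only the boolean result is used here. find_lookup_domain_from_sid's body continues past the hunk.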
@@ -1044,8 +1051,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 * one to contact the external DC's. On member servers the internal
 * domains are different: These are part of the local SAM.
 */
- DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
-
 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
 DEBUG(10, ("calling find_domain_from_sid\n"));
 return find_domain_from_sid(sid);
-- 
2.9.3
From 005cd2d88c8e48638313d5e52f41c3e2314fbe00 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 31 Mar 2017 16:06:18 +0200
Subject: [PATCH 2/5] selftest: wbinfo -s tests for wellknown SIDs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 2150de3a73527850547263e853faf4f3fedca6e6)
---
 nsswitch/tests/test_wbinfo.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index cfe582d..819bc98 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -88,6 +88,26 @@ else
 echo "success: wbinfo -s check for sane mapping"
 fi
+WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5"
+
+printf "$WELL_KNOWN_SIDS" | while read SID ; do
+ read NAME
+
+ testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1`
+
+ RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z`
+ echo "$SID resolved to $RESOLVED_NAME"
+
+ echo "test: wbinfo -s $SID against $TARGET"
+ if test x"$RESOLVED_NAME" != x"$NAME" ; then
+ echo "$RESOLVED_NAME does not match $NAME"
+ echo "failure: wbinfo -s $SID against $TARGET"
+ failed=`expr $failed + 1`
+ else
+ echo "success: wbinfo -s $SID against $TARGET"
+ fi
+done
+
 testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1`
 test_sid=`$wbinfo -n $tested_name | cut -d " " -f1`
-- 
2.9.3
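Review bot: The hand-rolled comparison after the `testit` call emits `echo "test: wbinfo -s $SID against $TARGET"`, which is exactly the name `testit` has presumably just reported for the same SID, so each well-known SID produces two results under one test name and a failing name comparison sits beside a passing result of the same name; give the second check its own name, e.g. `echo "test: wbinfo -s $SID resolves to $NAME against $TARGET"` together with the matching `failure:`/`success:` lines. `read NAME` is unchecked, so an odd number of input lines would silently reuse the previous NAME; `read NAME || break` is enough. `$wbinfo -s $SID` is also run twice per SID, once by `testit` and once for RESOLVED_NAME, which doubles the lookups without adding coverage. Patch 5 reworks the loop header but keeps all of these lines.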
From d9e150efd9254d21d17a50a2934a22d7b3390012 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 31 Mar 2017 16:24:05 +0200
Subject: [PATCH 3/5] selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the lookupnames just to determine the mapping domain, using the default idmap domain as fallback if that fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 8bd5f774fdc1f4ea012885262eb0f40640504de8)
---
 source3/script/tests/test_wbinfo_sids2xids_int.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/script/tests/test_wbinfo_sids2xids_int.py b/source3/script/tests/test_wbinfo_sids2xids_int.py
index f3dbed8..3ad3156 100755
--- a/source3/script/tests/test_wbinfo_sids2xids_int.py
+++ b/source3/script/tests/test_wbinfo_sids2xids_int.py
@@ -29,7 +29,7 @@ domsid = domsid.split(' ')[0]
 #print domain
 #print domsid
-sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513' ]
+sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513', 'S-1-1-0', 'S-1-3-1', 'S-1-5-1' ]
 flush_cache()
-- 
2.9.3
From 39768bef2146f817a268b164c6d58b38600da4c6 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Sun, 2 Apr 2017 13:42:45 +0200
Subject: [PATCH 4/5] winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Those are implicitly already catched by the if (sid->num_auths != 5) check, but I'd like to make the desired behaviour more obvious.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 167bb5ead8c7193d173fdba8a453279d422fa7ea)
---
 source3/winbindd/wb_lookupsids.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index c395f54..1cbc4f7 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -292,7 +292,10 @@ static bool wb_lookupsids_bulk(const struct dom_sid *sid)
 sid_check_is_in_unix_users(sid) ||
 sid_check_is_unix_users(sid) ||
 sid_check_is_in_builtin(sid) ||
- sid_check_is_builtin(sid)) {
+ sid_check_is_builtin(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid))
+ {
 /*
 * These are locally done piece by piece anyway, no
 * need for bulk optimizations.
-- 
2.9.3
From f5954691adc3909f382b0e172b9cc681fac30c1c Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 31 Mar 2017 16:06:18 +0200
Subject: [PATCH 5/5] selftest: fix for wbinfo -s tests for wellknown SIDs
Rework while loop to not use a pipe as that uses a subshell for the loop which means assigning to the variable failed is not visible in the main script.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
(cherry picked from commit d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f)
---
 nsswitch/tests/test_wbinfo.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 819bc98..ff99a96 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -88,9 +88,7 @@ else
 echo "success: wbinfo -s check for sane mapping"
 fi
-WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5"
-
-printf "$WELL_KNOWN_SIDS" | while read SID ; do
+while read SID ; do
 read NAME
 testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1`
@@ -106,7 +104,14 @@ printf "$WELL_KNOWN_SIDS" | while read SID ; do
 else
 echo "success: wbinfo -s $SID against $TARGET"
 fi
-done
+done <
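Review bot: Nothing in the code records what the commit message states, that well-known SIDs were already excluded by the `sid->num_auths != 5` check and the two new predicates only make that intent explicit, so a reader of the `sid_check_is_wellknown_domain(sid, NULL)` / `sid_check_is_in_wellknown_domain(sid)` lines will look for a behavioural change that is not there. I would put a comment on the `if` whose head sits above the hunk, along the lines of `/* Well-known SIDs are already rejected by the num_auths check; listed here so the local-resolution intent is explicit. */`. The existing comment inside the branch (`These are locally done piece by piece anyway`) continues past the hunk and could carry the same sentence instead. wb_lookupsids_bulk's body extends on both sides of the hunk.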