s3:lib: validate domain name in lookup_wellknown_name()
author Ralph Boehme <slow@samba.org>
Thu, 15 Oct 2015 10:35:26 +0000 (12:35 +0200)
committer Uri Simchoni <uri@samba.org>
Thu, 15 Oct 2015 17:56:14 +0000 (19:56 +0200)
If domain argument is not an empty string, only search the matching
wellknown domain name.

As the only wellknown domain with a name is "NT Authority", passing ""
to lookup_wellknown_name() will search all domains including "NT
Authority".

Passing "NT Authority" otoh will obviously only search that domain.

This change makes lookup_wellknown_name() behave like this:

in domain         | in name       | ok | out sid | out domain
========================================================
                    Dialup          +    S-1-5-1   NT Authority
NT Authority        Dialup          +    S-1-5-1   NT Authority
Creator Authority   Dialup          -    -         -
                    Creator Owner   +    S-1-3-0   ""
Creator Authority   Creator Owner   -    -         -
NT Authority        Creator Owner   -    -         -

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
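The behaviour table from the commit message, modelled as a standalone C program (an added example, not Samba's code): the special_domains subset, its RIDs and the SID-string formatting are constructed here, and strcasecmp() stands in for Samba's strequal(). Unlike the patch, the model tolerates a NULL input domain.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() stands in for Samba's strequal() */
/* Constructed, hypothetical subset of Samba's special_domains table (not
 * Samba's code).  sid is a SID prefix string; name is "" for the nameless
 * domain, exactly as the commit's table shows for "Creator Owner". */
struct rid_name_map { const char *name; unsigned rid; };
struct special_domain { const char *sid, *name; const struct rid_name_map *users; };
static const struct rid_name_map nt_authority_users[] = {
    { "Dialup", 1 }, { "Network", 2 }, { NULL, 0 } };
static const struct rid_name_map creator_users[] = {
    { "Creator Owner", 0 }, { "Creator Group", 1 }, { NULL, 0 } };
static const struct special_domain special_domains[] = {
    { "S-1-5", "NT Authority", nt_authority_users },
    { "S-1-3", "",             creator_users },
    { NULL, NULL, NULL } };

/* Model of lookup_wellknown_name() after the change: *pdomain is in/out.  A
 * non-empty input restricts the search to that domain; "" searches all of
 * them.  NULL is tolerated here (treated as ""); the patch dereferences it. */
bool lookup_wellknown_name(const char *name, char *sid, size_t sidlen,
                           const char **pdomain)
{
    const char *domain = *pdomain ? *pdomain : "";
    int i, j;
    for (i = 0; special_domains[i].sid != NULL; i++) {
        if (domain[0] != '\0' && strcasecmp(domain, special_domains[i].name) != 0)
            continue;                 /* caller asked for another domain */
        for (j = 0; special_domains[i].users[j].name != NULL; j++) {
            if (strcasecmp(special_domains[i].users[j].name, name) != 0)
                continue;
            snprintf(sid, sidlen, "%s-%u", special_domains[i].sid,
                     special_domains[i].users[j].rid);
            *pdomain = special_domains[i].name;   /* report where it was found */
            return true;
        }
    }
    return false;
}

/* Checks one row of the commit's table; exp_sid == NULL means "expect failure". */
int lookup_matches(const char *in_domain, const char *name,
                   const char *exp_sid, const char *exp_domain)
{
    char sid[64];
    const char *domain = in_domain;
    bool ok = lookup_wellknown_name(name, sid, sizeof sid, &domain);
    if (exp_sid == NULL) return !ok;
    return ok && !strcmp(sid, exp_sid) && !strcmp(domain, exp_domain);
}
```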
source3/lib/util_wellknown.c

index 0f627d1443cd7da53d78e4e1c6602a4f60cb1a0e..a3db9ab5b445b5026e4a45ada35b1375eec717ca 100644 (file)
@@ -154,16 +154,23 @@ bool lookup_wellknown_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 ***************************************************************************/
 
 bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
-                          struct dom_sid *sid, const char **domain)
+                          struct dom_sid *sid, const char **pdomain)
 {
        int i, j;
+       const char *domain = *pdomain;
 
-       DEBUG(10,("map_name_to_wellknown_sid: looking up %s\n", name));
+       DEBUG(10,("map_name_to_wellknown_sid: looking up %s\\%s\n", domain, name));
 
        for (i=0; special_domains[i].sid != NULL; i++) {
                const struct rid_name_map *users =
                        special_domains[i].known_users;
 
+               if (domain[0] != '\0') {
+                       if (!strequal(domain, special_domains[i].name)) {
+                               continue;
+                       }
+               }
+
                if (users == NULL)
                        continue;
 
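Review bot: `const char *domain = *pdomain;` followed by `domain[0] != '\0'` in the new filter turns a NULL `*pdomain` into a NULL dereference, and the new DEBUG format feeds the same pointer to `%s`; every existing caller must now initialise the out-parameter before calling. Either guard it (`if (domain != NULL && domain[0] != '\0')`, or `domain = *pdomain ? *pdomain : "";`) or state the new in/out contract in the function's comment block above, which this hunk leaves untouched.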
@@ -171,7 +178,7 @@ bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
                        if ( strequal(users[j].name, name) ) {
                                sid_compose(sid, special_domains[i].sid,
                                            users[j].rid);
-                               *domain = talloc_strdup(
+                               *pdomain = talloc_strdup(
                                        mem_ctx, special_domains[i].name);
                                return True;
                        }
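Review bot: `*pdomain = talloc_strdup(mem_ctx, special_domains[i].name);` is followed by `return True;` with no NULL check, so an allocation failure reports success with `*pdomain == NULL`; since the line is being rewritten anyway, test the result and return False on failure. Note also that, with `*pdomain` now read on entry, a caller that passed in a talloc-allocated domain string has that pointer overwritten by the new copy here.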