authorAlexander Bokovoy <ab@samba.org>2020-11-04 19:21:24 +0200
committerAlexander Bokovoy <ab@samba.org>2020-11-05 07:53:02 +0000
commitca07dc775cbf0d6736783ced8d0dfb6ddec8520f (patch)
tree15a76434bfa4c1e08bdd1209068d1d8f55753155
parent5d80b179a1ae43325dde821fc6a869b6c1a1eeea (diff)
Revert "lookup_name: allow lookup for own realm"
This reverts commit f901691209867b32c2d7c5c9274eee196f541654. Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Thu Nov 5 07:53:03 UTC 2020 on sn-devel-184
-rw-r--r--source3/passdb/lookup_sid.c76
1 files changed, 21 insertions, 55 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index dc32cd9753b..ff8a16619a8 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -29,7 +29,6 @@
#include "../libcli/security/security.h"
#include "lib/winbind_util.h"
#include "../librpc/gen_ndr/idmap.h"
-#include "auth/credentials/credentials.h"
static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
{
@@ -79,85 +78,52 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
const char **ret_domain, const char **ret_name,
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
{
+ char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
- const char *realm = NULL;
uint32_t rid;
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct cli_credentials *creds = NULL;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
- creds = cli_credentials_init(tmp_ctx);
- if (creds == NULL) {
- DEBUG(0, ("cli_credentials_init failed\n"));
- return false;
- }
-
- cli_credentials_parse_name(creds, full_name, CRED_SPECIFIED);
- name = cli_credentials_get_username(creds);
- domain = cli_credentials_get_domain(creds);
- realm = cli_credentials_get_realm(creds);
+ p = strchr_m(full_name, '\\');
- /* At this point we have:
- * - name -- normal name or empty string
- * - domain -- either NULL or domain name
- * - realm -- either NULL or realm name
- *
- * domain and realm are exclusive to each other
- * the code below in lookup_name assumes domain
- * to be at least empty string, not NULL
- */
+ if (p != NULL) {
+ domain = talloc_strndup(tmp_ctx, full_name,
+ PTR_DIFF(p, full_name));
+ name = talloc_strdup(tmp_ctx, p+1);
+ } else {
+ domain = talloc_strdup(tmp_ctx, "");
+ name = talloc_strdup(tmp_ctx, full_name);
+ }
- if (name == NULL) {
- DEBUG(0, ("lookup_name with empty name, exit\n"));
+ if ((domain == NULL) || (name == NULL)) {
+ DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
- if ((domain == NULL) && (realm == NULL)) {
- domain = talloc_strdup(creds, "");
- }
-
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- /* Windows clients may send a LookupNames request with both NetBIOS
- * domain name- and realm-qualified user names. Thus, we need to check
- * both against both of the SAM domain name and realm, if set. Since
- * domain name and realm in the request are exclusive, test the one
- * that is specified. cli_credentials_parse_string() will either set
- * realm or wouldn't so we can use it to detect if realm was specified.
- */
- if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
- const char *domain_name = realm ? realm : domain;
- bool check_global_sam = false;
-
- if (domain_name[0] != '\0') {
- check_global_sam = strequal(domain_name, get_global_sam_name());
- if (!check_global_sam && lp_realm() != NULL) {
- /* Only consider realm when we are DC
- * otherwise use lookup through winbind */
- check_global_sam = strequal(domain_name, lp_realm()) && IS_DC;
- }
- }
+ if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
+ strequal(domain, get_global_sam_name()))
+ {
- if (check_global_sam) {
- /* It's our own domain, lookup the name in passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_compose(&sid, get_global_sam_sid(), rid);
- goto ok;
- }
- TALLOC_FREE(tmp_ctx);
- return false;
+ /* It's our own domain, lookup the name in passdb */
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ sid_compose(&sid, get_global_sam_sid(), rid);
+ goto ok;
}
+ TALLOC_FREE(tmp_ctx);
+ return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
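Review bot: The restored split at `p = strchr_m(full_name, '\\');` recognises only the `DOMAIN\name` form, and nothing in the new code documents what happens to a realm-qualified name such as `user@REALM`. Such a name takes the `else` branch, so `domain` becomes `""` and `name` keeps the `@REALM` suffix, which means the own-domain passdb branch guarded by `strequal(domain, get_global_sam_name())` is presumably skipped for it. Because name-to-SID resolution feeds access decisions, that contract deserves a comment above the split, e.g. `/* Only DOMAIN\name is split here; name@realm stays whole in name with domain "" and is left to the later lookup stages. */`. The commit message gives no reason for the revert, so one sentence of rationale in that comment would help whoever next tries to add realm matching. lookup_name's body continues past the end of the hunk, so how the later stages treat an unsplit `name@realm` is not visible here.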