From e783324f43df4e9de954e8aee6297996c672a42b Mon Sep 17 00:00:00 2001 From: Andrew Walker Date: Thu, 15 Jun 2023 10:58:25 -0700 Subject: [PATCH] s3/winbindd - prevent lookup_name recursion If username is not lowercase then uncached wb_lookupname will enter into recursive loop in which it tries to look up a lowercase version of the name until the request hits the winbind request timeout. --- source3/winbindd/wb_lookupname.c | 16 ++++++++++++++++ source3/winbindd/winbindd_getgroups.c | 2 +- source3/winbindd/winbindd_getpwnam.c | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/source3/winbindd/wb_lookupname.c b/source3/winbindd/wb_lookupname.c index 12dbfbef2d2..bb39f01a087 100644 --- a/source3/winbindd/wb_lookupname.c +++ b/source3/winbindd/wb_lookupname.c @@ -20,6 +20,8 @@ #include "includes.h" #include "winbindd.h" #include "librpc/gen_ndr/ndr_winbind_c.h" +#include "passdb/lookup_sid.h" /* only for LOOKUP flags */ +#include "passdb/machine_sid.h" #include "../libcli/security/security.h" struct wb_lookupname_state { @@ -74,6 +76,20 @@ struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + if (flags == (LOOKUP_NAME_NO_NSS | LOOKUP_NAME_REMOTE)) { + if (dom_sid_compare_domain(&domain->sid, + get_global_sam_sid()) == 0) { + D_NOTICE("Domain [%s] is our local domain, " + "skipping recursive lookup\n", + dom_name); + + tevent_req_nterror(req, NT_STATUS_NONE_MAPPED); + return tevent_req_post(req, ev); + } + + flags &= ~LOOKUP_NAME_REMOTE; + } + subreq = dcerpc_wbint_LookupName_send( state, ev, dom_child_handle(domain), state->dom_name, state->name, diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c index c2603cc7026..3e0a8381454 100644 --- a/source3/winbindd/winbindd_getgroups.c +++ b/source3/winbindd/winbindd_getgroups.c 
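Review bot: The new guard in wb_lookupname_send() tests exact equality, `if (flags == (LOOKUP_NAME_NO_NSS | LOOKUP_NAME_REMOTE))`, so a caller that passes this pair together with any other LOOKUP_NAME_* bit skips both the local-domain check and the `flags &= ~LOOKUP_NAME_REMOTE` strip, and the recursion-until-timeout described in the commit message would be reachable again. The equality looks deliberate, since LOOKUP_NAME_REMOTE appears to be reused as a marker rather than in its usual sense, but nothing in the code says so; add a comment above the block such as `/* NO_NSS|REMOTE is passed by getpwnam/getgroups as a recursion marker; REMOTE is cleared again before the lookup is dispatched */`, or use a dedicated flag bit so the test can be a mask. The D_NOTICE line is presumably reachable once per client request for the local domain, so a lower debug level would keep repeated lookups from filling the log. The remainder of the dcerpc_wbint_LookupName_send() call lies outside the hunk, so whether the stripped `flags` value is what gets passed on cannot be confirmed from here.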
@@ -90,7 +90,7 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
 state->namespace,
 state->domname,
 state->username,
- LOOKUP_NAME_NO_NSS);
+ LOOKUP_NAME_NO_NSS | LOOKUP_NAME_REMOTE);
 if (tevent_req_nomem(subreq, req)) {
 return tevent_req_post(req, ev);
 }
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
index da162a4b77b..f26afb505eb 100644
--- a/source3/winbindd/winbindd_getpwnam.c
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -87,7 +87,7 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 state->namespace,
 state->domname,
 state->username,
- LOOKUP_NAME_NO_NSS);
+ LOOKUP_NAME_NO_NSS | LOOKUP_NAME_REMOTE);
 if (tevent_req_nomem(subreq, req)) {
 return tevent_req_post(req, ev);
 }
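Review bot: At this call site in winbindd_getgroups_send() the added `LOOKUP_NAME_REMOTE` reads as a request for a remote lookup, but per the wb_lookupname.c change in this patch it is the marker that wb_lookupname_send() tests and then clears, and nothing here says so. A comment above the argument would prevent a later cleanup from dropping it, for example `/* LOOKUP_NAME_REMOTE lets wb_lookupname_send() refuse a lookup against our own SAM domain instead of recursing */`; the identical change in winbindd_getpwnam_send() needs the same comment. Because the protection is opt-in per caller, any other caller of this lookup path that is not part of this diff would presumably still hit the loop described in the commit message, so those callers are worth auditing. The call being modified starts above both hunks, so the callee name is inferred from the commit description rather than visible here.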