[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha5-392-gd94c7bb
Andrew Bartlett
abartlet at samba.org
Tue Aug 26 05:59:13 GMT 2008
The branch, v4-0-test has been updated
via d94c7bbcd6eee6d975eac32a1d172f4164c97137 (commit)
via 914e1865aa9fba417f74a3abdd8b4b2659feb001 (commit)
via da200ac64485fd9531b1aa048570c682b680b012 (commit)
via 1f12c368b2566b378a6c521c389b8b1bafbcf916 (commit)
via 2c7195429411d68bc66f4100659c622df4f5a20a (commit)
via a17cb558c23142e522de3ed56d65c7694477395f (commit)
via a555334db67527b57bc6172e3d08f65caf1e6760 (commit)
via a6146cc14ba950b1911094b1525c7d06b50ecec6 (commit)
via 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8 (commit)
via 3731f7eaea6e5ed89d24e383dae0531cb58d77dc (commit)
via b337369d5c86b37d93ee1c62880068e14d6c09f6 (commit)
via 0a8080d0f245ddf0177195dd8e7fb3e1cdc0785f (commit)
via b5dbe815e5dd3f865c7735bc76e02017a869f09b (commit)
via 0819922a0c7f48c2517d3572f98cd1359749c4ae (commit)
via ce7b1424c711949e6feb0181d3759133b77391ff (commit)
via c87d732b23ad7de8dc2f824bf11c9310fb4184e1 (commit)
via 931890e028da8da756b7c7c62e2552a9fc04f7bc (commit)
via 8aba7c36231e58a91fbc6b4fc24c5693353aeef9 (commit)
from 3441ea5df5b750442d17b90de73d392d2d802ab1 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit d94c7bbcd6eee6d975eac32a1d172f4164c97137
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 12:18:26 2008 +1000
More LSA server and testuite work.
- Implement QueryDomainInformationPolicy in Samba4
- Allow RPC-LSA to pass against Windows 2008 (which does not allow
the Audit privilage to be removed)
Andrew Bartlett
commit 914e1865aa9fba417f74a3abdd8b4b2659feb001
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 10:56:16 2008 +1000
Make RPC-LSA test deterministic with an msleep(200).
commit da200ac64485fd9531b1aa048570c682b680b012
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 10:33:41 2008 +1000
Implement matching logic to Windows 2008 on handling of secrets.
This is enforced by the new RPC-LSA test.
Andrew Bartlett
commit 1f12c368b2566b378a6c521c389b8b1bafbcf916
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 10:32:49 2008 +1000
Fix LSA server to pass more of RPC-LSA and match Windows 2008
This fixes some info levels in the QueryTrustedDomainInfo call, and
changes from implementing lsa_Delete to lsa_DeleteObject (which has an
explicit close and reutrns a NULL handle).
Andrew Bartlett
commit 2c7195429411d68bc66f4100659c622df4f5a20a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 10:27:00 2008 +1000
Only allow the trust in the correct direction (per the flags).
commit a17cb558c23142e522de3ed56d65c7694477395f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 26 09:49:54 2008 +1000
Update RPC-LSA to (almost) pass against Windows 2008.
commit a555334db67527b57bc6172e3d08f65caf1e6760
Merge: a6146cc14ba950b1911094b1525c7d06b50ecec6 3441ea5df5b750442d17b90de73d392d2d802ab1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 25 08:27:06 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit a6146cc14ba950b1911094b1525c7d06b50ecec6
Merge: 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8 fc6b4f03ebba015a13a6ab93221b0bc3ef8ef2ed
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 19 14:54:30 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 15 21:16:20 2008 +1000
Trusted domains implementation for the KDC.
At this stage, only arcfour-hmac-md5 trusts are used, and all trusts
are presumed bi-directional. Much more work still to be done.
Andrew Bartlett
commit 3731f7eaea6e5ed89d24e383dae0531cb58d77dc
Merge: b337369d5c86b37d93ee1c62880068e14d6c09f6 b4b14b748e6babc93faee23fe8f5c03ec2d25cbb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 15 20:47:52 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit b337369d5c86b37d93ee1c62880068e14d6c09f6
Merge: 0a8080d0f245ddf0177195dd8e7fb3e1cdc0785f d548f5dee5980eae0aea25f1314238eb4f963568
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 15 07:58:03 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit 0a8080d0f245ddf0177195dd8e7fb3e1cdc0785f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 14 11:54:19 2008 +1000
Assert on failure to join domain in NBT-DGRAM
commit b5dbe815e5dd3f865c7735bc76e02017a869f09b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 13 16:16:59 2008 +1000
Rework the trustAuthInOutBlob with the help of a hand parser.
This produces a C structure that is sane, while still parsing the wire
blobs (as far as I can tell).
Andrew Bartlett
commit 0819922a0c7f48c2517d3572f98cd1359749c4ae
Merge: ce7b1424c711949e6feb0181d3759133b77391ff 9246924effd4d0b08ca1ef87e45ad510020df93e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 13 10:08:23 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit ce7b1424c711949e6feb0181d3759133b77391ff
Merge: c87d732b23ad7de8dc2f824bf11c9310fb4184e1 54b873e49ff363609632fa2862208bf6b4c1b6ed
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 12 17:46:17 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit c87d732b23ad7de8dc2f824bf11c9310fb4184e1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 8 10:35:57 2008 +1000
More work towards trusted domain support in the KDC.
commit 931890e028da8da756b7c7c62e2552a9fc04f7bc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 8 10:32:21 2008 +1000
We can't use ndr_pull_struct_blob_all in combinatin with relative pointers
commit 8aba7c36231e58a91fbc6b4fc24c5693353aeef9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 31 07:47:01 2008 +1000
Start implementind domain trusts in our KDC.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source/kdc/hdb-ldb.c | 339 +++++++++++++++++++++++---
source/libcli/config.mk | 8 +
source/libcli/drsblobs.c | 179 ++++++++++++++
source/{smbd/service.h => libcli/drsblobs.h} | 16 +-
source/librpc/config.mk | 2 +-
source/librpc/idl/drsblobs.idl | 33 +--
source/librpc/idl/lsa.idl | 111 +++++++--
source/librpc/idl/security.idl | 8 +
source/rpc_server/lsa/dcesrv_lsa.c | 112 ++++++---
source/torture/nbt/dgram.c | 4 +
source/torture/rpc/lsa.c | 151 +++++++-----
11 files changed, 781 insertions(+), 182 deletions(-)
create mode 100644 source/libcli/drsblobs.c
copy source/{smbd/service.h => libcli/drsblobs.h} (70%)
Changeset truncated at 500 lines:
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 8f8ce30..ef3a0bc 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -45,14 +45,22 @@
#include "dsdb/samdb/samdb.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/lsa.h"
#include "libcli/auth/libcli_auth.h"
#include "param/param.h"
#include "events/events.h"
#include "kdc/kdc.h"
+#include "lib/crypto/md4.h"
enum hdb_ldb_ent_type
{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
- HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
+ HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_TRUST, HDB_LDB_ENT_TYPE_ANY };
+
+enum trust_direction {
+ UNKNOWN = 0,
+ INBOUND = LSA_TRUST_DIRECTION_INBOUND,
+ OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
+};
static const char *realm_ref_attrs[] = {
"nCName",
@@ -60,6 +68,18 @@ static const char *realm_ref_attrs[] = {
NULL
};
+static const char *trust_attrs[] = {
+ "trustPartner",
+ "trustAuthIncoming",
+ "trustAuthOutgoing",
+ "whenCreated",
+ "msDS-SupportedEncryptionTypes",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ NULL
+};
+
static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
{
const char *tmp;
@@ -675,6 +695,187 @@ out:
return ret;
}
+/*
+ * Construct an hdb_entry from a directory entry.
+ */
+static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx, krb5_const_principal principal,
+ enum trust_direction direction,
+ struct ldb_message *msg,
+ hdb_entry_ex *entry_ex)
+{
+
+ const char *dnsdomain;
+ char *realm;
+ char *strdup_realm;
+ DATA_BLOB password_utf16;
+ struct samr_Password password_hash;
+ const struct ldb_val *password_val;
+ struct trustAuthInOutBlob password_blob;
+ struct hdb_ldb_private *private;
+
+ enum ndr_err_code ndr_err;
+ int i, ret, trust_direction_flags;
+
+ private = talloc(mem_ctx, struct hdb_ldb_private);
+ if (!private) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ private->entry_ex = entry_ex;
+ private->iconv_convenience = lp_iconv_convenience(lp_ctx);
+ private->netbios_name = lp_netbios_name(lp_ctx);
+
+ talloc_set_destructor(private, hdb_ldb_destrutor);
+
+ entry_ex->ctx = private;
+ entry_ex->free_entry = hdb_ldb_free_entry;
+
+ /* use 'whenCreated' */
+ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
+ /* use '???' */
+ entry_ex->entry.created_by.principal = NULL;
+
+ entry_ex->entry.valid_start = NULL;
+
+ trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
+
+ if (direction == INBOUND) {
+ realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
+ password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+
+ } else { /* OUTBOUND */
+ dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+ realm = strupper_talloc(mem_ctx, dnsdomain);
+ password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+ }
+
+ if (!password_val || !(trust_direction_flags & direction)) {
+ ret = ENOENT;
+ goto out;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(password_val, mem_ctx, private->iconv_convenience, &password_blob,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ ret = EINVAL;
+ goto out;
+ }
+
+ for (i=0; i < password_blob.count; i++) {
+ if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
+ password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
+ password_blob.current->array[i].AuthInfo.clear.size);
+ /* In the future, generate all sorts of
+ * hashes, but for now we can't safely convert
+ * the random strings windows uses into
+ * utf8 */
+
+ /* but as it is utf16 already, we can get the NT password/arcfour-hmac-md5 key */
+ mdfour(password_hash.hash, password_utf16.data, password_utf16.length);
+ break;
+ } else if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
+ password_hash = password_blob.current->array[i].AuthInfo.nt4owf.password;
+ break;
+ }
+ }
+ entry_ex->entry.keys.len = 0;
+ entry_ex->entry.keys.val = NULL;
+
+ if (i < password_blob.count) {
+ Key key;
+ /* Must have found a cleartext or MD4 password */
+ entry_ex->entry.keys.val = calloc(1, sizeof(Key));
+
+ key.mkvno = 0;
+ key.salt = NULL; /* No salt for this enc type */
+
+ if (entry_ex->entry.keys.val == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = krb5_keyblock_init(context,
+ ENCTYPE_ARCFOUR_HMAC_MD5,
+ password_hash.hash, sizeof(password_hash.hash),
+ &key.key);
+
+ entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+ entry_ex->entry.keys.len++;
+ }
+
+ ret = copy_Principal(principal, entry_ex->entry.principal);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
+
+ /* While we have copied the client principal, tests
+ * show that Win2k3 returns the 'corrected' realm, not
+ * the client-specified realm. This code attempts to
+ * replace the client principal's realm with the one
+ * we determine from our records */
+
+ /* this has to be with malloc() */
+ strdup_realm = strdup(realm);
+ if (!strdup_realm) {
+ ret = ENOMEM;
+ krb5_clear_error_string(context);
+ goto out;
+ }
+ free(*krb5_princ_realm(context, entry_ex->entry.principal));
+ krb5_princ_set_realm(context, entry_ex->entry.principal, &strdup_realm);
+
+ entry_ex->entry.flags = int2HDBFlags(0);
+ entry_ex->entry.flags.immutable = 1;
+ entry_ex->entry.flags.invalid = 0;
+ entry_ex->entry.flags.server = 1;
+ entry_ex->entry.flags.require_preauth = 1;
+
+ entry_ex->entry.pw_end = NULL;
+
+ entry_ex->entry.max_life = NULL;
+
+ entry_ex->entry.max_renew = NULL;
+
+ entry_ex->entry.generation = NULL;
+
+ entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
+ if (entry_ex->entry.etypes == NULL) {
+ krb5_clear_error_string(context);
+ ret = ENOMEM;
+ goto out;
+ }
+ entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
+ entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
+ if (entry_ex->entry.etypes->val == NULL) {
+ krb5_clear_error_string(context);
+ ret = ENOMEM;
+ goto out;
+ }
+ for (i=0; i < entry_ex->entry.etypes->len; i++) {
+ entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
+ }
+
+
+ private->msg = talloc_steal(private, msg);
+ private->realm_ref_msg = NULL;
+ private->samdb = (struct ldb_context *)db->hdb_db;
+
+out:
+ if (ret != 0) {
+ /* This doesn't free ent itself, that is for the eventual caller to do */
+ hdb_free_entry(context, entry_ex);
+ } else {
+ talloc_steal(db, entry_ex->ctx);
+ }
+
+ return ret;
+
+}
+
static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
@@ -709,8 +910,7 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
switch (ent_type) {
case HDB_LDB_ENT_TYPE_CLIENT:
- /* Can't happen */
- return EINVAL;
+ case HDB_LDB_ENT_TYPE_TRUST:
case HDB_LDB_ENT_TYPE_ANY:
/* Can't happen */
return EINVAL;
@@ -745,6 +945,40 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
return 0;
}
+static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *realm,
+ struct ldb_dn *realm_dn,
+ struct ldb_message ***pmsg)
+{
+ int lret;
+ char *filter = NULL;
+ const char * const *attrs = trust_attrs;
+
+ struct ldb_result *res = NULL;
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))", realm, realm);
+
+ if (!filter) {
+ krb5_set_error_string(context, "talloc_asprintf: out of memory");
+ return ENOMEM;
+ }
+
+ lret = ldb_search(ldb_ctx, ldb_get_default_basedn(ldb_ctx), LDB_SCOPE_SUBTREE, filter, attrs, &res);
+
+ if (lret != LDB_SUCCESS) {
+ DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
+ return HDB_ERR_NOENTRY;
+ } else if (res->count == 0 || res->count > 1) {
+ DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
+ talloc_free(res);
+ return HDB_ERR_NOENTRY;
+ }
+ talloc_steal(mem_ctx, res->msgs);
+ *pmsg = res->msgs;
+ talloc_free(res);
+ return 0;
+}
+
static krb5_error_code LDB_lookup_realm(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
const char *realm,
@@ -853,8 +1087,10 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
{
krb5_error_code ret;
struct ldb_message **msg = NULL;
- struct ldb_message **realm_ref_msg = NULL;
+ struct ldb_message **realm_ref_msg_1 = NULL;
+ struct ldb_message **realm_ref_msg_2 = NULL;
struct ldb_dn *realm_dn;
+ const char *realm;
krb5_principal alloc_principal = NULL;
if (principal->name.name_string.len != 2
@@ -864,14 +1100,18 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
}
/* krbtgt case. Either us or a trusted realm */
+
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
+ mem_ctx, principal->realm, &realm_ref_msg_1) == 0)
+ && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, principal->name.name_string.val[1], &realm_ref_msg_2) == 0)
+ && (ldb_dn_compare(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) == 0)) {
/* us */
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
- * krgtgt */
+ * krbtgt */
- const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+ const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL);
char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
if (!realm_fixed) {
krb5_set_error_string(context, "strupper_talloc: out of memory");
@@ -891,31 +1131,69 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
return ENOMEM;
}
principal = alloc_principal;
- realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
+ realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg_1[0], "nCName", NULL);
+
+ ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
+
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+ krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+ return ret;
+ }
+
+ ret = LDB_message2entry(context, db, mem_ctx,
+ principal, HDB_LDB_ENT_TYPE_KRBTGT,
+ msg[0], realm_ref_msg_1[0], entry_ex);
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: message2entry failed");
+ }
+ return ret;
+
} else {
- /* we should lookup trusted domains */
- return HDB_ERR_NOENTRY;
- }
+ enum trust_direction direction = UNKNOWN;
- realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
-
- ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
- mem_ctx,
- principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
-
- if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: could not find principal in DB");
- krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context);
+ /* Either an inbound or outbound trust */
+
+ if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
+ /* look for inbound trust */
+ direction = INBOUND;
+ realm = principal->name.name_string.val[1];
+ }
+
+ if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
+ /* look for outbound trust */
+ direction = OUTBOUND;
+ realm = principal->realm;
+ }
+
+ /* Trusted domains are under CN=system */
+
+ ret = LDB_lookup_trust(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx,
+ realm, realm_dn, &msg);
+
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+ krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+ return ret;
+ }
+
+ ret = LDB_trust_message2entry(context, db, lp_ctx, mem_ctx,
+ principal, direction,
+ msg[0], entry_ex);
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: message2entry failed");
+ }
return ret;
- }
- ret = LDB_message2entry(context, db, mem_ctx,
- principal, HDB_LDB_ENT_TYPE_KRBTGT,
- msg[0], realm_ref_msg[0], entry_ex);
- if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: message2entry failed");
+
+ /* we should lookup trusted domains */
+ return HDB_ERR_NOENTRY;
}
- return ret;
+
}
static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db,
@@ -1022,10 +1300,13 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db,
if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_SERVER) {
- ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
+
+ /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
+ ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
+ if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_KRBTGT) {
ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
diff --git a/source/libcli/config.mk b/source/libcli/config.mk
index affd8e2..262a2cf 100644
--- a/source/libcli/config.mk
+++ b/source/libcli/config.mk
@@ -73,6 +73,14 @@ LIBCLI_NETLOGON_OBJ_FILES = $(addprefix $(libclisrcdir)/, \
$(eval $(call proto_header_template,$(libclisrcdir)/netlogon_proto.h,$(LIBCLI_NETLOGON_OBJ_FILES:.o=.c)))
+[SUBSYSTEM::LIBCLI_DRSBLOBS]
+PUBLIC_DEPENDENCIES = LIBNDR
+
+LIBCLI_DRSBLOBS_OBJ_FILES = $(addprefix $(libclisrcdir)/, \
+ drsblobs.o)
+
+$(eval $(call proto_header_template,$(libclisrcdir)/drsblobs_proto.h,$(LIBCLI_DRSBLOBS_OBJ_FILES:.o=.c)))
+
[PYTHON::python_netbios]
LIBRARY_REALNAME = samba/netbios.$(SHLIBEXT)
PUBLIC_DEPENDENCIES = LIBCLI_NBT DYNCONFIG LIBSAMBA-HOSTCONFIG
diff --git a/source/libcli/drsblobs.c b/source/libcli/drsblobs.c
new file mode 100644
index 0000000..126f2cc
--- /dev/null
+++ b/source/libcli/drsblobs.c
@@ -0,0 +1,179 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Manually parsed structures found in the DRS protocol
+
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libcli/drsblobs.h"
+
+/* parser auto-generated by pidl, then hand-modified by abartlet */
+
+/* Modified to have 'count' specified */
+static enum ndr_err_code ndr_push_AuthenticationInformationArray_with_count(struct ndr_push *ndr, int ndr_flags, int count,
+ const struct AuthenticationInformationArray *r)
+{
+ uint32_t cntr_array_0;
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 4));
+ for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+ NDR_CHECK(ndr_push_AuthenticationInformation(ndr, NDR_SCALARS, &r->array[cntr_array_0]));
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+ NDR_CHECK(ndr_push_AuthenticationInformation(ndr, NDR_BUFFERS, &r->array[cntr_array_0]));
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+/* Modified to have 'count' specified, and to allocate the array */
+static enum ndr_err_code ndr_pull_AuthenticationInformationArray_with_count(struct ndr_pull *ndr, int ndr_flags, int count, struct AuthenticationInformationArray *r)
+{
+ uint32_t cntr_array_0;
--
Samba Shared Repository
More information about the samba-cvs
mailing list