[SCM] Samba Shared Repository - branch master updated - e0a4d7f467d9727563adaaa97961edd06886490e

Andrew Bartlett abartlet at samba.org
Mon Oct 6 22:19:22 GMT 2008


The branch, master has been updated
       via  e0a4d7f467d9727563adaaa97961edd06886490e (commit)
       via  c3b28c7a81c04a0f019b6c1e543a65d6d48b0b2c (commit)
       via  6a5547742f0b87017e4d21c80ec8facece6688d0 (commit)
       via  912209ac84395ef0e2fca0556b1e4bec34367b5c (commit)
       via  320d402180ac2d8505aec2664feaddbd63e5b17e (commit)
       via  1a29fd1cf5436c850c7de180668a7a33f9b034d8 (commit)
       via  99d0eb4fb701c500f0175ca9a38482160bdb08e4 (commit)
       via  8e1c0470d72ca85d837bbdd4aec0ca2f27a7a29f (commit)
       via  8cdb3ebe27814629cb17d2a438c89780c5cecfdf (commit)
       via  8256717c766fb8e145c2f4b5acb3502f4d7c57d9 (commit)
      from  c0240d78351e489c5aca7e729aac045157080088 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e0a4d7f467d9727563adaaa97961edd06886490e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 3 16:36:49 2008 -0700

    Set default trust kvno to -1

commit c3b28c7a81c04a0f019b6c1e543a65d6d48b0b2c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 2 11:30:14 2008 -0700

    Fix cross-realm authentication in Samba4's KDC.

commit 6a5547742f0b87017e4d21c80ec8facece6688d0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 2 11:29:34 2008 -0700

    Allow the PAC to be passed along during cross-realm authentication

commit 912209ac84395ef0e2fca0556b1e4bec34367b5c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 16:00:33 2008 -0700

    Use the trust password version as kvno for trusts in Kerberos.

commit 320d402180ac2d8505aec2664feaddbd63e5b17e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 13:31:22 2008 -0700

    Start implementing AD-style trusted domains in Samba4's NETLOGON server

commit 1a29fd1cf5436c850c7de180668a7a33f9b034d8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 13:12:15 2008 -0700

    Store trusted domain passwords in the LSA server

commit 99d0eb4fb701c500f0175ca9a38482160bdb08e4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 13:11:11 2008 -0700

    Make RPC-LSA test for enumeration conditions more strict

commit 8e1c0470d72ca85d837bbdd4aec0ca2f27a7a29f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 13:10:35 2008 -0700

    Add in secure channel type used by AD trusts

commit 8cdb3ebe27814629cb17d2a438c89780c5cecfdf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 13:10:11 2008 -0700

    Clarify use of manual parsers in trustInOutBlob (drsblobs.idl)

commit 8256717c766fb8e145c2f4b5acb3502f4d7c57d9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 30 14:24:58 2008 -0700

    Implement 'type unknown' names in the CrackNames code.
    
    This guesses the type by running each of the possible options.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/cracknames.c               |   58 +++++++++++++++++----
 source4/heimdal/kdc/krb5tgs.c                 |   34 ++++++-------
 source4/kdc/hdb-samba4.c                      |   15 ++++-
 source4/librpc/idl/drsblobs.idl               |   10 ++--
 source4/librpc/idl/drsuapi.idl                |    2 +-
 source4/librpc/idl/misc.idl                   |    8 ++-
 source4/rpc_server/lsa/dcesrv_lsa.c           |   68 +++++++++++++++++++++++--
 source4/rpc_server/netlogon/dcerpc_netlogon.c |   52 ++++++++++++++++++-
 source4/torture/rpc/drsuapi_cracknames.c      |    1 +
 source4/torture/rpc/lsa.c                     |   17 +++++-
 10 files changed, 217 insertions(+), 48 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index e02e8d8..ca87159 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -356,15 +356,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 	const char *result_filter = NULL;
 	struct ldb_dn *name_dn = NULL;
 
-	struct smb_krb5_context *smb_krb5_context;
-	ret = smb_krb5_init_context(mem_ctx, 
-				    ldb_get_event_context(sam_ctx),
-				    (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"), 
-				    &smb_krb5_context);
-				
-	if (ret) {
-		return WERR_NOMEM;
-	}
+	struct smb_krb5_context *smb_krb5_context = NULL;
 
 	info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 	info1->dns_domain_name = NULL;
@@ -380,6 +372,30 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 
 	/* here we need to set the domain_filter and/or the result_filter */
 	switch (format_offered) {
+	case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
+	{
+		int i;
+		enum drsuapi_DsNameFormat formats[] = {
+			DRSUAPI_DS_NAME_FORMAT_FQDN_1779, DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
+			DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT, DRSUAPI_DS_NAME_FORMAT_CANONICAL,
+			DRSUAPI_DS_NAME_FORMAT_GUID, DRSUAPI_DS_NAME_FORMAT_DISPLAY,
+			DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
+			DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
+			DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX
+		};
+		WERROR werr;
+		for (i=0; i < ARRAY_SIZE(formats); i++) {
+			werr = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, formats[i], format_desired, name, info1);
+			if (!W_ERROR_IS_OK(werr)) {
+				return werr;
+			}
+			if (info1->status != DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+				return werr;
+			}
+		}
+		return werr;
+	}
+
 	case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
 	case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 	{
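Review bot: The new `DRSUAPI_DS_NAME_FORMAT_UNKNOWN` case leaves the reader to work out why the recursion terminates and why the trial order matters; a comment above `formats[]` such as `/* Try each concrete format in turn: the first one that does not report NOT_FOUND wins, so the order of formats[] decides ambiguous names. UNKNOWN itself is deliberately absent to keep the recursion finite. */` records both. The loop index is `int i` compared against `ARRAY_SIZE(formats)`, which is a size_t; `size_t i` avoids the signed/unsigned comparison warning. Each recursive call resets info1->status and info1->dns_domain_name at the top of the function, so a NOT_FOUND from an earlier format does not leak partial results into the next attempt, which is worth stating in that comment as well. DsCrackNameOneName starts and ends outside the hunk.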
@@ -534,6 +550,16 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 	case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
 		krb5_principal principal;
 		char *unparsed_name;
+
+		ret = smb_krb5_init_context(mem_ctx, 
+					    ldb_get_event_context(sam_ctx),
+					    (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"), 
+					    &smb_krb5_context);
+		
+		if (ret) {
+			return WERR_NOMEM;
+		}
+
 		ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 		if (ret) {
 			info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
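Review bot: The smb_krb5_init_context block added at the top of the USER_PRINCIPAL case is repeated verbatim in the SERVICE_PRINCIPAL hunk below (L175–191), and since the first hunk now initialises `smb_krb5_context` to NULL, any other use of it in the rest of DsCrackNameOneName (outside the hunks) would dereference NULL after this commit, which is worth a grep before merging. A small static helper keeps the two copies identical and gives one place that maps the init failure to WERR_NOMEM, as below. The enclosing switch and function continue past both ends of the hunk.
```c
/* Create the krb5 context on demand: only the principal-parsing formats need it. */
static WERROR cracknames_init_krb5(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
				   struct smb_krb5_context **smb_krb5_context)
{
	int ret = smb_krb5_init_context(mem_ctx,
					ldb_get_event_context(sam_ctx),
					(struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"),
					smb_krb5_context);
	return ret ? WERR_NOMEM : WERR_OK;
}

	/* … unchanged: DsCrackNameOneName up to the USER_PRINCIPAL case … */
	case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
		krb5_principal principal;
		char *unparsed_name;
		WERROR werr = cracknames_init_krb5(sam_ctx, mem_ctx, &smb_krb5_context);
		if (!W_ERROR_IS_OK(werr)) {
			return werr;
		}
		/* … unchanged: krb5_parse_name and the rest of the case … */
```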
@@ -560,6 +586,16 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 		krb5_principal principal;
 		char *unparsed_name_short;
 		char *service;
+
+		ret = smb_krb5_init_context(mem_ctx, 
+					    ldb_get_event_context(sam_ctx),
+					    (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"), 
+					    &smb_krb5_context);
+		
+		if (ret) {
+			return WERR_NOMEM;
+		}
+
 		ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 		if (ret == 0 && principal->name.name_string.len < 2) {
 			info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
@@ -1265,7 +1301,7 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
 				     const char **nt4_domain,
 				     const char **nt4_account)
 {
-	uint32_t format_offered = DRSUAPI_DS_NAME_FORMAT_UKNOWN;
+	uint32_t format_offered = DRSUAPI_DS_NAME_FORMAT_UNKNOWN;
 
 	/* Handle anonymous bind */
 	if (!name || !*name) {
@@ -1282,6 +1318,8 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
 		format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
 	} else if (strchr_m(name, '/')) {
 		format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
+	} else {
+		return NT_STATUS_NO_SUCH_USER;
 	}
 
 	return crack_name_to_nt4_name(mem_ctx, ev_ctx, lp_ctx, format_offered, name, nt4_domain, nt4_account);
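Review bot: With the new `else { return NT_STATUS_NO_SUCH_USER; }` every name that reaches the chain either gets a concrete format or is rejected, so the `DRSUAPI_DS_NAME_FORMAT_UNKNOWN` initializer in the hunk above is no longer what reaches crack_name_to_nt4_name (unless a branch between the two hunks, outside my view, falls through without assigning). Rejecting unrecognised forms rather than guessing is the right default on an authentication path, but a reader seeing the UNKNOWN initializer will assume the new guessing code in DsCrackNameOneName is reachable from here. Add `/* unrecognised forms are rejected rather than guessed: UNKNOWN must not reach crack_name_to_nt4_name */` above the else, or drop the UNKNOWN initializer. crack_auto_name_to_nt4_name starts before the hunk.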
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 19dff5e..d557da2 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1393,6 +1393,8 @@ tgs_build_reply(krb5_context context,
     char opt_str[128];
     int signedpath = 0;
 
+    Key *tkey;
+
     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
     krb5_data_zero(&rspac);
@@ -1630,26 +1632,22 @@ server_lookup:
     }
 
     /* check PAC if not cross realm and if there is one */
-    if (!cross_realm) {
-	Key *tkey;
-
-	ret = hdb_enctype2key(context, &krbtgt->entry,
-			      krbtgt_etype, &tkey);
-	if(ret) {
-	    kdc_log(context, config, 0,
+    ret = hdb_enctype2key(context, &krbtgt->entry,
+			  krbtgt_etype, &tkey);
+    if(ret) {
+	kdc_log(context, config, 0,
 		    "Failed to find key for krbtgt PAC check");
-	    goto out;
-	}
+	goto out;
+    }
 
-	ret = check_PAC(context, config, cp,
-			client, server, ekey, &tkey->key,
-			tgt, &rspac, &signedpath);
-	if (ret) {
-	    kdc_log(context, config, 0,
-		    "Verify PAC failed for %s (%s) from %s with %s",
-		    spn, cpn, from, krb5_get_err_text(context, ret));
-	    goto out;
-	}
+    ret = check_PAC(context, config, cp,
+		    client, server, ekey, &tkey->key,
+		    tgt, &rspac, &signedpath);
+    if (ret) {
+	kdc_log(context, config, 0,
+		"Verify PAC failed for %s (%s) from %s with %s",
+		spn, cpn, from, krb5_get_err_text(context, ret));
+	goto out;
     }
 
     /* also check the krbtgt for signature */
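Review bot: The comment on the unchanged line at the top of the hunk still reads "check PAC if not cross realm", but the `if (!cross_realm)` guard is exactly what the hunk removes, so the comment now contradicts the code it describes. Replace it with something like `/* check the PAC if there is one; cross-realm TGTs are now checked too, using the key of the krbtgt entry looked up above (presumably the inter-realm entry in that case) */`. The re-indented lines also mix styles: the `kdc_log(` calls sit at a tab while their continuation lines are at 4 spaces plus a tab, which clang-format would not produce. tgs_build_reply starts and ends outside the hunk.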
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index d7317f1..51f464c 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -757,13 +757,20 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db,
 		goto out;
 	}
 
-	ndr_err = ndr_pull_struct_blob_all(password_val, mem_ctx, private->iconv_convenience, &password_blob,
+	ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, private->iconv_convenience, &password_blob,
 					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		ret = EINVAL;
 		goto out;
 	}
 
+	entry_ex->entry.kvno = -1;
+	for (i=0; i < password_blob.count; i++) {
+		if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
+			entry_ex->entry.kvno = password_blob.current->array[i].AuthInfo.version.version;
+		}
+	}
+
 	for (i=0; i < password_blob.count; i++) {
 		if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
 			password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
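Review bot: Switching from ndr_pull_struct_blob_all to ndr_pull_struct_blob at the first changed line means trailing bytes in the stored trustAuthInOutBlob are now silently accepted instead of failing with EINVAL, and nothing in the hunk says why the stricter check had to go; a comment such as `/* not _all: the manual trustAuthInOutBlob parser does not consume the whole blob */` (if that is the reason) would stop the next reader from reverting it. `entry_ex->entry.kvno = -1` needs a note on what -1 means (no TRUST_AUTH_TYPE_VERSION entry present) and, if the kvno field is an unsigned type, an acknowledgement that the stored value is UINT_MAX rather than -1. The version loop has no `break`, so with several VERSION entries the last one wins; either add `break;` if only one is expected, or say that last-wins is intended. LDB_trust_message2entry starts and ends outside the hunk.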
@@ -806,6 +813,8 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db,
 		entry_ex->entry.keys.len++;
 	}
 		
+	entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
+
 	ret = copy_Principal(principal, entry_ex->entry.principal);
 	if (ret) {
 		krb5_clear_error_string(context);
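Review bot: The added `entry_ex->entry.principal = malloc(...)` is not checked, so on allocation failure copy_Principal on the next line writes through a NULL pointer. Follow the function's existing error convention: `if (entry_ex->entry.principal == NULL) { ret = ENOMEM; goto out; }`. A short comment on why this one allocation uses malloc while the rest of the function uses talloc (presumably because the hdb entry is later released by the Heimdal side) would also help. LDB_trust_message2entry starts and ends outside the hunk.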
@@ -1148,7 +1157,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
 					principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, 
 					msg[0], realm_ref_msg_1[0], entry_ex);
 		if (ret != 0) {
-			krb5_warnx(context, "LDB_fetch: message2entry failed");	
+			krb5_warnx(context, "LDB_fetch: self krbtgt message2entry failed");	
 		}
 		return ret;
 
@@ -1186,7 +1195,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
 					      principal, direction, 
 					      msg[0], entry_ex);
 		if (ret != 0) {
-			krb5_warnx(context, "LDB_fetch: message2entry failed");	
+			krb5_warnx(context, "LDB_fetch: trust_message2entry failed");	
 		}
 		return ret;
 
diff --git a/source4/librpc/idl/drsblobs.idl b/source4/librpc/idl/drsblobs.idl
index 31fe8a3..4274d20 100644
--- a/source4/librpc/idl/drsblobs.idl
+++ b/source4/librpc/idl/drsblobs.idl
@@ -409,21 +409,23 @@ interface drsblobs {
 		[size_is(1)] AuthenticationInformation array[];
 	} AuthenticationInformationArray;
 
+	/* This is nopull,nopush because we pass count down to the
+	 * manual parser of AuthenticationInformationArray */
 	typedef [public,nopull,nopush,noprint,gensize] struct {
 		uint32 count;
 		[relative] AuthenticationInformationArray *current;
 		[relative] AuthenticationInformationArray *previous;
 	} trustAuthInOutBlob;
 
+	void decode_trustAuthInOut(
+		[in] trustAuthInOutBlob blob
+		);
+
 	typedef [public,gensize] struct {
 		uint32 count;
 		[relative] AuthenticationInformation *current[count];
 	} trustCurrentPasswords;
 
-	void decode_trustAuthInOut(
-		[in] trustAuthInOutBlob blob
-		);
-
 	typedef [public,nopull] struct {
 		uint8 confounder[512];
 		[subcontext(0),subcontext_size(outgoing_size)] trustCurrentPasswords outgoing;
diff --git a/source4/librpc/idl/drsuapi.idl b/source4/librpc/idl/drsuapi.idl
index 76858b2..a41bc9c 100644
--- a/source4/librpc/idl/drsuapi.idl
+++ b/source4/librpc/idl/drsuapi.idl
@@ -877,7 +877,7 @@ interface drsuapi
 	} drsuapi_DsNameFlags;
 
 	typedef [v1_enum] enum {
-		DRSUAPI_DS_NAME_FORMAT_UKNOWN			= 0,
+		DRSUAPI_DS_NAME_FORMAT_UNKNOWN			= 0,
 		DRSUAPI_DS_NAME_FORMAT_FQDN_1779		= 1,
 		DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT		= 2,
 		DRSUAPI_DS_NAME_FORMAT_DISPLAY			= 3,
diff --git a/source4/librpc/idl/misc.idl b/source4/librpc/idl/misc.idl
index 8331977..791b864 100644
--- a/source4/librpc/idl/misc.idl
+++ b/source4/librpc/idl/misc.idl
@@ -30,9 +30,11 @@ interface misc
 	/* Only SEC_CHAN_WKSTA can forward requests to other domains. */
 
 	typedef [public] enum {
-		SEC_CHAN_WKSTA   = 2,
-		SEC_CHAN_DOMAIN  = 4,
-		SEC_CHAN_BDC     = 6
+		SEC_CHAN_NULL        = 0,
+		SEC_CHAN_WKSTA       = 2,
+		SEC_CHAN_DNS_DOMAIN  = 3,
+		SEC_CHAN_DOMAIN      = 4,
+		SEC_CHAN_BDC         = 6
 	} netr_SchannelType;
 
 	/* SAM database types */
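Review bot: The two new netr_SchannelType values are undocumented while the surrounding comment only explains SEC_CHAN_WKSTA. Annotate them inline, e.g. `SEC_CHAN_NULL        = 0, /* no channel type set; a zero-initialised value, not a valid request */` and `SEC_CHAN_DNS_DOMAIN  = 3, /* trust account of an AD (uplevel) trusted domain, named by DNS name */`, so that server-side switches treat 0 as unset rather than as a new legitimate channel kind. The second description is inferred from the NETLOGON change in this commit; confirm it against the reference documentation before committing it.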
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 5e3be84..836fd8d 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -727,13 +727,46 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}				
+
+		if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
+			if (auth_struct.incoming.count > 1) {
+				return NT_STATUS_INVALID_PARAMETER;
+			}
+		}
 	}
 
 	if (auth_struct.incoming.count) {
+		int i;
+		struct trustAuthInOutBlob incoming;
+		
+		incoming.count = auth_struct.incoming.count;
+		incoming.current = talloc(mem_ctx, struct AuthenticationInformationArray);
+		if (!incoming.current) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		incoming.current->array = *auth_struct.incoming.current;
+		if (!incoming.current->array) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		incoming.previous = talloc(mem_ctx, struct AuthenticationInformationArray);
+		if (!incoming.previous) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		incoming.previous->array = talloc_array(mem_ctx, struct AuthenticationInformation, incoming.count);
+		if (!incoming.previous->array) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		for (i = 0; i < incoming.count; i++) {
+			incoming.previous->array[i].LastUpdateTime = 0;
+			incoming.previous->array[i].AuthType = 0;
+		}
 		ndr_err = ndr_push_struct_blob(&trustAuthIncoming, mem_ctx, 
 					       lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
-					       &auth_struct.incoming,
-					       (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
+					       &incoming,
+					       (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
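Review bot: `incoming.previous->array` is allocated with talloc_array and only LastUpdateTime and AuthType are set, so the AuthInfo union of each previous entry is pushed into the stored trustAuthIncoming blob uninitialised unless AuthType 0 pushes nothing; `talloc_zero_array` removes the doubt, and the outgoing hunk below (L434–473) has the same issue. `incoming.current->array = *auth_struct.incoming.current` takes only current[0] while `incoming.count` is copied from the client, so for any op other than NDR_LSA_CREATETRUSTEDDOMAINEX (the only one limited to count <= 1) the push would read past a single entry unless the manual pull of trustCurrentPasswords guarantees the entries are contiguous, which deserves an assertion or a comment. A NULL current[0] is a client-supplied value, so NT_STATUS_INVALID_PARAMETER describes it better than NT_STATUS_NO_MEMORY. The two hunks are the same twenty lines; a static helper as below keeps the fix in one place. dcesrv_lsa_CreateTrustedDomain_base starts and ends outside the hunk.
```c
/* Build the stored trustAuthInOutBlob from the caller-supplied password set:
 * "current" references the supplied entries, "previous" is an all-zero
 * placeholder with the same count. */
static NTSTATUS dcesrv_lsa_build_auth_blob(TALLOC_CTX *mem_ctx,
					   const struct trustCurrentPasswords *src,
					   struct trustAuthInOutBlob *dst)
{
	dst->count = src->count;
	dst->current = talloc(mem_ctx, struct AuthenticationInformationArray);
	if (!dst->current) {
		return NT_STATUS_NO_MEMORY;
	}
	dst->current->array = *src->current;
	if (!dst->current->array) {
		return NT_STATUS_INVALID_PARAMETER;
	}
	dst->previous = talloc(mem_ctx, struct AuthenticationInformationArray);
	if (!dst->previous) {
		return NT_STATUS_NO_MEMORY;
	}
	/* zeroed, so no uninitialised AuthInfo bytes reach the stored blob */
	dst->previous->array = talloc_zero_array(mem_ctx, struct AuthenticationInformation, dst->count);
	if (!dst->previous->array) {
		return NT_STATUS_NO_MEMORY;
	}
	return NT_STATUS_OK;
}

	/* … unchanged: dcesrv_lsa_CreateTrustedDomain_base up to the incoming block … */
	if (auth_struct.incoming.count) {
		struct trustAuthInOutBlob incoming;
		NTSTATUS blob_status = dcesrv_lsa_build_auth_blob(mem_ctx, &auth_struct.incoming, &incoming);
		if (!NT_STATUS_IS_OK(blob_status)) {
			return blob_status;
		}
		/* … unchanged: ndr_push_struct_blob of &incoming … */
```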
@@ -742,10 +775,37 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 	}
 	
 	if (auth_struct.outgoing.count) {
+		int i;
+		struct trustAuthInOutBlob outgoing;
+		
+		outgoing.count = auth_struct.outgoing.count;
+		outgoing.current = talloc(mem_ctx, struct AuthenticationInformationArray);
+		if (!outgoing.current) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		outgoing.current->array = *auth_struct.outgoing.current;
+		if (!outgoing.current->array) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		outgoing.previous = talloc(mem_ctx, struct AuthenticationInformationArray);
+		if (!outgoing.previous) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		outgoing.previous->array = talloc_array(mem_ctx, struct AuthenticationInformation, outgoing.count);
+		if (!outgoing.previous->array) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		for (i = 0; i < outgoing.count; i++) {
+			outgoing.previous->array[i].LastUpdateTime = 0;
+			outgoing.previous->array[i].AuthType = 0;
+		}
 		ndr_err = ndr_push_struct_blob(&trustAuthOutgoing, mem_ctx, 
 					       lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
-					       &auth_struct.outgoing,
-					       (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
+					       &outgoing,
+					       (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index d5f7d2a..b948d12 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -87,6 +87,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	const char *attrs[] = {"unicodePwd", "userAccountControl", 
 			       "objectSid", NULL};
 
+	const char *trust_dom_attrs[] = {"flatname", NULL};
+	const char *account_name;
+
 	ZERO_STRUCTP(r->out.credentials);
 	*r->out.rid = 0;
 	*r->out.negotiate_flags = *r->in.negotiate_flags;
@@ -101,10 +104,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
+
+	if (r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+		char *encoded_account = ldb_binary_encode_string(mem_ctx, r->in.account_name);
+		char *flatname;
+		if (!encoded_account) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		/* Kill the trailing dot */
+		if (encoded_account[strlen(encoded_account)-1] == '.') {
+			encoded_account[strlen(encoded_account)-1] = '\0';
+		}
+
+		/* pull the user attributes */
+		num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, trust_dom_attrs,
+					   "(&(trustPartner=%s)(objectclass=trustedDomain))", 
+					   encoded_account);
+		
+		if (num_records == 0) {
+			DEBUG(3,("Couldn't find trust [%s] in samdb.\n", 
+				 encoded_account));
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		
+		if (num_records > 1) {
+			DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		
+		flatname = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
+		if (!flatname) {
+			/* No flatname for this trust - we can't proceed */
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
+
+		if (!account_name) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+	} else {
+		account_name = r->in.account_name;
+	}
+	
 	/* pull the user attributes */
 	num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
 				   "(&(sAMAccountName=%s)(objectclass=user))", 
-				   r->in.account_name);
+				   ldb_binary_encode_string(mem_ctx, account_name));
 
 	if (num_records == 0) {
 		DEBUG(3,("Couldn't find user [%s] in samdb.\n", 
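Review bot: `encoded_account[strlen(encoded_account)-1]` in the "Kill the trailing dot" lines indexes one byte before the buffer when the account name encodes to an empty string, because strlen is 0 and the index wraps; the name comes straight from the client in the channel-establishment call, so the guard must be on the length: `size_t len = strlen(encoded_account);` / `if (len > 0 && encoded_account[len-1] == '.') {` / `encoded_account[len-1] = '\0';`. The second `ldb_binary_encode_string(mem_ctx, account_name)` in the sAMAccountName search is not checked, so an allocation failure hands NULL to the `%s` filter argument; assign it to a local and return NT_STATUS_NO_MEMORY like the first call does. `flatname` is declared `char *` although ldb_msg_find_attr_as_string returns a const string, and the "Found %d records matching user" message describes a trust. dcesrv_netr_ServerAuthenticate3 starts and ends outside the hunk.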
@@ -130,7 +177,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 			DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control));
 			return NT_STATUS_ACCESS_DENIED;
 		}
-	} else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
+	} else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN || 
+		   r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
 		if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
 			DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control));
 			
diff --git a/source4/torture/rpc/drsuapi_cracknames.c b/source4/torture/rpc/drsuapi_cracknames.c
index fbda69d..a9a6149 100644
--- a/source4/torture/rpc/drsuapi_cracknames.c
+++ b/source4/torture/rpc/drsuapi_cracknames.c
@@ -39,6 +39,7 @@ static bool test_DsCrackNamesMatrix(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 	bool ret = true;
 	struct drsuapi_DsCrackNames r;
 	enum drsuapi_DsNameFormat formats[] = {
+		DRSUAPI_DS_NAME_FORMAT_UNKNOWN,
 		DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
 		DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
 		DRSUAPI_DS_NAME_FORMAT_DISPLAY,
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index efbdeca..245ed1e 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -1899,7 +1899,11 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 		
 		/* NO_MORE_ENTRIES is allowed */
 		if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
-			return true;
+			if (domains.count == 0) {
+				return true;
+			}
+			printf("EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
+			return false;
 		} else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
 			/* Windows 2003 gets this off by one on the first run */
 			if (r.out.domains->count < 3 || r.out.domains->count > 4) {
@@ -1950,7 +1954,11 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 		
 		/* NO_MORE_ENTRIES is allowed */
 		if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
-			return true;
+			if (domains_ex.count == 0) {
+				return true;
+			}
+			printf("EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
+			return false;
 		} else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
 			/* Windows 2003 gets this off by one on the first run */
 			if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) {
@@ -2115,7 +2123,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 
 		/* Try different trust types too */
 
-		/* 1 == downleven (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
+		/* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
 		trustinfo.trust_type = (((i / 3) + 1) % 3) + 1;
 
 		trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
@@ -2160,6 +2168,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,


-- 
Samba Shared Repository

