[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-473-g44ff392

Andrew Bartlett abartlet at samba.org
Mon Sep 8 04:22:28 GMT 2008


The branch, v4-0-test has been updated
       via  44ff392ffea52e89a3ac096a6d381ae540d3473c (commit)
       via  a057c3ed9df2670e5cad5f1807e280d77eb58cb0 (commit)
       via  07cb8db799cc22685af4bb63285fa10115790ce1 (commit)
       via  5c3d237a6d721dc75166bdc5ac0c6e76a4495bf7 (commit)
       via  fa3f3bab33001770a9d7e33875bf212636f6c128 (commit)
       via  d87b655e20b7c38756774cec2e5898af38c46786 (commit)
       via  80f31c3272b8bc803629c27357033fd325529db1 (commit)
       via  d55602e23e7947462cb402b20b2d354b96aa7ba3 (commit)
       via  b52fba5b2c63a24acbfc7e3e989c16b691d98162 (commit)
       via  edea162a0e11f03b4b6069388abbca099f097386 (commit)
       via  842ab594124198453fc88f46ab83b712a7d34dc1 (commit)
       via  468bf839c500ed1a26ab9a358ee64a4c0a695797 (commit)
       via  a89f9818180e8fb868975c444c4d0e5aaa8d4e79 (commit)
       via  99a3abda09716c064b3e9a37c4a79a8f62444eca (commit)
       via  b599b83a13db90b50a5422ff73daa63648b1e8cd (commit)
       via  9590805bcbdd1924eda5a69978ffac7ec7603451 (commit)
       via  91ae8dca254aa8c032daf0c87fa2a47760d32586 (commit)
       via  e5520706c88911c66b3ce5817e371900212ca083 (commit)
       via  b55a1b63cc2f7de889f046e975e3414bc5000613 (commit)
      from  1432a96d37e367d9d97d48b69c6f16351a9ad066 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 44ff392ffea52e89a3ac096a6d381ae540d3473c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 14:18:04 2008 +1000

    Move blackbox.smbclient to test against the member server.
    
    The DC is now using smb signing, so testing for the old SMB versions
    won't work.
    
    Add a new test script to check 'net join' independent of
    blackbox.smbclient.
    
    Andrew Bartlett

commit a057c3ed9df2670e5cad5f1807e280d77eb58cb0
Merge: 07cb8db799cc22685af4bb63285fa10115790ce1 1432a96d37e367d9d97d48b69c6f16351a9ad066
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 12:54:13 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into trusted-domains

commit 07cb8db799cc22685af4bb63285fa10115790ce1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 12:46:04 2008 +1000

    Simplify SetSecrets behaviour in line with RPC-LSA and Win2008.

commit 5c3d237a6d721dc75166bdc5ac0c6e76a4495bf7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 11:10:24 2008 +1000

    Try to implement the right logic for systemFlags
    
    The MS-ADTS document has quite detailed instructions on how these
    flags should be processed.  This change also causes the correct
    sign-wrapping to occur, as these are declared as signed integers.
    
    Andrew Bartlett
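
The sign wrap mentioned in the commit message above, shown as an added example (this is not Samba code): Active Directory declares systemFlags as a signed 32-bit integer, so any value with FLAG_DISALLOW_DELETE (0x80000000) set is carried over LDAP as a negative decimal string. The helpers below convert between the flag bits and that LDAP form, name the bits in a value, and apply the client-settable mask that the patch leaves commented out. Flag names and values are assumed from MS-ADTS 2.2.10; the sample values at the bottom are constructed for the example.

```python
"""Added example, not Samba code: systemFlags as LDAP stores it."""

# systemFlags bits, assumed from MS-ADTS 2.2.10.
SYSTEM_FLAGS = {
    "FLAG_ATTR_NOT_REPLICATED": 0x00000001,
    "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER": 0x00000002,
    "FLAG_ATTR_IS_CONSTRUCTED": 0x00000004,
    "FLAG_ATTR_IS_OPERATIONAL": 0x00000008,
    "FLAG_SCHEMA_BASE_OBJECT": 0x00000010,
    "FLAG_ATTR_IS_RDN": 0x00000020,
    "FLAG_DISALLOW_MOVE_ON_DELETE": 0x02000000,
    "FLAG_DOMAIN_DISALLOW_MOVE": 0x04000000,
    "FLAG_DOMAIN_DISALLOW_RENAME": 0x08000000,
    "FLAG_CONFIG_ALLOW_LIMITED_MOVE": 0x10000000,
    "FLAG_CONFIG_ALLOW_MOVE": 0x20000000,
    "FLAG_CONFIG_ALLOW_RENAME": 0x40000000,
    "FLAG_DISALLOW_DELETE": 0x80000000,
}

# The three bits the patch's commented-out mask names as client-settable on Add.
CLIENT_SETTABLE = (SYSTEM_FLAGS["FLAG_CONFIG_ALLOW_RENAME"]
                   | SYSTEM_FLAGS["FLAG_CONFIG_ALLOW_MOVE"]
                   | SYSTEM_FLAGS["FLAG_CONFIG_ALLOW_LIMITED_MOVE"])


def to_ldap_int32(flags):
    """Encode a 32-bit flag mask as the signed decimal string LDAP carries."""
    flags &= 0xFFFFFFFF
    if flags & 0x80000000:          # top bit set: the int32 wraps negative
        flags -= 0x100000000
    return str(flags)


def from_ldap_int32(text):
    """Decode the LDAP string back into an unsigned 32-bit flag mask."""
    return int(text) & 0xFFFFFFFF


def flag_names(flags):
    """Names of the bits set in an unsigned flag mask, lowest bit first."""
    ordered = sorted(SYSTEM_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if flags & bit]


def mask_client_flags(text):
    """Keep only the client-settable bits of a client-supplied systemFlags
    string; the DC adds its own class-specific defaults on top of this."""
    return to_ldap_int32(from_ldap_int32(text) & CLIENT_SETTABLE)


if __name__ == "__main__":
    # Constructed: a container protected from delete, move and rename.
    stored = to_ldap_int32(SYSTEM_FLAGS["FLAG_DISALLOW_DELETE"]
                           | SYSTEM_FLAGS["FLAG_DOMAIN_DISALLOW_RENAME"]
                           | SYSTEM_FLAGS["FLAG_DOMAIN_DISALLOW_MOVE"])
    print(stored, flag_names(from_ldap_int32(stored)))
    # Constructed: a client tries to set FLAG_DISALLOW_DELETE itself on Add.
    print(mask_client_flags("-2147483648"))
```

The negative number is the same bit pattern, not a different value; a comparison such as `systemFlags >= 0x80000000` in an LDAP filter or in Python on the decoded string will silently never match unless the value is first re-wrapped to unsigned as `from_ldap_int32` does.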

commit fa3f3bab33001770a9d7e33875bf212636f6c128
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 11:09:02 2008 +1000

    Don't expose passwords, even to the administrator.
    
    This ensures they don't leak over LDAP, but does not prevent access,
    as ldbsearch locally still bypasses these controls.
    
    Andrew Bartlett

commit d87b655e20b7c38756774cec2e5898af38c46786
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 8 10:55:34 2008 +1000

    More work towards trusted domains support in Samba4's LSA
    
    Make 'lsar_CreateTrustedDomain' consistent with
    lsar_CreateTrustedDomainEx{,2} by renaming handle -> policy_handle
    
    Implement LSA server logic to create the cn=users trust account for
    incoming trusts.
    
    Andrew Bartlett

commit 80f31c3272b8bc803629c27357033fd325529db1
Author: Oliver Liebel <oliver at itc.li>
Date:   Sat Sep 6 13:12:19 2008 +1000

    Remove <tab> in OpenLDAP MMR config
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit d55602e23e7947462cb402b20b2d354b96aa7ba3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 6 09:07:41 2008 +1000

    Make SMB signing work with Windows 2008 and kerberos.
    
    Pinched from b53e6387e30010509034835acf88b91b380ff44a by metze.
    
    Andrew Bartlett

commit b52fba5b2c63a24acbfc7e3e989c16b691d98162
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 5 16:46:12 2008 +1000

    Add a new error code

commit edea162a0e11f03b4b6069388abbca099f097386
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 5 16:45:58 2008 +1000

    Update copyright

commit 842ab594124198453fc88f46ab83b712a7d34dc1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 5 16:45:37 2008 +1000

    Update copyright, I've been working here many long years...

commit 468bf839c500ed1a26ab9a358ee64a4c0a695797
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 5 16:45:10 2008 +1000

    Move our DC to implement mandatory signing.
    
    (this does not change the file server role, and only really changes
    what 'server signing = auto' means)
    
    Optional signing really isn't any benefit to network security.
    
    In doing so, allow anonymous clients (if permitted by policy) to log
    in without signing, as Samba3 does not sign these connections (which
    would use an all-zero key, so pointless).
    
    Andrew Bartlett

commit a89f9818180e8fb868975c444c4d0e5aaa8d4e79
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Sep 5 16:24:44 2008 +1000

    With a windows 2008 client, even anonymous requires signing...
    
    Andrew Bartlett

commit 99a3abda09716c064b3e9a37c4a79a8f62444eca
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Sep 4 16:06:38 2008 +1000

    More work to implement LSA CreateTrustedDomainEx2
    
    We still don't get the format inside the encrypted blob correct
    however.
    
    Andrew Bartlett

commit b599b83a13db90b50a5422ff73daa63648b1e8cd
Merge: 9590805bcbdd1924eda5a69978ffac7ec7603451 e8ba65c4db986fcedf7008d05d8f8846f78a98f1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Sep 4 11:32:32 2008 +1000

    Merge commit 'origin/v4-0-test' into trusted-domains

commit 9590805bcbdd1924eda5a69978ffac7ec7603451
Merge: 91ae8dca254aa8c032daf0c87fa2a47760d32586 82fcd7941f5c54da2d994c8bd99dd8d86299a296
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 3 15:34:44 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet

commit 91ae8dca254aa8c032daf0c87fa2a47760d32586
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 2 11:31:46 2008 +1000

    Start testing CreateTrustedDomainEx2
    
    Andrew Bartlett

commit e5520706c88911c66b3ce5817e371900212ca083
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 2 11:31:17 2008 +1000

    Share IDL between the LSA and drsblob representations of trusts

commit b55a1b63cc2f7de889f046e975e3414bc5000613
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 1 14:43:00 2008 +1000

    Follow MS-LSAD 3.1.4.7.12 and set defaults when creating a trust.
    
    Also check we get the defaults correct with a query in the torture
    suite.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source/client/tests/test_smbclient.sh        |    6 -
 source/dsdb/samdb/ldb_modules/kludge_acl.c   |   15 +-
 source/dsdb/samdb/ldb_modules/objectclass.c  |   37 ++
 source/kdc/kdc.c                             |    2 +-
 source/libcli/raw/smb_signing.c              |    5 +-
 source/libcli/util/nterr.c                   |    1 +
 source/libcli/util/ntstatus.h                |    1 +
 source/librpc/idl/drsblobs.idl               |   62 ++--
 source/librpc/idl/lsa.idl                    |   66 +++-
 source/rpc_server/lsa/dcesrv_lsa.c           |  488 ++++++++++++++++++++-----
 source/rpc_server/netlogon/dcerpc_netlogon.c |    2 +-
 source/selftest/samba4_tests.sh              |    3 +-
 source/setup/mmr_syncrepl.conf               |    1 -
 source/smb_server/smb/sesssetup.c            |   12 +-
 source/smb_server/smb/signing.c              |    8 +-
 source/torture/rpc/lsa.c                     |  166 +++++++++-
 source/utils/tests/test_net.sh               |   39 ++
 17 files changed, 736 insertions(+), 178 deletions(-)
 create mode 100755 source/utils/tests/test_net.sh


Changeset truncated at 500 lines:

diff --git a/source/client/tests/test_smbclient.sh b/source/client/tests/test_smbclient.sh
index 27a3488..7ff03ba 100755
--- a/source/client/tests/test_smbclient.sh
+++ b/source/client/tests/test_smbclient.sh
@@ -43,8 +43,6 @@ testit "share and server list" $VALGRIND $smbclient -L $SERVER $CONFIGURATION  -
 
 testit "share and server list anonymously" $VALGRIND $smbclient -N -L $SERVER $CONFIGURATION $@ || failed=`expr $failed + 1`
 
-testit "domain join" $VALGRIND bin/net join $DOMAIN $CONFIGURATION  -W "$DOMAIN" -U"$USERNAME%$PASSWORD" $@ || failed=`expr $failed + 1`
-
 # Generate random file
 cat >tmpfile<<EOF
 foo
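Review bot: the removed "domain join" line was the only test in this file exercising bin/net join, and its replacement is not visible: the summary lists a new source/utils/tests/test_net.sh, but it falls past the 500-line truncation, and source/selftest/samba4_tests.sh changes by only three lines. Confirm the new script keeps the -W "$DOMAIN" -U"$USERNAME%$PASSWORD" form and is actually registered in samba4_tests.sh, otherwise the join is no longer tested at all.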
@@ -128,10 +126,6 @@ runcmd "List directory with LANMAN2" 'ls' -m LANMAN2 || failed=`expr $failed + 1
 
 runcmd "Print current working directory" 'pwd'|| failed=`expr $failed + 1`
 
-testit "Test login with --machine-pass without kerberos" $VALGRIND $smbclient -c 'ls' $CONFIGURATION //$SERVER/tmp --machine-pass -k no || failed=`expr $failed + 1`
-
-testit "Test login with --machine-pass and kerberos" $VALGRIND $smbclient -c 'ls' $CONFIGURATION //$SERVER/tmp --machine-pass -k yes || failed=`expr $failed + 1`
-
 (
     echo "password=$PASSWORD"
     echo "username=$USERNAME"
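Review bot: the two --machine-pass logins (-k no and -k yes) are dropped here with no replacement anywhere in the visible changeset. The commit message only explains moving the join and the old-dialect tests off the signing DC; the machine-account login path against a DC that now requires signing is exactly what the smb_signing.c change in this same push is meant to make work, so these two lines should move to test_net.sh or be retargeted at the member server rather than deleted.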
diff --git a/source/dsdb/samdb/ldb_modules/kludge_acl.c b/source/dsdb/samdb/ldb_modules/kludge_acl.c
index 2c01594..bc998a8 100644
--- a/source/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -238,7 +238,6 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
 	{
 		switch (ac->user_type) {
 		case SECURITY_SYSTEM:
-		case SECURITY_ADMINISTRATOR:
 			if (ac->allowedAttributesEffective) {
 				ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
 				if (ret != LDB_SUCCESS) {
@@ -252,6 +251,20 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
 				}
 			}
 			break;
+		case SECURITY_ADMINISTRATOR:
+			if (ac->allowedAttributesEffective) {
+				ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
+				if (ret != LDB_SUCCESS) {
+					return ret;
+				}
+			}
+			if (ac->allowedChildClassesEffective) {
+				ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
+				if (ret != LDB_SUCCESS) {
+					return ret;
+				}
+			}
+			/* fall though */
 		default:
 			/* remove password attributes */
 			for (i = 0; data->password_attrs[i]; i++) {
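Review bot: the fall-through into default is deliberate here, so spell the marker "/* fall through */" (the hunk has "fall though"), which is the form compilers and lint tools recognise when warning on implicit fall-through. The new SECURITY_ADMINISTRATOR case is otherwise an exact copy of the SECURITY_SYSTEM case without the break, so it would be shorter and harder to desynchronise to keep both labels on the shared allowedAttributesEffective/allowedChildClassesEffective block and then do `if (ac->user_type == SECURITY_SYSTEM) break;` before the password-stripping loop.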
diff --git a/source/dsdb/samdb/ldb_modules/objectclass.c b/source/dsdb/samdb/ldb_modules/objectclass.c
index 4d4ef58..b048a8d 100644
--- a/source/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source/dsdb/samdb/ldb_modules/objectclass.c
@@ -534,6 +534,8 @@ static int objectclass_do_add(struct ldb_handle *h)
 			}
 			/* Last one is the critical one */
 			if (!current->next) {
+				struct ldb_message_element *el;
+				int32_t systemFlags = 0;
 				if (!ldb_msg_find_element(msg, "objectCategory")) {
 					ldb_msg_add_string(msg, "objectCategory", 
 							   current->objectclass->defaultObjectCategory);
@@ -548,6 +550,41 @@ static int objectclass_do_add(struct ldb_handle *h)
 						ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
 					}
 				}
+
+				/* There are very special rules for systemFlags, see MS-ADTS 3.1.1.5.2.4 */
+				el = ldb_msg_find_element(msg, "systemFlags");
+
+				systemFlags = ldb_msg_find_attr_as_int(msg, "systemFlags", 0);
+
+				if (el) {
+					/* Only these flags may be set by a client, but we can't tell between a client and our provision at this point */
+					/* systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE); */
+					ldb_msg_remove_element(msg, el);
+				}
+				
+				/* This flag is only allowed on attributeSchema objects */
+				if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "attributeSchema") == 0) {
+					systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
+				}
+
+				if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "server") == 0) {
+					systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE | SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE);
+				} else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "site") == 0
+					   || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "serverContainer") == 0
+					   || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "ntDSDSA") == 0) {
+					systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
+
+				} else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLink") == 0 
+					   || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLinkBridge") == 0
+					   || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "nTDSConnection") == 0) {
+					systemFlags |= (int32_t)(SYSTEM_FLAG_CONFIG_ALLOW_RENAME);
+				}
+
+				/* TODO: If parent object is site or subnet, also add (SYSTEM_FLAG_CONFIG_ALLOW_RENAME) */
+
+				if (el || systemFlags != 0) {
+					samdb_msg_add_int(ac->module->ldb, msg, msg, "systemFlags", systemFlags);
+				}
 			}
 		}
 	}
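Review bot: the attributeSchema check is inverted relative to its own comment. The comment says the flag "is only allowed on attributeSchema objects", but `ldb_attr_cmp(..., "attributeSchema") == 0` is true exactly when the class is attributeSchema, so SYSTEM_FLAG_ATTR_IS_RDN is cleared on the one class where it is permitted and kept on every other class; this wants `!= 0`. Separately, with the client mask left commented out (`systemFlags &= (SYSTEM_FLAG_CONFIG_ALLOW_RENAME | ...)`), the value read back by ldb_msg_find_attr_as_int is re-added unchanged via samdb_msg_add_int, so an LDAP client can still set any bit on Add, including the ones MS-ADTS 3.1.1.5.2.4 reserves to the DC. Since the module cannot tell provision from a client, consider having provision pass a control that enables the mask for everyone else, and leave a TODO noting the gap until then.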
diff --git a/source/kdc/kdc.c b/source/kdc/kdc.c
index 5d7b48a..b7009b0 100644
--- a/source/kdc/kdc.c
+++ b/source/kdc/kdc.c
@@ -3,7 +3,7 @@
 
    KDC Server startup
 
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005-2008
    Copyright (C) Andrew Tridgell	2005
    Copyright (C) Stefan Metzmacher	2005
 
diff --git a/source/libcli/raw/smb_signing.c b/source/libcli/raw/smb_signing.c
index 97bb688..1d03686 100644
--- a/source/libcli/raw/smb_signing.c
+++ b/source/libcli/raw/smb_signing.c
@@ -263,7 +263,6 @@ bool smbcli_set_signing_off(struct smb_signing_context *sign_info)
 {
 	DEBUG(5, ("Shutdown SMB signing\n"));
 	sign_info->doing_signing = false;
-	sign_info->next_seq_num = 0;
 	data_blob_free(&sign_info->mac_key);
 	sign_info->signing_state = SMB_SIGNING_ENGINE_OFF;
 	return true;
@@ -350,9 +349,6 @@ bool smbcli_simple_set_signing(TALLOC_CTX *mem_ctx,
 
 	dump_data_pw("Started Signing with key:\n", sign_info->mac_key.data, sign_info->mac_key.length);
 
-	/* Initialise the sequence number */
-	sign_info->next_seq_num = 0;
-
 	sign_info->signing_state = SMB_SIGNING_ENGINE_ON;
 
 	return true;
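Review bot: with this reset gone, and the one in smbcli_set_signing_off above, next_seq_num now survives a signing off/on cycle and is only zeroed in smbcli_init_signing, but the old "Initialise the sequence number" comment is removed without a replacement saying why. Add a comment here that the counter must keep counting across the session setup exchange that established the key, which is the Windows 2008/Kerberos case the commit message refers to; without it the next reader will put the reset back.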
@@ -379,6 +375,7 @@ bool smbcli_transport_simple_set_signing(struct smbcli_transport *transport,
 
 bool smbcli_init_signing(struct smbcli_transport *transport) 
 {
+	transport->negotiate.sign_info.next_seq_num = 0;
 	transport->negotiate.sign_info.mac_key = data_blob(NULL, 0);
 	if (!smbcli_set_signing_off(&transport->negotiate.sign_info)) {
 		return false;
diff --git a/source/libcli/util/nterr.c b/source/libcli/util/nterr.c
index ef4055a..4e046c7 100644
--- a/source/libcli/util/nterr.c
+++ b/source/libcli/util/nterr.c
@@ -545,6 +545,7 @@ static const nt_err_code_struct nt_errs[] =
         { "NT_STATUS_NO_MORE_ENTRIES", NT_STATUS_NO_MORE_ENTRIES },
 	{ "NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED", NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED },
 	{ "NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX", NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX },
+	{ "NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED", NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED },
 	{ "NT_STATUS_OBJECTID_NOT_FOUND", NT_STATUS_OBJECTID_NOT_FOUND },
 	{ "NT_STATUS_DOWNGRADE_DETECTED", NT_STATUS_DOWNGRADE_DETECTED },
 	{ "STATUS_MORE_ENTRIES", STATUS_MORE_ENTRIES },
diff --git a/source/libcli/util/ntstatus.h b/source/libcli/util/ntstatus.h
index 527a95b..9c7bee0 100644
--- a/source/libcli/util/ntstatus.h
+++ b/source/libcli/util/ntstatus.h
@@ -591,6 +591,7 @@ typedef uint32_t NTSTATUS;
 #define NT_STATUS_QUOTA_LIST_INCONSISTENT NT_STATUS(0xC0000000 | 0x0266)
 #define NT_STATUS_FILE_IS_OFFLINE NT_STATUS(0xC0000000 | 0x0267)
 #define NT_STATUS_NOT_A_REPARSE_POINT NT_STATUS(0xC0000000 | 0x0275)
+#define NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED NT_STATUS(0xC0000000 | 0x02E9)
 #define NT_STATUS_OBJECTID_NOT_FOUND NT_STATUS(0xC0000000 | 0x02F0)
 #define NT_STATUS_NO_SUCH_JOB NT_STATUS(0xC0000000 | 0xEDE) /* scheduler */
 #define NT_STATUS_DOWNGRADE_DETECTED NT_STATUS(0xC0000000 | 0x0388)
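Review bot: 0xC00002E9 is the documented value of STATUS_CURRENT_DOMAIN_NOT_ALLOWED and it is inserted in ascending order between 0x0275 and 0x02F0, so the definition itself is fine; the commit message "Add a new error code" should name the code and say which LSA call returns it, since nothing in the visible part of dcesrv_lsa.c uses it yet.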
diff --git a/source/librpc/idl/drsblobs.idl b/source/librpc/idl/drsblobs.idl
index eb85989..196423c 100644
--- a/source/librpc/idl/drsblobs.idl
+++ b/source/librpc/idl/drsblobs.idl
@@ -1,6 +1,6 @@
 #include "idl_types.h"
 
-import "drsuapi.idl", "misc.idl", "samr.idl";
+import "drsuapi.idl", "misc.idl", "samr.idl", "lsa.idl";
 
 [
   uuid("12345778-1234-abcd-0001-00000001"),
@@ -12,7 +12,7 @@ interface drsblobs {
 	typedef bitmap drsuapi_DsReplicaSyncOptions drsuapi_DsReplicaSyncOptions;
 	typedef bitmap drsuapi_DsReplicaNeighbourFlags drsuapi_DsReplicaNeighbourFlags;
 	typedef [v1_enum] enum drsuapi_DsAttributeId drsuapi_DsAttributeId;
-
+	typedef [v1_enum] enum lsa_TrustAuthType lsa_TrustAuthType;
 	/*
 	 * replPropertyMetaData
 	 * w2k  uses version 1
@@ -357,25 +357,6 @@ interface drsblobs {
 		);
 
 	typedef struct {
-		NTTIME time1;
-		uint32 unknown1;
-		DATA_BLOB value;
-		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
-	} trustAuthInOutSecret1;
-
-	typedef struct {
-		[relative] trustAuthInOutSecret1 *value1;
-		[relative] trustAuthInOutSecret1 *value2;
-	} trustAuthInOutCtr1;
-	
-	typedef [v1_enum] enum {
-		TRUST_AUTH_TYPE_NONE = 0,
-		TRUST_AUTH_TYPE_NT4OWF = 1,
-		TRUST_AUTH_TYPE_CLEAR = 2,
-		TRUST_AUTH_TYPE_VERSION = 3
-	} trustAuthType;
-
-	typedef struct {
 		[value(0)] uint32 size;
 	} AuthInfoNone;
 
@@ -384,6 +365,20 @@ interface drsblobs {
 		samr_Password password;
 	} AuthInfoNT4Owf;
 
+	/* 
+	 * the secret value is encoded as UTF16 if it's a string
+	 * but depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16
+	 * mayfail...
+	 *
+	 * TODO: We should try handle the case of a random buffer in all places
+	 *       we deal with cleartext passwords from windows
+	 *
+	 * so we don't use this:
+	 *
+	 * uint32 value_len;
+	 * [charset(UTF16)] uint8 value[value_len];
+	 */
+
 	typedef struct {
 		uint32 size;
 		uint8 password[size];
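Review bot: the comment being relocated here still reads "depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16 mayfail". Since it is being moved anyway, reword it (for example: "depending on AuthType the value may be raw random bytes, as it is for Kerberos trusts, so converting it to UTF16 may fail") and place it directly above the struct it describes rather than floating between typedefs.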
@@ -403,21 +398,8 @@ interface drsblobs {
 
 	typedef [public] struct {
 		NTTIME LastUpdateTime;
-		trustAuthType AuthType;
+		lsa_TrustAuthType AuthType;
 		
-		/* 
-		 * the secret value is encoded as UTF16 if it's a string
-		 * but depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16
-		 * mayfail...
-		 *
-		 * TODO: We should try handle the case of a random buffer in all places
-		 *       we deal with cleartext passwords from windows
-		 *
-		 * so we don't use this:
-		 *
-		 * uint32 value_len;
-		 * [charset(UTF16)] uint8 value[value_len];
-		 */
 		[switch_is(AuthType)] AuthInfo AuthInfo;
 		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
 	} AuthenticationInformation;
@@ -427,12 +409,20 @@ interface drsblobs {
 		[size_is(1)] AuthenticationInformation array[];
 	} AuthenticationInformationArray;
 
-	typedef [public,nopull,nopush,noprint] struct {
+	typedef [public,nopull,nopush,noprint,gensize] struct {
 		uint32 count;
 		[relative] AuthenticationInformationArray *current;
 		[relative] AuthenticationInformationArray *previous;
 	} trustAuthInOutBlob;
 
+	typedef [public] struct {
+		uint8 confounder[512];
+		trustAuthInOutBlob outgoing;
+		trustAuthInOutBlob incoming;
+		[value(ndr_size_trustAuthInOutBlob(&outgoing, ndr->flags))] uint32 outgoing_size;
+		[value(ndr_size_trustAuthInOutBlob(&incoming, ndr->flags))] uint32 incoming_size;
+	} trustAuthInAndOutBlob;
+	
 	void decode_trustAuthInOut(
 		[in] trustAuthInOutBlob blob
 		);
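Review bot: in trustAuthInAndOutBlob the two [value(ndr_size_...)] size fields follow the blobs they describe, so they are computed on push but give the pull side nothing to bound `outgoing` and `incoming` with; because trustAuthInOutBlob is nopull/nopush, the hand-written pull has to find the end of each blob itself, and the generated pull for this [public] struct will never verify that the trailing sizes agree with what was consumed. Also, the 512-byte confounder is random padding in the wire format, so the push side must fill it from a CSPRNG (lib/crypto/crypto.h is now included in dcesrv_lsa.c for this) rather than leaving it zeroed; the commit message already notes the encrypted format is not right yet.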
diff --git a/source/librpc/idl/lsa.idl b/source/librpc/idl/lsa.idl
index 408956b..b26d50c 100644
--- a/source/librpc/idl/lsa.idl
+++ b/source/librpc/idl/lsa.idl
@@ -311,7 +311,7 @@ import "misc.idl", "security.idl";
 	/* Function: 0x0c                                */
 
 	[public] NTSTATUS lsa_CreateTrustedDomain(
-		[in]         policy_handle *handle,
+		[in]         policy_handle *policy_handle,
 		[in]         lsa_DomainInfo *info,
 		[in]         uint32 access_mask,
 		[out]        policy_handle *trustdom_handle
@@ -578,9 +578,16 @@ import "misc.idl", "security.idl";
 		lsa_TrustAttributes trust_attributes;
 	} lsa_TrustDomainInfoInfoEx;
 
+	typedef [public,v1_enum] enum {
+		TRUST_AUTH_TYPE_NONE = 0,
+		TRUST_AUTH_TYPE_NT4OWF = 1,
+		TRUST_AUTH_TYPE_CLEAR = 2,
+		TRUST_AUTH_TYPE_VERSION = 3
+	} lsa_TrustAuthType;
+
 	typedef struct {
 		NTTIME_hyper   last_update_time;
-		uint32         secret_type;
+		lsa_TrustAuthType AuthType;
 		lsa_DATA_BUF2  data;
 	} lsa_TrustDomainInfoBuffer;
 
@@ -600,16 +607,26 @@ import "misc.idl", "security.idl";
 	} lsa_TrustDomainInfoFullInfo;
 
 	typedef struct {
+		lsa_DATA_BUF2                          auth_blob;
+	} lsa_TrustDomainInfoAuthInfoInternal;
+
+	typedef struct {
+		lsa_TrustDomainInfoInfoEx              info_ex;
+		lsa_TrustDomainInfoPosixOffset         posix_offset;
+		lsa_TrustDomainInfoAuthInfoInternal    auth_info;
+	} lsa_TrustDomainInfoFullInfoInternal;
+
+	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
-		lsa_DATA_BUF2                  data1;
+		uint32 forest_trust_length;
+		[size_is(forest_trust_length)] uint8 *forest_trust_data;
 	} lsa_TrustDomainInfoInfoEx2Internal;
 
 	typedef struct {
-		lsa_TrustDomainInfoInfoEx      info_ex;
-		lsa_DATA_BUF2                  data1;
+		lsa_TrustDomainInfoInfoEx2Internal     info;
 		lsa_TrustDomainInfoPosixOffset posix_offset;
 		lsa_TrustDomainInfoAuthInfo    auth_info;
-	} lsa_TrustDomainInfoInfo2Internal;
+	} lsa_TrustDomainInfoFullInfo2Internal;
 
 	typedef struct {
 		kerb_EncTypes enc_types;
@@ -633,13 +650,13 @@ import "misc.idl", "security.idl";
 		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
 		        lsa_TrustDomainInfoFullInfo          full_info;
 		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
-		        lsa_TrustDomainInfoAuthInfo          auth_info_internal;
+		        lsa_TrustDomainInfoAuthInfoInternal  auth_info_internal;
 		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
-		        lsa_TrustDomainInfoFullInfo          full_info_internal;
+		        lsa_TrustDomainInfoFullInfoInternal  full_info_internal;
 		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
 		        lsa_TrustDomainInfoInfoEx2Internal   info_ex2_internal;
 		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
-		        lsa_TrustDomainInfoInfo2Internal     info2_internal;
+		        lsa_TrustDomainInfoFullInfo2Internal     full_info2_internal;
 		[case(LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES)]
 		        lsa_TrustDomainInfoSupportedEncTypes enc_types;
 	} lsa_TrustedDomainInfo;
@@ -652,7 +669,11 @@ import "misc.idl", "security.idl";
 		);
 
 	/* Function:     0x1b */
-	[todo] NTSTATUS lsa_SetInformationTrustedDomain();
+	NTSTATUS lsa_SetInformationTrustedDomain(
+		[in]                  policy_handle         *trustdom_handle,
+		[in]                  lsa_TrustDomInfoEnum   level, 
+		[in,switch_is(level)] lsa_TrustedDomainInfo *info
+		);
 
 	/* Function:          0x1c */
 	[public] NTSTATUS lsa_OpenSecret(
@@ -770,7 +791,12 @@ import "misc.idl", "security.idl";
         );
 
 	/* Function:     0x28 */
-	[todo] NTSTATUS lsa_SetTrustedDomainInfo();
+	NTSTATUS lsa_SetTrustedDomainInfo(
+		[in]               policy_handle         *handle,
+		[in]               dom_sid2              *dom_sid,
+		[in]                   lsa_TrustDomInfoEnum  level, 
+		[in,switch_is(level)] lsa_TrustedDomainInfo *info
+        );
 	/* Function:      0x29 */
 	NTSTATUS lsa_DeleteTrustedDomain(
 		[in]               policy_handle         *handle,
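Review bot: the parameter block mixes indentation styles (`[in]                   lsa_TrustDomInfoEnum  level, ` is aligned with spaces while the other lines use the file's tab layout) and the closing `        );` is space-indented, unlike the tab-indented `);` on the neighbouring prototypes; both this prototype and lsa_SetInformationTrustedDomain above also carry a trailing space after `level,`. Worth normalising while the lines are new, since these IDL files are diffed by hand often.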
@@ -855,9 +881,15 @@ import "misc.idl", "security.idl";
 		[in]               uint32 max_size
 		);
 
-
 	/* Function 0x33 */
-	[todo] NTSTATUS lsa_CreateTrustedDomainEx();
+	NTSTATUS lsa_CreateTrustedDomainEx(
+		[in]  policy_handle               *policy_handle,
+		[in]  lsa_TrustDomainInfoInfoEx   *info,
+		[in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+		[in]  uint32 access_mask,
+		[out] policy_handle               *trustdom_handle
+		);
+
 
 	/* Function 0x34 */
 	NTSTATUS lsa_CloseTrustedDomainEx(
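Review bot: lsa_CreateTrustedDomainEx is declared with `lsa_TrustDomainInfoAuthInfoInternal *auth_info`, making it byte-for-byte identical to lsa_CreateTrustedDomainEx2 below. Check this against MS-LSAD: there the Ex variant takes the cleartext LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (the lsa_TrustDomainInfoAuthInfo already used by lsa_TrustDomainInfoFullInfo2Internal in this file), and only Ex2 takes the _INTERNAL encrypted blob. As a style point, removing one blank line above and adding one below the prototype leaves two consecutive blanks before the 0x34 comment.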
@@ -971,7 +1003,13 @@ import "misc.idl", "security.idl";
 		);
 
 	/* Function 0x3b */
-	[todo] NTSTATUS lsa_CreateTrustedDomainEx2();
+	NTSTATUS lsa_CreateTrustedDomainEx2(
+		[in]  policy_handle               *policy_handle,
+		[in]  lsa_TrustDomainInfoInfoEx   *info,
+		[in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+		[in]  uint32                       access_mask,
+		[out] policy_handle               *trustdom_handle
+		);
 
 	/* Function 0x3c */
 	[todo] NTSTATUS lsa_CREDRWRITE();
diff --git a/source/rpc_server/lsa/dcesrv_lsa.c b/source/rpc_server/lsa/dcesrv_lsa.c
index f67b5de..a1ca3b4 100644
--- a/source/rpc_server/lsa/dcesrv_lsa.c
+++ b/source/rpc_server/lsa/dcesrv_lsa.c
@@ -4,7 +4,7 @@
    endpoint server for the lsarpc pipe
 
    Copyright (C) Andrew Tridgell 2004
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2007
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2008
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -25,6 +25,9 @@
 #include "libcli/ldap/ldap_ndr.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "lib/crypto/crypto.h"
 
 /*
   this type allows us to distinguish handle types
@@ -58,6 +61,7 @@ struct lsa_trusted_domain_state {
 	struct lsa_policy_state *policy;
 	uint32_t access_mask;
 	struct ldb_dn *trusted_domain_dn;
+	struct ldb_dn *trusted_domain_user_dn;
 };
 
 static NTSTATUS dcesrv_lsa_EnumAccountRights(struct dcesrv_call_state *dce_call, 
@@ -138,13 +142,32 @@ static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALL
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
 		struct lsa_trusted_domain_state *trusted_domain_state = h->data;
+		ret = ldb_transaction_start(trusted_domain_state->policy->sam_ldb);
+		if (ret != 0) {
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+
 		ret = ldb_delete(trusted_domain_state->policy->sam_ldb, 
 				 trusted_domain_state->trusted_domain_dn);
-		talloc_free(h);
 		if (ret != 0) {
+			ldb_transaction_cancel(trusted_domain_state->policy->sam_ldb);
 			return NT_STATUS_INVALID_HANDLE;
 		}
 
+		if (trusted_domain_state->trusted_domain_user_dn) {
+			ret = ldb_delete(trusted_domain_state->policy->sam_ldb, 
+					 trusted_domain_state->trusted_domain_user_dn);
+			if (ret != 0) {
+				ldb_transaction_cancel(trusted_domain_state->policy->sam_ldb);
+				return NT_STATUS_INVALID_HANDLE;
+			}
+		}
+
+		ret = ldb_transaction_commit(trusted_domain_state->policy->sam_ldb);
+		if (ret != 0) {
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		talloc_free(h);
 		ZERO_STRUCTP(r->out.handle);
 
 		return NT_STATUS_OK;
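Review bot: the handle is no longer freed on the failure paths. Before this change talloc_free(h) ran before the ret check; now it runs only after a successful commit, so a failed ldb_delete (or a failed commit) leaves the trusted-domain handle open while the client is told NT_STATUS_INVALID_HANDLE, which is also a misleading status for what is usually an access or database error. Map the ldb result instead (e.g. LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS to NT_STATUS_ACCESS_DENIED, otherwise NT_STATUS_INTERNAL_DB_CORRUPTION as the commit-failure path already does) and decide explicitly whether the handle should survive a failed delete; if it should not, free it before returning on those paths too.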
@@ -585,49 +608,45 @@ static NTSTATUS dcesrv_lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALL
 /*
   lsa_CreateTrustedDomainEx2
 */


-- 
Samba Shared Repository

