[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Wed Aug 31 06:28:03 MDT 2011
The branch, master has been updated
via 485da3e s3-waf: allow unresolved symbols in some idmap and nss_info modules.
via 54d8af9 s3-waf: add missing tdb dependency to idmap_tdb2 module.
via fea278b s3-waf: convert nss_info subsystem into a private library.
via d292bc0 s4-smbtorture: For now, skip trusted domain auth validation tests against the sambas.
via 247851d s4-smbtorture: Add trust password to CreateTrust test
via 1473e64 s3-lsa: Add _lsa_SetInformationTrustedDomain() and related calls
via 34d5705 s4-smbtorture: Add tests for lsaQueryTrustedDomainInfoByName() and lsaSetTrustedDomainInfoByName()
via 579cb3d s3-lsa: Update _lsa_QueryTrustedDomainInfo()
via 751e7d4 s3-pdb_ipa: Add supported encryption types to struct pdb_trusted_domain
via 4f6de78 s3-pdb_ipa: Add posix offset to struct pdb_trusted_domain
via f864767 s3-ldap: Add Posix offset and encryption types to LDAP schema
via 1744be0 s3-ldap: Add sambaTrustForestTrustInfo to NDS LDAP schema (again)
via 3e2711c s3-lsa: Fix access mapping in _lsa_OpenTrustedDomain_base()
via 15c7a87 s3-lsa: Fix typo and use right pdb interface
via bb86062 s3-pdb_ipa: Derive domain GUID from SID
from 59e8db0 s3:modules make perfcount_test loadable again
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 485da3ecff87edc47cc6b99ada588d6113541a3f
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 31 12:45:10 2011 +0200
s3-waf: allow unresolved symbols in some idmap and nss_info modules.
Guenther
Autobuild-User: Günther Deschner <gd at samba.org>
Autobuild-Date: Wed Aug 31 14:27:31 CEST 2011 on sn-devel-104
commit 54d8af972231adf05e0f1482d23ce1a449f4e6ee
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 31 12:44:35 2011 +0200
s3-waf: add missing tdb dependency to idmap_tdb2 module.
Guenther
commit fea278bbed50cda5a41abae2ee750b3be889fc4c
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 31 12:43:57 2011 +0200
s3-waf: convert nss_info subsystem into a private library.
Guenther
commit d292bc07104fe6dc90fb143e630f2e259fbcb7c7
Author: Günther Deschner <gd at samba.org>
Date: Wed Aug 31 12:42:51 2011 +0200
s4-smbtorture: For now, skip trusted domain auth validation tests against the sambas.
Guenther
commit 247851d6be428f73170e315121c335190c780736
Author: Sumit Bose <sbose at redhat.com>
Date: Mon Aug 22 12:34:36 2011 +0200
s4-smbtorture: Add trust password to CreateTrust test
Instead of using empty authinfo and authinfo_internal structures a trust
password is added to these structures. After creating the trust the trust
account is used to validate that the trust password is set correctly.
Signed-off-by: Günther Deschner <gd at samba.org>
commit 1473e64c7f54146a000075604410ddc84f7e2889
Author: Sumit Bose <sbose at redhat.com>
Date: Tue Jun 28 14:37:44 2011 +0200
s3-lsa: Add _lsa_SetInformationTrustedDomain() and related calls
The following LSA calls are added:
- _lsa_SetInformationTrustedDomain()
- _lsa_SetTrustedDomainInfo()
- _lsa_SetTrustedDomainInfoByName()
Signed-off-by: Günther Deschner <gd at samba.org>
commit 34d57058ff014d073bbd5443a83e22bcb2abf0b2
Author: Sumit Bose <sbose at redhat.com>
Date: Mon Jun 20 14:39:01 2011 +0200
s4-smbtorture: Add tests for lsaQueryTrustedDomainInfoByName() and lsaSetTrustedDomainInfoByName()
Signed-off-by: Günther Deschner <gd at samba.org>
commit 579cb3dd339c340470daecc3c39eab156a28894d
Author: Sumit Bose <sbose at redhat.com>
Date: Wed Jul 6 16:06:54 2011 +0200
s3-lsa: Update _lsa_QueryTrustedDomainInfo()
Signed-off-by: Günther Deschner <gd at samba.org>
commit 751e7d4d33414d60971cdc9546d4d58e1b42a794
Author: Sumit Bose <sbose at redhat.com>
Date: Thu Jun 23 17:52:06 2011 +0200
s3-pdb_ipa: Add supported encryption types to struct pdb_trusted_domain
Signed-off-by: Günther Deschner <gd at samba.org>
commit 4f6de78a12a2b9adf4532e7e54637bf29c5d1067
Author: Sumit Bose <sbose at redhat.com>
Date: Thu Jun 23 17:42:52 2011 +0200
s3-pdb_ipa: Add posix offset to struct pdb_trusted_domain
Signed-off-by: Günther Deschner <gd at samba.org>
commit f864767034f5e463ce3f06e13920dedf55f494e4
Author: Sumit Bose <sbose at redhat.com>
Date: Fri Aug 12 17:46:23 2011 +0200
s3-ldap: Add Posix offset and encryption types to LDAP schema
Signed-off-by: Günther Deschner <gd at samba.org>
commit 1744be0a84d2e8a12725b6db01099000792194e6
Author: Sumit Bose <sbose at redhat.com>
Date: Fri Aug 19 11:49:21 2011 +0200
s3-ldap: Add sambaTrustForestTrustInfo to NDS LDAP schema (again)
The related attributes and objectclass were accidentally removed by commit
d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c
Signed-off-by: Günther Deschner <gd at samba.org>
commit 3e2711c7e009ddd0488f19305667c042ecc72d70
Author: Sumit Bose <sbose at redhat.com>
Date: Wed Jul 6 16:05:38 2011 +0200
s3-lsa: Fix access mapping in _lsa_OpenTrustedDomain_base()
Signed-off-by: Günther Deschner <gd at samba.org>
commit 15c7a873c21411d214ce1b81c123d5e63a5b6626
Author: Sumit Bose <sbose at redhat.com>
Date: Fri Jun 3 15:31:40 2011 +0200
s3-lsa: Fix typo and use right pdb interface
Signed-off-by: Günther Deschner <gd at samba.org>
commit bb86062f61b9ae0387c33023f792a05a24734b23
Author: Sumit Bose <sbose at redhat.com>
Date: Tue May 31 15:31:51 2011 +0200
s3-pdb_ipa: Derive domain GUID from SID
Signed-off-by: Günther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
examples/LDAP/samba-nds.schema | 61 +++++-
examples/LDAP/samba-schema-FDS.ldif | 6 +-
examples/LDAP/samba-schema-netscapeds5.x | 4 +-
examples/LDAP/samba.ldif | 9 +-
examples/LDAP/samba.schema | 12 +-
examples/LDAP/samba.schema.at.IBM-DS | 4 +
examples/LDAP/samba.schema.oc.IBM-DS | 2 +-
source3/include/passdb.h | 2 +
source3/passdb/pdb_ipa.c | 70 +++++-
source3/rpc_server/lsa/srv_lsa_nt.c | 408 +++++++++++++++++++++++++++---
source3/winbindd/wscript_build | 18 +-
source4/torture/rpc/forest_trust.c | 102 ++++++++
source4/torture/rpc/lsa.c | 283 ++++++++++++++++++---
13 files changed, 905 insertions(+), 76 deletions(-)
Changeset truncated at 500 lines:
diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema
index 369670b..8b427b5 100644
--- a/examples/LDAP/samba-nds.schema
+++ b/examples/LDAP/samba-nds.schema
@@ -293,7 +293,61 @@ dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' DESC 'Previous clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
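Review bot: sambaTrustAuthOutgoing and sambaTrustAuthIncoming (and likewise sambaTrustPartner, sambaFlatName and sambaTrustForestTrustInfo) are added without SINGLE-VALUE, while the integer attributes and sambaSecurityIdentifier in the same hunk carry it, so the directory will accept several values per trust object. If the passdb code reads one value per attribute, either mark them SINGLE-VALUE or document which value is used. The two auth attributes are described as holding authentication information for the trust, so a comment in this example schema that read access to them has to be restricted by directory ACLs would help deployers. The last added attributeTypes line also now runs straight into the "####" banner with no blank separator.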
@@ -379,3 +433,8 @@ dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' DESC 'Samba Privilege' SUP top AUXILIARY MUST ( sambaSID ) MAY ( sambaPrivilegeList ))
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes ) )
diff --git a/examples/LDAP/samba-schema-FDS.ldif b/examples/LDAP/samba-schema-FDS.ldif
index 7513a49..fdfdab6 100644
--- a/examples/LDAP/samba-schema-FDS.ldif
+++ b/examples/LDAP/samba-schema-FDS.ldif
@@ -137,6 +137,10 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Au
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+#
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+#
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
#######################################################################
## objectClasses: used by Samba 3.0 schema ##
@@ -183,4 +187,4 @@ objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP t
##
## used for IPA_ldapsam
##
-objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes) )
diff --git a/examples/LDAP/samba-schema-netscapeds5.x b/examples/LDAP/samba-schema-netscapeds5.x
index 55c2aff..8175eb2 100644
--- a/examples/LDAP/samba-schema-netscapeds5.x
+++ b/examples/LDAP/samba-schema-netscapeds5.x
@@ -36,7 +36,7 @@ objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL DESC 'Samba Trusted Domain Password' MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY ( sambaPreviousClearTextPassword ) X-ORIGIN 'user defined')
-objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo ) X-ORIGIN 'user defined' )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes ) X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE X-ORIGIN 'user defined' )
@@ -75,3 +75,5 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Au
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
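Review bot: the two added attributeTypes lines (.79 and .80) omit X-ORIGIN 'user defined', which the neighbouring .76 and .77 definitions and the sambaTrustedDomain objectClasses line in this same file carry. The .78 context line has the same omission, so it may be worth fixing all three together to keep the file consistent.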
diff --git a/examples/LDAP/samba.ldif b/examples/LDAP/samba.ldif
index b820602..be6433c 100644
--- a/examples/LDAP/samba.ldif
+++ b/examples/LDAP/samba.ldif
@@ -169,6 +169,12 @@ olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier
olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustIn
fo' DESC 'Forest trust information for a trusted domain object' EQUALITY case
ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset'
+ DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptio
+ nTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
@@ -214,4 +220,5 @@ olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
- fier $ sambaTrustForestTrustInfo ) )
+ fier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncr
+ yptionTypes) )
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index 716c191..2c6b214 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -514,6 +514,15 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributetype ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset'
+ DESC 'POSIX offset of a trust'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes'
+ DESC 'Supported encryption types of a trust'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
@@ -627,4 +636,5 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTUR
MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $
sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $
sambaTrustAuthIncoming $ sambaSecurityIdentifier $
- sambaTrustForestTrustInfo) )
+ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $
+ sambaSupportedEncryptionTypes) )
diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS
index a375284..77ddef8 100644
--- a/examples/LDAP/samba.schema.at.IBM-DS
+++ b/examples/LDAP/samba.schema.at.IBM-DS
@@ -110,3 +110,7 @@ attributetypes=( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Aut
attributetypes=( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetypes=( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+attributetypes=( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetypes=( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS
index 1301ad4..c3ed05b 100644
--- a/examples/LDAP/samba.schema.oc.IBM-DS
+++ b/examples/LDAP/samba.schema.oc.IBM-DS
@@ -20,4 +20,4 @@ objectclasses=( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTU
objectclasses=( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))
-objectclasses=( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo ) )
+objectclasses=( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL DESC 'Samba Trusted Domain Object' MUST ( cn ) MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes ) )
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 546bcb0..1d0f2f3 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -267,6 +267,8 @@ struct pdb_trusted_domain {
uint32_t trust_direction;
uint32_t trust_type;
uint32_t trust_attributes;
+ uint32_t *trust_posix_offset;
+ uint32_t *supported_enc_type;
DATA_BLOB trust_forest_trust_info;
};
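Review bot: trust_posix_offset and supported_enc_type are the only pointer-typed scalars among the uint32_t members shown here, and nothing in the struct says what NULL means. Please add a comment that NULL means "not set" (which is how ipasam_set_trusted_domain() in this changeset treats it) and that readers have to check for NULL before dereferencing.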
diff --git a/source3/passdb/pdb_ipa.c b/source3/passdb/pdb_ipa.c
index 02f7bb6..15e65e0 100644
--- a/source3/passdb/pdb_ipa.c
+++ b/source3/passdb/pdb_ipa.c
@@ -23,6 +23,7 @@
#include "libcli/security/dom_sid.h"
#include "../librpc/ndr/libndr.h"
#include "librpc/gen_ndr/samr.h"
+#include "secrets.h"
#include "smbldap.h"
@@ -34,6 +35,8 @@
#define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
#define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
#define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
+#define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
+#define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
#define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
#define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
#define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
@@ -363,6 +366,29 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
return false;
}
+ td->trust_posix_offset = talloc(td, uint32_t);
+ if (td->trust_posix_offset == NULL) {
+ return false;
+ }
+ res = get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ td->trust_posix_offset);
+ if (!res) {
+ return false;
+ }
+
+ td->supported_enc_type = talloc(td, uint32_t);
+ if (td->supported_enc_type == NULL) {
+ return false;
+ }
+ res = get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ td->supported_enc_type);
+ if (!res) {
+ return false;
+ }
+
+
get_data_blob_from_ldap_msg(td, ldap_state, entry,
LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
&td->trust_forest_trust_info);
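Review bot: in fill_pdb_trusted_domain() both new uint32_t values are allocated with talloc(), which leaves them uninitialised, and a false return from get_uint32_t_from_ldap_msg() aborts loading the whole trusted domain. Both attributes are only MAY in the sambaTrustedDomain object class, so entries written before this schema change will not have them. Please confirm the helper treats a missing attribute as success, and in that case either use talloc_zero() or leave the pointer NULL so that "absent" stays distinguishable from a stored value. There is also a stray double blank line before get_data_blob_from_ldap_msg().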
@@ -519,6 +545,26 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
}
}
+ if (td->trust_posix_offset != NULL) {
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ *td->trust_posix_offset);
+ if (!res) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
+ if (td->supported_enc_type != NULL) {
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ *td->supported_enc_type);
+ if (!res) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
if (td->trust_auth_outgoing.data != NULL) {
smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
@@ -717,9 +763,11 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
TALLOC_CTX *mem_ctx)
{
struct pdb_domain_info *info;
- NTSTATUS status;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)pdb_methods->private_data;
+ char sid_buf[24];
+ DATA_BLOB sid_blob;
+ NTSTATUS status;
info = talloc(mem_ctx, struct pdb_domain_info);
if (info == NULL) {
@@ -738,9 +786,27 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
}
strlower_m(info->dns_domain);
info->dns_forest = talloc_strdup(info, info->dns_domain);
+
+ /* we expect a domain SID to have 4 sub IDs */
+ if (ldap_state->domain_sid.num_auths != 4) {
+ goto fail;
+ }
+
sid_copy(&info->sid, &ldap_state->domain_sid);
- status = GUID_from_string("testguid", &info->guid);
+ if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
+ goto fail;
+ }
+
+ /* the first 8 bytes of the linearized SID are not random,
+ * so we skip them */
+ sid_blob.data = (uint8_t *) sid_buf + 8 ;
+ sid_blob.length = 16;
+
+ status = GUID_from_ndr_blob(&sid_blob, &info->guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
return info;
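Review bot: sid_buf[24], the "+ 8" offset and "length = 16" are three hard-coded numbers that only agree because num_auths is checked to be 4 a few lines earlier. Please tie them together with named constants or a short comment giving the linearized SID layout, so a later change to one of them cannot make GUID_from_ndr_blob() read past the buffer. The comment could also state outright that the GUID is now a deterministic function of the domain SID. The fail label is outside the visible context; please confirm it frees info, since three new paths jump to it after info has been allocated.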
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 2843162..ec87bd6 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1567,7 +1567,7 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
&access_mask);
/* map the generic bits to the lsa account ones */
- se_map_generic(&access_mask, &lsa_account_mapping);
+ se_map_generic(&access_mask, &lsa_trusted_domain_mapping);
/* get the generic lsa account SD until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
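Review bot: the comments around the changed se_map_generic() call still say "map the generic bits to the lsa account ones" and "get the generic lsa account SD", although the mapping is now lsa_trusted_domain_mapping. Please update the first comment with this fix, and check whether the security descriptor built just below should also be the trusted domain one rather than the account one.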
@@ -1862,7 +1862,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
psd,
r->out.trustdom_handle);
if (!NT_STATUS_IS_OK(status)) {
- pdb_del_trusteddom_pw(r->in.info->netbios_name.string);
+ pdb_del_trusted_domain(r->in.info->netbios_name.string);
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
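Review bot: the error path in _lsa_CreateTrustedDomainEx2() ignores the result of pdb_del_trusted_domain() and still returns NT_STATUS_OBJECT_NAME_NOT_FOUND instead of the status that actually failed. If the delete fails, the trusted domain object stays in the passdb while the client is told creation failed; please at least log the failed cleanup, and consider returning status so the caller sees the real error.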
@@ -1997,6 +1997,47 @@ NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
_lsa_QueryTrustedDomainInfo
***************************************************************************/
+static NTSTATUS pdb_trusted_domain_2_info_ex(TALLOC_CTX *mem_ctx,
+ struct pdb_trusted_domain *td,
+ struct lsa_TrustDomainInfoInfoEx *info_ex)
+{
+ if (td->domain_name == NULL ||
+ td->netbios_name == NULL ||
+ is_null_sid(&td->security_identifier)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ info_ex->domain_name.string = talloc_strdup(mem_ctx, td->domain_name);
+ info_ex->netbios_name.string = talloc_strdup(mem_ctx, td->netbios_name);
+ info_ex->sid = dom_sid_dup(mem_ctx, &td->security_identifier);
+ if (info_ex->domain_name.string == NULL ||
+ info_ex->netbios_name.string == NULL ||
+ info_ex->sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ info_ex->trust_direction = td->trust_direction;
+ info_ex->trust_type = td->trust_type;
+ info_ex->trust_attributes = td->trust_attributes;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_trusted_domain_2_auth_info(struct pdb_trusted_domain *td,
+ struct lsa_TrustDomainInfoAuthInfo *auth_info)
+{
+/* If I understand it correctly lsa_TrustDomainInfoAuthInfo is send unencrypted
+ * and related calls should not be used. If there is a use case, it can be
+ * implemented later. */
+ auth_info->incoming_count = 0;
+ auth_info->incoming_current_auth_info = NULL;
+ auth_info->incoming_previous_auth_info = NULL;
+ auth_info->outgoing_count = 0;
+ auth_info->outgoing_current_auth_info = NULL;
+ auth_info->outgoing_previous_auth_info = NULL;
+ return NT_STATUS_OK;
+}
+
NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
struct lsa_QueryTrustedDomainInfo *r)
{
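Review bot: pdb_trusted_domain_2_auth_info() returns NT_STATUS_OK with all counts zero and never touches its td argument, so a caller cannot tell "no auth info stored" from "auth info deliberately withheld". Since the comment gives the reason (the structure is sent unencrypted), please state that as the documented behaviour of the function rather than as "If I understand it correctly", fix "is send" to "is sent", and either drop the unused td parameter or mark it unused.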
@@ -2086,25 +2127,32 @@ NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
return NT_STATUS_INVALID_PARAMETER;
case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
+ info->posix_offset.posix_offset = *td->trust_posix_offset;
break;
case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
return NT_STATUS_INVALID_INFO_CLASS;
case LSA_TRUSTED_DOMAIN_INFO_BASIC:
return NT_STATUS_INVALID_PARAMETER;
case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
- init_lsa_StringLarge(&info->info_ex.domain_name, td->domain_name);
- init_lsa_StringLarge(&info->info_ex.netbios_name, td->netbios_name);
- info->info_ex.sid = dom_sid_dup(info, &td->security_identifier);
- if (!info->info_ex.sid) {
- return NT_STATUS_NO_MEMORY;
+ status = pdb_trusted_domain_2_info_ex(info, td, &info->info_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- info->info_ex.trust_direction = td->trust_direction;
- info->info_ex.trust_type = td->trust_type;
- info->info_ex.trust_attributes = td->trust_attributes;
break;
case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO:
return NT_STATUS_INVALID_INFO_CLASS;
case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
+ status = pdb_trusted_domain_2_info_ex(info, td,
+ &info->full_info.info_ex);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ info->full_info.posix_offset.posix_offset = *td->trust_posix_offset;
+ status = pdb_trusted_domain_2_auth_info(td,
+ &info->full_info.auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
break;
case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL:
return NT_STATUS_INVALID_INFO_CLASS;
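Review bot: the LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET and LSA_TRUSTED_DOMAIN_INFO_FULL_INFO cases dereference td->trust_posix_offset without a NULL check. The field is a pointer in struct pdb_trusted_domain, and ipasam_set_trusted_domain() in this same changeset treats NULL as a valid "not set" state, so a passdb backend that leaves it NULL turns this client-reachable query into a NULL dereference in the RPC server. Please check for NULL in each case and return an error status or a defined default.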
@@ -2113,8 +2161,15 @@ NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
return NT_STATUS_INVALID_PARAMETER;
case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
+ info->full_info2_internal.posix_offset.posix_offset = *td->trust_posix_offset;
+ status = pdb_trusted_domain_2_auth_info(td,
+ &info->full_info2_internal.auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
break;
case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES:
+ info->enc_types.enc_types = *td->supported_enc_type;
break;
default:
return NT_STATUS_INVALID_PARAMETER;
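Review bot: the LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL case fills only posix_offset and auth_info, whereas the FULL_INFO case in the previous hunk also fills the name, SID and trust fields through pdb_trusted_domain_2_info_ex(); if the reply structure has a corresponding part it is returned unset here. The same unchecked dereference applies to *td->trust_posix_offset in this case and to *td->supported_enc_type under LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES; both need a NULL check before use.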
@@ -3491,6 +3546,318 @@ NTSTATUS _lsa_Delete(struct pipes_struct *p,
return NT_STATUS_NOT_SUPPORTED;
}
+static NTSTATUS info_ex_2_pdb_trusted_domain(
+ struct lsa_TrustDomainInfoInfoEx *info_ex,
+ struct pdb_trusted_domain *td)
+{
+ if (info_ex->domain_name.string == NULL ||
+ info_ex->netbios_name.string == NULL ||
+ info_ex->sid == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ td->domain_name = talloc_strdup(td, info_ex->domain_name.string);
+ td->netbios_name = talloc_strdup(td, info_ex->netbios_name.string);
+ sid_copy(&td->security_identifier, info_ex->sid);
+ if (td->domain_name == NULL ||
+ td->netbios_name == NULL ||
+ is_null_sid(&td->security_identifier)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ td->trust_direction = info_ex->trust_direction;
+ td->trust_type = info_ex->trust_type;
+ td->trust_attributes = info_ex->trust_attributes;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS auth_info_2_pdb_trusted_domain(struct lsa_TrustDomainInfoAuthInfo *auth_info,
+ struct pdb_trusted_domain *td)
+{
+/* If I understand it correctly lsa_TrustDomainInfoAuthInfo is send unencrypted
+ * and related calls should not be used. If there is a use case, it can be
+ * implemented later. */
+ td->trust_auth_incoming.length = 0;
+ td->trust_auth_incoming.data = NULL;
+ td->trust_auth_outgoing.length = 0;
+ td->trust_auth_outgoing.data = NULL;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
+ TALLOC_CTX *mem_ctx, DATA_BLOB *auth_blob,
+ struct trustDomainPasswords *auth_struct)
+{
+ enum ndr_err_code ndr_err;
+
+ arcfour_crypt_blob(auth_blob->data, auth_blob->length,
+ &p->session_info->session_key);
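Review bot: in info_ex_2_pdb_trusted_domain() the second check returns NT_STATUS_NO_MEMORY when is_null_sid(&td->security_identifier) is true, but sid_copy() does not allocate, so a null SID supplied by the client is an invalid parameter, not an out-of-memory condition. Please reject a null info_ex->sid value in the first check and keep NT_STATUS_NO_MEMORY for the two talloc_strdup() results. Separately, auth_info_2_pdb_trusted_domain() discards the caller's auth_info and still returns NT_STATUS_OK, so a Set call carrying auth info appears to succeed without storing anything; returning an error or logging the ignored data would make that visible. The changeset is truncated inside get_trustdom_auth_blob(), so the rest of that function cannot be reviewed here.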
--
Samba Shared Repository