[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Dec 12 06:35:03 MST 2011


The branch, master has been updated
       via  8581f0b HEIMDAL: Supply krb5_context to _krb5_internal_hmac to allow logging
       via  47a4388 s4-torture Do not use a fixed password for forest trust tests
       via  29635c9 s4-torture cope with servers earlier than Windows 2008
       via  8d3e86d s4-torture Modify rpc.lsa.forest.trust test to progress further FL Win2003 R2
       via  5ae24e1 s4-torture: Fix comment
       via  62a66b0 testsuite: Remove unused and unlikely to be revived DejaGNU tests
       via  c9d929a s4-lsarpc handle more info levels in SetInfoTrustedDomain calls
       via  c79db40 torture: do not reuse bindings between pipes
       via  e42e1ac s4-lsarpc Fix segfaults found by the samba4.rpc.lsa.forest test
      from  3d7521c s3:smbd: call sub_set_socket_ids() in smbd_process() again

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8581f0b429e225406ab09e83be20e732c1424fca
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 17 19:13:02 2011 +1100

    HEIMDAL: Supply krb5_context to _krb5_internal_hmac to allow logging
    
    Without this, log messages from any abort are not printed to
    the samba logs.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Dec 12 14:34:16 CET 2011 on sn-devel-104

commit 47a4388b91db76879716d57a2615303f94c559b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 12 22:52:46 2011 +1100

    s4-torture Do not use a fixed password for forest trust tests
    
    It is much better to always use random passwords.
    
    Andrew Bartlett

commit 29635c93d7a3e7d6297c065b56ece9650f6e4ee8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 10 15:02:52 2011 +1100

    s4-torture cope with servers earlier than Windows 2008
    
    Only Win2008 started to support new encryption types.
    
    Andrew Bartlett

commit 8d3e86d6ae6300ae427cc9104edbcc1193b5e892
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 10 14:17:57 2011 +1100

    s4-torture Modify rpc.lsa.forest.trust test to progress further FL Win2003 R2
    
    This modification is required to pass against a domain in functional
    level Windows 2003 or later.
    
    Andrew Bartlett

commit 5ae24e1cc084b48e46e0c7e355c262962eaa0b39
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 10 13:33:06 2011 +1100

    s4-torture: Fix comment

commit 62a66b00b61cf4f85a81cca78e1432007b47ea11
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 9 07:35:37 2011 +1100

    testsuite: Remove unused and unlikely to be revived DejaGNU tests

commit c9d929af8ba018816df69734bed1c197d0c3b7f2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 7 16:03:04 2011 +1100

    s4-lsarpc handle more info levels in SetInfoTrustedDomain calls
    
    This uses the very helpful conversion functions written for the s3 lsa server
    and places these in common.
    
    Andrew Bartlett

commit c79db40040e27e1f7853db322d7c7460895d57bc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 9 18:10:17 2011 +1100

    torture: do not reuse bindings between pipes
    
    This avoids connecting to the netlogon server over \pipe\lsarpc
    
    This works against windows because all pipes are implemented in the same
    process, but not Samba4, and relying on this is not recommended in the WSPP docs.
    
    Andrew Bartlett

commit e42e1ac089b3eca988848f3763ba54820192cb24
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 7 14:38:56 2011 +1100

    s4-lsarpc Fix segfaults found by the samba4.rpc.lsa.forest test
    
    This allows us to move this test to knownfail from skip

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/wscript_build                          |    2 +-
 .../rpc_client => libcli/lsarpc}/util_lsarpc.c     |   36 ++-
 .../rpc_client => libcli/lsarpc}/util_lsarpc.h     |   13 +-
 libcli/lsarpc/wscript_build                        |    5 +
 selftest/knownfail                                 |    1 +
 selftest/skip                                      |    1 -
 source3/Makefile.in                                |    4 +-
 source3/rpc_server/lsa/srv_lsa_nt.c                |    2 +-
 source3/torture/test_authinfo_structs.c            |    2 +-
 source3/wscript_build                              |    4 +-
 source4/heimdal/lib/krb5/crypto-arcfour.c          |   12 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |   51 ++-
 source4/rpc_server/wscript_build                   |    2 +-
 source4/torture/rpc/forest_trust.c                 |   55 ++-
 testsuite/README                                   |    4 -
 testsuite/config/unix.exp                          |   26 --
 testsuite/lib/compile.exp                          |   78 ----
 testsuite/lib/default-nt-names.exp                 |   20 -
 testsuite/lib/env-single.exp                       |   36 --
 testsuite/lib/nsswitch-config.exp                  |   21 -
 testsuite/lib/smbclient.exp                        |   54 ---
 testsuite/printing/Makefile.psec                   |   22 -
 testsuite/printing/psec.c                          |  438 --------------------
 testsuite/server/ipc.exp                           |   44 --
 testsuite/server/masktest.exp                      |   57 ---
 testsuite/server/rename.exp                        |   59 ---
 testsuite/server/xfer.exp                          |   48 ---
 wscript_build                                      |    1 +
 28 files changed, 133 insertions(+), 965 deletions(-)
 rename {source3/rpc_client => libcli/lsarpc}/util_lsarpc.c (92%)
 rename {source3/rpc_client => libcli/lsarpc}/util_lsarpc.h (72%)
 create mode 100644 libcli/lsarpc/wscript_build
 delete mode 100644 testsuite/config/unix.exp
 delete mode 100644 testsuite/lib/compile.exp
 delete mode 100644 testsuite/lib/default-nt-names.exp
 delete mode 100644 testsuite/lib/env-single.exp
 delete mode 100644 testsuite/lib/nsswitch-config.exp
 delete mode 100644 testsuite/lib/smbclient.exp
 delete mode 100644 testsuite/printing/Makefile.psec
 delete mode 100644 testsuite/printing/psec.c
 delete mode 100644 testsuite/server/ipc.exp
 delete mode 100644 testsuite/server/masktest.exp
 delete mode 100644 testsuite/server/rename.exp
 delete mode 100644 testsuite/server/xfer.exp


Changeset truncated at 500 lines:

diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index a140df2..ff8b82e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -2,7 +2,7 @@
 
 bld.SAMBA_LIBRARY('cliauth',
                   source='',
-                  deps='NTLMSSP_COMMON MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE KRB5_WRAP errors NTLM_CHECK',
+                  deps='NTLMSSP_COMMON MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE KRB5_WRAP errors NTLM_CHECK UTIL_LSARPC',
                   private_library=True,
                   grouping_library=True)
 
diff --git a/source3/rpc_client/util_lsarpc.c b/libcli/lsarpc/util_lsarpc.c
similarity index 92%
rename from source3/rpc_client/util_lsarpc.c
rename to libcli/lsarpc/util_lsarpc.c
index d67144b..0243e09 100644
--- a/source3/rpc_client/util_lsarpc.c
+++ b/libcli/lsarpc/util_lsarpc.c
@@ -20,7 +20,7 @@
 #include "includes.h"
 #include "../librpc/gen_ndr/ndr_drsblobs.h"
 #include "../librpc/gen_ndr/ndr_lsa.h"
-#include "rpc_client/util_lsarpc.h"
+#include "libcli/lsarpc/util_lsarpc.h"
 
 static NTSTATUS ai_array_2_trust_domain_info_buffer(TALLOC_CTX *mem_ctx,
 				uint32_t count,
@@ -186,9 +186,9 @@ NTSTATUS auth_blob_2_auth_info(TALLOC_CTX *mem_ctx,
 }
 
 static NTSTATUS trust_domain_info_buffer_2_ai_array(TALLOC_CTX *mem_ctx,
-				uint32_t count,
-				struct lsa_TrustDomainInfoBuffer *b,
-				struct AuthenticationInformationArray *ai)
+						    uint32_t count,
+						    struct lsa_TrustDomainInfoBuffer *b,
+						    struct AuthenticationInformationArray *ai)
 {
 	NTSTATUS status;
 	int i;
@@ -250,11 +250,11 @@ fail:
 	return status;
 }
 
-static NTSTATUS auth_info_2_trustauth_inout_blob(TALLOC_CTX *mem_ctx,
+NTSTATUS auth_info_2_trustauth_inout(TALLOC_CTX *mem_ctx,
 				     uint32_t count,
 				     struct lsa_TrustDomainInfoBuffer *current,
 				     struct lsa_TrustDomainInfoBuffer *previous,
-				     DATA_BLOB *inout_blob)
+				     struct trustAuthInOutBlob **iopw_out)
 {
 	NTSTATUS status;
 	struct trustAuthInOutBlob *iopw;
@@ -284,6 +284,30 @@ static NTSTATUS auth_info_2_trustauth_inout_blob(TALLOC_CTX *mem_ctx,
 		iopw->previous.array = NULL;
 	}
 
+	*iopw_out = iopw;
+
+	status = NT_STATUS_OK;
+
+done:
+	return status;
+}
+
+static NTSTATUS auth_info_2_trustauth_inout_blob(TALLOC_CTX *mem_ctx,
+				     uint32_t count,
+				     struct lsa_TrustDomainInfoBuffer *current,
+				     struct lsa_TrustDomainInfoBuffer *previous,
+				     DATA_BLOB *inout_blob)
+{
+	NTSTATUS status;
+	struct trustAuthInOutBlob *iopw = NULL;
+	enum ndr_err_code ndr_err;
+
+	status = auth_info_2_trustauth_inout(mem_ctx, count, current, previous, &iopw);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
 	ndr_err = ndr_push_struct_blob(inout_blob, mem_ctx,
 			      iopw,
 			      (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
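Review bot: auth_info_2_trustauth_inout() is now exported, but `*iopw_out` is assigned only on the success path just above the new `done:` label, so a caller that does not pre-initialise its pointer is left with an indeterminate value after a failure. Setting `*iopw_out = NULL` on entry would make the contract explicit; the two callers visible in this changeset happen to initialise their pointers to NULL. A short comment on the prototype stating which talloc context owns the returned structure would also help now that code outside this file calls it.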
diff --git a/source3/rpc_client/util_lsarpc.h b/libcli/lsarpc/util_lsarpc.h
similarity index 72%
rename from source3/rpc_client/util_lsarpc.h
rename to libcli/lsarpc/util_lsarpc.h
index 0aa5e25..2b47174 100644
--- a/source3/rpc_client/util_lsarpc.h
+++ b/libcli/lsarpc/util_lsarpc.h
@@ -17,16 +17,21 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _RPC_CLIENT_UTIL_LSARPC_H_
-#define _RPC_CLIENT_UTIL_LSARPC_H_
+#ifndef _LIBCLI_AUTH_UTIL_LSARPC_H_
+#define _LIBCLI_AUTH_UTIL_LSARPC_H_
 
-/* The following definitions come from rpc_client/util_lsarpc.c  */
+/* The following definitions come from libcli/auth/util_lsarpc.c  */
 
 NTSTATUS auth_blob_2_auth_info(TALLOC_CTX *mem_ctx,
 			       DATA_BLOB incoming, DATA_BLOB outgoing,
 			       struct lsa_TrustDomainInfoAuthInfo *auth_info);
+NTSTATUS auth_info_2_trustauth_inout(TALLOC_CTX *mem_ctx,
+				     uint32_t count,
+				     struct lsa_TrustDomainInfoBuffer *current,
+				     struct lsa_TrustDomainInfoBuffer *previous,
+				     struct trustAuthInOutBlob **iopw_out);
 NTSTATUS auth_info_2_auth_blob(TALLOC_CTX *mem_ctx,
 			       struct lsa_TrustDomainInfoAuthInfo *auth_info,
 			       DATA_BLOB *incoming, DATA_BLOB *outgoing);
 
-#endif /* _RPC_CLIENT_UTIL_LSARPC_H_ */
+#endif /* _LIBCLI_AUTH_UTIL_LSARPC_H_ */
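Review bot: the new include guard `_LIBCLI_AUTH_UTIL_LSARPC_H_` and the comment "The following definitions come from libcli/auth/util_lsarpc.c" both name libcli/auth, but the rename puts the files in libcli/lsarpc. Suggest `_LIBCLI_LSARPC_UTIL_LSARPC_H_` for the guard and libcli/lsarpc/util_lsarpc.c in the comment, so the header matches its location.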
diff --git a/libcli/lsarpc/wscript_build b/libcli/lsarpc/wscript_build
new file mode 100644
index 0000000..feb3970
--- /dev/null
+++ b/libcli/lsarpc/wscript_build
@@ -0,0 +1,5 @@
+#!/usr/bin/env python
+
+bld.SAMBA_SUBSYSTEM('UTIL_LSARPC',
+                    source='util_lsarpc.c',
+                    deps='NDR_LSA');
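Review bot: `deps='NDR_LSA');` ends with a stray semicolon, which Python accepts but which none of the other wscript_build calls in this changeset use. More importantly, util_lsarpc.c includes ndr_drsblobs.h and calls ndr_push_trustAuthInOutBlob, so this subsystem probably needs the drsblobs NDR dependency listed here too, rather than relying on each consumer to pull it in.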
diff --git a/selftest/knownfail b/selftest/knownfail
index 754ffb3..9e52fa8 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -106,3 +106,4 @@
 ^samba4.ldap.acl.*.AclSearchTests.test_search4$  # ACL search behaviour not enabled by default
 ^samba4.ldap.acl.*.AclSearchTests.test_search5$  # ACL search behaviour not enabled by default
 ^samba4.ldap.acl.*.AclSearchTests.test_search6$  # ACL search behaviour not enabled by default
+^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
diff --git a/selftest/skip b/selftest/skip
index 8771b67..8ff2e60 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -75,7 +75,6 @@
 ^samba4.rpc.frsapi							# Not provided by Samba 4
 ^samba4.rpc.ntsvcs							# Not provided by Samba 4
 ^samba4.rpc.dfs								# Not provided by Samba 4
-^samba4.rpc.lsa.forest							# Not provided by Samba 4
 ^samba4.*.base.samba3.*						# Samba3-specific test
 ^samba4.*.raw.samba3.*						# Samba3-specific test
 ^samba4.rpc..*samba3.*						# Samba3-specific test
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 0d89c14..b0c17f6 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -704,7 +704,7 @@ DCE_RPC_EP_OBJ = librpc/rpc/dcerpc_ep.o
 
 RPC_LSARPC_OBJ = rpc_server/lsa/srv_lsa_nt.o \
 		 librpc/gen_ndr/srv_lsa.o \
-		 rpc_client/util_lsarpc.o
+		 ../libcli/lsarpc/util_lsarpc.o
 
 RPC_NETLOGON_OBJ = rpc_server/netlogon/srv_netlog_nt.o \
 		   librpc/gen_ndr/srv_netlogon.o
@@ -1271,7 +1271,7 @@ SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) $(TLDAP_OBJ) \
 	@LIBWBCLIENT_STATIC@ \
         torture/wbc_async.o \
         ../nsswitch/wb_reqtrans.o \
-	rpc_client/util_lsarpc.o \
+	../libcli/lsarpc/util_lsarpc.o \
 	$(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBCLI_ECHO_OBJ)
 
 MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index a83938a..0a5cda5 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -48,7 +48,7 @@
 #include "rpc_server/srv_access_check.h"
 #include "../librpc/gen_ndr/ndr_wkssvc.h"
 #include "../libcli/auth/libcli_auth.h"
-#include "rpc_client/util_lsarpc.h"
+#include "../libcli/lsarpc/util_lsarpc.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
diff --git a/source3/torture/test_authinfo_structs.c b/source3/torture/test_authinfo_structs.c
index eea253d..0b5cff7 100644
--- a/source3/torture/test_authinfo_structs.c
+++ b/source3/torture/test_authinfo_structs.c
@@ -21,7 +21,7 @@
 #include "includes.h"
 #include "torture/proto.h"
 #include "librpc/gen_ndr/lsa.h"
-#include "rpc_client/util_lsarpc.h"
+#include "libcli/lsarpc/util_lsarpc.h"
 
 static bool cmp_TrustDomainInfoBuffer(struct lsa_TrustDomainInfoBuffer a,
 				      struct lsa_TrustDomainInfoBuffer b)
diff --git a/source3/wscript_build b/source3/wscript_build
index 8ca98b3..b07539f 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -32,7 +32,7 @@ DRSUAPI_SRC = '''${COMPRESSION_SRC}'''
 LIBCLI_SPOOLSS_SRC = '''rpc_client/cli_spoolss.c
                      rpc_client/init_spoolss.c'''
 
-LIBCLI_LSA_SRC = '''rpc_client/cli_lsarpc.c rpc_client/util_lsarpc.c'''
+LIBCLI_LSA_SRC = '''rpc_client/cli_lsarpc.c'''
 
 LIBCLI_SAMR_SRC = 'rpc_client/cli_samr.c'
 
@@ -1077,7 +1077,7 @@ bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR',
 
 bld.SAMBA3_LIBRARY('libcli_lsa3',
                    source=LIBCLI_LSA_SRC,
-                   deps='RPC_NDR_LSA INIT_LSA', 
+                   deps='RPC_NDR_LSA INIT_LSA UTIL_LSARPC', 
                    private_library=True)
 
 bld.SAMBA3_LIBRARY('libcli_netlogon3',
diff --git a/source4/heimdal/lib/krb5/crypto-arcfour.c b/source4/heimdal/lib/krb5/crypto-arcfour.c
index 1d4f946..0a51316 100644
--- a/source4/heimdal/lib/krb5/crypto-arcfour.c
+++ b/source4/heimdal/lib/krb5/crypto-arcfour.c
@@ -147,7 +147,7 @@ ARCFOUR_subencrypt(krb5_context context,
     k1_c.checksum.length = sizeof(k1_c_data);
     k1_c.checksum.data   = k1_c_data;
 
-    ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+    ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
@@ -162,7 +162,7 @@ ARCFOUR_subencrypt(krb5_context context,
     cksum.checksum.length = 16;
     cksum.checksum.data   = data;
 
-    ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+    ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
@@ -172,7 +172,7 @@ ARCFOUR_subencrypt(krb5_context context,
     k3_c.checksum.length = sizeof(k3_c_data);
     k3_c.checksum.data   = k3_c_data;
 
-    ret = _krb5_internal_hmac(NULL, c, data, 16, 0, &ke, &k3_c);
+    ret = _krb5_internal_hmac(context, c, data, 16, 0, &ke, &k3_c);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
@@ -215,7 +215,7 @@ ARCFOUR_subdecrypt(krb5_context context,
     k1_c.checksum.length = sizeof(k1_c_data);
     k1_c.checksum.data   = k1_c_data;
 
-    ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+    ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
@@ -230,7 +230,7 @@ ARCFOUR_subdecrypt(krb5_context context,
     k3_c.checksum.length = sizeof(k3_c_data);
     k3_c.checksum.data   = k3_c_data;
 
-    ret = _krb5_internal_hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
+    ret = _krb5_internal_hmac(context, c, cdata, 16, 0, &ke, &k3_c);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
@@ -245,7 +245,7 @@ ARCFOUR_subdecrypt(krb5_context context,
     cksum.checksum.length = 16;
     cksum.checksum.data   = cksum_data;
 
-    ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+    ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
     if (ret)
 	krb5_abortx(context, "hmac failed");
 
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 5acdfe8..609fb65 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -32,6 +32,7 @@
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
 #include "kdc/kdc-policy.h"
+#include "libcli/lsarpc/util_lsarpc.h"
 
 /*
   this type allows us to distinguish handle types
@@ -1525,7 +1526,7 @@ static NTSTATUS update_trust_user(TALLOC_CTX *mem_ctx,
 	}
 
 	/* entry exists, just modify secret if any */
-	if (in->count == 0) {
+	if (in == NULL || in->count == 0) {
 		return NT_STATUS_OK;
 	}
 
@@ -1601,6 +1602,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 	uint32_t *enc_types = NULL;
 	DATA_BLOB trustAuthIncoming, trustAuthOutgoing, auth_blob;
 	struct trustDomainPasswords auth_struct;
+	struct trustAuthInOutBlob *current_passwords = NULL;
 	NTSTATUS nt_status;
 	struct ldb_message **msgs;
 	struct ldb_message *msg;
@@ -1643,8 +1645,23 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 	}
 
 	if (auth_info) {
-		/* FIXME: not handled yet */
-		return NT_STATUS_INVALID_PARAMETER;
+		nt_status = auth_info_2_auth_blob(mem_ctx, auth_info,
+						  &trustAuthIncoming,
+						  &trustAuthOutgoing);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
+		if (trustAuthIncoming.data) {
+			/* This does the decode of some of this twice, but it is easier that way */
+			nt_status = auth_info_2_trustauth_inout(mem_ctx,
+								auth_info->incoming_count,
+								auth_info->incoming_current_auth_info,
+								NULL,
+								&current_passwords);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				return nt_status;
+			}
+		}
 	}
 
 	/* decode auth_info_int if set */
@@ -1695,18 +1712,21 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 
 	/* TODO: should we fetch previous values from the existing entry
 	 * and append them ? */
-	if (auth_struct.incoming.count) {
+	if (auth_info_int && auth_struct.incoming.count) {
 		nt_status = get_trustauth_inout_blob(dce_call, mem_ctx,
 						     &auth_struct.incoming,
 						     &trustAuthIncoming);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return nt_status;
 		}
+
+		current_passwords = &auth_struct.incoming;
+
 	} else {
 		trustAuthIncoming = data_blob(NULL, 0);
 	}
 
-	if (auth_struct.outgoing.count) {
+	if (auth_info_int && auth_struct.outgoing.count) {
 		nt_status = get_trustauth_inout_blob(dce_call, mem_ctx,
 						     &auth_struct.outgoing,
 						     &trustAuthOutgoing);
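Review bot: in the incoming branch, a request that supplies auth_info but not auth_info_int now fails the `auth_info_int && ...` test and falls into the unchanged `else { trustAuthIncoming = data_blob(NULL, 0); }`. As far as the visible lines show, that discards the blob that the new auth_info_2_auth_blob() call filled in earlier in this function, while current_passwords stays set from that path. If the outgoing branch has the same else arm, trustAuthOutgoing is lost the same way. Suggest initialising both blobs to empty before the `if (auth_info)` block and dropping the else arms, so a blob is only cleared when neither input supplied it.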
@@ -1831,17 +1851,15 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 	}
 	in_transaction = true;
 
-	ret = ldb_modify(p_state->sam_ldb, msg);
-	if (ret != LDB_SUCCESS) {
-		DEBUG(1,("Failed to modify trusted domain record %s: %s\n",
-			 ldb_dn_get_linearized(msg->dn),
-			 ldb_errstring(p_state->sam_ldb)));
-		if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-			nt_status = NT_STATUS_ACCESS_DENIED;
-		} else {
-			nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+	if (msg->num_elements) {
+		ret = ldb_modify(p_state->sam_ldb, msg);
+		if (ret != LDB_SUCCESS) {
+			DEBUG(1,("Failed to modify trusted domain record %s: %s\n",
+				 ldb_dn_get_linearized(msg->dn),
+				 ldb_errstring(p_state->sam_ldb)));
+			nt_status = dsdb_ldb_err_to_ntstatus(ret);
+			goto done;
 		}
-		goto done;
 	}
 
 	if (add_incoming || del_incoming) {
@@ -1854,12 +1872,13 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 			goto done;
 		}
 
+		/* We use trustAuthIncoming.data to incidate that auth_struct.incoming is valid */
 		nt_status = update_trust_user(mem_ctx,
 					      p_state->sam_ldb,
 					      p_state->domain_dn,
 					      del_incoming,
 					      netbios_name,
-					      &auth_struct.incoming);
+					      current_passwords);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			goto done;
 		}
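Review bot: the new comment above update_trust_user() says trustAuthIncoming.data indicates that auth_struct.incoming is valid, but this call no longer passes `&auth_struct.incoming`. It passes current_passwords, and "nothing to set" is now signalled by that pointer being NULL, which the `in == NULL` check added to update_trust_user() handles. Please reword the comment to describe current_passwords, and fix the typo "incidate".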
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index cf6d712..ffdee23 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -93,7 +93,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
 	autoproto='lsa/proto.h',
 	subsystem='dcerpc_server',
 	init_function='dcerpc_server_lsa_init',
-	deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy'
+	deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
 	)
 
 
diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
index ffd8413..f416054 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -36,7 +36,6 @@
 #define TEST_DOM_DNS "torturedom.samba.example.com"
 #define TEST_DOM_SID "S-1-5-21-97398-379795-10000"
 #define TEST_MACHINE_NAME "lsatestmach"
-#define TPASS "1234567890"
 
 
 static bool test_get_policy_handle(struct torture_context *tctx,
@@ -118,7 +117,13 @@ static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
 
 	trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;
 
-	trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+	/* MS-LSAD: Section 3.1.4.7.10 makes it clear that Win2k3
+	 * functional level and above return
+	 * NT_STATUS_INVALID_DOMAIN_STATE if
+	 * TRUST_ATTRIBUTE_FOREST_TRANSITIVE or
+	 * TRUST_ATTRIBUTE_CROSS_ORGANIZATION is set here.
+	*/
+	trustinfo.trust_attributes = 0;
 
 	r.in.policy_handle = handle;
 	r.in.info = &trustinfo;
@@ -133,7 +138,7 @@ static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
 				   dcerpc_lsa_CreateTrustedDomainEx2_r(p->binding_handle, tctx, &r),
 				   "CreateTrustedDomainEx2 failed");
 	if (!NT_STATUS_IS_OK(r.out.result)) {
-		torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(r.out.result));
+		torture_comment(tctx, "CreateTrustedDomainEx2 failed - %s\n", nt_errstr(r.out.result));
 		ret = false;
 	} else {
 
@@ -303,6 +308,11 @@ static bool get_and_set_info(struct dcerpc_pipe *p,
 					      "%s but %s\n",
 					      nt_errstr(il[c].get_result),
 					      nt_errstr(qr.out.result));
+			
+			/* We may be testing a server without support for this level */
+			if (qr.in.level == LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES && NT_STATUS_EQUAL(qr.out.result, NT_STATUS_INVALID_PARAMETER)) {
+				return true;
+			}
 			return false;
 		}
 
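Review bot: the new `return true;` for LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES leaves get_and_set_info() altogether. If this code sits inside the loop over il[c], as the indexing suggests, any info levels after this one are never exercised against a pre-2008 server and the test still reports success. Skipping only this level (for example with `continue`) would keep the remaining coverage. The check also runs after the mismatch comment has been printed, so the log shows a failure message for a case the test then accepts; moving the check above the torture_comment, or adding a comment that the level is unsupported, would make the output clearer. The added blank line before the new comment carries trailing whitespace.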
@@ -562,11 +572,12 @@ static bool get_trust_domain_passwords_auth_blob(TALLOC_CTX *mem_ctx,
 }
 
 static bool test_validate_trust(struct torture_context *tctx,
-				struct dcerpc_binding *binding,
+				const char *binding,
 				const char *trusting_dom_name,
 				const char *trusting_dom_dns_name,
 				const char *trusted_dom_name,
-				const char *trusted_dom_dns_name)
+				const char *trusted_dom_dns_name,
+				const char *trust_password)
 {
 	struct netr_ServerGetTrustInfo r;
 
@@ -580,12 +591,15 @@ static bool test_validate_trust(struct torture_context *tctx,
 
 	NTSTATUS status;
 	struct cli_credentials *credentials;
+	struct dcerpc_binding *b;
 	struct dcerpc_pipe *pipe;
 
 	struct netr_GetForestTrustInformation fr;
 	struct lsa_ForestTrustInformation *forest_trust_info;
 	int i;
 
+	status = dcerpc_parse_binding(tctx, binding, &b);
+	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 
 	credentials = cli_credentials_init(tctx);
 	if (credentials == NULL) {
@@ -599,18 +613,18 @@ static bool test_validate_trust(struct torture_context *tctx,
 				   CRED_SPECIFIED);
 	cli_credentials_set_realm(credentials, trusting_dom_dns_name,
 				  CRED_SPECIFIED);
-	cli_credentials_set_password(credentials, TPASS, CRED_SPECIFIED);
+	cli_credentials_set_password(credentials, trust_password, CRED_SPECIFIED);
 	cli_credentials_set_workstation(credentials,
 					trusted_dom_name, CRED_SPECIFIED);


-- 
Samba Shared Repository

