[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Fri Jul 15 11:58:03 MDT 2011


The branch, master has been updated
       via  e898ad3 s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to deal with unencrypted auth info.
       via  7f52cd3 s4-smbtorture: add very basic tests for lsa_CreateTrustedDomainEx.
       via  ee1f25d lsa: lsa_CreateTrustedDomainEx takes lsa_TrustDomainInfoAuthInfo, not lsa_TrustDomainInfoAuthInfoInternal.
       via  3af3e48 lsa: rename auth info argument in lsa_CreateTrustedDomainEx2
      from  7acc1a7 s4:kdc: set *_strongest_*_key to true to restore the old behavior

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e898ad3ffecff5714f381f540753a2b745614995
Author: Günther Deschner <gd at samba.org>
Date:   Fri Jul 15 18:38:21 2011 +0200

    s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to deal with unencrypted auth info.
    
    Guenther
    
    Autobuild-User: Günther Deschner <gd at samba.org>
    Autobuild-Date: Fri Jul 15 19:57:48 CEST 2011 on sn-devel-104

commit 7f52cd3b358c4a33606f222b4c59acb2f33d9235
Author: Günther Deschner <gd at samba.org>
Date:   Fri Jul 15 15:38:12 2011 +0200

    s4-smbtorture: add very basic tests for lsa_CreateTrustedDomainEx.
    
    Guenther

commit ee1f25dc2ae715fa76417419010131861f95d8bf
Author: Günther Deschner <gd at samba.org>
Date:   Fri Jul 15 11:18:00 2011 +0200

    lsa: lsa_CreateTrustedDomainEx takes lsa_TrustDomainInfoAuthInfo, not
    lsa_TrustDomainInfoAuthInfoInternal.
    
    Guenther

commit 3af3e4843fbcfcc35594e0c681f4713ebb5b76e4
Author: Günther Deschner <gd at samba.org>
Date:   Fri Jul 15 17:26:16 2011 +0200

    lsa: rename auth info argument in lsa_CreateTrustedDomainEx2
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/lsa.idl                  |    4 +-
 source3/rpc_server/lsa/srv_lsa_nt.c |   13 +++--
 source3/utils/net_rpc_trust.c       |    2 +-
 source4/rpc_server/lsa/dcesrv_lsa.c |   30 ++++++----
 source4/torture/rpc/forest_trust.c  |    2 +-
 source4/torture/rpc/lsa.c           |  100 +++++++++++++++++++++++++++-------
 6 files changed, 109 insertions(+), 42 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index c8aaa47..d8f2649 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1052,7 +1052,7 @@ import "misc.idl", "security.idl";
 	NTSTATUS lsa_CreateTrustedDomainEx(
 		[in]  policy_handle               *policy_handle,
 		[in]  lsa_TrustDomainInfoInfoEx   *info,
-		[in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+		[in]  lsa_TrustDomainInfoAuthInfo *auth_info,
 		[in]  lsa_TrustedAccessMask access_mask,
 		[out] policy_handle               *trustdom_handle
 		);
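Review bot: The `auth_info` parameter of lsa_CreateTrustedDomainEx now carries the non-Internal structure, which the commit message describes as unencrypted, while lsa_CreateTrustedDomainEx2 keeps the *Internal blob that source3 arcfour-decrypts with the session key elsewhere in this changeset; nothing on the IDL line records that difference. A one-line comment would save the next reader from re-deriving it, e.g. `/* cleartext auth info; confidentiality depends on the DCERPC transport, unlike the session-key-encrypted *Internal blob used by Ex2 */`. The definition of lsa_TrustDomainInfoAuthInfo is outside this hunk, so its exact contents are not visible here.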
@@ -1186,7 +1186,7 @@ import "misc.idl", "security.idl";
 	NTSTATUS lsa_CreateTrustedDomainEx2(
 		[in]  policy_handle               *policy_handle,
 		[in]  lsa_TrustDomainInfoInfoEx   *info,
-		[in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+		[in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info_internal,
 		[in]  lsa_TrustedAccessMask access_mask,
 		[out] policy_handle               *trustdom_handle
 		);
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index c6f45ea..2342a0e 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1746,9 +1746,9 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
 	td.trust_type = r->in.info->trust_type;
 	td.trust_attributes = r->in.info->trust_attributes;
 
-	if (r->in.auth_info->auth_blob.size != 0) {
-		auth_blob.length = r->in.auth_info->auth_blob.size;
-		auth_blob.data = r->in.auth_info->auth_blob.data;
+	if (r->in.auth_info_internal->auth_blob.size != 0) {
+		auth_blob.length = r->in.auth_info_internal->auth_blob.size;
+		auth_blob.data = r->in.auth_info_internal->auth_blob.data;
 
 		arcfour_crypt_blob(auth_blob.data, auth_blob.length,
 				   &p->session_info->session_key);
@@ -1818,10 +1818,13 @@ NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
 				    struct lsa_CreateTrustedDomainEx *r)
 {
 	struct lsa_CreateTrustedDomainEx2 q;
+	struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
+
+	ZERO_STRUCT(auth_info);
 
 	q.in.policy_handle	= r->in.policy_handle;
 	q.in.info		= r->in.info;
-	q.in.auth_info		= r->in.auth_info;
+	q.in.auth_info_internal	= &auth_info;
 	q.in.access_mask	= r->in.access_mask;
 	q.out.trustdom_handle	= r->out.trustdom_handle;
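Review bot: `r->in.auth_info` is no longer read anywhere in this hunk: the client-supplied unencrypted auth info is replaced by a zeroed `auth_info`, so a caller that sends trust passwords via CreateTrustedDomainEx gets a trust object created without them and, as far as this hunk shows, no error. At minimum the Ex entry point should mirror the check the source4 server applies to the same call in this changeset, `if (r->in.auth_info->incoming_count > 1) { return NT_STATUS_INVALID_PARAMETER; }`, and carry a comment stating that the supplied secrets are deliberately dropped for now, so the gap is visible rather than silent. The rest of _lsa_CreateTrustedDomainEx, including the call into _lsa_CreateTrustedDomainEx2 and its return value, is outside the hunk.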
 
@@ -1850,7 +1853,7 @@ NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
 
 	c.in.policy_handle	= r->in.policy_handle;
 	c.in.info		= &info;
-	c.in.auth_info		= &auth_info;
+	c.in.auth_info_internal	= &auth_info;
 	c.in.access_mask	= r->in.access_mask;
 	c.out.trustdom_handle	= r->out.trustdom_handle;
 
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index 318c06f..82cc8a5 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -128,7 +128,7 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx,
 
 	r.in.policy_handle = pol_hnd;
 	r.in.info = &trustinfo;
-	r.in.auth_info = authinfo;
+	r.in.auth_info_internal = authinfo;
 	r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH |
 			   LSA_TRUSTED_QUERY_DOMAIN_NAME;
 	r.out.trustdom_handle = &trustdom_handle;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 1acde1c..d5c1b61 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -874,7 +874,8 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
 static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dce_call,
 						    TALLOC_CTX *mem_ctx,
 						    struct lsa_CreateTrustedDomainEx2 *r,
-						    int op)
+						    int op,
+						    struct lsa_TrustDomainInfoAuthInfo *unencrypted_auth_info)
 {
 	struct dcesrv_handle *policy_handle;
 	struct lsa_policy_state *policy_state;
@@ -931,20 +932,26 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 		/* No secrets are created at this time, for this function */
 		auth_struct.outgoing.count = 0;
 		auth_struct.incoming.count = 0;
-	} else {
-		auth_blob = data_blob_const(r->in.auth_info->auth_blob.data,
-					    r->in.auth_info->auth_blob.size);
+	} else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX2) {
+		auth_blob = data_blob_const(r->in.auth_info_internal->auth_blob.data,
+					    r->in.auth_info_internal->auth_blob.size);
 		nt_status = get_trustdom_auth_blob(dce_call, mem_ctx,
 						   &auth_blob, &auth_struct);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return nt_status;
 		}
+	} else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
 
-		if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
-			if (auth_struct.incoming.count > 1) {
-				return NT_STATUS_INVALID_PARAMETER;
-			}
+		if (unencrypted_auth_info->incoming_count > 1) {
+			return NT_STATUS_INVALID_PARAMETER;
 		}
+
+		/* more investigation required here, do not create secrets for
+		 * now */
+		auth_struct.outgoing.count = 0;
+		auth_struct.incoming.count = 0;
+	} else {
+		return NT_STATUS_INVALID_PARAMETER;
 	}
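Review bot: `unencrypted_auth_info` is dereferenced in the NDR_LSA_CREATETRUSTEDDOMAINEX branch without a NULL check, while the other two callers in this changeset pass NULL for it; the pairing of `op` with a non-NULL pointer is an unstated contract of dcesrv_lsa_CreateTrustedDomain_base. A guard at the top of that branch, `if (unencrypted_auth_info == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, makes a mismatched caller fail cleanly instead of faulting inside the RPC server. Separately, a client that supplies incoming or outgoing secrets via Ex now gets a trust with no secrets and, as far as this hunk shows, a success status; if that is an intentional stopgap, a DEBUG line next to the "more investigation required" comment would make the silent drop discoverable. The enclosing function starts in the previous hunk and continues past this one.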
 
 	if (auth_struct.incoming.count) {
@@ -1126,7 +1133,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx2(struct dcesrv_call_state *dce_
 					   TALLOC_CTX *mem_ctx,
 					   struct lsa_CreateTrustedDomainEx2 *r)
 {
-	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, NDR_LSA_CREATETRUSTEDDOMAINEX2);
+	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, NDR_LSA_CREATETRUSTEDDOMAINEX2, NULL);
 }
 /*
   lsa_CreateTrustedDomainEx
@@ -1139,9 +1146,8 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx(struct dcesrv_call_state *dce_c
 
 	r2.in.policy_handle = r->in.policy_handle;
 	r2.in.info = r->in.info;
-	r2.in.auth_info = r->in.auth_info;
 	r2.out.trustdom_handle = r->out.trustdom_handle;
-	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAINEX);
+	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAINEX, r->in.auth_info);
 }
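Review bot: With `r2.in.auth_info = r->in.auth_info;` removed, `r2.in.auth_info_internal` is never assigned in this hunk; whether `r2` is zero-initialised where it is declared is outside the hunk, so the field may reach dcesrv_lsa_CreateTrustedDomain_base holding an indeterminate pointer. The Ex branch of the base function does not read it today, but an explicit `r2.in.auth_info_internal = NULL;` beside the other assignments costs nothing and matches the ZERO_STRUCT the source3 counterpart in this changeset uses. The start of dcesrv_lsa_CreateTrustedDomainEx, including the declaration of r2, is above the hunk.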
 
 /* 
@@ -1168,7 +1174,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_cal
 	r2.in.access_mask = r->in.access_mask;
 	r2.out.trustdom_handle = r->out.trustdom_handle;
 
-	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAIN);
+	return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAIN, NULL);
 			 
 }
 
diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
index 5e3efeb..1c5c177 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -122,7 +122,7 @@ static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
 
 	r.in.policy_handle = handle;
 	r.in.info = &trustinfo;
-	r.in.auth_info = authinfo;
+	r.in.auth_info_internal = authinfo;
 	/* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following
 	 * QueryTrustedDomainInfo call, although it seems that Windows does not
 	 * expect this */
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index aee0264..4fbf36c 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -2394,16 +2394,19 @@ static bool test_CreateTrustedDomain(struct dcerpc_binding_handle *b,
 	return ret;
 }
 
-static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
-					struct torture_context *tctx,
-					struct policy_handle *handle,
-					uint32_t num_trusts)
+static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
+					      struct torture_context *tctx,
+					      struct policy_handle *handle,
+					      uint32_t num_trusts,
+					      bool ex2_call)
 {
 	NTSTATUS status;
 	bool ret = true;
-	struct lsa_CreateTrustedDomainEx2 r;
+	struct lsa_CreateTrustedDomainEx r;
+	struct lsa_CreateTrustedDomainEx2 r2;
 	struct lsa_TrustDomainInfoInfoEx trustinfo;
-	struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
+	struct lsa_TrustDomainInfoAuthInfoInternal authinfo_internal;
+	struct lsa_TrustDomainInfoAuthInfo authinfo;
 	struct trustDomainPasswords auth_struct;
 	DATA_BLOB auth_blob;
 	struct dom_sid **domsid;
@@ -2415,7 +2418,11 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 	int i;
 	struct dcerpc_binding_handle *b = p->binding_handle;
 
-	torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
+	if (ex2_call) {
+		torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
+	} else {
+		torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d domains\n", num_trusts);
+	}
 
 	domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
 	trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
@@ -2475,24 +2482,55 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 
 		arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
 
-		authinfo.auth_blob.size = auth_blob.length;
-		authinfo.auth_blob.data = auth_blob.data;
+		ZERO_STRUCT(authinfo);
 
-		r.in.policy_handle = handle;
-		r.in.info = &trustinfo;
-		r.in.auth_info = &authinfo;
-		r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
-		r.out.trustdom_handle = &trustdom_handle[i];
+		authinfo_internal.auth_blob.size = auth_blob.length;
+		authinfo_internal.auth_blob.data = auth_blob.data;
 
-		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
-			"CreateTrustedDomainEx2 failed");
-		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
-			test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
-			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
+		if (ex2_call) {
+
+			r2.in.policy_handle = handle;
+			r2.in.info = &trustinfo;
+			r2.in.auth_info_internal = &authinfo_internal;
+			r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+			r2.out.trustdom_handle = &trustdom_handle[i];
+
+			torture_assert_ntstatus_ok(tctx,
+				dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
 				"CreateTrustedDomainEx2 failed");
+
+			status = r2.out.result;
+		} else {
+
+			r.in.policy_handle = handle;
+			r.in.info = &trustinfo;
+			r.in.auth_info = &authinfo;
+			r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+			r.out.trustdom_handle = &trustdom_handle[i];
+
+			torture_assert_ntstatus_ok(tctx,
+				dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
+				"CreateTrustedDomainEx failed");
+
+			status = r.out.result;
 		}
-		if (!NT_STATUS_IS_OK(r.out.result)) {
-			torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(r.out.result));
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+			test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
+			if (ex2_call) {
+				torture_assert_ntstatus_ok(tctx,
+					dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
+					"CreateTrustedDomainEx2 failed");
+				status = r2.out.result;
+			} else {
+				torture_assert_ntstatus_ok(tctx,
+					dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
+					"CreateTrustedDomainEx2 failed");
+				status = r.out.result;
+			}
+		}
+		if (!NT_STATUS_IS_OK(status)) {
+			torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
 			ret = false;
 		} else {
 
@@ -2553,6 +2591,22 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 	return ret;
 }
 
+static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
+					struct torture_context *tctx,
+					struct policy_handle *handle,
+					uint32_t num_trusts)
+{
+	return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, true);
+}
+
+static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
+				       struct torture_context *tctx,
+				       struct policy_handle *handle,
+				       uint32_t num_trusts)
+{
+	return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, false);
+}
+
 static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
 				 struct torture_context *tctx,
 				 struct policy_handle *handle)
@@ -3008,6 +3062,10 @@ static bool testcase_TrustedDomains(struct torture_context *tctx,
 		ret = false;
 	}
 
+	if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
+		ret = false;
+	}
+
 	if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
 		ret = false;
 	}

