[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Mon Sep 12 07:53:02 MDT 2011
The branch, master has been updated
via 456aee8 s3-lsa: Add conversion for auth info structs
from 368ad28 doc: suggest samba-tool dbcheck in upgrading-samba4.txt
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 456aee80f584e136a4e1decb6c53fbe019ead6b8
Author: Sumit Bose <sbose at redhat.com>
Date: Thu Sep 1 18:18:31 2011 +0200
s3-lsa: Add conversion for auth info structs
struct lsa_TrustDomainInfoAuthInfo and struct
trustAuthInOutBlob can store the same information for different usage. The added
routines can convert one struct into the other.
Signed-off-by: Günther Deschner <gd at samba.org>
Autobuild-User: Günther Deschner <gd at samba.org>
Autobuild-Date: Mon Sep 12 15:52:17 CEST 2011 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 7 +-
source3/rpc_client/util_lsarpc.c | 334 ++++++++++++++++++++
.../rpc_client/{util_netlogon.h => util_lsarpc.h} | 19 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 47 +--
source3/torture/proto.h | 1 +
source3/torture/test_authinfo_structs.c | 218 +++++++++++++
source3/torture/torture.c | 1 +
source3/wscript_build | 5 +-
8 files changed, 587 insertions(+), 45 deletions(-)
create mode 100644 source3/rpc_client/util_lsarpc.c
copy source3/rpc_client/{util_netlogon.h => util_lsarpc.h} (57%)
create mode 100644 source3/torture/test_authinfo_structs.c
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index bf66af4..1b79637 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -688,7 +688,8 @@ LIB_EVENTLOG_OBJ = lib/eventlog/eventlog.o
DCE_RPC_EP_OBJ = librpc/rpc/dcerpc_ep.o
RPC_LSARPC_OBJ = rpc_server/lsa/srv_lsa_nt.o \
- librpc/gen_ndr/srv_lsa.o
+ librpc/gen_ndr/srv_lsa.o \
+ rpc_client/util_lsarpc.o
RPC_NETLOGON_OBJ = rpc_server/netlogon/srv_netlog_nt.o \
librpc/gen_ndr/srv_netlogon.o
@@ -1255,13 +1256,15 @@ SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/uta
torture/test_addrchange.o \
torture/test_case_insensitive.o \
torture/test_posix_append.o \
- torture/test_smb2.o
+ torture/test_smb2.o \
+ torture/test_authinfo_structs.o
SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) $(TLDAP_OBJ) \
$(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \
@LIBWBCLIENT_STATIC@ \
torture/wbc_async.o \
../nsswitch/wb_reqtrans.o \
+ rpc_client/util_lsarpc.o \
$(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBCLI_ECHO_OBJ)
MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
diff --git a/source3/rpc_client/util_lsarpc.c b/source3/rpc_client/util_lsarpc.c
new file mode 100644
index 0000000..e607a0c
--- /dev/null
+++ b/source3/rpc_client/util_lsarpc.c
@@ -0,0 +1,334 @@
+/*
+ Unix SMB/CIFS implementation.
+ Authentication utility functions
+ Copyright (C) Sumit Bose 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "rpc_client/util_lsarpc.h"
+
+static NTSTATUS ai_array_2_trust_domain_info_buffer(TALLOC_CTX *mem_ctx,
+ uint32_t count,
+ struct AuthenticationInformationArray *ai,
+ struct lsa_TrustDomainInfoBuffer **_b)
+{
+ NTSTATUS status;
+ struct lsa_TrustDomainInfoBuffer *b;
+ int i;
+
+ b = talloc_array(mem_ctx, struct lsa_TrustDomainInfoBuffer, count);
+ if (b == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for(i = 0; i < count; i++) {
+ size_t size = 0;
+ b[i].last_update_time = ai->array[i].LastUpdateTime;
+ b[i].AuthType = ai->array[i].AuthType;
+ switch(ai->array[i].AuthType) {
+ case TRUST_AUTH_TYPE_NONE:
+ b[i].data.size = 0;
+ b[i].data.data = NULL;
+ break;
+ case TRUST_AUTH_TYPE_NT4OWF:
+ if (ai->array[i].AuthInfo.nt4owf.size != 16) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ b[i].data.data = talloc_memdup(b,
+ &ai->array[i].AuthInfo.nt4owf.password.hash,
+ 16);
+ if (b[i].data.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ break;
+ case TRUST_AUTH_TYPE_CLEAR:
+ if (!convert_string_talloc(b,
+ CH_UTF16LE, CH_UNIX,
+ ai->array[i].AuthInfo.clear.password,
+ ai->array[i].AuthInfo.clear.size,
+ &b[i].data.data,
+ &size)) {
+ goto fail;
+ }
+ b[i].data.size = size;
+ break;
+ case TRUST_AUTH_TYPE_VERSION:
+ if (ai->array[i].AuthInfo.version.size != 4) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ b[i].data.size = 4;
+ b[i].data.data = talloc_memdup(b,
+ &ai->array[i].AuthInfo.version.version, 4);
+ if (b[i].data.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ }
+
+ *_b = b;
+
+ return NT_STATUS_OK;
+
+fail:
+ talloc_free(b);
+ return status;
+}
+
+static NTSTATUS trustauth_inout_blob_2_auth_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *inout_blob,
+ uint32_t *count,
+ struct lsa_TrustDomainInfoBuffer **current,
+ struct lsa_TrustDomainInfoBuffer **previous)
+{
+ NTSTATUS status;
+ struct trustAuthInOutBlob iopw;
+ enum ndr_err_code ndr_err;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ndr_err = ndr_pull_struct_blob(inout_blob, tmp_ctx, &iopw,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ *count = iopw.count;
+
+ status = ai_array_2_trust_domain_info_buffer(mem_ctx, iopw.count,
+ &iopw.current, current);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (iopw.previous.count > 0) {
+ status = ai_array_2_trust_domain_info_buffer(mem_ctx, iopw.count,
+ &iopw.previous, previous);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ } else {
+ *previous = NULL;
+ }
+
+ status = NT_STATUS_OK;
+
+done:
+ talloc_free(tmp_ctx);
+ return status;
+}
+
+NTSTATUS auth_blob_2_auth_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB incoming, DATA_BLOB outgoing,
+ struct lsa_TrustDomainInfoAuthInfo *auth_info)
+{
+ NTSTATUS status;
+
+ if (incoming.length != 0) {
+ status = trustauth_inout_blob_2_auth_info(mem_ctx,
+ &incoming,
+ &auth_info->incoming_count,
+ &auth_info->incoming_current_auth_info,
+ &auth_info->incoming_previous_auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ auth_info->incoming_count = 0;
+ auth_info->incoming_current_auth_info = NULL;
+ auth_info->incoming_previous_auth_info = NULL;
+ }
+
+ if (outgoing.length != 0) {
+ status = trustauth_inout_blob_2_auth_info(mem_ctx,
+ &outgoing,
+ &auth_info->outgoing_count,
+ &auth_info->outgoing_current_auth_info,
+ &auth_info->outgoing_previous_auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ auth_info->outgoing_count = 0;
+ auth_info->outgoing_current_auth_info = NULL;
+ auth_info->outgoing_previous_auth_info = NULL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS trust_domain_info_buffer_2_ai_array(TALLOC_CTX *mem_ctx,
+ uint32_t count,
+ struct lsa_TrustDomainInfoBuffer *b,
+ struct AuthenticationInformationArray *ai)
+{
+ NTSTATUS status;
+ int i;
+
+ ai->count = count;
+ ai->array = talloc_zero_array(mem_ctx, struct AuthenticationInformation,
+ count);
+ if (ai->array == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for(i = 0; i < count; i++) {
+ size_t size = 0;
+ ai->array[i].LastUpdateTime = b[i].last_update_time;
+ ai->array[i].AuthType = b[i].AuthType;
+ switch(ai->array[i].AuthType) {
+ case TRUST_AUTH_TYPE_NONE:
+ ai->array[i].AuthInfo.none.size = 0;
+ break;
+ case TRUST_AUTH_TYPE_NT4OWF:
+ if (b[i].data.size != 16) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ memcpy(&ai->array[i].AuthInfo.nt4owf.password.hash,
+ b[i].data.data, 16);
+ break;
+ case TRUST_AUTH_TYPE_CLEAR:
+ if (!convert_string_talloc(ai->array,
+ CH_UNIX, CH_UTF16,
+ b[i].data.data,
+ b[i].data.size,
+ &ai->array[i].AuthInfo.clear.password,
+ &size)) {
+ goto fail;
+ }
+ ai->array[i].AuthInfo.clear.size = size;
+ break;
+ case TRUST_AUTH_TYPE_VERSION:
+ if (b[i].data.size != 4) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ ai->array[i].AuthInfo.version.size = 4;
+ memcpy(&ai->array[i].AuthInfo.version.version,
+ b[i].data.data, 4);
+ break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+ }
+
+ return NT_STATUS_OK;
+
+fail:
+ talloc_free(ai->array);
+ return status;
+}
+
+static NTSTATUS auth_info_2_trustauth_inout_blob(TALLOC_CTX *mem_ctx,
+ uint32_t count,
+ struct lsa_TrustDomainInfoBuffer *current,
+ struct lsa_TrustDomainInfoBuffer *previous,
+ DATA_BLOB *inout_blob)
+{
+ NTSTATUS status;
+ struct trustAuthInOutBlob *iopw;
+ enum ndr_err_code ndr_err;
+
+ iopw = talloc_zero(mem_ctx, struct trustAuthInOutBlob);
+ if (iopw == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ iopw->count = count;
+ status = trust_domain_info_buffer_2_ai_array(iopw, count, current,
+ &iopw->current);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (previous != NULL) {
+ status = trust_domain_info_buffer_2_ai_array(iopw, count,
+ previous,
+ &iopw->previous);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ } else {
+ iopw->previous.count = 0;
+ iopw->previous.array = NULL;
+ }
+
+ ndr_err = ndr_push_struct_blob(inout_blob, mem_ctx,
+ iopw,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = NT_STATUS_OK;
+
+done:
+ talloc_free(iopw);
+ return status;
+}
+
+NTSTATUS auth_info_2_auth_blob(TALLOC_CTX *mem_ctx,
+ struct lsa_TrustDomainInfoAuthInfo *auth_info,
+ DATA_BLOB *incoming, DATA_BLOB *outgoing)
+{
+ NTSTATUS status;
+
+ if (auth_info->incoming_count == 0) {
+ incoming->length = 0;
+ incoming->data = NULL;
+ } else {
+ status = auth_info_2_trustauth_inout_blob(mem_ctx,
+ auth_info->incoming_count,
+ auth_info->incoming_current_auth_info,
+ auth_info->incoming_previous_auth_info,
+ incoming);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ if (auth_info->outgoing_count == 0) {
+ outgoing->length = 0;
+ outgoing->data = NULL;
+ } else {
+ status = auth_info_2_trustauth_inout_blob(mem_ctx,
+ auth_info->outgoing_count,
+ auth_info->outgoing_current_auth_info,
+ auth_info->outgoing_previous_auth_info,
+ outgoing);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/rpc_client/util_netlogon.h b/source3/rpc_client/util_lsarpc.h
similarity index 57%
copy from source3/rpc_client/util_netlogon.h
copy to source3/rpc_client/util_lsarpc.h
index cea9787..0aa5e25 100644
--- a/source3/rpc_client/util_netlogon.h
+++ b/source3/rpc_client/util_lsarpc.h
@@ -1,7 +1,7 @@
/*
Unix SMB/CIFS implementation.
Authentication utility functions
- Copyright (C) Volker Lendecke 2010
+ Copyright (C) Sumit Bose 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -17,13 +17,16 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _RPC_CLIENT_UTIL_NETLOGON_H_
-#define _RPC_CLIENT_UTIL_NETLOGON_H_
+#ifndef _RPC_CLIENT_UTIL_LSARPC_H_
+#define _RPC_CLIENT_UTIL_LSARPC_H_
-/* The following definitions come from rpc_client/util_netlogon.c */
+/* The following definitions come from rpc_client/util_lsarpc.c */
-NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,
- const struct netr_SamBaseInfo *in,
- struct netr_SamBaseInfo *out);
+NTSTATUS auth_blob_2_auth_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB incoming, DATA_BLOB outgoing,
+ struct lsa_TrustDomainInfoAuthInfo *auth_info);
+NTSTATUS auth_info_2_auth_blob(TALLOC_CTX *mem_ctx,
+ struct lsa_TrustDomainInfoAuthInfo *auth_info,
+ DATA_BLOB *incoming, DATA_BLOB *outgoing);
-#endif /* _RPC_CLIENT_UTIL_NETLOGON_H_ */
+#endif /* _RPC_CLIENT_UTIL_LSARPC_H_ */
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index ec87bd6..17f873b 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -48,6 +48,7 @@
#include "rpc_server/srv_access_check.h"
#include "../librpc/gen_ndr/ndr_wkssvc.h"
#include "../libcli/auth/libcli_auth.h"
+#include "rpc_client/util_lsarpc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -2023,21 +2024,6 @@ static NTSTATUS pdb_trusted_domain_2_info_ex(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-static NTSTATUS pdb_trusted_domain_2_auth_info(struct pdb_trusted_domain *td,
- struct lsa_TrustDomainInfoAuthInfo *auth_info)
-{
-/* If I understand it correctly lsa_TrustDomainInfoAuthInfo is send unencrypted
- * and related calls should not be used. If there is a use case, it can be
- * implemented later. */
- auth_info->incoming_count = 0;
- auth_info->incoming_current_auth_info = NULL;
- auth_info->incoming_previous_auth_info = NULL;
- auth_info->outgoing_count = 0;
- auth_info->outgoing_current_auth_info = NULL;
- auth_info->outgoing_previous_auth_info = NULL;
- return NT_STATUS_OK;
-}
-
NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
struct lsa_QueryTrustedDomainInfo *r)
{
@@ -2148,7 +2134,9 @@ NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
return status;
}
info->full_info.posix_offset.posix_offset = *td->trust_posix_offset;
- status = pdb_trusted_domain_2_auth_info(td,
+ status = auth_blob_2_auth_info(p->mem_ctx,
+ td->trust_auth_incoming,
+ td->trust_auth_outgoing,
&info->full_info.auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -2162,7 +2150,9 @@ NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
return NT_STATUS_INVALID_PARAMETER;
case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
info->full_info2_internal.posix_offset.posix_offset = *td->trust_posix_offset;
- status = pdb_trusted_domain_2_auth_info(td,
+ status = auth_blob_2_auth_info(p->mem_ctx,
+ td->trust_auth_incoming,
+ td->trust_auth_outgoing,
&info->full_info2_internal.auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -3571,20 +3561,6 @@ static NTSTATUS info_ex_2_pdb_trusted_domain(
return NT_STATUS_OK;
}
-static NTSTATUS auth_info_2_pdb_trusted_domain(struct lsa_TrustDomainInfoAuthInfo *auth_info,
- struct pdb_trusted_domain *td)
-{
-/* If I understand it correctly lsa_TrustDomainInfoAuthInfo is send unencrypted
- * and related calls should not be used. If there is a use case, it can be
- * implemented later. */
- td->trust_auth_incoming.length = 0;
- td->trust_auth_incoming.data = NULL;
- td->trust_auth_outgoing.length = 0;
- td->trust_auth_outgoing.data = NULL;
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
TALLOC_CTX *mem_ctx, DATA_BLOB *auth_blob,
struct trustDomainPasswords *auth_struct)
@@ -3658,7 +3634,9 @@ static NTSTATUS setInfoTrustedDomain_base(struct pipes_struct *p,
if (!(policy->access & LSA_TRUSTED_SET_AUTH)) {
return NT_STATUS_ACCESS_DENIED;
}
- nt_status = auth_info_2_pdb_trusted_domain(&info->auth_info, td);
+ nt_status = auth_info_2_auth_blob(td, &info->auth_info,
+ &td->trust_auth_incoming,
+ &td->trust_auth_outgoing);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
@@ -3673,7 +3651,10 @@ static NTSTATUS setInfoTrustedDomain_base(struct pipes_struct *p,
--
Samba Shared Repository
More information about the samba-cvs
mailing list