[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Thu Mar 12 12:50:02 MDT 2015


The branch, master has been updated
       via  f0a6935 s3:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
       via  ac45921 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
       via  b6292d8 s4-torture: add ndr test for lsa_lsaRQueryForestTrustInformation().
       via  aea5537 drsblobs.idl: improve idl for ForestTrustInfoRecord*
       via  080db5f lsa.idl: improve idl for lsa_ForestTrust*Record*
       via  701ed11 lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only'
       via  cdf6373 lsa.idl: fix idl for lsa_ForestTrustRecordType
       via  1d299f1 security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
       via  2c1f948 netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead
       via  a0700dd netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
       via  4810f47 netlogon.idl: improve idl for netr_ServerTrustPasswordsGet()
       via  19e4a10 ldb-samba: implement --show-binary for msDS-RevealedUsers
       via  5abb9ac drsblobs.idl: make replPropertyMetaData1 public
       via  450dc02 s4:py_net: make domain and address fully optional to py_net_finddc
       via  79b1041 s4:librpc: add auth_type=ncalrpc_as_system as binding option
       via  29b173d s4:trust_utils: store new trust/machine passwords before trying it remotely.
       via  1623992 s3:winbindd: make open_internal_lsa_conn() non static
       via  f126eeb s3:winbindd_cm: improve detection for the anonymous fallback.
       via  7391416 s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw()
       via  e0a4f43 s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw()
       via  2a2cec6 s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds()
       via  7d36141 s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
       via  0f3e322 s3:libnet: use cli_credentials based functions in libnet_join_ok()
       via  484adf4 s3:auth_domain: make use of cli_rpc_pipe_open_schannel()
       via  91e4cbc s3:auth_domain: fix talloc problem in connect_to_domain_password_server()
       via  9af336c s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds()
       via  6d31763 s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()
       via  c3b7e6e s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()
       via  0994e0a s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()
       via  8d73127 s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds()
       via  33fcfb3 auth/credentials: add cli_credentials_set_old_utf16_password()
       via  016c4ce auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()
       via  3abccce auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()
       via  3098a43 s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID
       via  4bebab2 selftest: Change testsuite to use a samAccountName with a space in it
       via  7f5740f kdc: Ensure we cope with a samAccountName with a space in it
       via  7ed2492 dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()
       via  d3e0d7e selftest: Change testsuite to use a UPN with a space in it
       via  979385c selftest: fix the basedn for local accounts in non-DC environments e.g. s4member
       via  3cd8713 dsdb: Allow spaces in userPrincipalName values
       via  da99f8a heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY
       via  b7cc8c1 heimdal:lib/krb5: allow enterprise principals in verify_logonname()
       via  a1b4a5d torture-krb5: Test accepting the ticket to ensure PAC is well-formed
       via  bc8b580 auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()
       via  e48d136 auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
       via  8909961 heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
       via  9ebd10b heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
       via  76f6633 heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
      from  6e2f4c7 selftest: also test python.samba.tests.posixacl against plugin_s4_dc_no_nss

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f0a6935b1e0c140cc100036e5945fe6a7b95a45e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 11 16:39:05 2015 +0100

    s3:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
    
    If there are no collisions, we should not fill in the collision_info pointer.
    
    Otherwise Windows fails to create a forest trust.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Thu Mar 12 19:49:33 CET 2015 on sn-devel-104

commit ac459219813992de33ef2ece06c30e7ee4155713
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 28 10:02:54 2015 +0000

    s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
    
    If there are no collisions, we should not fill in the collision_info pointer.
    
    Otherwise Windows fails to create a forest trust.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit b6292d8be48f6def099404319e439ca600e9331e
Author: Günther Deschner <gd at samba.org>
Date:   Wed Mar 11 12:09:42 2015 +0100

    s4-torture: add ndr test for lsa_lsaRQueryForestTrustInformation().
    
    Thanks to Alexander for providing the binary blobs.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit aea55377f948e54e014f330c8e2b59926128d3db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 4 18:00:44 2015 +0000

    drsblobs.idl: improve idl for ForestTrustInfoRecord*
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 080db5f60a5536160bcfa9283673ee1a4c4d524e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 4 18:00:44 2015 +0000

    lsa.idl: improve idl for lsa_ForestTrust*Record*
    
    The meaning of lsa_ForestTrustRecordFlags is based on lsa_ForestTrustRecordType,
    but the type is not always available, so it's not possible to use a union.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 701ed1117ba531430cbc845412a2dee79ad62054
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 30 08:01:58 2015 +0000

    lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only'
    
    This is only a cosmetic change to make the idl more verbose,
    the resulting C code will still use 'uint8_t'.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit cdf6373c3b03b8946fbe142d4930c2f4d21d6145
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 30 08:01:58 2015 +0000

    lsa.idl: fix idl for lsa_ForestTrustRecordType
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 1d299f1d7b0544c5e1ea5a8a89c96554fc619fb7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 2 23:14:38 2015 +0100

    security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
    
    These are not encryption types, but flags for specific kerberos features.
    
    See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 2c1f948150f16fb77b59bf02bece34f5c75dd39d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 2 23:14:38 2015 +0100

    netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead
    
    These are the same.
    
    We keep the old defines around in order to avoid a lot of changes
    in the callers.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit a0700dd2753bf7ba106feca4002e74dad134a991
Author: Günther Deschner <gd at samba.org>
Date:   Tue Dec 18 15:27:06 2012 +0100

    netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 4810f47c44b86b4d33a067c2a5e7ed56bf7e58ae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 9 13:18:38 2015 +0100

    netlogon.idl: improve idl for netr_ServerTrustPasswordsGet()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 19e4a101dbeee251cfe7e63f3febcb2075065b36
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 6 18:07:15 2015 +0100

    ldb-samba: implement --show-binary for msDS-RevealedUsers
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 5abb9acc9bea99b2bc95f622492137e5720615c2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 5 16:21:18 2015 +0100

    drsblobs.idl: make replPropertyMetaData1 public
    
    This is used as binary data for the msDS-RevealedUsers attribute.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 450dc02d6dd0e405aaacddef03e37ff5f2829219
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 27 21:46:06 2015 +0000

    s4:py_net: make domain and address fully optional to py_net_finddc
    
    E.g. address=None is now also possible.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 79b10416519376899d94802b0ecfb815eaaac527
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 26 16:02:20 2015 +0100

    s4:librpc: add auth_type=ncalrpc_as_system as binding option
    
    In future we may want another way to trigger this,
    but our current rpc libraries need a lot of cleanup first.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 29b173d2a70745922d8345bfc6bd1da08951dfd3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jan 31 10:42:09 2015 +0000

    s4:trust_utils: store new trust/machine passwords before trying it remotely.
    
    If this fails we can still fallback to the old password...
    
    Before trying the password change we verify the dc knows our current password.
    
    This should make the password changes much more robust.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 1623992105854e84c552305feebac939e97f627e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 3 16:22:25 2015 +0100

    s3:winbindd: make open_internal_lsa_conn() non static
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit f126eeb2a1b1c68b9687f2da1d1ce854226d0c43
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 11 15:05:55 2015 +0100

    s3:winbindd_cm: improve detection for the anonymous fallback.
    
    If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fall back,
    if allowed.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 739141639984837fe5e6b527d0ca8511a4ebaa28
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 5 09:26:23 2015 +0000

    s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit e0a4f438d17fde962d2b2886776da2b0e7c4cd05
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 5 10:07:46 2015 +0000

    s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 2a2cec6f9c5922e689cd79c13e9370eda8a396bb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 30 16:53:40 2015 +0000

    s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 7d36141ba3a6a12b71ef6a0b04184d38c4833c99
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 11:33:05 2015 +0100

    s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 0f3e32247c503a8156099afa05fbcc9c9cdb489a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 11:29:49 2015 +0100

    s3:libnet: use cli_credentials based functions in libnet_join_ok()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 484adf45ede419af85e0e28661f659a548dd5471
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:52:45 2015 +0100

    s3:auth_domain: make use of cli_rpc_pipe_open_schannel()
    
    This simplifies a lot and allows the previous password to be used.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 91e4cbc46f0f54570f27a829b7c7c71da657030b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 10:33:01 2015 +0100

    s3:auth_domain: fix talloc problem in connect_to_domain_password_server()
    
    The return values of connect_to_domain_password_server() need to be exported
    to the caller's memory context.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 9af336cce7b6adc76421dcf3ff4d237700a741c7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:25:35 2015 +0100

    s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds()
    
    Passing a struct cli_credentials allows the previous password to be used.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 6d31763de14adaf00b4b28c31a19d462adc1aea3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 10:05:37 2015 +0100

    s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()
    
    This is only allowed with special config options ("client schannel = no",
    "require strong key = no" and "reject md5 servers = no").
    By default we require NETLOGON_NEG_AUTHENTICATED_RPC.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit c3b7e6e2185b3e09d70326914e70eac314de9b63
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:34:45 2015 +0100

    s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()
    
    This simplifies the code and allows the previous password to be passed
    through the stack.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 0994e0a3e30b447eb44e7701207de9a3c13e63cc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:49:16 2015 +0100

    s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 8d731274626614a0679ff25f7e939bf34caa9440
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 30 16:54:06 2015 +0000

    s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds()
    
    This way we'll fall back to using the previous machine/trust account password
    if required.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 33fcfb37c476fc836836c344165abc1cba79130e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 30 16:20:27 2015 +0000

    auth/credentials: add cli_credentials_set_old_utf16_password()
    
    This is required to set the previous trust account password.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 016c4ce84f2a34abb705b85d0abd1e17aa1325db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:04:42 2015 +0100

    auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()
    
    For machine and trust accounts it's important to retry
    netr_Authenticate3() with the previous (old) nt_hash.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 3abccced8cf057ce0768a5acf7e828db3823fae2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 9 09:06:32 2015 +0100

    auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 3098a432665b54b3e578b6e6b04b9fde5de43b72
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 21 14:44:44 2015 +0100

    s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 4bebab21463825c22cced6e8c59b99c525172911
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 13:43:49 2015 +1300

    selftest: Change testsuite to use a samAccountName with a space in it
    
    This shows that the previous patch is correct
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 7f5740f34226301e2172c7e2024fd8c6c4ededf5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 13:29:56 2015 +1300

    kdc: Ensure we cope with a samAccountName with a space in it
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 7ed24924d2917556a03c51eadcb65b3e3c1e8af6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 13:29:56 2015 +1300

    dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit d3e0d7e2b0ee9fb72a8c602c86aee1d2f2755236
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 12:56:56 2015 +1300

    selftest: Change testsuite to use a UPN with a space in it
    
    This shows that the previous patch is correct
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 979385cd0fd20957d552e64edc07ea2fa0edc0fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 12 10:43:57 2015 +0100

    selftest: fix the basedn for local accounts in non-DC environments e.g. s4member
    
    open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
    doesn't generate an error if the command fails...
    
    'testallowed' is a local account here, with a dn of
    CN=testallowed,CN=Users,DC=S4MEMBER instead of domain user
    CN=testallowed,CN=Users,DC=samba,DC=example,DC=com
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 3cd871321667045635d8236d91386070e84770a4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 12:50:23 2015 +1300

    dsdb: Allow spaces in userPrincipalName values
    
    This is needed to enable a kinit with a UPN that has a space in it
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit da99f8a5b9e492406b5d64bb53f090de3fd93957
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 15:33:14 2015 +0100

    heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY
    
    An ENTERPRISE principal should result in 'administrator at S4XDOM.BASE'
    instead of 'administrator\@S4XDOM.BASE'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit b7cc8c1187ff967e44587cd0d09185330378f366
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 15:36:01 2015 +0100

    heimdal:lib/krb5: allow enterprise principals in verify_logonname()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit a1b4a5d977862bda48819d3f0b33eccbd10ca4fd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 11 15:58:36 2015 +1300

    torture-krb5: Test accepting the ticket to ensure PAC is well-formed
    
    A future test will ask for impersonation to a different user, and
    validate returned principal and the PAC matches that user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit bc8b580659d429690f6b54f17368526fc8c845e3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 12 11:27:57 2015 +1300

    auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()
    
    This ensures that in the all-Samba PAC creation code, we do not escape a space character if present
    in the logon name.  This matches what we do in the Heimdal code in the KDC.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit e48d136e3a5c89c9bab8ea898775fad1449d2f96
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 11 15:57:06 2015 +1300

    auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
    
    This ensures that if an enterprise principal is used, we do the
    comparison properly
    
    This matters because the enterprise case, which can be triggered by MIT
    kinit -E, does not use canonicalization, and so the enterprise name,
    with the @ in it, is in the logon name.
    
    Otherwise, we get errors like:
     Name in PAC [TESTALLOWED at WIN2012R2] does not match principal name in ticket
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 89099611fd3a30286fe50dfa57e16452ea6c8940
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 12:38:55 2015 +0100

    heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
    
    This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
    and the final rfc6806.txt.
    
    The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 9ebd10b3432c271625db9fbc1987759c02b23f83
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 12:38:55 2015 +0100

    heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
    
    This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
    and the final rfc6806.txt.
    
    The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 76f66332a1be0a26760e82c39edb2cfdd892b367
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 12:38:55 2015 +0100

    heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
    
    This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
    and the final rfc6806.txt.
    
    The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c                |  42 +++
 auth/credentials/credentials.h                |   6 +
 auth/credentials/credentials_internal.h       |   1 +
 auth/credentials/credentials_ntlm.c           |  67 +++++
 auth/kerberos/kerberos_pac.c                  |  23 +-
 lib/ldb-samba/ldif_handlers.c                 |  71 +++++
 lib/ldb-samba/ldif_handlers.h                 |   1 +
 librpc/idl/drsblobs.idl                       |  12 +-
 librpc/idl/lsa.idl                            |  64 ++---
 librpc/idl/netlogon.idl                       |  24 +-
 librpc/idl/security.idl                       |   9 +-
 selftest/target/Samba4.pm                     |  24 +-
 source3/auth/auth_domain.c                    | 108 ++------
 source3/libnet/libnet_join.c                  |  65 ++---
 source3/libsmb/trusts_util.c                  |  39 ++-
 source3/passdb/pdb_samba_dsdb.c               | 383 ++++++++++++++++++++++++--
 source3/rpc_client/cli_netlogon.c             |   3 +
 source3/rpc_client/cli_pipe.c                 |  96 -------
 source3/rpc_client/cli_pipe.h                 |   8 -
 source3/rpc_client/cli_pipe_schannel.c        |  85 +++---
 source3/rpc_server/lsa/srv_lsa_nt.c           |   6 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c   |   6 +-
 source3/rpcclient/rpcclient.c                 |  58 ++--
 source3/utils/net_rpc.c                       |   2 +-
 source3/winbindd/winbindd_cm.c                |   3 +
 source3/winbindd/winbindd_proto.h             |   3 +
 source3/winbindd/winbindd_samr.c              |   6 +-
 source4/auth/kerberos/kerberos_pac.c          |   4 +-
 source4/dsdb/pydsdb.c                         |   1 +
 source4/dsdb/samdb/cracknames.c               |  24 +-
 source4/heimdal/kdc/kerberos5.c               |  52 ----
 source4/heimdal/lib/asn1/krb5.asn1            |  11 -
 source4/heimdal/lib/krb5/pac.c                |   8 +-
 source4/heimdal/lib/krb5/ticket.c             |  81 ------
 source4/kdc/db-glue.c                         |   5 +-
 source4/libnet/py_net.c                       |   2 +-
 source4/librpc/rpc/dcerpc_util.c              |  16 ++
 source4/rpc_server/lsa/dcesrv_lsa.c           |   6 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c |   2 +-
 source4/selftest/tests.py                     |   4 +-
 source4/torture/krb5/kdc-canon.c              | 135 ++++++++-
 source4/torture/ndr/lsa.c                     |  46 ++++
 source4/torture/rpc/lsa.c                     |   2 +-
 source4/torture/rpc/netlogon.c                |   5 +-
 44 files changed, 1022 insertions(+), 597 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index a9e4fc8..42aa2a3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -70,6 +70,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 	cred->bind_dn = NULL;
 
 	cred->nt_hash = NULL;
+	cred->old_nt_hash = NULL;
 
 	cred->lm_response.data = NULL;
 	cred->lm_response.length = 0;
@@ -481,6 +482,7 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
 		/* Don't print the actual password in talloc memory dumps */
 		talloc_set_name_const(cred->old_password, "password set via cli_credentials_set_old_password");
 	}
+	cred->old_nt_hash = NULL;
 	return true;
 }
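Review bot: The added `cred->old_nt_hash = NULL;` drops the pointer without releasing it; when old_nt_hash was set by cli_credentials_set_old_utf16_password() it is a talloc child of cred (see the `talloc(cred, struct samr_Password)` in credentials_ntlm.c), so the stale hash stays allocated and readable in memory until cred itself is freed. `TALLOC_FREE(cred->old_nt_hash);` at this point would release it, assuming every setter talloc-copies the hash under cred as the visible one does. The same consideration applies where cli_credentials_set_old_utf16_password() overwrites cred->old_nt_hash in the credentials_ntlm.c hunk. cli_credentials_set_old_password() begins outside this hunk.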
 
@@ -525,6 +527,46 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credential
 }
 
 /**
+ * Obtain the old password, in the form MD4(unicode(password)) for this credentials context.
+ *
+ * Sometimes we only have this much of the password, while the rest of
+ * the time this call avoids calling E_md4hash themselves.
+ *
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+_PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
+							       TALLOC_CTX *mem_ctx)
+{
+	const char *old_password = NULL;
+
+	if (cred->old_nt_hash != NULL) {
+		struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
+		if (!nt_hash) {
+			return NULL;
+		}
+
+		*nt_hash = *cred->old_nt_hash;
+
+		return nt_hash;
+	}
+
+	old_password = cli_credentials_get_old_password(cred);
+	if (old_password) {
+		struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
+		if (!nt_hash) {
+			return NULL;
+		}
+
+		E_md4hash(old_password, nt_hash->hash);
+
+		return nt_hash;
+	}
+
+	return NULL;
+}
+
+/**
  * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
  * @param cred credentials context
  * @retval The domain set on this context. 
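Review bot: The `@retval` line of the new comment says `the cleartext password`, but the function returns a struct samr_Password holding the MD4 hash; it should read `@retval If set, the NT hash of the old password (allocated on mem_ctx), otherwise NULL`. The sentence `the rest of the time this call avoids calling E_md4hash themselves` appears to be carried over from the cli_credentials_get_nt_hash() comment and would read better as `avoids callers having to call E_md4hash() themselves`. It is also worth stating in the comment that the cached cred->old_nt_hash takes precedence over hashing cli_credentials_get_old_password(), since the two can differ when the original UTF-16 blob did not round-trip through UTF-8, which is the reason the separate field exists.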
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 814f016..fdedd63 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -146,6 +146,8 @@ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
 struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 						  TALLOC_CTX *mem_ctx);
+struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
+						      TALLOC_CTX *mem_ctx);
 bool cli_credentials_set_realm(struct cli_credentials *cred, 
 			       const char *val, 
 			       enum credentials_obtained obtained);
@@ -194,9 +196,13 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
 					const DATA_BLOB *password_utf16,
 					enum credentials_obtained obtained);
+bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+					    const DATA_BLOB *password_utf16);
 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 				 const struct samr_Password *nt_hash, 
 				 enum credentials_obtained obtained);
+bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
+				     const struct samr_Password *nt_hash);
 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 				       const DATA_BLOB *lm_response, 
 				       const DATA_BLOB *nt_response, 
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index d05d153..aa01ccc 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -60,6 +60,7 @@ struct cli_credentials {
 
 	/* Allows authentication from a keytab or similar */
 	struct samr_Password *nt_hash;
+	struct samr_Password *old_nt_hash;
 
 	/* Allows NTLM pass-though authentication */
 	DATA_BLOB lm_response;
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 5e9aeed..4e12277 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -268,6 +268,53 @@ _PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
 	return false;
 }
 
+/*
+ * Set a old utf16 password on the credentials context.
+ *
+ * This is required because the nt_hash is calculated over the raw utf16 blob,
+ * which might not be completely valid utf16, which means the conversion
+ * from CH_UTF16MUNGED to CH_UTF8 might loose information.
+ */
+_PUBLIC_ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+						     const DATA_BLOB *password_utf16)
+{
+	struct samr_Password *nt_hash = NULL;
+	char *password_talloc = NULL;
+	size_t password_len = 0;
+	bool ok;
+
+	if (password_utf16 == NULL) {
+		return cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);
+	}
+
+	nt_hash = talloc(cred, struct samr_Password);
+	if (nt_hash == NULL) {
+		return false;
+	}
+
+	ok = convert_string_talloc(cred,
+				   CH_UTF16MUNGED, CH_UTF8,
+				   password_utf16->data,
+				   password_utf16->length,
+				   (void *)&password_talloc,
+				   &password_len);
+	if (!ok) {
+		TALLOC_FREE(nt_hash);
+		return false;
+	}
+
+	ok = cli_credentials_set_old_password(cred, password_talloc, CRED_SPECIFIED);
+	TALLOC_FREE(password_talloc);
+	if (!ok) {
+		TALLOC_FREE(nt_hash);
+		return false;
+	}
+
+	mdfour(nt_hash->hash, password_utf16->data, password_utf16->length);
+	cred->old_nt_hash = nt_hash;
+	return true;
+}
+
 _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 				 const struct samr_Password *nt_hash, 
 				 enum credentials_obtained obtained)
@@ -276,6 +323,9 @@ _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 		cli_credentials_set_password(cred, NULL, obtained);
 		if (nt_hash) {
 			cred->nt_hash = talloc(cred, struct samr_Password);
+			if (cred->nt_hash == NULL) {
+				return false;
+			}
 			*cred->nt_hash = *nt_hash;
 		} else {
 			cred->nt_hash = NULL;
@@ -286,6 +336,23 @@ _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 	return false;
 }
 
+_PUBLIC_ bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
+					      const struct samr_Password *nt_hash)
+{
+	cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);
+	if (nt_hash) {
+		cred->old_nt_hash = talloc(cred, struct samr_Password);
+		if (cred->old_nt_hash == NULL) {
+			return false;
+		}
+		*cred->old_nt_hash = *nt_hash;
+	} else {
+		cred->old_nt_hash = NULL;
+	}
+
+	return true;
+}
+
 _PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 						const DATA_BLOB *lm_response, 
 						const DATA_BLOB *nt_response, 
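Review bot: The return value of `cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);` at the top of cli_credentials_set_old_nt_hash() is discarded, whereas cli_credentials_set_old_utf16_password() in the hunk above checks the same call and fails on error; if the call can fail, the new hash is stored next to an old password that was not cleared. Making the two consistent is one line: `if (!cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED)) { return false; }`. Unlike cli_credentials_set_nt_hash() this function takes no `obtained` argument, so a one-line comment stating that the old hash is always recorded as CRED_SPECIFIED would help callers.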
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 8f55c8f..32d9d7f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 	DATA_BLOB modified_pac_blob;
 
 	NTTIME tgs_authtime_nttime;
-	krb5_principal client_principal_pac = NULL;
 	int i;
 
 	struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
@@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 	}
 
 	if (client_principal) {
-		ret = smb_krb5_parse_name_norealm(context,
-						  logon_name->account_name,
-						  &client_principal_pac);
+		char *client_principal_string;
+		ret = krb5_unparse_name_flags(context, client_principal,
+					      KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+					      &client_principal_string);
 		if (ret) {
-			DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
+			DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
 				  logon_name->account_name, error_message(ret)));
 			talloc_free(tmp_ctx);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
-		bool_ret = smb_krb5_principal_compare_any_realm(context,
-								client_principal,
-								client_principal_pac);
-
-		krb5_free_principal(context, client_principal_pac);
+		bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
 
 		if (!bool_ret) {
 			DEBUG(2, ("Name in PAC [%s] does not match principal name "
-				  "in ticket\n", logon_name->account_name));
+				  "in ticket [%s]\n",
+				  logon_name->account_name,
+				  client_principal_string));
+			SAFE_FREE(client_principal_string);
 			talloc_free(tmp_ctx);
 			return NT_STATUS_ACCESS_DENIED;
 		}
+		SAFE_FREE(client_principal_string);
+
 	}
 
 	DEBUG(3,("Found account name from PAC: %s [%s]\n",
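Review bot: The string returned by krb5_unparse_name_flags() is released with `SAFE_FREE(client_principal_string);` on both paths, but the library contract is `krb5_free_unparsed_name(context, client_principal_string);`, available on both MIT and Heimdal, which stays correct should the library's allocator ever differ from the C library's. This comparison is the binding between the PAC logon name and the ticket principal, and `strcmp()` with KRB5_PRINCIPAL_UNPARSE_DISPLAY is an exact, case-sensitive match with quoting suppressed; the replaced principal comparison appears to have been exact too, so behaviour seems unchanged, but a comment saying `/* exact match intended: the PAC must name the ticket's client principal */` would keep a later maintainer from relaxing it. kerberos_decode_pac() starts and ends outside this hunk.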
diff --git a/lib/ldb-samba/ldif_handlers.c b/lib/ldb-samba/ldif_handlers.c
index ea62bf9..3b84084 100644
--- a/lib/ldb-samba/ldif_handlers.c
+++ b/lib/ldb-samba/ldif_handlers.c
@@ -906,6 +906,69 @@ static int ldif_write_replUpToDateVector(struct ldb_context *ldb, void *mem_ctx,
 			      true);
 }
 
+static int ldif_write_dn_binary_NDR(struct ldb_context *ldb, void *mem_ctx,
+				    const struct ldb_val *in, struct ldb_val *out,
+				    size_t struct_size,
+				    ndr_pull_flags_fn_t pull_fn,
+				    ndr_print_fn_t print_fn,
+				    bool mask_errors)
+{
+	uint8_t *p = NULL;
+	enum ndr_err_code err;
+	struct dsdb_dn *dsdb_dn = NULL;
+	char *dn_str = NULL;
+	char *str = NULL;
+
+	if (!(ldb_get_flags(ldb) & LDB_FLG_SHOW_BINARY)) {
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	dsdb_dn = dsdb_dn_parse(mem_ctx, ldb, in, DSDB_SYNTAX_BINARY_DN);
+	if (dsdb_dn == NULL) {
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	p = talloc_size(dsdb_dn, struct_size);
+	if (p == NULL) {
+		TALLOC_FREE(dsdb_dn);
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	err = ndr_pull_struct_blob(&dsdb_dn->extra_part, p, p, pull_fn);
+	if (err != NDR_ERR_SUCCESS) {
+		/* fail in not in mask_error mode */
+		if (!mask_errors) {
+			return -1;
+		}
+		TALLOC_FREE(dsdb_dn);
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	dn_str = ldb_dn_get_extended_linearized(dsdb_dn, dsdb_dn->dn, 1);
+	if (dn_str == NULL) {
+		TALLOC_FREE(dsdb_dn);
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	str = ndr_print_struct_string(mem_ctx, print_fn, dn_str, p);
+	TALLOC_FREE(dsdb_dn);
+	if (str == NULL) {
+		return ldb_handler_copy(ldb, mem_ctx, in, out);
+	}
+
+	*out = data_blob_string_const(str);
+	return 0;
+}
+
+static int ldif_write_msDS_RevealedUsers(struct ldb_context *ldb, void *mem_ctx,
+					 const struct ldb_val *in, struct ldb_val *out)
+{
+	return ldif_write_dn_binary_NDR(ldb, mem_ctx, in, out,
+			      sizeof(struct replPropertyMetaData1),
+			      (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaData1,
+			      (ndr_print_fn_t)ndr_print_replPropertyMetaData1,
+			      true);
+}
 
 /*
   convert a NDR formatted blob to a ldif formatted dnsRecord
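Review bot: In ldif_write_dn_binary_NDR(), the `return -1;` taken when ndr_pull_struct_blob() fails and mask_errors is false skips the `TALLOC_FREE(dsdb_dn)` that every other failure path performs, so the parsed DN and the `struct_size` buffer hanging off it stay allocated on mem_ctx until the caller frees it; moving the free above the test, `TALLOC_FREE(dsdb_dn); if (!mask_errors) { return -1; }`, makes the paths uniform. The comment `/* fail in not in mask_error mode */` reads better as `/* fail if not in mask_errors mode */`. A short header comment noting that the input is a DN+binary value whose binary part is decoded with pull_fn only when LDB_FLG_SHOW_BINARY is set, and that every decode failure falls back to a plain copy unless mask_errors is false, would save the reader walking the five fallback branches.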
@@ -1337,6 +1400,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = {
 		.comparison_fn	  = ldb_comparison_binary,
 		.operator_fn      = samba_syntax_operator_fn
 	},{
+		.name		  = LDB_SYNTAX_SAMBA_REVEALEDUSERS,
+		.ldif_read_fn	  = ldb_handler_copy,
+		.ldif_write_fn	  = ldif_write_msDS_RevealedUsers,
+		.canonicalise_fn  = dsdb_dn_binary_canonicalise,
+		.comparison_fn	  = dsdb_dn_binary_comparison,
+		.operator_fn      = samba_syntax_operator_fn
+	},{
 		.name		  = LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB,
 		.ldif_read_fn	  = ldb_handler_copy,
 		.ldif_write_fn	  = ldif_write_trustAuthInOutBlob,
@@ -1477,6 +1547,7 @@ static const struct {
 	{ "repsTo",                     LDB_SYNTAX_SAMBA_REPSFROMTO },
 	{ "replPropertyMetaData",       LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA },
 	{ "replUpToDateVector",         LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR },
+	{ "msDS-RevealedUsers",         LDB_SYNTAX_SAMBA_REVEALEDUSERS },
 	{ "trustAuthIncoming",          LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
 	{ "trustAuthOutgoing",          LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
 	{ "msDS-TrustForestTrustInfo",  LDB_SYNTAX_SAMBA_FORESTTRUSTINFO },
diff --git a/lib/ldb-samba/ldif_handlers.h b/lib/ldb-samba/ldif_handlers.h
index 4e12293..5ba6f12 100644
--- a/lib/ldb-samba/ldif_handlers.h
+++ b/lib/ldb-samba/ldif_handlers.h
@@ -11,6 +11,7 @@
 #define LDB_SYNTAX_SAMBA_REPSFROMTO		"LDB_SYNTAX_SAMBA_REPSFROMTO"
 #define LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA   "LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA"
 #define LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR     "LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR"
+#define LDB_SYNTAX_SAMBA_REVEALEDUSERS          "LDB_SYNTAX_SAMBA_REVEALEDUSERS"
 #define LDB_SYNTAX_SAMBA_RANGE64		"LDB_SYNTAX_SAMBA_RANGE64"
 #define LDB_SYNTAX_SAMBA_DNSRECORD		"LDB_SYNTAX_SAMBA_DNSRECORD"
 #define LDB_SYNTAX_SAMBA_DNSPROPERTY		"LDB_SYNTAX_SAMBA_DNSPROPERTY"
diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl
index 1960716..499febb 100644
--- a/librpc/idl/drsblobs.idl
+++ b/librpc/idl/drsblobs.idl
@@ -18,7 +18,7 @@ interface drsblobs {
 	 * w2k  uses version 1
 	 * w2k3 uses version 1
 	 */
-	typedef struct {
+	typedef [public] struct {
 		drsuapi_DsAttributeId attid;
 		uint32 version;
 		NTTIME_1sec originating_change_time;
@@ -632,17 +632,17 @@ interface drsblobs {
 		[default] ForestTrustDataBinaryData data;
 	} ForestTrustData;
 
-	/* same as lsa_ForestTrustRecordType */
+	/* same as lsa_ForestTrustRecordType, but only 8 bit */
 	typedef [enum8bit] enum {
-		FOREST_TRUST_TOP_LEVEL_NAME = 0,
-		FOREST_TRUST_TOP_LEVEL_NAME_EX = 1,
-		FOREST_TRUST_DOMAIN_INFO = 2
+		FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME,
+		FOREST_TRUST_TOP_LEVEL_NAME_EX = LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX,
+		FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO
 	} ForestTrustInfoRecordType;
 
 	/* meaning of flags depends on record type and values are
 	   the same as in lsa.idl, see collision record types */
 	typedef [public,gensize,flag(NDR_NOALIGN)] struct {
-		uint32 flags;
+		lsa_ForestTrustRecordFlags flags;
 		NTTIME timestamp;
 		ForestTrustInfoRecordType type;
 		[switch_is(type)] ForestTrustData data;
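Review bot: The comment above the struct still says the flag values are "the same as in lsa.idl, see collision record types", but the field now uses lsa_ForestTrustRecordFlags directly and the lsa.idl hunks in this same commit remove the collision-specific bitmaps, so the pointer leads nowhere. Shorten it to `/* meaning of flags depends on record type, see lsa_ForestTrustRecordFlags */`.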
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 251b4e2..09ddf71 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1255,6 +1255,26 @@ import "misc.idl", "security.idl";
 	[todo] NTSTATUS lsa_LSARUNREGISTERAUDITEVENT();
 
 	/* Function 0x49 */
+	typedef [bitmap32bit,public] bitmap {
+		/* these apply to LSA_FOREST_TRUST_TOP_LEVEL_NAME */
+		LSA_TLN_DISABLED_NEW		= 0x00000001,
+		LSA_TLN_DISABLED_ADMIN		= 0x00000002,
+		LSA_TLN_DISABLED_CONFLICT	= 0x00000004,
+
+		/* these apply to LSA_FOREST_TRUST_DOMAIN_INFO */
+		LSA_SID_DISABLED_ADMIN		= 0x00000001,
+		LSA_SID_DISABLED_CONFLICT	= 0x00000002,
+		LSA_NB_DISABLED_ADMIN		= 0x00000004,
+		LSA_NB_DISABLED_CONFLICT	= 0x00000008
+	} lsa_ForestTrustRecordFlags;
+
+	typedef enum {
+		LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0,
+		LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1,
+		LSA_FOREST_TRUST_DOMAIN_INFO = 2,
+		LSA_FOREST_TRUST_RECORD_TYPE_LAST = 3
+	} lsa_ForestTrustRecordType;
+
 	typedef struct {
 		[range(0,131072)] uint3264 length;
 		[size_is(length)] uint8 *data;
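Review bot: lsa_ForestTrustRecordFlags folds two flag sets with overlapping bit values into one bitmap (`LSA_TLN_DISABLED_NEW` and `LSA_SID_DISABLED_ADMIN` are both 0x00000001, and so on), so the generated ndr_print output will list names from both groups for a single bit and the reader has to consult the record type to know which applies; the two comments inside the bitmap are the only place that rule is stated. A comment on the typedef saying that only the TLN_ names apply to TOP_LEVEL_NAME records and only the SID_/NB_ names to DOMAIN_INFO records, and that printed names are therefore ambiguous without the type, would help anyone reading a dump. The same applies where this type replaces lsa_ForestTrustCollisionFlags in lsa_ForestTrustCollisionRecord in the last hunk of this file.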
@@ -1266,24 +1286,17 @@ import "misc.idl", "security.idl";
 		lsa_StringLarge netbios_domain_name;
 	} lsa_ForestTrustDomainInfo;
 
-	typedef [switch_type(uint32)] union {
+	typedef [switch_type(lsa_ForestTrustRecordType)] union {
 		[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
 		[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
 		[case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
 		[default] lsa_ForestTrustBinaryData data;
 	} lsa_ForestTrustData;
 
-	typedef [v1_enum] enum {
-		LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0,
-		LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1,
-		LSA_FOREST_TRUST_DOMAIN_INFO = 2,
-		LSA_FOREST_TRUST_RECORD_TYPE_LAST = 3
-	} lsa_ForestTrustRecordType;
-
 	typedef struct {
-		uint32 flags;
+		lsa_ForestTrustRecordFlags flags;
 		lsa_ForestTrustRecordType type;
-		hyper time;
+		NTTIME_hyper time;
 		[switch_is(type)] lsa_ForestTrustData forest_trust_data;
 	} lsa_ForestTrustRecord;
 
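Review bot: Dropping `[v1_enum]` from lsa_ForestTrustRecordType changes its NDR encoding from 32 to 16 bits (pidl's default for a plain enum, as far as I recall), and since `lsa_ForestTrustRecord.type` and the union discriminator now use this enum instead of `uint32`, this hunk is a wire-visible change rather than a cosmetic one; the replacement of `uint16 unknown` by the same enum in lsa_lsaRQueryForestTrustInformation() lower down is consistent with a 16-bit type, so it is presumably the intended fix, but neither the enum nor the struct says so. A comment at the enum such as `/* 16-bit enum on the wire (not v1_enum), see MS-LSAD LSA_FOREST_TRUST_RECORD_TYPE */` would stop a future maintainer from "restoring" the attribute. The switch to `NTTIME_hyper time` keeps the same width as the previous `hyper` but presumably changes how the value is printed; worth a word in the commit message.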
@@ -1292,10 +1305,10 @@ import "misc.idl", "security.idl";
 		[size_is(count)] lsa_ForestTrustRecord **entries;
 	} lsa_ForestTrustInformation;
 
-	NTSTATUS lsa_lsaRQueryForestTrustInformation(
+	[public] NTSTATUS lsa_lsaRQueryForestTrustInformation(
 		[in] policy_handle *handle,
 		[in,ref] lsa_String *trusted_domain_name,
-		[in] uint16 unknown, /* level ? */
+		[in] lsa_ForestTrustRecordType highest_record_type,
 		[out,ref] lsa_ForestTrustInformation **forest_trust_info
 		);
 
@@ -1308,31 +1321,10 @@ import "misc.idl", "security.idl";
 		LSA_FOREST_TRUST_COLLISION_OTHER = 2
 	} lsa_ForestTrustCollisionRecordType;
 
-	/* if type is CollisionTdo, flags can be */
-	typedef [bitmap32bit] bitmap {
-		LSA_TLN_DISABLED_NEW		= 0x00000001,
-		LSA_TLN_DISABLED_ADMIN		= 0x00000002,
-		LSA_TLN_DISABLED_CONFLICT	= 0x00000004
-	} lsa_ForestTrustCollisionTDOFlags;
-
-	/* if type is CollisionXref, flags can be */
-	typedef [bitmap32bit] bitmap {
-		LSA_SID_DISABLED_ADMIN		= 0x00000001,
-		LSA_SID_DISABLED_CONFLICT	= 0x00000002,
-		LSA_NB_DISABLED_ADMIN		= 0x00000004,
-		LSA_NB_DISABLED_CONFLICT	= 0x00000008
-	} lsa_ForestTrustCollisionXrefFlags;
-
-	typedef [nodiscriminant] union {
-		[case(LSA_FOREST_TRUST_COLLISION_TDO)] lsa_ForestTrustCollisionTDOFlags flags;
-		[case(LSA_FOREST_TRUST_COLLISION_XREF)] lsa_ForestTrustCollisionXrefFlags flags;
-		[default] uint32 flags;
-	} lsa_ForestTrustCollisionFlags;
-
 	typedef [public] struct {
 		uint32 index;
 		lsa_ForestTrustCollisionRecordType type;
-		[switch_is(type)] lsa_ForestTrustCollisionFlags flags;
+		lsa_ForestTrustRecordFlags flags;
 		lsa_String name;
 	} lsa_ForestTrustCollisionRecord;
 


-- 
Samba Shared Repository

