[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Thu Mar 26 21:03:03 MDT 2015


The branch, master has been updated
       via  14b6e0a s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt
       via  0dbf1d4 libcli/util: remove unused WERR_BAD_PASSWORD
       via  6e5d9c2 libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD
       via  17e8ad5 docs-xml/Samba3-HOWTO: add reference to WERR_INVALID_PASSWORD where we had only WERR_BAD_PASSWORD
       via  cb786df selftest: use dns_lookup_* = true in krb5.conf
       via  4b12fce s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs.
       via  e2eef86 s4-kdc/db_glue: use smb_krb5_principal_set_type().
       via  212a9e0 krb5_wrap: fix documentation for smb_krb5_principal_get_comp_string().
       via  e38acb3 krb5_wrap: add smb_krb5_principal_set_type().
       via  34ef6b8 s4-auth: fix DEBUG statement.
       via  de60211 gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
       via  ac23b7d s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string.
       via  023b5af lib/krb5_wrap: use krb5_const_principal in smb_krb5_get_pw_salt().
       via  a616df1 lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.
       via  b7abdbb s4-auth: avoid double free of krb5 kt_entries when compiling with MIT kerberos library.
       via  f05fbc1 s4-gensec: Check if we have delegated credentials.
       via  cebecff s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue.
       via  2a0e2dd s4-kdc/db-glue: use principal_comp_str{case}cmp.
       via  6d6e411 s4-kdc/db-glue: add principal_comp_str{case}cmp
       via  714862d s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().
       via  0501db1 s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().
       via  78c0cf2 s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().
       via  ba18383 s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy().
       via  f4b087b s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match().
       via  7afd9e6 s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self().
       via  1afd3d3 s4-kdc: build some kdc components only for Heimdal KDCs.
       via  77ede58 lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.
       via  9a0263a s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes.
       via  e6e2ec0 librpc/ndr_nbt: we need to keep a trailing '.' in the last component of an nbt_string
       via  1a78713 lsa.idl: add LSA_POLICY_NOTIFICATION to LSA_POLICY_ALL_ACCESS
       via  c9f68df s4:selftest: run rpc.netlogon.admin against also ad_dc
       via  2ec4a62 torture: Run lsa.trusted.domains auth tests against samba4
       via  f13f75f torture-lsa: Allow rpc.lsa.trusted.domains to run successfully
       via  e5163df s4:torture/rpc: use torture_skip() if torture:Forest_Trust_Dom2_Binding isn't specified for rpc.lsa.forest.trust
       via  9b5c699 s4:torture/rpc: test the old password in test_validate_trust() for rpc.lsa.forest.trust
       via  0133841 s4:torture/rpc: really use LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE in rpc.lsa.forest.trust
       via  8094bfa s4:torture/rpc: use torture_assert*() macros for rpc.lsa.forest.trust
       via  281969d s4:torture/rpc: fix test_EnumTrustDomEx() with existing domains
       via  a156007 s4:rpc_server/lsa: correctly set *r->out.resume_handle with NT_STATUS_OK in lsa_EnumTrustedDomainsEx()
       via  08f91a1 s4:torture/rpc: use unique sids and names for trusted domains
       via  1e782d9 s4:torture/rpc: sync test_LogonControl2Ex with test_LogonControl2
       via  30cb12e s4:torture/rpc: let rpc.netlogon.admin pass against windows 2012r2
       via  038659d s3:rpc_server/netlogon: improve the netr_LogonControl*() error returns
       via  9134681 s4:torture/rpc: let test_LogonControl() also accept WERR_NOT_SUPPORTED for NETLOGON_CONTROL_TRUNCATE_LOG
       via  01cb90a s4:torture/rpc: don't use the same names for 3 different tests
       via  d620f46 libcli/util: let WERR_UNKNOWN_LEVEL be an alias to WERR_INVALID_LEVEL
       via  da4f31e nsswitch: improve error messages in wbinfo calls
       via  dcb2259 s4:heimdal_build: remove allow_warnings=True from HEIMDAL_ASN1()
      from  f0e9ba9 Rename SMB2_OP_FIND to SMB2_OP_QUERY_DIRECTORY so that it conforms with the MS document MS-SMB2.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 14b6e0a599298696d48cbae54d9543f131a3ab95
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 26 09:24:05 2015 +0000

    s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt
    
    smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator at S4XDOM.BASE%A1b2C3d4
    worked while
    smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator at s4xdom.base
    failed, if aes keys are used across the trust.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Fri Mar 27 04:02:05 CET 2015 on sn-devel-104

commit 0dbf1d4c40ac2c6d3856a29738f1b12023d73578
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 26 11:00:10 2015 +0100

    libcli/util: remove unused WERR_BAD_PASSWORD
    
    The values are the same, but WERR_INVALID_PASSWORD matches the documentation.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 6e5d9c2a3d57576303cec75ee5806b5e8bf28c87
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 26 11:00:10 2015 +0100

    libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD
    
    The values are the same, but WERR_INVALID_PASSWORD matches the documentation.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 17e8ad537967f8f5de73c70c79bc06d259bba4ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 26 11:00:10 2015 +0100

    docs-xml/Samba3-HOWTO: add reference to WERR_INVALID_PASSWORD where we had only WERR_BAD_PASSWORD
    
    The values are the same, but WERR_INVALID_PASSWORD matches the documentation
    and the new win_errstr() output.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit cb786dfd7c4022aaf26210e36dd64b36ba44af68
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 24 19:05:10 2015 +0100

    selftest: use dns_lookup_* = true in krb5.conf
    
    We only need to specify explicit entries for the local realm
    in order to provision the server.
    
    Everything else is handled by real dns or faked dns via resolv wrapper.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 4b12fcebaf375d1b622dc624cc16efc1459d635e
Author: Günther Deschner <gd at samba.org>
Date:   Tue Feb 10 13:23:14 2015 +0100

    s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e2eef864316037657996255327e6e47a8e1dc407
Author: Günther Deschner <gd at samba.org>
Date:   Tue Feb 10 13:14:21 2015 +0100

    s4-kdc/db_glue: use smb_krb5_principal_set_type().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 212a9e06c67b7cb234481e49edbd002164b34a96
Author: Günther Deschner <gd at samba.org>
Date:   Tue Feb 10 13:38:41 2015 +0100

    krb5_wrap: fix documentation for smb_krb5_principal_get_comp_string().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e38acb344ac5a5c8197dfd333566df29db826f7d
Author: Günther Deschner <gd at samba.org>
Date:   Tue Feb 10 13:13:01 2015 +0100

    krb5_wrap: add smb_krb5_principal_set_type().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 34ef6b8d20a2aa1552910e6568afc5019937ad42
Author: Günther Deschner <gd at samba.org>
Date:   Sat Feb 7 15:12:45 2015 +0100

    s4-auth: fix DEBUG statement.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit de6021127d2d666280d11ebcf41dd2a64f6591f3
Author: Günther Deschner <gd at samba.org>
Date:   Sat Feb 7 10:48:30 2015 +0100

    gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
    
    When requesting initiator credentials fails, we need to map the error code
    KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
    current MIT kerberos returns.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ac23b7dd52c4bd2649577a25fc41c94998ec8f88
Author: Günther Deschner <gd at samba.org>
Date:   Fri Dec 19 16:35:48 2014 +0100

    s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 023b5af63976558de5de5f6e949ec1ec47a0adb6
Author: Günther Deschner <gd at samba.org>
Date:   Thu Mar 26 11:31:34 2015 +0100

    lib/krb5_wrap: use krb5_const_principal in smb_krb5_get_pw_salt().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a616df1848d65bcbfec745823e312baf230887ee
Author: Günther Deschner <gd at samba.org>
Date:   Thu Mar 26 11:21:06 2015 +0100

    lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b7abdbb0a1686b09aa5d8e833c54c9d575922f85
Author: Günther Deschner <gd at samba.org>
Date:   Tue Jul 29 18:32:20 2014 +0200

    s4-auth: avoid double free of krb5 kt_entries when compiling with MIT kerberos library.
    
    Guenther
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f05fbc14105096da9c9ecd75a6913d57e58c218f
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 29 12:33:49 2014 +0200

    s4-gensec: Check if we have delegated credentials.
    
    With MIT Kerberos it is possible that the GSS_C_DELEG_FLAG is set, but
    the delegated_cred_handle is NULL which results in a NULL-pointer
    dereference. This way we fix it.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cebecffd987d45dc9decd69d10c1dd8f671206bd
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 16 11:44:49 2014 +0200

    s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2a0e2dd52a9e4b140e0986844db31c040aa32cc8
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 16 11:44:02 2014 +0200

    s4-kdc/db-glue: use principal_comp_str{case}cmp.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6d6e411fb8f118dcbc3b77f88b9d19121b29b806
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 15 15:57:06 2014 +0200

    s4-kdc/db-glue: add principal_comp_str{case}cmp
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 714862defd5dc318e3ff4360165ce92be4098cb8
Author: Günther Deschner <gd at samba.org>
Date:   Sat May 10 00:49:44 2014 +0200

    s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0501db1a6767eac7066d6bd67e0c93b0ac4143ec
Author: Günther Deschner <gd at samba.org>
Date:   Sat May 10 00:26:21 2014 +0200

    s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 78c0cf292b138f122e198037646bfdf19e1584fd
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 9 23:26:42 2014 +0200

    s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ba1838300cab30ca42bf2226e00be84067078fff
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 9 14:58:08 2014 +0200

    s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f4b087b4833cde5b20310f46d16020bef87b46c6
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 9 14:56:22 2014 +0200

    s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7afd9e6aca49e78d25d1415ad5739df873c17d94
Author: Günther Deschner <gd at samba.org>
Date:   Fri May 9 14:54:23 2014 +0200

    s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1afd3d32623336b178a90d6cd4ef395a5c6b3c19
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 8 15:15:40 2014 +0200

    s4-kdc: build some kdc components only for Heimdal KDCs.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 77ede580e98bbebaa1707201f3520912e6bccf5c
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 8 14:47:05 2014 +0200

    lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9a0263a7c316112caf0265237bfb2cfb3a3d370d
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 8 14:42:20 2014 +0200

    s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e6e2ec0001fe3c010445e26cc0efddbc1f73416b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 25 15:04:06 2015 +0000

    librpc/ndr_nbt: we need to keep a trailing '.' in the last component of an nbt_string
    
    Windows uses a username of 'domain.example.com.' as username and we need to
    return it that way in the NETLOGON_SAM_LOGON_RESPONSE_EX reply.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 1a787135526f2b4d4c4a51595ac7db115b597e37
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 25 20:15:42 2015 +0100

    lsa.idl: add LSA_POLICY_NOTIFICATION to LSA_POLICY_ALL_ACCESS
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit c9f68df7987ad17c83217c7fad46cd7ee59ecde2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 20:37:23 2015 +0100

    s4:selftest: run rpc.netlogon.admin against also ad_dc
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 2ec4a626b7b82596926c9d1cd45407d0859d5643
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Mar 10 16:23:40 2015 +1300

    torture: Run lsa.trusted.domains auth tests against samba4
    
    We only need to skip the CreateTrustedDomainEx, which the docs strongly suggested not to use
    in any case.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit f13f75f7f0098de3ce9e82f02265740e65089033
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Mar 10 16:04:30 2015 +1300

    torture-lsa: Allow rpc.lsa.trusted.domains to run successfully
    
    We need to create a new binding, as the old binding has the wrong pipe in it (lsa, not netlogon).
    
    Otherwise, we try to bind using the LSA UUID on the netlogon pipe, and Samba rejects that
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit e5163dfd57694351bf556565e92f74b71221db29
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 10:14:29 2015 +0100

    s4:torture/rpc: use torture_skip() if torture:Forest_Trust_Dom2_Binding isn't specified for rpc.lsa.forest.trust
    
    We should exit 0 in this case, as it's not really an error.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 9b5c699ef0217ae544043cc4bcd824f69317603d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 10:14:29 2015 +0100

    s4:torture/rpc: test the old password in test_validate_trust() for rpc.lsa.forest.trust
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 0133841da09a94fd4d738e5f28891ba0b01bfed7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 10:14:29 2015 +0100

    s4:torture/rpc: really use LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE in rpc.lsa.forest.trust
    
    We really want to test forest trust and not external trusts here!
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 8094bfa2f445f79de9baeecd2994025ddd55caa2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 10 10:14:29 2015 +0100

    s4:torture/rpc: use torture_assert*() macros for rpc.lsa.forest.trust
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 281969ddb20a0a54f831ab8f2f9ad578e7759daf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 24 00:16:29 2015 +0100

    s4:torture/rpc: fix test_EnumTrustDomEx() with existing domains
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit a15600727f83c14e54d3991a07e37a1e0b977cb3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 24 02:13:10 2015 +0100

    s4:rpc_server/lsa: correctly set *r->out.resume_handle with NT_STATUS_OK in lsa_EnumTrustedDomainsEx()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 08f91a1f29a31f7193d0e7c0d80c85d3d0c31082
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 23:15:45 2015 +0100

    s4:torture/rpc: use unique sids and names for trusted domains
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 1e782d96956f7baca911343252ce2079e9d7c6da
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 13:30:11 2015 +0100

    s4:torture/rpc: sync test_LogonControl2Ex with test_LogonControl2
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 30cb12e7d22280d05dafe7258eb3ab47cf1f648f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 16:01:31 2015 +0100

    s4:torture/rpc: let rpc.netlogon.admin pass against windows 2012r2
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 038659dcbbcb241fa7193c9cc575a999d2b8c764
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 24 13:29:14 2015 +0100

    s3:rpc_server/netlogon: improve the netr_LogonControl*() error returns
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 9134681e9fb8fe1e04cd62592560d6a9961407ac
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 15:32:59 2015 +0100

    s4:torture/rpc: let test_LogonControl() also accept WERR_NOT_SUPPORTED for NETLOGON_CONTROL_TRUNCATE_LOG
    
    There's no reason to have this implemented in samba.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 01cb90ad121bd6fcf3516c12e53fccb1c97f246c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 16:02:19 2015 +0100

    s4:torture/rpc: don't use the same names for 3 different tests
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit d620f462ffe551e7720efc18e48866eed4b97d41
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 23 11:32:55 2015 +0100

    libcli/util: let WERR_UNKNOWN_LEVEL be an alias to WERR_INVALID_LEVEL
    
    WERR_INVALID_LEVEL is the documented name that should be printed
    in logs.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit da4f31e1c96d98052687bed6f55d21767440bf91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 21 17:31:30 2015 +0100

    nsswitch: improve error messages in wbinfo calls
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit dcb22590ca6067a32d60b81fac3749fc6fdf7853
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 21 10:00:22 2015 +0100

    s4:heimdal_build: remove allow_warnings=True from HEIMDAL_ASN1()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml |   2 +-
 lib/krb5_wrap/krb5_samba.c                      |  31 +-
 lib/krb5_wrap/krb5_samba.h                      |   8 +-
 libcli/auth/smbencrypt.c                        |   6 +-
 libcli/util/doserr.c                            |   3 -
 libcli/util/werror.h                            |   5 +-
 librpc/idl/lsa.idl                              |   3 +-
 librpc/ndr/ndr_nbt.c                            |   4 +
 nsswitch/wbinfo.c                               |  27 +-
 selftest/knownfail                              |  10 +-
 selftest/target/Samba.pm                        |   7 +-
 selftest/target/Samba4.pm                       |  14 +-
 source3/libads/kerberos.c                       |   2 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c     |  62 ++--
 source4/auth/gensec/gensec_gssapi.c             |  12 +-
 source4/auth/gensec/gensec_krb5.c               |   2 +-
 source4/auth/kerberos/srv_keytab.c              |  11 +-
 source4/heimdal_build/wscript_build             |   2 +-
 source4/heimdal_build/wscript_configure         |   1 +
 source4/kdc/db-glue.c                           | 141 +++++---
 source4/kdc/db-glue.h                           |   6 +-
 source4/kdc/hdb-samba4.c                        |  17 +-
 source4/kdc/mit_samba.c                         |  16 +-
 source4/kdc/pac-glue.c                          |  20 +-
 source4/kdc/pac-glue.h                          |   8 +-
 source4/kdc/wdc-samba4.c                        |  24 +-
 source4/kdc/wscript_build                       |   6 +-
 source4/rpc_server/lsa/dcesrv_lsa.c             |   2 +
 source4/selftest/tests.py                       |   2 +-
 source4/torture/rpc/forest_trust.c              | 432 ++++++++++--------------
 source4/torture/rpc/lsa.c                       |  75 +++-
 source4/torture/rpc/netlogon.c                  |  88 ++++-
 wscript_configure_system_mitkrb5                |   1 +
 33 files changed, 601 insertions(+), 449 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
index 807334e..17ed170 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-CUPS-printing.xml
@@ -4847,7 +4847,7 @@ cupsomatic</link> show how CUPS handles print jobs.
 
 	<para>
 	If <command>cupsaddsmb</command>, or <command>rpcclient addriver</command> emit the error message
-	WERR_BAD_PASSWORD, refer to <link linkend="root-ask-loop">the previous common error</link>.
+	WERR_BAD_PASSWORD/WERR_INVALID_PASSWORD, refer to <link linkend="root-ask-loop">the previous common error</link>.
 	</para>
 	
 	</sect2>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 5f0378b..22975c1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -153,7 +153,7 @@ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
 * @return krb5_error_code
 */
 int smb_krb5_create_key_from_string(krb5_context context,
-				    krb5_principal *host_princ,
+				    krb5_const_principal host_princ,
 				    krb5_data *salt,
 				    krb5_data *password,
 				    krb5_enctype enctype,
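Review bot: The host_princ parameter of smb_krb5_create_key_from_string() loses a level of indirection here (krb5_principal * becomes krb5_const_principal), so every existing caller that passes &princ must be changed in the same commit. Depending on compiler flags, a stale caller may only produce an incompatible-pointer warning rather than a build failure, and the function would then treat the address of the handle as the principal itself. Please confirm all in-tree callers are converted, and update the doc comment above the function if it still describes a pointer to the principal.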
@@ -170,7 +170,7 @@ int smb_krb5_create_key_from_string(krb5_context context,
 	krb5_data _salt;
 
 	if (salt == NULL) {
-		ret = krb5_principal2salt(context, *host_princ, &_salt);
+		ret = krb5_principal2salt(context, host_princ, &_salt);
 		if (ret) {
 			DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
 			return ret;
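Review bot: In the salt == NULL branch, host_princ is passed to krb5_principal2salt() without being checked. Now that the parameter is the principal itself rather than a pointer to it, a caller supplying neither a salt nor a principal hands NULL directly to the Kerberos library. A guard that returns an error when both salt and host_princ are NULL would make the contract explicit; the same applies to the krb5_get_pw_salt() branch in the next hunk.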
@@ -188,7 +188,7 @@ int smb_krb5_create_key_from_string(krb5_context context,
 	krb5_salt _salt;
 
 	if (salt == NULL) {
-		ret = krb5_get_pw_salt(context, *host_princ, &_salt);
+		ret = krb5_get_pw_salt(context, host_princ, &_salt);
 		if (ret) {
 			DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 			return ret;
@@ -223,7 +223,7 @@ int smb_krb5_create_key_from_string(krb5_context context,
 */
 
 int smb_krb5_get_pw_salt(krb5_context context,
-			 krb5_principal host_princ,
+			 krb5_const_principal host_princ,
 			 krb5_data *psalt)
 #if defined(HAVE_KRB5_GET_PW_SALT)
 /* Heimdal */
@@ -925,7 +925,7 @@ done:
  *
  */
 
-/* caller has to free returned string with free() */
+/* caller has to free returned string with talloc_free() */
 char *smb_krb5_principal_get_comp_string(TALLOC_CTX *mem_ctx,
 					 krb5_context context,
 					 krb5_const_principal principal,
@@ -2603,6 +2603,27 @@ int smb_krb5_principal_get_type(krb5_context context,
 }
 
 /**
+* @brief Set the type of a krb5_principal
+*
+* @param context	The krb5_context
+* @param principal	The const krb5_principal
+* @param type		The principal type
+*
+*/
+void smb_krb5_principal_set_type(krb5_context context,
+				 krb5_principal principal,
+				 int type)
+{
+#ifdef HAVE_KRB5_PRINCIPAL_SET_TYPE /* Heimdal */
+	krb5_principal_set_type(context, principal, type);
+#elif defined(krb5_princ_type) /* MIT */
+	krb5_princ_type(context, principal) = type;
+#else
+#error	UNKNOWN_PRINC_SET_TYPE_FUNCTION
+#endif
+}
+
+/**
 * @brief Generate a krb5 warning, forwarding to com_err
 *
 * @param context	The krb5_context
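Review bot: The doc comment for smb_krb5_principal_set_type() describes the principal parameter as "The const krb5_principal", but the parameter is a non-const krb5_principal and the function writes to it. This looks copied from the getter; the line should read something like "The krb5_principal to modify". It would also help to document that the MIT branch depends on krb5_princ_type being a macro, since `#elif defined(krb5_princ_type)` falls through to the #error otherwise.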
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 189dcf9..12711e8 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -263,6 +263,10 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
 char *smb_krb5_principal_get_realm(krb5_context context,
 				   krb5_const_principal principal);
 
+void smb_krb5_principal_set_type(krb5_context context,
+				 krb5_principal principal,
+				 int type);
+
 krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
 					     krb5_principal principal,
 					     const char *realm);
@@ -309,11 +313,11 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
 					     uint32_t enctype_bitmap,
 					     krb5_enctype **enctypes);
 int smb_krb5_get_pw_salt(krb5_context context,
-			 krb5_principal host_princ,
+			 krb5_const_principal host_princ,
 			 krb5_data *psalt);
 
 int smb_krb5_create_key_from_string(krb5_context context,
-				    krb5_principal *host_princ,
+				    krb5_const_principal host_princ,
 				    krb5_data *salt,
 				    krb5_data *password,
 				    krb5_enctype enctype,
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index ec819cd..e9eaadf 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -766,12 +766,12 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 	*pwd = NULL;
 
 	if (!pwd_buf) {
-		return WERR_BAD_PASSWORD;
+		return WERR_INVALID_PASSWORD;
 	}
 
 	if (session_key->length != 16) {
 		DEBUG(10,("invalid session key\n"));
-		return WERR_BAD_PASSWORD;
+		return WERR_INVALID_PASSWORD;
 	}
 
 	confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
@@ -788,7 +788,7 @@ WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
 
 	if (!decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, CH_UTF16)) {
 		data_blob_free(&confounded_session_key);
-		return WERR_BAD_PASSWORD;
+		return WERR_INVALID_PASSWORD;
 	}
 
 	data_blob_free(&confounded_session_key);
diff --git a/libcli/util/doserr.c b/libcli/util/doserr.c
index f16db42..5076c37 100644
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@@ -43,10 +43,8 @@ static const struct werror_code_struct dos_errs[] =
 	{ "WERR_INVALID_PARAM", WERR_INVALID_PARAM },
 	{ "WERR_NOT_SUPPORTED", WERR_NOT_SUPPORTED },
 	{ "WERR_DUP_NAME", WERR_DUP_NAME },
-	{ "WERR_BAD_PASSWORD", WERR_BAD_PASSWORD },
 	{ "WERR_NOMEM", WERR_NOMEM },
 	{ "WERR_INVALID_NAME", WERR_INVALID_NAME },
-	{ "WERR_UNKNOWN_LEVEL", WERR_UNKNOWN_LEVEL },
 	{ "WERR_OBJECT_PATH_INVALID", WERR_OBJECT_PATH_INVALID },
 	{ "WERR_ALREADY_EXISTS", WERR_ALREADY_EXISTS },
 	{ "WERR_NO_MORE_ITEMS", WERR_NO_MORE_ITEMS },
@@ -2707,7 +2705,6 @@ const struct werror_str_struct dos_err_strs[] = {
 	{ WERR_ACCESS_DENIED, "Access is denied" },
 	{ WERR_INVALID_PARAM, "Invalid parameter" },
 	{ WERR_NOT_SUPPORTED, "Not supported" },
-	{ WERR_BAD_PASSWORD, "A bad password was supplied" },
 	{ WERR_NOMEM, "Out of memory" },
 	{ WERR_NO_LOGON_SERVERS, "No logon servers found" },
 	{ WERR_NO_SUCH_LOGON_SESSION, "No such logon session" },
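Review bot: Removing the WERR_BAD_PASSWORD row from dos_err_strs (and the WERR_BAD_PASSWORD and WERR_UNKNOWN_LEVEL rows from dos_errs in the previous hunk) is only safe if both tables already carry entries for WERR_INVALID_PASSWORD and WERR_INVALID_LEVEL; that is not visible in these hunks, so please confirm it, otherwise 0x56 and 0x7C lose their name and description. The printed name also changes for anything that matches on the old strings in logs or test output, which deserves a line in the release notes alongside the HOWTO update.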
diff --git a/libcli/util/werror.h b/libcli/util/werror.h
index 4c14b7f..c23de4c 100644
--- a/libcli/util/werror.h
+++ b/libcli/util/werror.h
@@ -98,13 +98,11 @@ typedef uint32_t WERROR;
 #define WERR_NO_SPOOL_SPACE W_ERROR(0x0000003E)
 #define WERR_NO_SUCH_SHARE W_ERROR(0x00000043)
 #define WERR_FILE_EXISTS W_ERROR(0x00000050)
-#define WERR_BAD_PASSWORD W_ERROR(0x00000056)
 #define WERR_INVALID_PARAM W_ERROR(0x00000057)
 #define WERR_CALL_NOT_IMPLEMENTED W_ERROR(0x00000078)
 #define WERR_SEM_TIMEOUT W_ERROR(0x00000079)
 #define WERR_INSUFFICIENT_BUFFER W_ERROR(0x0000007A)
 #define WERR_INVALID_NAME W_ERROR(0x0000007B)
-#define WERR_UNKNOWN_LEVEL W_ERROR(0x0000007C)
 #define WERR_OBJECT_PATH_INVALID W_ERROR(0x000000A1)
 #define WERR_ALREADY_EXISTS W_ERROR(0x000000B7)
 #define WERR_MORE_DATA W_ERROR(0x000000EA)
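Review bot: removing WERR_BAD_PASSWORD (0x00000056) in favour of WERR_INVALID_PASSWORD only leaves the wire behaviour unchanged if WERR_INVALID_PASSWORD carries the same value, and that definition is not part of this hunk. State the equivalence in the commit message so a reader does not have to look up the auto-generated section to confirm that clients see the same code as before.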
@@ -261,6 +259,9 @@ typedef uint32_t WERROR;
 /* Generic error code aliases */
 #define WERR_FOOBAR WERR_GENERAL_FAILURE
 
+/* TODO: remove WERR_UNKNOWN_LEVEL in all callers */
+#define WERR_UNKNOWN_LEVEL WERR_INVALID_LEVEL
+
 /*****************************************************************************
  Auto-generated Win32 error from:
  http://msdn.microsoft.com/en-us/library/cc231199%28PROT.10%29.aspx
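Review bot: the TODO alias for WERR_UNKNOWN_LEVEL leaves two spellings in use within this same patch: srv_netlog_nt.c still returns WERR_UNKNOWN_LEVEL in _netr_LogonControl while the code added to _netr_LogonControl2Ex returns WERR_INVALID_LEVEL. Convert the callers touched by this series now, so the alias only covers code the series does not modify, and consider placing it next to the other aliases with a note on when it can be deleted.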
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 09ddf71..7c96a89 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -157,7 +157,8 @@ import "misc.idl", "security.idl";
 		LSA_POLICY_SET_AUDIT_REQUIREMENTS	|
 		LSA_POLICY_AUDIT_LOG_ADMIN		|
 		LSA_POLICY_SERVER_ADMIN			|
-		LSA_POLICY_LOOKUP_NAMES);
+		LSA_POLICY_LOOKUP_NAMES			|
+		LSA_POLICY_NOTIFICATION);
 
 	const int LSA_POLICY_READ =
 		(STANDARD_RIGHTS_READ_ACCESS		|
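Review bot: OR-ing LSA_POLICY_NOTIFICATION into this combined mask changes the numeric value of a constant that callers pass as desired access, and the name of the constant is outside the visible context. The commit message should name the mask and explain why the bit was missing, and a test that opens a policy handle with the combined mask would show that the wider request is still granted.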
diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
index 842e972..ada1335 100644
--- a/librpc/ndr/ndr_nbt.c
+++ b/librpc/ndr/ndr_nbt.c
@@ -179,6 +179,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_nbt_string(struct ndr_push *ndr, int ndr_fla
 					      (unsigned)complen, (unsigned)complen);
 		}
 
+		if (s[complen] == '.' && s[complen+1] == '\0') {
+			complen++;
+		}
+
 		compname = talloc_asprintf(ndr, "%c%*.*s",
 						(unsigned char)complen,
 						(unsigned char)complen,
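Review bot: the new trailing-dot branch increments complen after the check whose error path ends just above (the one that formats complen into its message), so the incremented value is never re-validated before it is narrowed with (unsigned char)complen and emitted as the length byte. Either make the trailing-dot adjustment before that check or repeat the bound check after complen++, and add a comment explaining why a final "." is folded into the last component.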
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 18c7209..bde0d43 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -752,8 +752,8 @@ static bool wbinfo_check_secret(const char *domain)
 		WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
-		d_fprintf(stderr, "error code was %s (0x%x)\n",
-			  error->nt_string, error->nt_status);
+		d_fprintf(stderr, "wbcCheckTrustCredentials(%s): error code was %s (0x%x)\n",
+			  domain_name, error->nt_string, error->nt_status);
 		wbcFreeMemory(error);
 	}
 	if (!WBC_ERROR_IS_OK(wbc_status)) {
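Review bot: the new format string passes domain_name to %s, but the parameter shown in the hunk header is domain, so domain_name has to be a local set outside the visible context. Confirm it is always non-NULL by the time this error path runs. The same applies to the wbinfo_change_secret and wbinfo_ping_dc hunks that follow.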
@@ -811,8 +811,8 @@ static bool wbinfo_change_secret(const char *domain)
 		WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
-		d_fprintf(stderr, "error code was %s (0x%x)\n",
-			  error->nt_string, error->nt_status);
+		d_fprintf(stderr, "wbcChangeTrustCredentials(%s): error code was %s (0x%x)\n",
+			  domain_name, error->nt_string, error->nt_status);
 		wbcFreeMemory(error);
 	}
 	if (!WBC_ERROR_IS_OK(wbc_status)) {
@@ -849,8 +849,8 @@ static bool wbinfo_ping_dc(const char *domain)
 
 	wbcFreeMemory(dcname);
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
-		d_fprintf(stderr, "error code was %s (0x%x)\n",
-			  error->nt_string, error->nt_status);
+		d_fprintf(stderr, "wbcPingDc2(%s): error code was %s (0x%x)\n",
+			  domain_name, error->nt_string, error->nt_status);
 		wbcFreeMemory(error);
 		return false;
 	}
@@ -1584,8 +1584,9 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32_t flags)
 
 	if (error) {
 		d_fprintf(stderr,
-			 "error code was %s (0x%x)\nerror message was: %s\n",
-			 error->nt_string,
+			 "wbcLogonUser(%s): error code was %s (0x%x)\n"
+			 "error message was: %s\n",
+			 params.username, error->nt_string,
 			 error->nt_status,
 			 error->display_string);
 	}
@@ -1756,7 +1757,11 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
 		d_fprintf(stderr,
-			 "error code was %s (0x%x)\nerror message was: %s\n",
+			 "wbcAuthenticateUserEx(%s%c%s): error code was %s (0x%x)\n"
+			 "error message was: %s\n",
+			 name_domain,
+			 winbind_separator(),
+			 name_user,
 			 err->nt_string,
 			 err->nt_status,
 			 err->display_string);
@@ -1830,7 +1835,9 @@ static bool wbinfo_pam_logon(char *username)
 
 	if (!WBC_ERROR_IS_OK(wbc_status) && (error != NULL)) {
 		d_fprintf(stderr,
-			  "error code was %s (0x%x)\nerror message was: %s\n",
+			  "wbcLogonUser(%s): error code was %s (0x%x)\n"
+			  "error message was: %s\n",
+			  params.username,
 			  error->nt_string,
 			  (int)error->nt_status,
 			  error->display_string);
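Review bot: style point on the argument list here: this call passes (int)error->nt_status to %x, while the wbinfo_auth_krb5 hunk above passes error->nt_status to the same conversion without a cast. Since both call sites are being reworked to the same message layout, use one form in both.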
diff --git a/selftest/knownfail b/selftest/knownfail
index 598fb4d..1cf34da 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -90,6 +90,7 @@
 ^samba4.rpc.netlogon.*.DatabaseSync2
 ^samba4.rpc.netlogon.*.LogonControl\(.*\)$
 ^samba4.rpc.netlogon.*.LogonControl2\(.*\)$
+^samba4.rpc.netlogon.*.LogonControl2Ex\(.*\)$
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomains
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
 ^samba4.rpc.netlogon.*.GetPassword
@@ -233,12 +234,9 @@
 #
 # The Samba4 netlogon server does not implement these LogonControl operations
 #
-^samba3.rpc.netlogon.admin.netlogon.LogonControl2\(ad_dc\)
-^samba3.rpc.netlogon.admin.netlogon.LogonControl\(ad_dc\)
-^samba3.rpc.netlogon.admin.netlogon.LogonControl2\(ad_dc\)
-^samba3.rpc.netlogon.admin.netlogon.LogonControl\(ad_dc\)
-^samba3.rpc.netlogon.admin.netlogon.LogonControl2\(ad_dc\)
-^samba3.rpc.netlogon.admin.netlogon.LogonControl\(ad_dc\)
+^samba3.rpc.netlogon.admin.*.LogonControl2Ex\(ad_dc\)
+^samba3.rpc.netlogon.admin.*.LogonControl2\(ad_dc\)
+^samba3.rpc.netlogon.admin.*.LogonControl\(ad_dc\)
 #
 # The Samba4 winbind does not cover the full winbind protocol, so these are expected
 #
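Review bot: the three replacement patterns use admin.* where the removed entries named admin.netlogon explicitly, so any future samba3.rpc.netlogon test whose name starts with "admin" and ends in one of these operations is silently treated as a known failure. If the wildcard is needed to cover several concrete test names, list them in the comment above; otherwise keep the explicit component. The comment still says "these LogonControl operations", so it should mention that LogonControl2Ex is now included.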
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index d8f332c..4b7313b 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -77,7 +77,7 @@ sub nss_wrapper_winbind_so_path($) {
 
 sub mk_krb5_conf($$)
 {
-	my ($ctx, $other_realms_stanza) = @_;
+	my ($ctx) = @_;
 
 	unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
 	        warn("can't open $ctx->{krb5_conf}$?");
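Review bot: the prototype on sub mk_krb5_conf is still ($$) although the body now reads a single argument and both callers in Samba4.pm are changed to pass only $ctx. Change the prototype to ($) in the same commit so the declaration matches the new call signature.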
@@ -93,15 +93,14 @@ sub mk_krb5_conf($$)
 
 [libdefaults]
  default_realm = $ctx->{realm}
- dns_lookup_realm = false
- dns_lookup_kdc = false
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = yes
 
 [realms]
  $our_realms_stanza
- $other_realms_stanza
 ";
 
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 26d3614..40e13fc 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -697,7 +697,7 @@ sub provision_raw_step1($$)
 		$ctx->{kdc_ipv6} = $ctx->{ipv6};
 	}
 
-	Samba::mk_krb5_conf($ctx, "");
+	Samba::mk_krb5_conf($ctx);
 
 	open(PWD, ">$ctx->{nsswrap_passwd}");
 	if ($ctx->{unix_uid} != 0) {
@@ -1388,17 +1388,7 @@ sub provision_subdom_dc($$$)
 		return undef;
 	}
 
-        # This ensures we share the krb5.conf with the main DC, so
-        # they can find each other.  Sadly only works between 'dc' and
-        # 'subdom_dc', the other DCs won't see it
-
-        my $dc_realms = Samba::mk_realms_stanza($dcvars->{REALM}, lc($dcvars->{REALM}),
-                                                $dcvars->{DOMAIN}, $dcvars->{SERVER_IP});
-
-        $ret->{KRB5_CONFIG} = $dcvars->{KRB5_CONFIG};
-        $ctx->{krb5_conf} = $dcvars->{KRB5_CONFIG};
-
-	Samba::mk_krb5_conf($ctx, $dc_realms);
+	Samba::mk_krb5_conf($ctx);
 
 	my $samba_tool =  Samba::bindir_path($self, "samba-tool");
 	my $cmd = "";
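Review bot: the removed comment explained why the subdomain DC shared the main DC's krb5.conf ("so they can find each other"), and the replacement call carries no explanation of what provides that now. Add a short comment here or in mk_krb5_conf saying that realm and KDC discovery relies on dns_lookup_realm and dns_lookup_kdc being true, so the dependency on working DNS in the test environment is visible. Also check whether Samba::mk_realms_stanza still has callers after this removal.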
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d5e0238..d5d8e2a 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -491,7 +491,7 @@ int create_kerberos_key_from_string(krb5_context context,
 	}
 	salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
 	ret = smb_krb5_create_key_from_string(context,
-					      salt_princ ? &salt_princ : &host_princ,
+					      salt_princ ? salt_princ : host_princ,
 					      NULL,
 					      password,
 					      enctype,
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 41cb487..e0c1b85 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -75,6 +75,19 @@ WERROR _netr_LogonControl(struct pipes_struct *p,
 		return WERR_UNKNOWN_LEVEL;
 	}
 
+	switch (r->in.function_code) {
+	case NETLOGON_CONTROL_QUERY:
+	case NETLOGON_CONTROL_REPLICATE:
+	case NETLOGON_CONTROL_SYNCHRONIZE:
+	case NETLOGON_CONTROL_PDC_REPLICATE:
+	case NETLOGON_CONTROL_BREAKPOINT:
+	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+	case NETLOGON_CONTROL_TRUNCATE_LOG:
+		break;
+	default:
+		return WERR_NOT_SUPPORTED;
+	}
+
 	l.in.logon_server	= r->in.logon_server;
 	l.in.function_code	= r->in.function_code;
 	l.in.level		= r->in.level;
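Review bot: the new function_code switch in _netr_LogonControl has no comment saying why exactly these seven codes are accepted and everything else gets WERR_NOT_SUPPORTED; a one-line comment or a reference to the protocol text it follows would keep the list from drifting. Note also the ordering against the level check just above, which still returns WERR_UNKNOWN_LEVEL: a request with both a bad level and an unsupported function code reports the level error first, which is worth confirming as the intended precedence.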
@@ -184,7 +197,6 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
 	struct netr_NETLOGON_INFO_3 *info3;
 	struct netr_NETLOGON_INFO_4 *info4;
 	const char *fn;
-	uint32_t acct_ctrl;
 	NTSTATUS status;
 	struct netr_DsRGetDCNameInfo *dc_info;
 
@@ -202,27 +214,41 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
 		return WERR_INVALID_PARAM;
 	}
 
-	acct_ctrl = p->session_info->info->acct_flags;
+	switch (r->in.level) {
+	case 1:
+	case 2:
+	case 3:
+	case 4:
+		break;
+	default:
+		return WERR_INVALID_LEVEL;
+	}
 
 	switch (r->in.function_code) {
-	case NETLOGON_CONTROL_TC_VERIFY:
-	case NETLOGON_CONTROL_CHANGE_PASSWORD:
-	case NETLOGON_CONTROL_REDISCOVER:
+	case NETLOGON_CONTROL_QUERY:
+		break;
+	default:
 		if ((geteuid() != sec_initial_uid()) &&
 		    !nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS) &&
-		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token) &&
-		    !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
+		    !nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token))
+		{
 			return WERR_ACCESS_DENIED;
 		}
 		break;
-	default:
-		break;
 	}
 
 	tc_status = WERR_NO_SUCH_DOMAIN;
 
 	switch (r->in.function_code) {
 	case NETLOGON_CONTROL_QUERY:
+		switch (r->in.level) {
+		case 1:
+		case 3:
+			break;
+		default:
+			return WERR_INVALID_PARAMETER;
+		}
+
 		tc_status = WERR_OK;
 		break;
 	case NETLOGON_CONTROL_REPLICATE:
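Review bot: the commit message should call out that the rewritten access check in the first function_code switch drops the ACB_WSTRUST | ACB_SVRTRUST exemption and now guards every function code except NETLOGON_CONTROL_QUERY, since callers authenticated as workstation or server trust accounts will start receiving WERR_ACCESS_DENIED; a test with such a caller would pin the new behaviour. Separately, the nested level check under NETLOGON_CONTROL_QUERY returns WERR_INVALID_PARAMETER while the context line at the top of this hunk returns WERR_INVALID_PARAM; use one spelling within the function.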
@@ -230,26 +256,12 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
 	case NETLOGON_CONTROL_PDC_REPLICATE:
 	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
 	case NETLOGON_CONTROL_BREAKPOINT:
-		if (acct_ctrl & ACB_NORMAL) {
-			return WERR_NOT_SUPPORTED;
-		} else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
-			return WERR_ACCESS_DENIED;
-		} else {
-			return WERR_ACCESS_DENIED;
-		}
 	case NETLOGON_CONTROL_TRUNCATE_LOG:
-		if (acct_ctrl & ACB_NORMAL) {
-			break;


-- 
Samba Shared Repository

