[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Mon Mar 30 08:19:05 MDT 2015
The branch, master has been updated
via 9bcd27d s4-torture: add test to verify nbt_name with "." ending handling.
via 9842a5d s4-torture: use torture_comment instead of printf in raw notify test.
via c6f18b9 s4-torture: use tctx variable name in raw notify test consistently.
via b3a688c s4:torture:raw:notify: torture_assert on creation of secondary tcon
via 65504bc s4:torture:raw:notify: use torture_assert instead of printf in test_notify_tree
via 8e4d146 s4:torture:raw:notify: let NOTIFY_MASK_TEST use torture_assert macros
via cf2f75c s4:torture:raw:notify: remove extra do-loop in NOTIFY_MASK_TEST macro.
via 0aebd5f s4:torture:raw:notify: use torture_assert instead of printf in failure case
via 60b7a60 s4:torture:raw:notify: remove superfluous conditional goto
via 967a0cd s4:torture:raw:notify: treat torture_open_connection calls with torture_assert
via 47d75aa s4:torture:raw:notify: use torture_assert with torture_setup_dir
via 1529f44 s4:torture:raw:notify: add a few comments to torture_assert calls
via 1b305c8 s4:torture:raw:notify: improve the CHECK_WSTR() macro
via 17ce9f4 s4:torture:raw:notify: make check_rename_reply() properly use torture_result
via d9e01f1 s4:torture:raw:notify: remove CHECK_WSTR2.
via 8d1d1e0 s4:torture:raw:notify: remove CHECK_VAL.
via f0a113a s4:torture:raw:notify: remove CHECK_STATUS.
via 4de622b torture: add torture_assert_not_null[_goto]
via bc858fd torture: add torture_assert_int_not_equal_goto
via 54e68e9 s3:trusts_util: generate completely random passwords in trust_pw_change()
via 3e1e587 s3:trusts_util: pass new_trust_version to netlogon_creds_cli_ServerPasswordSet() in trust_pw_change()
via 99ebb92 s3:trusts_util: make use of pdb_get_trust_credentials() and pdb_get_trusted_domain() in trust_pw_change()
via 50605dd s3:trusts_util: add support for SEC_CHAN_DNS_DOMAIN in trust_pw_change()
via df13bf7 s3:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
via 6f8b868 s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
via 73a4387 s4:rpc_server/lsa: notify winbindd about new trusted domains
via dda25b0 s3:winbindd: add MSG_WINBIND_NEW_TRUSTED_DOMAIN that takes a lsa_TrustDomainInfoInfoEx
via 3c7c981 lsa.idl: mark lsa_TrustDomainInfoInfoEx as public
via 345e2fe s4:selftest: run dbcheck against the ad_dc environment too
via 654d63b s4:rpc_server/lsa: implement the policy security descriptor
via a09f9cf s4:rpc_server/lsa: normalize the access_mask for lsa account objects
via 2dcef48 libcli/security: add security_descriptor_for_client() helper function
via 77f0763 libcli/security: support "IS" in SDDL for SID_NT_IUSR
via 337d86f s3:rpcclient: only require netlogon_creds for specified netlogon calls
from c3747f9 Check for third party Python modules during configure.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9bcd27df5d4620d869d3314ee4d47fbb55d29097
Author: Günther Deschner <gd at samba.org>
Date: Fri Mar 27 15:31:36 2015 +0100
s4-torture: add test to verify nbt_name with "." ending handling.
Windows uses a username of 'domain.example.com.' and we need to return it that
way in the NETLOGON_SAM_LOGON_RESPONSE_EX.
See e6e2ec0001fe3c010445e26cc0efddbc1f73416b for further details.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Mon Mar 30 16:18:04 CEST 2015 on sn-devel-104
commit 9842a5d1d2b8740ab533c550d10d069707fc2122
Author: Günther Deschner <gd at samba.org>
Date: Fri Mar 27 17:47:42 2015 +0100
s4-torture: use torture_comment instead of printf in raw notify test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit c6f18b953543af2fbdc4bffdf35833d342aa78ff
Author: Günther Deschner <gd at samba.org>
Date: Fri Mar 27 17:40:16 2015 +0100
s4-torture: use tctx variable name in raw notify test consistently.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit b3a688c1b7f3d40dd7e1732dce609e0c93ebd0c9
Author: Michael Adam <obnox at samba.org>
Date: Fri Mar 27 10:34:34 2015 +0100
s4:torture:raw:notify: torture_assert on creation of secondary tcon
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 65504bc8e472d2cf936a04be19bfc9b11a53a686
Author: Michael Adam <obnox at samba.org>
Date: Fri Mar 27 10:25:17 2015 +0100
s4:torture:raw:notify: use torture_assert instead of printf in test_notify_tree
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 8e4d1463cbba45dcb103f1ed828562caae9a1858
Author: Michael Adam <obnox at samba.org>
Date: Fri Mar 27 10:19:26 2015 +0100
s4:torture:raw:notify: let NOTIFY_MASK_TEST use torture_assert macros
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit cf2f75ca4a3601af00454a6d1270561532fa51ab
Author: Michael Adam <obnox at samba.org>
Date: Fri Mar 27 00:43:30 2015 +0100
s4:torture:raw:notify: remove extra do-loop in NOTIFY_MASK_TEST macro.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 0aebd5f0fe421c51ed6976389ffd82775871141b
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:41:06 2015 +0100
s4:torture:raw:notify: use torture_assert instead of printf in failure case
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 60b7a6057d170df2a604b8a055bee39860ec54ee
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:36:52 2015 +0100
s4:torture:raw:notify: remove superfluous conditional goto
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 967a0cdbeba9211044ddc36f7e729a83bafe7c31
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:22:08 2015 +0100
s4:torture:raw:notify: treat torture_open_connection calls with torture_assert
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 47d75aa1e5caca41d1c7bd0ef217ae601ff461f6
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:18:43 2015 +0100
s4:torture:raw:notify: use torture_assert with torture_setup_dir
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 1529f44ae318e78d23814b7d5fea15713a6d7d84
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:13:58 2015 +0100
s4:torture:raw:notify: add a few comments to torture_assert calls
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 1b305c8a358c495ab69d01d84ae4ff0326812bfa
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:11:16 2015 +0100
s4:torture:raw:notify: improve the CHECK_WSTR() macro
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 17ce9f428c580fbba61641350de8b56b3e9da785
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 19:08:26 2015 +0100
s4:torture:raw:notify: make check_rename_reply() properly use torture_result
Only change currently: the CHECK_WSTR calls report the line
number of this function now instead of the handed in
line of the callers. This could be fixed by turning this
function into a macro...
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit d9e01f1d77c2ff87a9dc31cdf1789a3df785cd4c
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 18:58:05 2015 +0100
s4:torture:raw:notify: remove CHECK_WSTR2.
The original CHECK_WSTR() macro was not setting torture failure,
leading to errors instead of propoer failures.
The original CHECK_WSTR2() macro was exactly like the CHECK_WSTR
macro but using propoer torture_result() calls.
This patch removes the original CHECK_WSTR(), renames CHECK_WSTR2
to CHECK_WSTR and adapts the callers, hence removing the source
of many potential missing torture_assert messages.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 8d1d1e0f06860170697dbe0132df76b00a8ca9f5
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 18:45:47 2015 +0100
s4:torture:raw:notify: remove CHECK_VAL.
This macro is not setting torture failure, leading to errors instead
of failures. Use torture_assert_ntstatus_(ok|equal)* macros.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit f0a113a06eded57bbf8067e965d900ed06b6e41a
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 12:00:15 2015 +0100
s4:torture:raw:notify: remove CHECK_STATUS.
This macro is not setting torture failure, leading to errors instead
of failures. Use torture_assert_ntstatus_(ok|equal)* macros.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 4de622b6b1a6b5eb1d4984872fbcfd94666a84db
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 26 21:20:23 2015 +0100
torture: add torture_assert_not_null[_goto]
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit bc858fda4237dd75934ab6c29ae68ba4b0aa04cc
Author: Michael Adam <obnox at samba.org>
Date: Fri Mar 27 10:02:28 2015 +0100
torture: add torture_assert_int_not_equal_goto
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 54e68e94ee878878df394e596ca5ea118b105bba
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 30 09:21:59 2015 +0000
s3:trusts_util: generate completely random passwords in trust_pw_change()
Instead of having every 2nd byte as '\0' in the utf16 password,
because the utf8 form is based on an ascii subset, we convert
the random buffer from CH_UTF16MUNGED to CH_UTF8.
This way we have a random but valid utf8 string,
which is almost like what Windows is doing.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 3e1e58711c7fb8047cb90d61ee0d0402f5aa0be8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 30 09:21:59 2015 +0000
s3:trusts_util: pass new_trust_version to netlogon_creds_cli_ServerPasswordSet() in trust_pw_change()
We should maintain current and previous passwords on both sides of the trust,
which mean we need to pass our view of the new version to the remote DC.
This avoid problems with replication delays and make sure the kvno
for cross-realm tickets is in sync.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 99ebb92d4633f8577921497063b4feff114b090c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 30 09:21:59 2015 +0000
s3:trusts_util: make use of pdb_get_trust_credentials() and pdb_get_trusted_domain() in trust_pw_change()
Using pdb_get_trust_credentials() works for all kind of trusts
and gives us much more details regarding the credentials.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 50605ddd1ce722656da616723500555360e4e1b8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 30 09:21:59 2015 +0000
s3:trusts_util: add support for SEC_CHAN_DNS_DOMAIN in trust_pw_change()
SEC_CHAN_DNS_DOMAIN trusts use longer passwords, Windows uses 240 UTF16 bytes.
Some trustAttribute flags may also make impact on the length on Windows,
but we could be better if we know that the remote domain is an AD domain.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit df13bf7b055cc0f3a759273f6a277f3c27e3d13c
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 31 11:45:12 2015 +0100
s3:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 6f8b868a29fe47a3b589616fde97099829933ce0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 31 11:45:12 2015 +0100
s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 73a4387ab9be4a91d688beae091381453aa7b65c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 16:59:27 2015 +0100
s4:rpc_server/lsa: notify winbindd about new trusted domains
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit dda25b0bc6a43a5e1c466b7867c89d49aa1bef0f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 16:59:07 2015 +0100
s3:winbindd: add MSG_WINBIND_NEW_TRUSTED_DOMAIN that takes a lsa_TrustDomainInfoInfoEx
When a new trusted domain is added in the LSA server, we need to immediately
have the domain within winbindd. This notification is done via a
MSG_WINBIND_NEW_TRUSTED_DOMAIN message.
In future we might want just a "rescan direct trusts" message,
but that requires a lot of redesign within winbindd.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 3c7c981fad4346bbcf7e56116846a7d34c94b9dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 24 11:22:54 2015 +0100
lsa.idl: mark lsa_TrustDomainInfoInfoEx as public
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 345e2fe3b122ee836d9b750ec85b50a029a93901
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 27 10:45:58 2015 +0100
s4:selftest: run dbcheck against the ad_dc environment too
This is the environment that is configured like real world configurations.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 654d63b94b8f5802a6efe1db6c1367dd8cf8cf04
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 25 19:11:12 2015 +0000
s4:rpc_server/lsa: implement the policy security descriptor
We now check the requested access mask in OpenPolicy*()
and return NT_STATUS_ACCESS_DENIED if the request is not granted.
E.g. validating a domain trust via the Windows gui requires this
in order prompt the user for the credentials. Otherwise
we fail any other call with ACCESS_DENIED later and the
gui just displays a strange error message.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit a09f9cfd2f95667dae96f34b81023360d40a1783
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 26 21:52:27 2015 +0100
s4:rpc_server/lsa: normalize the access_mask for lsa account objects
We still grant all access in the access_mask, but we don't check the
mask at all yet...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 2dcef48f242ffdcd980a4f6385ed07996ea915f4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 26 14:39:35 2015 +0100
libcli/security: add security_descriptor_for_client() helper function
This prepares a possibly stripped security descriptor for a client.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 77f0763c842a0653610a6fbc7f40bd8e54e38376
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 25 19:10:48 2015 +0000
libcli/security: support "IS" in SDDL for SID_NT_IUSR
TODO: we should import the whole lists from [MS-DTYP].
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 337d86f87e4f35bb2b2b4d858c3cb835a7a5da79
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 26 14:41:09 2015 +0100
s3:rpcclient: only require netlogon_creds for specified netlogon calls
A lot of calls on the netlogon pipe doesn't require netlogon credentials,
e.g. netr_LogonControl*() should work just with administrator credentials.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/torture/torture.h | 32 +
libcli/security/sddl.c | 1 +
libcli/security/security_descriptor.c | 70 +++
libcli/security/security_descriptor.h | 5 +
librpc/idl/lsa.idl | 2 +-
librpc/idl/messaging.idl | 1 +
source3/libsmb/trusts_util.c | 104 +++-
source3/rpc_server/lsa/srv_lsa_nt.c | 45 ++
source3/rpcclient/cmd_netlogon.c | 12 +-
source3/rpcclient/rpcclient.c | 5 +-
source3/rpcclient/rpcclient.h | 1 +
source3/winbindd/winbindd_util.c | 77 +++
source4/rpc_server/lsa/dcesrv_lsa.c | 149 ++++-
source4/rpc_server/lsa/lsa.h | 3 +-
source4/rpc_server/lsa/lsa_init.c | 81 ++-
source4/rpc_server/lsa/lsa_lookup.c | 8 +-
source4/selftest/tests.py | 2 +-
source4/torture/ndr/nbt.c | 55 ++
source4/torture/raw/notify.c | 1073 +++++++++++++++++++--------------
19 files changed, 1221 insertions(+), 505 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/torture/torture.h b/lib/torture/torture.h
index d6a9217..b90af84 100644
--- a/lib/torture/torture.h
+++ b/lib/torture/torture.h
@@ -424,6 +424,17 @@ void torture_result(struct torture_context *test,
} \
} while(0)
+#define torture_assert_int_not_equal_goto(torture_ctx,got,not_expected,ret,label,cmt)\
+ do { int __got = (got), __not_expected = (not_expected); \
+ if (__got == __not_expected) { \
+ torture_result(torture_ctx, TORTURE_FAIL, \
+ __location__": "#got" was %d (0x%X), expected a different number: %s", \
+ __got, __got, cmt); \
+ ret = false; \
+ goto label; \
+ } \
+ } while(0)
+
#define torture_assert_u64_equal(torture_ctx,got,expected,cmt)\
do { uint64_t __got = (got), __expected = (expected); \
if (__got != __expected) { \
@@ -489,6 +500,27 @@ void torture_result(struct torture_context *test,
}\
} while(0)
+#define torture_assert_not_null(torture_ctx,got,cmt)\
+ do { void *__got = (got); \
+ if (__got == NULL) { \
+ torture_result(torture_ctx, TORTURE_FAIL, \
+ __location__": "#got" was NULL, expected != NULL: %s", \
+ cmt); \
+ return false; \
+ } \
+ } while(0)
+
+#define torture_assert_not_null_goto(torture_ctx,got,ret,label,cmt)\
+ do { void *__got = (got); \
+ if (__got == NULL) { \
+ torture_result(torture_ctx, TORTURE_FAIL, \
+ __location__": "#got" was NULL, expected != NULL: %s", \
+ cmt); \
+ ret = false; \
+ goto label; \
+ } \
+ } while(0)
+
#define torture_skip(torture_ctx,cmt) do {\
torture_result(torture_ctx, TORTURE_SKIP, __location__": %s", cmt);\
return true; \
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index c1f2e96..47e5934 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -81,6 +81,7 @@ static const struct {
{ "SY", SID_NT_SYSTEM },
{ "LS", SID_NT_LOCAL_SERVICE },
{ "NS", SID_NT_NETWORK_SERVICE },
+ { "IS", SID_NT_IUSR },
{ "BA", SID_BUILTIN_ADMINISTRATORS },
{ "BU", SID_BUILTIN_USERS },
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index a75942c..0a2bb95 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -182,6 +182,76 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
return NULL;
}
+NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
+ const struct security_descriptor *ssd,
+ uint32_t sec_info,
+ uint32_t access_granted,
+ struct security_descriptor **_csd)
+{
+ struct security_descriptor *csd = NULL;
+ uint32_t access_required = 0;
+
+ *_csd = NULL;
+
+ if (sec_info & (SECINFO_OWNER|SECINFO_GROUP)) {
+ access_required |= SEC_STD_READ_CONTROL;
+ }
+ if (sec_info & SECINFO_DACL) {
+ access_required |= SEC_STD_READ_CONTROL;
+ }
+ if (sec_info & SECINFO_SACL) {
+ access_required |= SEC_FLAG_SYSTEM_SECURITY;
+ }
+
+ if (access_required & (~access_granted)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /*
+ * make a copy...
+ */
+ csd = security_descriptor_copy(mem_ctx, ssd);
+ if (csd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * ... and remove everthing not wanted
+ */
+
+ if (!(sec_info & SECINFO_OWNER)) {
+ TALLOC_FREE(csd->owner_sid);
+ csd->type &= ~SEC_DESC_OWNER_DEFAULTED;
+ }
+ if (!(sec_info & SECINFO_GROUP)) {
+ TALLOC_FREE(csd->group_sid);
+ csd->type &= ~SEC_DESC_GROUP_DEFAULTED;
+ }
+ if (!(sec_info & SECINFO_DACL)) {
+ TALLOC_FREE(csd->dacl);
+ csd->type &= ~(
+ SEC_DESC_DACL_PRESENT |
+ SEC_DESC_DACL_DEFAULTED|
+ SEC_DESC_DACL_AUTO_INHERIT_REQ |
+ SEC_DESC_DACL_AUTO_INHERITED |
+ SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_DACL_TRUSTED);
+ }
+ if (!(sec_info & SECINFO_SACL)) {
+ TALLOC_FREE(csd->sacl);
+ csd->type &= ~(
+ SEC_DESC_SACL_PRESENT |
+ SEC_DESC_SACL_DEFAULTED |
+ SEC_DESC_SACL_AUTO_INHERIT_REQ |
+ SEC_DESC_SACL_AUTO_INHERITED |
+ SEC_DESC_SACL_PROTECTED |
+ SEC_DESC_SERVER_SECURITY);
+ }
+
+ *_csd = csd;
+ return NT_STATUS_OK;
+}
+
/*
add an ACE to an ACL of a security_descriptor
*/
diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h
index 87643bc..dd5d5f3 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -26,6 +26,11 @@
struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx);
struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
const struct security_descriptor *osd);
+NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
+ const struct security_descriptor *ssd,
+ uint32_t sec_info,
+ uint32_t access_granted,
+ struct security_descriptor **_csd);
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 7c96a89..4ab7bc2 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -734,7 +734,7 @@ import "misc.idl", "security.idl";
dom_sid2 *sid;
} lsa_TrustDomainInfoBasic;
- typedef struct {
+ typedef [public] struct {
lsa_StringLarge domain_name;
lsa_StringLarge netbios_name;
dom_sid2 *sid;
diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl
index 99b2af2..04dfa1e 100644
--- a/librpc/idl/messaging.idl
+++ b/librpc/idl/messaging.idl
@@ -109,6 +109,7 @@ interface messaging
MSG_WINBIND_IP_DROPPED = 0x040A,
MSG_WINBIND_DOMAIN_ONLINE = 0x040B,
MSG_WINBIND_DOMAIN_OFFLINE = 0x040C,
+ MSG_WINBIND_NEW_TRUSTED_DOMAIN = 0x040D,
/* event messages */
MSG_DUMP_EVENT_LIST = 0x0500,
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 48db393..c56949e 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -55,18 +55,24 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
{
TALLOC_CTX *frame = talloc_stackframe();
struct trust_pw_change_state *state;
- struct samr_Password current_nt_hash;
+ struct cli_credentials *creds = NULL;
+ const struct samr_Password *current_nt_hash = NULL;
const struct samr_Password *previous_nt_hash = NULL;
enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
- const char *account_name;
- char *new_trust_passwd;
- char *pwd;
- struct dom_sid sid;
time_t pass_last_set_time;
+ uint32_t old_version = 0;
+ struct pdb_trusted_domain *td = NULL;
struct timeval g_timeout = { 0, };
int timeout = 0;
struct timeval tv = { 0, };
+ size_t new_len = DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH;
+ uint8_t new_password_buffer[256 * 2] = { 0, };
+ char *new_trust_passwd = NULL;
+ size_t len = 0;
+ uint32_t new_version = 0;
+ uint32_t *new_trust_version = NULL;
NTSTATUS status;
+ bool ok;
state = talloc_zero(frame, struct trust_pw_change_state);
if (state == NULL) {
@@ -101,31 +107,53 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
talloc_set_destructor(state, trust_pw_change_state_destructor);
- if (!get_trust_pw_hash(domain, current_nt_hash.hash,
- &account_name,
- &sec_channel_type)) {
- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
+ status = pdb_get_trust_credentials(domain, NULL, frame, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("could not fetch domain creds for domain %s - %s!\n",
+ domain, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+ }
+
+ current_nt_hash = cli_credentials_get_nt_hash(creds, frame);
+ if (current_nt_hash == NULL) {
+ DEBUG(0, ("cli_credentials_get_nt_hash failed for domain %s!\n",
+ domain));
TALLOC_FREE(frame);
return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
}
+ old_version = cli_credentials_get_kvno(creds);
+ pass_last_set_time = cli_credentials_get_password_last_changed_time(creds);
+ sec_channel_type = cli_credentials_get_secure_channel_type(creds);
+
+ new_version = old_version + 1;
+
switch (sec_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_BDC:
- pwd = secrets_fetch_machine_password(domain,
- &pass_last_set_time,
- NULL);
- if (pwd == NULL) {
- TALLOC_FREE(frame);
- return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
- }
- free(pwd);
break;
+ case SEC_CHAN_DNS_DOMAIN:
+ /*
+ * new_len * 2 = 498 bytes is the largest possible length
+ * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes
+ * and a confounder with at least 2 bytes is required.
+ *
+ * Windows uses new_len = 120 => 240 bytes.
+ */
+ new_len = 120;
+
+ /* fall through */
case SEC_CHAN_DOMAIN:
- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
+ status = pdb_get_trusted_domain(frame, domain, &td);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("pdb_get_trusted_domain() failed for domain %s - %s!\n",
+ domain, nt_errstr(status)));
TALLOC_FREE(frame);
- return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+ return status;
}
+
+ new_trust_version = &new_version;
break;
default:
TALLOC_FREE(frame);
@@ -153,12 +181,19 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
return NT_STATUS_OK;
}
- /* Create a random machine account password */
- new_trust_passwd = generate_random_password(frame,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- if (new_trust_passwd == NULL) {
- DEBUG(0, ("generate_random_password failed\n"));
+ /*
+ * Create a random machine account password
+ * We create a random buffer and convert that to utf8.
+ * This is similar to what windows is doing.
+ */
+ generate_secret_buffer(new_password_buffer, new_len * 2);
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UTF8,
+ new_password_buffer, new_len * 2,
+ (void *)&new_trust_passwd, &len);
+ ZERO_STRUCT(new_password_buffer);
+ if (!ok) {
+ DEBUG(0, ("convert_string_talloc failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
@@ -177,9 +212,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
* local secrets before doing the change.
*/
status = netlogon_creds_cli_auth(context, b,
- current_nt_hash,
+ *current_nt_hash,
previous_nt_hash);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("netlogon_creds_cli_auth for domain %s - %s!\n",
+ domain, nt_errstr(status)));
TALLOC_FREE(frame);
return status;
}
@@ -193,18 +230,26 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
case SEC_CHAN_WKSTA:
case SEC_CHAN_BDC:
- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+ ok = secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type);
+ if (!ok) {
+ DEBUG(0, ("secrets_store_machine_password failed for domain %s!\n",
+ domain));
TALLOC_FREE(frame);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
break;
+ case SEC_CHAN_DNS_DOMAIN:
case SEC_CHAN_DOMAIN:
/*
* we need to get the sid first for the
* pdb_set_trusteddom_pw call
*/
- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
+ ok = pdb_set_trusteddom_pw(domain, new_trust_passwd,
+ &td->security_identifier);
+ if (!ok) {
+ DEBUG(0, ("pdb_set_trusteddom_pw() failed for domain %s!\n",
+ domain));
TALLOC_FREE(frame);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -219,7 +264,8 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
current_timestring(talloc_tos(), false), __func__, domain));
status = netlogon_creds_cli_ServerPasswordSet(context, b,
- new_trust_passwd, NULL);
+ new_trust_passwd,
+ new_trust_version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("%s : %s(%s) remote password change set failed - %s\n",
current_timestring(talloc_tos(), false), __func__,
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index a989f4b..ef18963 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1706,6 +1706,51 @@ static NTSTATUS get_trustauth_inout_blob(TALLOC_CTX *mem_ctx,
{
enum ndr_err_code ndr_err;
+ if (iopw->current.count != iopw->count) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (iopw->previous.count > iopw->current.count) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (iopw->previous.count == 0) {
+ /*
+ * If the previous credentials are not present
+ * we need to make a copy.
+ */
+ iopw->previous = iopw->current;
+ }
+
+ if (iopw->previous.count < iopw->current.count) {
+ struct AuthenticationInformationArray *c = &iopw->current;
+ struct AuthenticationInformationArray *p = &iopw->previous;
+
+ /*
+ * The previous array needs to have the same size
+ * as the current one.
+ *
+ * We may have to fill with TRUST_AUTH_TYPE_NONE
+ * elements.
+ */
+ p->array = talloc_realloc(mem_ctx, p->array,
+ struct AuthenticationInformation,
+ c->count);
+ if (p->array == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ while (p->count < c->count) {
+ struct AuthenticationInformation *a =
+ &p->array[p->count++];
+
+ *a = (struct AuthenticationInformation) {
+ .LastUpdateTime = p->array[0].LastUpdateTime,
+ .AuthType = TRUST_AUTH_TYPE_NONE,
+ };
+ }
+ }
+
ndr_err = ndr_push_struct_blob(trustauth_blob, mem_ctx,
iopw,
(ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 2d1c351..1af68f9 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -1289,10 +1289,10 @@ struct cmd_set netlogon_commands[] = {
{ "dsr_getsitename", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getsitename, &ndr_table_netlogon, NULL, "Get sitename", "" },
{ "dsr_getforesttrustinfo", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getforesttrustinfo, &ndr_table_netlogon, NULL, "Get Forest Trust Info", "" },
{ "logonctrl", RPC_RTYPE_WERROR, NULL, cmd_netlogon_logon_ctrl, &ndr_table_netlogon, NULL, "Logon Control", "" },
- { "samsync", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync, NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "" },
- { "samdeltas", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas, NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas", "" },
- { "samlogon", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon, NULL, &ndr_table_netlogon, NULL, "Sam Logon", "" },
- { "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password", "" },
+ { "samsync", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync, NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "", .use_netlogon_creds = true, },
+ { "samdeltas", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas, NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas", "", .use_netlogon_creds = true, },
+ { "samlogon", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon, NULL, &ndr_table_netlogon, NULL, "Sam Logon", "", .use_netlogon_creds = true, },
+ { "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password", "", .use_netlogon_creds = true, },
{ "gettrustrid", RPC_RTYPE_WERROR, NULL, cmd_netlogon_gettrustrid, &ndr_table_netlogon, NULL, "Get trust rid", "" },
{ "dsr_enumtrustdom", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" },
{ "dsenumdomtrusts", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate all trusted domains in an AD forest", "" },
@@ -1300,8 +1300,8 @@ struct cmd_set netlogon_commands[] = {
{ "netrenumtrusteddomains", RPC_RTYPE_NTSTATUS, cmd_netlogon_enumtrusteddomains, NULL, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" },
{ "netrenumtrusteddomainsex", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomainsex, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" },
{ "getdcsitecoverage", RPC_RTYPE_WERROR, NULL, cmd_netlogon_getdcsitecoverage, &ndr_table_netlogon, NULL, "Get the Site-Coverage from a DC", "" },
- { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC", "" },
- { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities", "" },
+ { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC", "", .use_netlogon_creds = true, },
+ { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities", "", .use_netlogon_creds = true, },
{ NULL }
};
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index db89b47..47789f4 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -681,7 +681,6 @@ static NTSTATUS do_cmd(struct cli_state *cli,
{
NTSTATUS ntresult;
WERROR wresult;
- bool ok;
TALLOC_CTX *mem_ctx;
@@ -757,9 +756,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
return ntresult;
}
- ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
- &ndr_table_netlogon.syntax_id);
- if (rpcclient_netlogon_creds == NULL && ok) {
+ if (rpcclient_netlogon_creds == NULL && cmd_entry->use_netlogon_creds) {
const char *dc_name = cmd_entry->rpc_pipe->desthost;
const char *domain = get_cmdline_auth_info_domain(auth_info);
struct cli_credentials *creds = NULL;
diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
index 9cb0323..7697d3d 100644
--- a/source3/rpcclient/rpcclient.h
+++ b/source3/rpcclient/rpcclient.h
@@ -39,6 +39,7 @@ struct cmd_set {
struct rpc_pipe_client *rpc_pipe;
const char *description;
const char *usage;
+ bool use_netlogon_creds;
};
extern struct messaging_context *rpcclient_msg_ctx;
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index a0d42a5..9134bd0 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -27,6 +27,8 @@
#include "../libcli/auth/pam_errors.h"
#include "passdb/machine_sid.h"
#include "passdb.h"
+#include "source4/lib/messaging/messaging.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -631,10 +633,76 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai
return WINBINDD_OK;
--
Samba Shared Repository
More information about the samba-cvs
mailing list