[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Wed Feb 21 18:03:02 UTC 2018
The branch, master has been updated
via 5d113f8 s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call()
via 65e8edb tests:dcerpc/raw_protocol: reproduce call_id truncation bug
via 3a7ebd0 heimdal_build: use closefrom from libreplace
via e9d5b8b s4:rpc_server/lsa: implement forwarding lsa_Lookup{Sids,Names}() requests to winbindd
via 3ffebee winbindd: implement wb_irpc_lsa_{LookupNames4,LookupSids3}()
via 3801c41 s4:rpc_server/lsa: rewrite lookup sids/names code to honor the given lookup level
via 475a761 test_trust_ntlm.sh: add lookup name tests
via d7780c6 libcli/security: add dom_sid_lookup_predefined_{sid,name}()
via e9ace18 s4:dsdb: add dsdb_trust_domain_by_{sid,name}()
via 9b6a0b1 s4:rpc_server/lsa: prepare dcesrv_lsa_LookupNames* for async processing
via ab7988a s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing
via e6c9984 s4:rpc_server/lsa: base dcesrv_lsa_LookupNames2() on dcesrv_lsa_LookupNames_common()
via 37cb34d s4:rpc_server/lsa: base dcesrv_lsa_LookupNames() on dcesrv_lsa_LookupNames_common()
via ec55c18 s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupNames2()
via c78c17d s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
via c0f6103 s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids_common()
via 7c1c9bf s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupNames()
via 5d868fd s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupSids()
via e8a0223 s4:rpc_server/lsa: remove unused 'status' variable in dcesrv_lsa_LookupSids_common()
via fe43dd8 s4:rpc_server/lsa: make sure dcesrv_lsa_LookupNames2() gets prepared [ref] pointers
via 3339a1c s4:rpc_server/lsa: expect prepared [ref] pointers in dcesrv_lsa_LookupNames_common()
via f6e60d2 s4:rpc_server/lsa: make sure dcesrv_lsa_LookupSids_common() gets prepared [ref] pointers
via 3909f8f s4:rpc_server/lsa: use LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES/LSA_CLIENT_REVISION_1 in compat code
via 7686881 rpcclient: add lookupsids_level command
via 9ccc6ee rpcclient: fix variable initialisation and add parenthesis to if clauses
via b02de5a provision: fix the 'dnsdomain' for the local sam of a domain member
via 1a258b6 traffic_packets.py: let Lookup{Sids,Names}() work against a sane server
via da78430 nsswitch: fix double free errors in nsstest.c
via 7b86b94 s4:torture: zero initialize variables in test_LookupSidsReply()
via c376ab2 winbindd: make use of talloc_zero_array() in wb_lookupsids*()
via 569c910 s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_names_generic()
via 5cae7da s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_sids_generic()
via b5ffa0e winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done()
via 17c48f2 winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids
via 86e63d2 replace: remove some duplicate checks
via 29aa5c9 wscript: drop checks for setnetgrent/endnetgrent/getnetgrent
via 14f798c s3: remove dead already commented code
from 0b63f26 selftest: change technique for running specific envs
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5d113f80944f2e1d2a7e80f73aea7a4cfdfbd140
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 21 00:49:55 2018 +0100
s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Feb 21 19:02:56 CET 2018 on sn-devel-144
commit 65e8edb382fbc7450919aad8b42cfcae9e779d11
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 21 00:50:26 2018 +0100
tests:dcerpc/raw_protocol: reproduce call_id truncation bug
We need to make sure the server handles call_id values > UINT16_MAX.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3a7ebd0e940e80b185a9240c093e1fee6795fd5b
Author: Bjoern Jacke <bjacke at samba.org>
Date: Wed Feb 21 01:51:42 2018 -0800
heimdal_build: use closefrom from libreplace
this silences a lot of "... has been redefined" compiler warnings on
platforms that don't have closefrom
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e9d5b8b6b41155a8a043275ae497bdb87044d476
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 19 13:42:40 2018 +0100
s4:rpc_server/lsa: implement forwarding lsa_Lookup{Sids,Names}() requests to winbindd
This might not be perfect yet, but it's enough to allow names from trusted
forests/domain to be resolved, which is very important for samba based
domain members.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3ffebee3de4aa313027779bc98cb6326fa17be85
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 13:19:37 2018 +0100
winbindd: implement wb_irpc_lsa_{LookupNames4,LookupSids3}()
This will be used by the LSA Server on an AD DC to request remote views
from trusts.
In future we should implement wb_lookupnames_send/recv similar to
wb_lookupsids_send/recv, but for now using wb_lookupname_send/recv in a loop
works as a first step.
We also need to make use of req->in.level and req->in.client_revision
once we want to support more than one domain within our own forest.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3801c417db5891ee4a45b09e8841d8f1ff4500f9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 00:52:50 2018 +0100
s4:rpc_server/lsa: rewrite lookup sids/names code to honor the given lookup level
[MS-LSAT] 2.2.16 LSAP_LOOKUP_LEVEL defines which views each level should
consult.
Up to now we support some well-known sids, the builtin domain and our
account domain, but all levels query all views.
This commit implements 3 views (predefined, builtin, account domain)
+ a dummy winbind view (which will later be used to implement the
gc, forest and trust views).
Depending on the level we select the required views.
This might not be perfect in all details, but it's enough
to pass all existing tests, which already revealed bugs
during the development of this patch.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 475a761637bbcc93edbe8d83fc13037e1087941a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 15 10:30:28 2018 +0100
test_trust_ntlm.sh: add lookup name tests
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d7780c66866144eba59408c03af50256825165ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:55:44 2017 +0100
libcli/security: add dom_sid_lookup_predefined_{sid,name}()
This basically implements [MS-LSAT] 3.1.1.1.1 Predefined Translation Database
and Corresponding View.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e9ace1852ff88ebb7778e8db9a49bc5c61512d16
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 16 01:14:00 2018 +0100
s4:dsdb: add dsdb_trust_domain_by_{sid,name}()
This gets the lsa_ForestTrustDomainInfo for the searched
domain as well as the lsa_TrustDomainInfoInfoEx for the
direct trust (which might be the same for external trust or
the forest root domain).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9b6a0b1a63f2ebfbd578047401dfbe38606c8c44
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 19 13:42:40 2018 +0100
s4:rpc_server/lsa: prepare dcesrv_lsa_LookupNames* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ab7988aa2fd1a43f576a4b73a6893c61c7ef1957
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 19 13:42:40 2018 +0100
s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e6c9984bd563525dc312b67fe69ea7e4be04ee4e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 22 20:21:14 2018 +0100
s4:rpc_server/lsa: base dcesrv_lsa_LookupNames2() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 37cb34d16406d27831be74e952ee744e58b79fb4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 22 20:21:14 2018 +0100
s4:rpc_server/lsa: base dcesrv_lsa_LookupNames() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ec55c18ceda5c430eaec97c5d7e594941e3a31fc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 22 09:27:49 2018 +0100
s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupNames2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c78c17dc2fbaf523d1957bb748aa75ecd81e793b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 22 09:27:49 2018 +0100
s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c0f6103ddea9a825f0f0dcf169e70a5f6a55c2e2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 22 09:27:49 2018 +0100
s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7c1c9bf53ffc24a25038326767e33f008c7a5552
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupNames()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5d868fd875803e361653ccca4e61c5c25dc114aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e8a0223633fd2e6ebb3d864570b76932bc3e293a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: remove unused 'status' variable in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fe43dd8678e4f598e0ae802e3d93ad9b28988783
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: make sure dcesrv_lsa_LookupNames2() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3339a1c57266181570d5ca5e389719951f26b41d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: expect prepared [ref] pointers in dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f6e60d2c2e1f0a4eb6426c7da683abaa11babd05
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: make sure dcesrv_lsa_LookupSids_common() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3909f8fcfe6b82575ad8974acacde3270ce849fe
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 20 12:56:00 2017 +0100
s4:rpc_server/lsa: use LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES/LSA_CLIENT_REVISION_1 in compat code
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 76868818e8b98a0cd4881d319e0735de5091b8b1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 25 11:24:25 2018 +0100
rpcclient: add lookupsids_level command
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9ccc6eef145c1f67e24cbb1c21402714f612c607
Author: Ralph Boehme <slow at samba.org>
Date: Tue Feb 20 15:57:37 2018 +0100
rpcclient: fix variable initialisation and add parenthesis to if clauses
Just a few README.Coding fixes.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b02de5ad3e04babe1565868c69422cfc778458d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 21:06:38 2018 +0100
provision: fix the 'dnsdomain' for the local sam of a domain member
A member has a local AD database, which should not use the 'dnsdomain'
as the one on domain controllers.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13285
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1a258b6b0f667ec077639a7cfe826e5e25f46768
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 25 18:04:29 2018 +0100
traffic_packets.py: let Lookup{Sids,Names}() work against a sane server
In order to resolve predefined sids or names we need to use
level = LSA_LOOKUP_NAMES_ALL (1).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13284
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit da784305e7b306664b79d30a734d45582f5bf4dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Feb 10 23:54:33 2018 +0100
nsswitch: fix double free errors in nsstest.c
We need to zero out static pointers on free.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13283
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7b86b94c71268cdab434ced74caedcdd5eb20e12
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 26 00:38:32 2018 +0100
s4:torture: zero initialize variables in test_LookupSidsReply()
This avoids crashes if the server returns unexpected results. The test
should just report the failure in that case.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13282
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c376ab29d1d9f4b06fbb3a713029d79ecac80b59
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:52:37 2018 +0100
winbindd: make use of talloc_zero_array() in wb_lookupsids*()
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 569c910b950df24b22777c545fe9f6427a19b035
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 12:07:11 2018 +0100
s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_names_generic()
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5cae7da1de302b38ee0059590b1e93a3d60ee42c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 12:07:11 2018 +0100
s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_sids_generic()
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b5ffa0e21f74fa0c452df38cf50e542eb278562d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:52:59 2018 +0100
winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done()
We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv()
only initializes the results together with NT_STATUS_OK.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 17c48f26dea5701feed1c24769348f332695391c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 14:34:45 2018 +0100
winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13279
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 86e63d25ecfc1b4ca5f1555299ad72c8ade7b6f3
Author: Björn Jacke <bjacke at samba.org>
Date: Wed Jan 24 01:28:25 2018 +0100
replace: remove some duplicate checks
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 29aa5c93d751384829175a3ac0cc42e6905fe8b1
Author: Björn Jacke <bjacke at samba.org>
Date: Wed Jan 24 10:02:13 2018 +0100
wscript: drop checks for setnetgrent/endnetgrent/getnetgrent
we don't use setnetgrent/endnetgrent/getnetgrent since security share passed
away.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 14f798cbcccb5712d8b31bc891c49a00a7483a95
Author: Björn Jacke <bjacke at samba.org>
Date: Thu Jan 11 22:13:20 2018 +0100
s3: remove dead already commented code
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/replace/system/wscript_configure | 8 -
libcli/security/dom_sid.h | 13 +
libcli/security/util_sid.c | 499 ++++++
nsswitch/nsstest.c | 18 +-
python/samba/emulate/traffic_packets.py | 16 +-
python/samba/provision/__init__.py | 16 +
python/samba/tests/dcerpc/raw_protocol.py | 2 +-
selftest/knownfail.d/s3-lsa-server | 1 +
source3/rpc_client/cli_lsarpc.c | 17 +-
source3/rpcclient/cmd_lsarpc.c | 103 +-
source3/smbd/password.c | 11 -
source3/smbd/sesssetup.c | 5 +-
source3/winbindd/wb_lookupsids.c | 16 +-
source3/winbindd/winbindd_irpc.c | 408 +++++
source3/wscript | 23 +-
source4/dsdb/common/util_trusts.c | 222 +++
source4/heimdal_build/config.h | 5 +
source4/rpc_server/dcerpc_server.c | 2 +-
source4/rpc_server/lsa/lsa_lookup.c | 2651 ++++++++++++++++++++---------
source4/torture/rpc/lsa_lookup.c | 12 +-
testprogs/blackbox/test_trust_ntlm.sh | 77 +-
21 files changed, 3232 insertions(+), 893 deletions(-)
create mode 100644 selftest/knownfail.d/s3-lsa-server
Changeset truncated at 500 lines:
diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure
index 2035474..ecd9964 100644
--- a/lib/replace/system/wscript_configure
+++ b/lib/replace/system/wscript_configure
@@ -1,8 +1,5 @@
#!/usr/bin/env python
-conf.CHECK_HEADERS('sys/capability.h')
-conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r')
-
# solaris varients of getXXent_r
conf.CHECK_C_PROTOTYPE('getpwent_r',
'struct passwd *getpwent_r(struct passwd *src, char *buf, int buflen)',
@@ -19,8 +16,3 @@ conf.CHECK_C_PROTOTYPE('getgrent_r',
'struct group *getgrent_r(struct group *src, char *buf, size_t buflen)',
define='SOLARIS_GETGRENT_R', headers='grp.h')
-conf.CHECK_FUNCS('getgrouplist')
-conf.CHECK_HEADERS('ctype.h locale.h langinfo.h')
-conf.CHECK_HEADERS('fnmatch.h locale.h langinfo.h')
-conf.CHECK_HEADERS('sys/ipc.h sys/mman.h sys/shm.h')
-conf.CHECK_HEADERS('termios.h termio.h sys/termio.h')
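Review bot: the checks dropped at the end of this file (getgrouplist and the ctype.h, fnmatch.h, sys/ipc.h and termios.h header groups) are removed as duplicates, but neither the commit message ("remove some duplicate checks") nor the visible diff says which wscript still performs them. Name the surviving location in the commit message so a reader can confirm that the defines these checks generate are still produced on every platform; the same applies to the sys/capability.h and getpwnam_r/getpwuid_r/getpwent_r checks removed in the first hunk.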
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index bdcec94..6c3225e 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -62,6 +62,19 @@ extern const struct dom_sid global_sid_Unix_NFS_Groups;
extern const struct dom_sid global_sid_Unix_NFS_Mode;
extern const struct dom_sid global_sid_Unix_NFS_Other;
+enum lsa_SidType;
+
+NTSTATUS dom_sid_lookup_predefined_name(const char *name,
+ const struct dom_sid **sid,
+ enum lsa_SidType *type,
+ const struct dom_sid **authority_sid,
+ const char **authority_name);
+NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
+ const char **name,
+ enum lsa_SidType *type,
+ const struct dom_sid **authority_sid,
+ const char **authority_name);
+
int dom_sid_compare_auth(const struct dom_sid *sid1,
const struct dom_sid *sid2);
int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2);
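Review bot: the forward declaration "enum lsa_SidType;" added above the two prototypes is not valid ISO C, which does not allow an enum type to be referenced before its enumerators are defined, so it only compiles as a compiler extension. Include the header that defines enum lsa_SidType instead. The prototypes also need a comment stating that sid (or name), type, authority_sid and authority_name are output parameters that must all be non-NULL, since dom_sid_lookup_predefined_name() in util_sid.c writes through each of them unconditionally ("*sid = NULL;" and the three lines after it).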
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index e84cfb4..4e4a8fa 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -434,3 +434,502 @@ bool is_null_sid(const struct dom_sid *sid)
const struct dom_sid null_sid = {0};
return dom_sid_equal(sid, &null_sid);
}
+
+/*
+ * See [MS-LSAT] 3.1.1.1.1 Predefined Translation Database and Corresponding View
+ */
+struct predefined_name_mapping {
+ const char *name;
+ enum lsa_SidType type;
+ struct dom_sid sid;
+};
+
+struct predefined_domain_mapping {
+ const char *domain;
+ struct dom_sid sid;
+ size_t num_names;
+ const struct predefined_name_mapping *names;
+};
+
+/* S-1-${AUTHORITY} */
+#define _SID0(authority) \
+ { 1, 0, {0,0,0,0,0,authority}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}
+/* S-1-${AUTHORITY}-${SUB1} */
+#define _SID1(authority,sub1) \
+ { 1, 1, {0,0,0,0,0,authority}, {sub1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}
+/* S-1-${AUTHORITY}-${SUB1}-${SUB2} */
+#define _SID2(authority,sub1,sub2) \
+ { 1, 2, {0,0,0,0,0,authority}, {sub1,sub2,0,0,0,0,0,0,0,0,0,0,0,0,0}}
+
+/*
+ * S-1-0
+ */
+static const struct predefined_name_mapping predefined_names_S_1_0[] = {
+ {
+ .name = "NULL SID",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(0, 0), /* S-1-0-0 */
+ },
+};
+
+/*
+ * S-1-1
+ */
+static const struct predefined_name_mapping predefined_names_S_1_1[] = {
+ {
+ .name = "Everyone",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(1, 0), /* S-1-1-0 */
+ },
+};
+
+/*
+ * S-1-2
+ */
+static const struct predefined_name_mapping predefined_names_S_1_2[] = {
+ {
+ .name = "LOCAL",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(2, 0), /* S-1-2-0 */
+ },
+};
+
+/*
+ * S-1-3
+ */
+static const struct predefined_name_mapping predefined_names_S_1_3[] = {
+ {
+ .name = "CREATOR OWNER",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(3, 0), /* S-1-3-0 */
+ },
+ {
+ .name = "CREATOR GROUP",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(3, 1), /* S-1-3-1 */
+ },
+ {
+ .name = "CREATOR OWNER SERVER",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(3, 0), /* S-1-3-2 */
+ },
+ {
+ .name = "CREATOR GROUP SERVER",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(3, 1), /* S-1-3-3 */
+ },
+ {
+ .name = "OWNER RIGHTS",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(3, 4), /* S-1-3-4 */
+ },
+};
+
+/*
+ * S-1-5 only 'NT Pseudo Domain'
+ */
+static const struct predefined_name_mapping predefined_names_S_1_5p[] = {
+ {
+ .name = "NT Pseudo Domain",
+ .type = SID_NAME_DOMAIN,
+ .sid = _SID0(5), /* S-1-5 */
+ },
+};
+
+/*
+ * S-1-5 'NT AUTHORITY'
+ */
+static const struct predefined_name_mapping predefined_names_S_1_5a[] = {
+ {
+ .name = "DIALUP",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 1), /* S-1-5-1 */
+ },
+ {
+ .name = "NETWORK",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 2), /* S-1-5-2 */
+ },
+ {
+ .name = "BATCH",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 3), /* S-1-5-3 */
+ },
+ {
+ .name = "INTERACTIVE",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 4), /* S-1-5-4 */
+ },
+ {
+ .name = "SERVICE",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 6), /* S-1-5-6 */
+ },
+ {
+ .name = "ANONYMOUS LOGON",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 7), /* S-1-5-7 */
+ },
+ {
+ .name = "PROXY",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 8), /* S-1-5-8 */
+ },
+ {
+ .name = "ENTERPRISE DOMAIN CONTROLLERS",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 9), /* S-1-5-9 */
+ },
+ {
+ .name = "SELF",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 10), /* S-1-5-10 */
+ },
+ {
+ .name = "Authenticated Users",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 11), /* S-1-5-11 */
+ },
+ {
+ .name = "RESTRICTED",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 12), /* S-1-5-12 */
+ },
+ {
+ .name = "TERMINAL SERVER USER",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 13), /* S-1-5-13 */
+ },
+ {
+ .name = "REMOTE INTERACTIVE LOGON",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 14), /* S-1-5-14 */
+ },
+ {
+ .name = "This Organization",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 15), /* S-1-5-15 */
+ },
+ {
+ .name = "IUSR",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 17), /* S-1-5-17 */
+ },
+ {
+ .name = "SYSTEM",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 18), /* S-1-5-18 */
+ },
+ {
+ .name = "LOCAL SERVICE",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 19), /* S-1-5-19 */
+ },
+ {
+ .name = "NETWORK SERVICE",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 20), /* S-1-5-20 */
+ },
+ {
+ .name = "WRITE RESTRICTED",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 33), /* S-1-5-33 */
+ },
+ {
+ .name = "Other Organization",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID1(5, 1000), /* S-1-5-1000 */
+ },
+};
+
+/*
+ * S-1-5-32
+ */
+static const struct predefined_name_mapping predefined_names_S_1_5_32[] = {
+ {
+ .name = "BUILTIN",
+ .type = SID_NAME_DOMAIN,
+ .sid = _SID1(5, 32), /* S-1-5-32 */
+ },
+};
+
+/*
+ * S-1-5-64
+ */
+static const struct predefined_name_mapping predefined_names_S_1_5_64[] = {
+ {
+ .name = "NTLM Authentication",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID2(5, 64, 10), /* S-1-5-64-10 */
+ },
+ {
+ .name = "SChannel Authentication",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID2(5, 64, 14), /* S-1-5-64-14 */
+ },
+ {
+ .name = "Digest Authentication",
+ .type = SID_NAME_WKN_GRP,
+ .sid = _SID2(5, 64, 21), /* S-1-5-64-21 */
+ },
+};
+
+/*
+ * S-1-7
+ */
+static const struct predefined_name_mapping predefined_names_S_1_7[] = {
+ {
+ .name = "Internet$",
+ .type = SID_NAME_DOMAIN,
+ .sid = _SID0(7), /* S-1-7 */
+ },
+};
+
+/*
+ * S-1-16
+ */
+static const struct predefined_name_mapping predefined_names_S_1_16[] = {
+ {
+ .name = "Mandatory Label",
+ .type = SID_NAME_DOMAIN,
+ .sid = _SID0(16), /* S-1-16 */
+ },
+ {
+ .name = "Untrusted Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 0), /* S-1-16-0 */
+ },
+ {
+ .name = "Low Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 4096), /* S-1-16-4096 */
+ },
+ {
+ .name = "Medium Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 8192), /* S-1-16-8192 */
+ },
+ {
+ .name = "High Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 12288), /* S-1-16-12288 */
+ },
+ {
+ .name = "System Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 16384), /* S-1-16-16384 */
+ },
+ {
+ .name = "Protected Process Mandatory Level",
+ .type = SID_NAME_LABEL,
+ .sid = _SID1(16, 20480), /* S-1-16-20480 */
+ },
+};
+
+static const struct predefined_domain_mapping predefined_domains[] = {
+ {
+ .domain = "",
+ .sid = _SID0(0), /* S-1-0 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_0),
+ .names = predefined_names_S_1_0,
+ },
+ {
+ .domain = "",
+ .sid = _SID0(1), /* S-1-1 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_1),
+ .names = predefined_names_S_1_1,
+ },
+ {
+ .domain = "",
+ .sid = _SID0(2), /* S-1-2 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_2),
+ .names = predefined_names_S_1_2,
+ },
+ {
+ .domain = "",
+ .sid = _SID0(3), /* S-1-3 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_3),
+ .names = predefined_names_S_1_3,
+ },
+ {
+ .domain = "",
+ .sid = _SID0(3), /* S-1-3 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_3),
+ .names = predefined_names_S_1_3,
+ },
+ /*
+ * S-1-5 is split here
+ *
+ * 'NT Pseudo Domain' has precedence before 'NT AUTHORITY'.
+ *
+ * In a LookupSids with multiple sids e.g. S-1-5 and S-1-5-7
+ * the domain section (struct lsa_DomainInfo) gets
+ * 'NT Pseudo Domain' with S-1-5. If asked in reversed order
+ * S-1-5-7 and then S-1-5, you get struct lsa_DomainInfo
+ * with 'NT AUTHORITY' and S-1-5.
+ */
+ {
+ .domain = "NT Pseudo Domain",
+ .sid = _SID0(5), /* S-1-5 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_5p),
+ .names = predefined_names_S_1_5p,
+ },
+ {
+ .domain = "NT AUTHORITY",
+ .sid = _SID0(5), /* S-1-5 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_5a),
+ .names = predefined_names_S_1_5a,
+ },
+ {
+ .domain = "BUILTIN",
+ .sid = _SID1(5, 32), /* S-1-5-32 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_5_32),
+ .names = predefined_names_S_1_5_32,
+ },
+ /*
+ * 'NT AUTHORITY' again with S-1-5-64 this time
+ */
+ {
+ .domain = "NT AUTHORITY",
+ .sid = _SID1(5, 64), /* S-1-5-64 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_5_64),
+ .names = predefined_names_S_1_5_64,
+ },
+ {
+ .domain = "Internet$",
+ .sid = _SID0(7), /* S-1-7 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_7),
+ .names = predefined_names_S_1_7,
+ },
+ {
+ .domain = "Mandatory Label",
+ .sid = _SID0(16), /* S-1-16 */
+ .num_names = ARRAY_SIZE(predefined_names_S_1_16),
+ .names = predefined_names_S_1_16,
+ },
+};
+
+NTSTATUS dom_sid_lookup_predefined_name(const char *name,
+ const struct dom_sid **sid,
+ enum lsa_SidType *type,
+ const struct dom_sid **authority_sid,
+ const char **authority_name)
+{
+ size_t di;
+ const char *domain = "";
+ size_t domain_len = 0;
+ const char *p;
+ bool match;
+
+ *sid = NULL;
+ *type = SID_NAME_UNKNOWN;
+ *authority_sid = NULL;
+ *authority_name = NULL;
+
+ if (name == NULL) {
+ name = "";
+ }
+
+ p = strchr(name, '\\');
+ if (p != NULL) {
+ domain = name;
+ domain_len = PTR_DIFF(p, domain);
+ name = p + 1;
+ }
+
+ match = strequal(name, "");
+ if (match) {
+ /*
+ * Strange, but that's what W2012R2 does.
+ */
+ name = "BUILTIN";
+ }
+
+ for (di = 0; di < ARRAY_SIZE(predefined_domains); di++) {
+ const struct predefined_domain_mapping *d =
+ &predefined_domains[di];
+ size_t ni;
+
+ if (domain_len != 0) {
+ int cmp;
+
+ cmp = strncasecmp(d->domain, domain, domain_len);
+ if (cmp != 0) {
+ continue;
+ }
+ }
+
+ for (ni = 0; ni < d->num_names; ni++) {
+ const struct predefined_name_mapping *n =
+ &d->names[ni];
+
+ match = strequal(n->name, name);
+ if (!match) {
+ continue;
+ }
+
+ *sid = &n->sid;
+ *type = n->type;
+ *authority_sid = &d->sid;
+ *authority_name = d->domain;
+ return NT_STATUS_OK;
+ }
+ }
+
+ return NT_STATUS_NONE_MAPPED;
+}
+
+NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
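Review bot: in predefined_names_S_1_3 the entries for "CREATOR OWNER SERVER" and "CREATOR GROUP SERVER" are initialised with _SID1(3, 0) and _SID1(3, 1) while their comments say S-1-3-2 and S-1-3-3, so a name lookup returns the SIDs of CREATOR OWNER and CREATOR GROUP for them; they should be _SID1(3, 2) and _SID1(3, 3). In dom_sid_lookup_predefined_name(), "cmp = strncasecmp(d->domain, domain, domain_len);" compares only the first domain_len characters, so a prefix such as "NT\..." matches both "NT Pseudo Domain" and "NT AUTHORITY"; also require d->domain[domain_len] == '\0' before accepting the domain. The S-1-3 entry is listed twice in predefined_domains, and one copy can be dropped.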
--
Samba Shared Repository