allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed...

Stefan (metze) Metzmacher metze at samba.org
Mon Jan 5 11:43:30 MST 2015


Hi,

here are two patches which allow a client to change
the LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE attribute of a trusted domain.

Please review and push...

Thanks!
metze
-------------- next part --------------
From 76592c213b7def6f1e5aad42300215c4f98e8a4b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 5 Jan 2015 15:59:31 +0100
Subject: [PATCH 1/2] s4:rpc_server/lsa: allow
 LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 020360d..f3d3047 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1766,6 +1766,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 
 	if (info_ex) {
 		uint32_t origattrs;
+		uint32_t changed_attrs;
 		uint32_t origdir;
 		int origtype;
 
@@ -1815,11 +1816,20 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 		}
 		/* TODO: check forestFunctionality from ldb opaque */
 		/* TODO: check what is set makes sense */
-		/* for now refuse changes */
-		if (origattrs == -1 ||
-		    origattrs != info_ex->trust_attributes) {
-			DEBUG(1, ("Attempted to change trust attributes! "
-				  "Operation not handled\n"));
+
+		changed_attrs = origattrs ^ info_ex->trust_attributes;
+		if (changed_attrs & ~LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+			/*
+			 * For now we only allow
+			 * LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.
+			 *
+			 * TODO: we may need to support more attribute changes
+			 */
+			DEBUG(1, ("Attempted to change trust attributes "
+				  "(0x%08x != 0x%08x)! "
+				  "Operation not handled yet...\n",
+				  (unsigned)origattrs,
+				  (unsigned)info_ex->trust_attributes));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
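Review bot: The `origattrs == -1` guard disappears together with the old blanket refusal, so a TDO whose trustAttributes could not be read (the removed line suggests -1 is the not-found marker; origattrs is assigned outside the hunk) is now rejected only as a side effect of the XOR, and a client supplying trust_attributes of 0xFFFFFFFF, or 0xFFFFFFFF with only FOREST_TRANSITIVE cleared, would get past the check. Keep the sentinel explicit: `if (origattrs == (uint32_t)-1 ||` / `    (changed_attrs & ~LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {`. Because this bit turns the trust into a transitive forest trust, the two TODOs kept above the hunk (forestFunctionality, sanity of what is being set) carry more weight now that the bit can actually be flipped than they did while every change was refused; a comment saying which of those checks is deliberately deferred would help the next reader. setInfoTrustedDomain_base continues beyond the hunk.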
-- 
1.9.1


From 643045d1c34fee9e9d3cf2c06c5dd4436396676b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 5 Jan 2015 16:01:16 +0100
Subject: [PATCH 2/2] s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if
 FOREST_TRANSITIVE is cleared

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f3d3047..cc2048d 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1366,7 +1366,10 @@ static NTSTATUS get_tdo(struct ldb_context *sam, TALLOC_CTX *mem_ctx,
 				"securityIdentifier", "trustDirection",
 				"trustType", "trustAttributes",
 				"trustPosixOffset",
-				"msDs-supportedEncryptionTypes", NULL };
+				"msDs-supportedEncryptionTypes",
+				"msDS-TrustForestTrustInfo",
+				NULL
+	};
 	char *dns = NULL;
 	char *nbn = NULL;
 	char *sidstr = NULL;
@@ -1621,6 +1624,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 	bool add_incoming = false;
 	bool del_outgoing = false;
 	bool del_incoming = false;
+	bool del_forest_info = false;
 	bool in_transaction = false;
 	int ret;
 	bool am_rodc;
@@ -1832,6 +1836,18 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 				  (unsigned)info_ex->trust_attributes));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
+
+		if (!(info_ex->trust_attributes &
+		      LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+		{
+			struct ldb_message_element *orig_forest_el = NULL;
+
+			orig_forest_el = ldb_msg_find_element(dom_msg,
+						"msDS-TrustForestTrustInfo");
+			if (orig_forest_el != NULL) {
+				del_forest_info = true;
+			}
+		}
 	}
 
 	if (enc_types) {
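Review bot: `orig_forest_el` is initialised to NULL and immediately overwritten by the ldb_msg_find_element() result; `struct ldb_message_element *orig_forest_el = ldb_msg_find_element(dom_msg, "msDS-TrustForestTrustInfo");` says the same thing in one line. The condition keys on the new trust_attributes value having FOREST_TRANSITIVE clear rather than on the bit transitioning from set to clear (changed_attrs is already in scope), so a call that leaves an already-clear bit untouched also removes any lingering msDS-TrustForestTrustInfo; if that cleanup is intended, a short comment such as `/* forest trust info is meaningless without FOREST_TRANSITIVE; drop any stale value */` would record it. This also relies on get_tdo() having fetched the attribute into dom_msg, which the first hunk of this patch appears to arrange. setInfoTrustedDomain_base continues beyond the hunk.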
@@ -1872,6 +1888,13 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 			}
 		}
 	}
+	if (del_forest_info) {
+		ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo",
+					LDB_FLAG_MOD_REPLACE, NULL);
+		if (ret != LDB_SUCCESS) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
 
 	/* start transaction */
 	ret = ldb_transaction_start(p_state->sam_ldb);
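Review bot: The deletion is written as `ldb_msg_add_empty(..., LDB_FLAG_MOD_REPLACE, NULL)`, which reads like an add to anyone not fluent in ldb; a comment above the call, `/* a REPLACE with no values removes msDS-TrustForestTrustInfo from the TDO */`, would make the intent visible. Every ldb failure is mapped to NT_STATUS_NO_MEMORY, which appears to follow the convention of the surrounding code but hides any non-allocation failure; if ldb_msg_add_empty can fail for other reasons, consider logging ret at DEBUG level before returning. The function continues beyond the hunk.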
-- 
1.9.1