The branch, master has been updated
via ccdd146... s3-netlogon: make sure we protect some function codes in
_netr_LogonControl2Ex().
via bb2e1ff... s3-netlogon: let s3 pass against RPC-NETLOGON-S3 again.
via 40f3f45... s3-netlogon: implement _netr_NETLOGON_INFO_4 in
netr_LogonControl2Ex() and friends as well.
via b3a2147... s3-netlogon: implement remote trust account changing in
netr_LogonControl2Ex() and friends.
via 8be9ec6... security: re-run make samba3-idl after IDL change.
from 97496bb... s3-lsa: fill in some more info levels in
_lsa_QueryInfoPolicy().
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ccdd1462cc8d7e5e067b5f3d6122ee8765921b4f
Author: Günther Deschner <[email protected]>
Date: Wed Nov 4 00:34:29 2009 +0100
s3-netlogon: make sure we protect some function codes in
_netr_LogonControl2Ex().
Guenther
commit bb2e1ff6315f070b67d45600dd763011f8aba136
Author: Günther Deschner <[email protected]>
Date: Mon Oct 19 11:28:00 2009 +0200
s3-netlogon: let s3 pass against RPC-NETLOGON-S3 again.
Guenther
commit 40f3f456bcea3d37537e807dbcd3a09b08dbc870
Author: Günther Deschner <[email protected]>
Date: Thu Oct 8 00:58:02 2009 +0200
s3-netlogon: implement _netr_NETLOGON_INFO_4 in netr_LogonControl2Ex() and
friends as well.
Guenther
commit b3a21474971d3ffd6135011daa5f2fe521f535d1
Author: Günther Deschner <[email protected]>
Date: Thu Oct 8 00:38:53 2009 +0200
s3-netlogon: implement remote trust account changing in
netr_LogonControl2Ex() and friends.
Guenther
commit 8be9ec604e3208c339263ba1cb59c725255ace9b
Author: Günther Deschner <[email protected]>
Date: Tue Nov 3 23:46:26 2009 +0100
security: re-run make samba3-idl after IDL change.
Guenther
-----------------------------------------------------------------------
Summary of changes:
librpc/gen_ndr/ndr_security.c | 24 ------
librpc/gen_ndr/security.h | 1 -
source3/rpc_server/srv_netlog_nt.c | 136 ++++++++++++++++++++++++++++++++++++
3 files changed, 136 insertions(+), 25 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/gen_ndr/ndr_security.c b/librpc/gen_ndr/ndr_security.c
index 5453d0c..e20776b 100644
--- a/librpc/gen_ndr/ndr_security.c
+++ b/librpc/gen_ndr/ndr_security.c
@@ -865,7 +865,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_token(struct
ndr_push *ndr, int ndr
NDR_CHECK(ndr_push_unique_ptr(ndr,
r->sids[cntr_sids_0]));
}
NDR_CHECK(ndr_push_udlong(ndr, NDR_SCALARS, r->privilege_mask));
- NDR_CHECK(ndr_push_unique_ptr(ndr, r->default_dacl));
NDR_CHECK(ndr_push_trailer_align(ndr, 5));
}
if (ndr_flags & NDR_BUFFERS) {
@@ -880,9 +879,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_token(struct
ndr_push *ndr, int ndr
NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS,
r->sids[cntr_sids_0]));
}
}
- if (r->default_dacl) {
- NDR_CHECK(ndr_push_security_acl(ndr,
NDR_SCALARS|NDR_BUFFERS, r->default_dacl));
- }
}
return NDR_ERR_SUCCESS;
}
@@ -897,8 +893,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct
ndr_pull *ndr, int ndr
uint32_t cntr_sids_0;
TALLOC_CTX *_mem_save_sids_0;
TALLOC_CTX *_mem_save_sids_1;
- uint32_t _ptr_default_dacl;
- TALLOC_CTX *_mem_save_default_dacl_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 5));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user_sid));
@@ -928,12 +922,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct
ndr_pull *ndr, int ndr
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0);
NDR_CHECK(ndr_pull_udlong(ndr, NDR_SCALARS,
&r->privilege_mask));
- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_default_dacl));
- if (_ptr_default_dacl) {
- NDR_PULL_ALLOC(ndr, r->default_dacl);
- } else {
- r->default_dacl = NULL;
- }
if (r->sids) {
NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->sids,
r->num_sids));
}
@@ -963,12 +951,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct
ndr_pull *ndr, int ndr
}
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0);
- if (r->default_dacl) {
- _mem_save_default_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
- NDR_PULL_SET_MEM_CTX(ndr, r->default_dacl, 0);
- NDR_CHECK(ndr_pull_security_acl(ndr,
NDR_SCALARS|NDR_BUFFERS, r->default_dacl));
- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_dacl_0, 0);
- }
}
return NDR_ERR_SUCCESS;
}
@@ -1007,12 +989,6 @@ _PUBLIC_ void ndr_print_security_token(struct ndr_print
*ndr, const char *name,
}
ndr->depth--;
ndr_print_udlong(ndr, "privilege_mask", r->privilege_mask);
- ndr_print_ptr(ndr, "default_dacl", r->default_dacl);
- ndr->depth++;
- if (r->default_dacl) {
- ndr_print_security_acl(ndr, "default_dacl", r->default_dacl);
- }
- ndr->depth--;
ndr->depth--;
}
diff --git a/librpc/gen_ndr/security.h b/librpc/gen_ndr/security.h
index 297ba18..c42b6ed 100644
--- a/librpc/gen_ndr/security.h
+++ b/librpc/gen_ndr/security.h
@@ -350,7 +350,6 @@ struct security_token {
uint32_t num_sids;
struct dom_sid **sids;/* [unique,size_is(num_sids)] */
uint64_t privilege_mask;
- struct security_acl *default_dacl;/* [unique] */
}/* [public] */;
/* bitmap security_secinfo */
diff --git a/source3/rpc_server/srv_netlog_nt.c
b/source3/rpc_server/srv_netlog_nt.c
index 491754f..c497455 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -95,6 +95,68 @@ WERROR _netr_LogonControl2(pipes_struct *p,
return _netr_LogonControl2Ex(p, &l);
}
+/*************************************************************************
+ *************************************************************************/
+
+static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
+{
+ wbcErr result;
+ struct wbcAuthErrorInfo *error = NULL;
+
+ result = wbcChangeTrustCredentials(domain, &error);
+ switch (result) {
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ return false;
+ case WBC_ERR_DOMAIN_NOT_FOUND:
+ *tc_status = WERR_NO_SUCH_DOMAIN;
+ return true;
+ case WBC_ERR_SUCCESS:
+ *tc_status = WERR_OK;
+ return true;
+ default:
+ break;
+ }
+
+ if (error && error->nt_status != 0) {
+ *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
+ } else {
+ *tc_status = WERR_TRUST_FAILURE;
+ }
+ wbcFreeMemory(error);
+ return true;
+}
+
+/*************************************************************************
+ *************************************************************************/
+
+static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
+{
+ wbcErr result;
+ struct wbcAuthErrorInfo *error = NULL;
+
+ result = wbcCheckTrustCredentials(domain, &error);
+ switch (result) {
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ return false;
+ case WBC_ERR_DOMAIN_NOT_FOUND:
+ *tc_status = WERR_NO_SUCH_DOMAIN;
+ return true;
+ case WBC_ERR_SUCCESS:
+ *tc_status = WERR_OK;
+ return true;
+ default:
+ break;
+ }
+
+ if (error && error->nt_status != 0) {
+ *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
+ } else {
+ *tc_status = WERR_TRUST_FAILURE;
+ }
+ wbcFreeMemory(error);
+ return true;
+}
+
/****************************************************************
_netr_LogonControl2Ex
****************************************************************/
@@ -113,6 +175,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
struct netr_NETLOGON_INFO_1 *info1;
struct netr_NETLOGON_INFO_2 *info2;
struct netr_NETLOGON_INFO_3 *info3;
+ struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
switch (p->hdr_req.opnum) {
@@ -129,10 +192,60 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
return WERR_INVALID_PARAM;
}
+ switch (r->in.function_code) {
+ case NETLOGON_CONTROL_TC_VERIFY:
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ case NETLOGON_CONTROL_REDISCOVER:
+ if (!nt_token_check_domain_rid(p->server_info->ptok,
DOMAIN_GROUP_RID_ADMINS) &&
+ !nt_token_check_sid(&global_sid_Builtin_Administrators,
p->server_info->ptok)) {
+ return WERR_ACCESS_DENIED;
+ }
+ break;
+ default:
+ break;
+ }
+
tc_status = WERR_NO_SUCH_DOMAIN;
switch (r->in.function_code) {
+ case NETLOGON_CONTROL_QUERY:
+ tc_status = WERR_OK;
+ break;
+ case NETLOGON_CONTROL_REPLICATE:
+ case NETLOGON_CONTROL_SYNCHRONIZE:
+ case NETLOGON_CONTROL_PDC_REPLICATE:
+ case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+ case NETLOGON_CONTROL_TRUNCATE_LOG:
+ case NETLOGON_CONTROL_BREAKPOINT:
+ return WERR_ACCESS_DENIED;
+ case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
+ case NETLOGON_CONTROL_FORCE_DNS_REG:
+ case NETLOGON_CONTROL_QUERY_DNS_REG:
+ return WERR_NOT_SUPPORTED;
+ case NETLOGON_CONTROL_FIND_USER:
+ if (!r->in.data || !r->in.data->user) {
+ return WERR_NOT_SUPPORTED;
+ }
+ break;
+ case NETLOGON_CONTROL_SET_DBFLAG:
+ if (!r->in.data) {
+ return WERR_NOT_SUPPORTED;
+ }
+ break;
+ case NETLOGON_CONTROL_TC_VERIFY:
+ if (!r->in.data || !r->in.data->domain) {
+ return WERR_NOT_SUPPORTED;
+ }
+
+ if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
+ return WERR_NOT_SUPPORTED;
+ }
+ break;
case NETLOGON_CONTROL_TC_QUERY:
+ if (!r->in.data || !r->in.data->domain) {
+ return WERR_NOT_SUPPORTED;
+ }
+
domain = r->in.data->domain;
if (!is_trusted_domain(domain)) {
@@ -154,6 +267,10 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
break;
case NETLOGON_CONTROL_REDISCOVER:
+ if (!r->in.data || !r->in.data->domain) {
+ return WERR_NOT_SUPPORTED;
+ }
+
domain = r->in.data->domain;
if (!is_trusted_domain(domain)) {
@@ -174,6 +291,16 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
break;
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ if (!r->in.data || !r->in.data->domain) {
+ return WERR_NOT_SUPPORTED;
+ }
+
+ if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
+ return WERR_NOT_SUPPORTED;
+ }
+ break;
+
default:
/* no idea what this should be */
DEBUG(0,("%s: unimplemented function level [%d]\n",
@@ -213,6 +340,15 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
r->out.query->info3 = info3;
break;
+ case 4:
+ info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
+ W_ERROR_HAVE_NO_MEMORY(info4);
+
+ info4->trusted_dc_name = dc_name;
+ info4->trusted_domain_name = r->in.data->domain;
+
+ r->out.query->info4 = info4;
+ break;
default:
return WERR_UNKNOWN_LEVEL;
}
--
Samba Shared Repository
