The branch, master has been updated
       via  e898ad3 s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to 
deal with unencrypted auth info.
       via  7f52cd3 s4-smbtorture: add very basic tests for 
lsa_CreateTrustedDomainEx.
       via  ee1f25d lsa: lsa_CreateTrustedDomainEx takes 
lsa_TrustDomainInfoAuthInfo, not lsa_TrustDomainInfoAuthInfoInternal.
       via  3af3e48 lsa: rename auth info argument in lsa_CreateTrustedDomainEx2
      from  7acc1a7 s4:kdc: set *_strongest_*_key to true to restore the old 
behavior

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e898ad3ffecff5714f381f540753a2b745614995
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jul 15 18:38:21 2011 +0200

    s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to deal with 
unencrypted auth info.
    
    Guenther
    
    Autobuild-User: Günther Deschner <g...@samba.org>
    Autobuild-Date: Fri Jul 15 19:57:48 CEST 2011 on sn-devel-104

commit 7f52cd3b358c4a33606f222b4c59acb2f33d9235
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jul 15 15:38:12 2011 +0200

    s4-smbtorture: add very basic tests for lsa_CreateTrustedDomainEx.
    
    Guenther

commit ee1f25dc2ae715fa76417419010131861f95d8bf
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jul 15 11:18:00 2011 +0200

    lsa: lsa_CreateTrustedDomainEx takes lsa_TrustDomainInfoAuthInfo, not
    lsa_TrustDomainInfoAuthInfoInternal.
    
    Guenther

commit 3af3e4843fbcfcc35594e0c681f4713ebb5b76e4
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jul 15 17:26:16 2011 +0200

    lsa: rename auth info argument in lsa_CreateTrustedDomainEx2
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/lsa.idl                  |    4 +-
 source3/rpc_server/lsa/srv_lsa_nt.c |   13 +++--
 source3/utils/net_rpc_trust.c       |    2 +-
 source4/rpc_server/lsa/dcesrv_lsa.c |   30 ++++++----
 source4/torture/rpc/forest_trust.c  |    2 +-
 source4/torture/rpc/lsa.c           |  100 +++++++++++++++++++++++++++-------
 6 files changed, 109 insertions(+), 42 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index c8aaa47..d8f2649 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1052,7 +1052,7 @@ import "misc.idl", "security.idl";
        NTSTATUS lsa_CreateTrustedDomainEx(
                [in]  policy_handle               *policy_handle,
                [in]  lsa_TrustDomainInfoInfoEx   *info,
-               [in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+               [in]  lsa_TrustDomainInfoAuthInfo *auth_info,
                [in]  lsa_TrustedAccessMask access_mask,
                [out] policy_handle               *trustdom_handle
                );
@@ -1186,7 +1186,7 @@ import "misc.idl", "security.idl";
        NTSTATUS lsa_CreateTrustedDomainEx2(
                [in]  policy_handle               *policy_handle,
                [in]  lsa_TrustDomainInfoInfoEx   *info,
-               [in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+               [in]  lsa_TrustDomainInfoAuthInfoInternal *auth_info_internal,
                [in]  lsa_TrustedAccessMask access_mask,
                [out] policy_handle               *trustdom_handle
                );
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c 
b/source3/rpc_server/lsa/srv_lsa_nt.c
index c6f45ea..2342a0e 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1746,9 +1746,9 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct 
*p,
        td.trust_type = r->in.info->trust_type;
        td.trust_attributes = r->in.info->trust_attributes;
 
-       if (r->in.auth_info->auth_blob.size != 0) {
-               auth_blob.length = r->in.auth_info->auth_blob.size;
-               auth_blob.data = r->in.auth_info->auth_blob.data;
+       if (r->in.auth_info_internal->auth_blob.size != 0) {
+               auth_blob.length = r->in.auth_info_internal->auth_blob.size;
+               auth_blob.data = r->in.auth_info_internal->auth_blob.data;
 
                arcfour_crypt_blob(auth_blob.data, auth_blob.length,
                                   &p->session_info->session_key);
@@ -1818,10 +1818,13 @@ NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct 
*p,
                                    struct lsa_CreateTrustedDomainEx *r)
 {
        struct lsa_CreateTrustedDomainEx2 q;
+       struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
+
+       ZERO_STRUCT(auth_info);
 
        q.in.policy_handle      = r->in.policy_handle;
        q.in.info               = r->in.info;
-       q.in.auth_info          = r->in.auth_info;
+       q.in.auth_info_internal = &auth_info;
        q.in.access_mask        = r->in.access_mask;
        q.out.trustdom_handle   = r->out.trustdom_handle;
 
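Review bot: `q.in.auth_info_internal = &auth_info;` hands the Ex2 implementation a zeroed blob, so whatever the client sent in `r->in.auth_info` is discarded and the trust is created with no auth data while the caller still receives the Ex2 result. Nothing in the code says this is intentional; a comment above `ZERO_STRUCT(auth_info);` such as `/* r->in.auth_info is not converted yet: the trust is created without secrets */` would stop a later reader from assuming the credentials were stored. When the client supplies a non-zero `incoming_count` or `outgoing_count`, returning an error or at least logging is probably safer than reporting success. The same silent drop appears in the `NDR_LSA_CREATETRUSTEDDOMAINEX` branch of dcesrv_lsa_CreateTrustedDomain_base in source4; the function body here continues past the hunk.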
@@ -1850,7 +1853,7 @@ NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
 
        c.in.policy_handle      = r->in.policy_handle;
        c.in.info               = &info;
-       c.in.auth_info          = &auth_info;
+       c.in.auth_info_internal = &auth_info;
        c.in.access_mask        = r->in.access_mask;
        c.out.trustdom_handle   = r->out.trustdom_handle;
 
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index 318c06f..82cc8a5 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -128,7 +128,7 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx,
 
        r.in.policy_handle = pol_hnd;
        r.in.info = &trustinfo;
-       r.in.auth_info = authinfo;
+       r.in.auth_info_internal = authinfo;
        r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH |
                           LSA_TRUSTED_QUERY_DOMAIN_NAME;
        r.out.trustdom_handle = &trustdom_handle;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c 
b/source4/rpc_server/lsa/dcesrv_lsa.c
index 1acde1c..d5c1b61 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -874,7 +874,8 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
 static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state 
*dce_call,
                                                    TALLOC_CTX *mem_ctx,
                                                    struct 
lsa_CreateTrustedDomainEx2 *r,
-                                                   int op)
+                                                   int op,
+                                                   struct 
lsa_TrustDomainInfoAuthInfo *unencrypted_auth_info)
 {
        struct dcesrv_handle *policy_handle;
        struct lsa_policy_state *policy_state;
@@ -931,20 +932,26 @@ static NTSTATUS 
dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
                /* No secrets are created at this time, for this function */
                auth_struct.outgoing.count = 0;
                auth_struct.incoming.count = 0;
-       } else {
-               auth_blob = data_blob_const(r->in.auth_info->auth_blob.data,
-                                           r->in.auth_info->auth_blob.size);
+       } else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX2) {
+               auth_blob = 
data_blob_const(r->in.auth_info_internal->auth_blob.data,
+                                           
r->in.auth_info_internal->auth_blob.size);
                nt_status = get_trustdom_auth_blob(dce_call, mem_ctx,
                                                   &auth_blob, &auth_struct);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        return nt_status;
                }
+       } else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
 
-               if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
-                       if (auth_struct.incoming.count > 1) {
-                               return NT_STATUS_INVALID_PARAMETER;
-                       }
+               if (unencrypted_auth_info->incoming_count > 1) {
+                       return NT_STATUS_INVALID_PARAMETER;
                }
+
+               /* more investigation required here, do not create secrets for
+                * now */
+               auth_struct.outgoing.count = 0;
+               auth_struct.incoming.count = 0;
+       } else {
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        if (auth_struct.incoming.count) {
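Review bot: The new `NDR_LSA_CREATETRUSTEDDOMAINEX` branch dereferences `unencrypted_auth_info` with no NULL check, while the other two callers in this patch pass NULL and are kept out of the branch only by the value of `op`. Because the pointer and `op` are independent arguments, the guard should cover both: `if (unencrypted_auth_info == NULL || unencrypted_auth_info->incoming_count > 1) {`. The branch also bounds only `incoming_count`; whether the outgoing side needs the same limit is worth settling as part of the investigation the added comment mentions. The function begins before and continues after this hunk.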
@@ -1126,7 +1133,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx2(struct 
dcesrv_call_state *dce_
                                           TALLOC_CTX *mem_ctx,
                                           struct lsa_CreateTrustedDomainEx2 *r)
 {
-       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, 
NDR_LSA_CREATETRUSTEDDOMAINEX2);
+       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, 
NDR_LSA_CREATETRUSTEDDOMAINEX2, NULL);
 }
 /*
   lsa_CreateTrustedDomainEx
@@ -1139,9 +1146,8 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx(struct 
dcesrv_call_state *dce_c
 
        r2.in.policy_handle = r->in.policy_handle;
        r2.in.info = r->in.info;
-       r2.in.auth_info = r->in.auth_info;
        r2.out.trustdom_handle = r->out.trustdom_handle;
-       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, 
NDR_LSA_CREATETRUSTEDDOMAINEX);
+       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, 
NDR_LSA_CREATETRUSTEDDOMAINEX, r->in.auth_info);
 }
 
 /* 
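Review bot: After the removal of `r2.in.auth_info = r->in.auth_info;` nothing in the visible lines assigns `r2.in.auth_info_internal`. The declaration of `r2` is outside the hunk, so unless it is zeroed there the base function receives a struct with an indeterminate pointer member; today that member is read only for the Ex2 op, which makes this latent rather than live. Adding `r2.in.auth_info_internal = NULL;` (or `ZERO_STRUCT(r2);` ahead of the assignments) makes any future misuse fail on a NULL pointer instead of on stack contents.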
@@ -1168,7 +1174,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain(struct 
dcesrv_call_state *dce_cal
        r2.in.access_mask = r->in.access_mask;
        r2.out.trustdom_handle = r->out.trustdom_handle;
 
-       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, 
NDR_LSA_CREATETRUSTEDDOMAIN);
+       return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, 
NDR_LSA_CREATETRUSTEDDOMAIN, NULL);
                         
 }
 
diff --git a/source4/torture/rpc/forest_trust.c 
b/source4/torture/rpc/forest_trust.c
index 5e3efeb..1c5c177 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -122,7 +122,7 @@ static bool test_create_trust_and_set_info(struct 
dcerpc_pipe *p,
 
        r.in.policy_handle = handle;
        r.in.info = &trustinfo;
-       r.in.auth_info = authinfo;
+       r.in.auth_info_internal = authinfo;
        /* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following
         * QueryTrustedDomainInfo call, although it seems that Windows does not
         * expect this */
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index aee0264..4fbf36c 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -2394,16 +2394,19 @@ static bool test_CreateTrustedDomain(struct 
dcerpc_binding_handle *b,
        return ret;
 }
 
-static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
-                                       struct torture_context *tctx,
-                                       struct policy_handle *handle,
-                                       uint32_t num_trusts)
+static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
+                                             struct torture_context *tctx,
+                                             struct policy_handle *handle,
+                                             uint32_t num_trusts,
+                                             bool ex2_call)
 {
        NTSTATUS status;
        bool ret = true;
-       struct lsa_CreateTrustedDomainEx2 r;
+       struct lsa_CreateTrustedDomainEx r;
+       struct lsa_CreateTrustedDomainEx2 r2;
        struct lsa_TrustDomainInfoInfoEx trustinfo;
-       struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
+       struct lsa_TrustDomainInfoAuthInfoInternal authinfo_internal;
+       struct lsa_TrustDomainInfoAuthInfo authinfo;
        struct trustDomainPasswords auth_struct;
        DATA_BLOB auth_blob;
        struct dom_sid **domsid;
@@ -2415,7 +2418,11 @@ static bool test_CreateTrustedDomainEx2(struct 
dcerpc_pipe *p,
        int i;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
-       torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d 
domains\n", num_trusts);
+       if (ex2_call) {
+               torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d 
domains\n", num_trusts);
+       } else {
+               torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d 
domains\n", num_trusts);
+       }
 
        domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
        trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
@@ -2475,24 +2482,55 @@ static bool test_CreateTrustedDomainEx2(struct 
dcerpc_pipe *p,
 
                arcfour_crypt_blob(auth_blob.data, auth_blob.length, 
&session_key);
 
-               authinfo.auth_blob.size = auth_blob.length;
-               authinfo.auth_blob.data = auth_blob.data;
+               ZERO_STRUCT(authinfo);
 
-               r.in.policy_handle = handle;
-               r.in.info = &trustinfo;
-               r.in.auth_info = &authinfo;
-               r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
-               r.out.trustdom_handle = &trustdom_handle[i];
+               authinfo_internal.auth_blob.size = auth_blob.length;
+               authinfo_internal.auth_blob.data = auth_blob.data;
 
-               torture_assert_ntstatus_ok(tctx, 
dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
-                       "CreateTrustedDomainEx2 failed");
-               if (NT_STATUS_EQUAL(r.out.result, 
NT_STATUS_OBJECT_NAME_COLLISION)) {
-                       test_DeleteTrustedDomain(b, tctx, handle, 
trustinfo.netbios_name);
-                       torture_assert_ntstatus_ok(tctx, 
dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
+               if (ex2_call) {
+
+                       r2.in.policy_handle = handle;
+                       r2.in.info = &trustinfo;
+                       r2.in.auth_info_internal = &authinfo_internal;
+                       r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+                       r2.out.trustdom_handle = &trustdom_handle[i];
+
+                       torture_assert_ntstatus_ok(tctx,
+                               dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, 
&r2),
                                "CreateTrustedDomainEx2 failed");
+
+                       status = r2.out.result;
+               } else {
+
+                       r.in.policy_handle = handle;
+                       r.in.info = &trustinfo;
+                       r.in.auth_info = &authinfo;
+                       r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+                       r.out.trustdom_handle = &trustdom_handle[i];
+
+                       torture_assert_ntstatus_ok(tctx,
+                               dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
+                               "CreateTrustedDomainEx failed");
+
+                       status = r.out.result;
                }
-               if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_comment(tctx, "CreateTrustedDomainEx failed2 - 
%s\n", nt_errstr(r.out.result));
+
+               if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+                       test_DeleteTrustedDomain(b, tctx, handle, 
trustinfo.netbios_name);
+                       if (ex2_call) {
+                               torture_assert_ntstatus_ok(tctx,
+                                       dcerpc_lsa_CreateTrustedDomainEx2_r(b, 
tctx, &r2),
+                                       "CreateTrustedDomainEx2 failed");
+                               status = r2.out.result;
+                       } else {
+                               torture_assert_ntstatus_ok(tctx,
+                                       dcerpc_lsa_CreateTrustedDomainEx_r(b, 
tctx, &r),
+                                       "CreateTrustedDomainEx2 failed");
+                               status = r.out.result;
+                       }
+               }
+               if (!NT_STATUS_IS_OK(status)) {
+                       torture_comment(tctx, "CreateTrustedDomainEx failed2 - 
%s\n", nt_errstr(status));
                        ret = false;
                } else {
 
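Review bot: In the collision-retry path the `else` arm calls `dcerpc_lsa_CreateTrustedDomainEx_r` but reports `"CreateTrustedDomainEx2 failed"`, so a failing Ex retry is logged under the wrong call; the string should be `"CreateTrustedDomainEx failed"`. The shared message `"CreateTrustedDomainEx failed2 - %s\n"` is likewise printed for both variants and could name the call from `ex2_call`. The Ex path also sends `authinfo` straight after `ZERO_STRUCT(authinfo)`, so this test never exercises non-empty unencrypted auth info; a short comment saying so would stop it being read as coverage of the secrets path. The enclosing function begins before and continues past this hunk.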
@@ -2553,6 +2591,22 @@ static bool test_CreateTrustedDomainEx2(struct 
dcerpc_pipe *p,
        return ret;
 }
 
+static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
+                                       struct torture_context *tctx,
+                                       struct policy_handle *handle,
+                                       uint32_t num_trusts)
+{
+       return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, 
true);
+}
+
+static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
+                                      struct torture_context *tctx,
+                                      struct policy_handle *handle,
+                                      uint32_t num_trusts)
+{
+       return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, 
false);
+}
+
 static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
                                 struct torture_context *tctx,
                                 struct policy_handle *handle)
@@ -3008,6 +3062,10 @@ static bool testcase_TrustedDomains(struct 
torture_context *tctx,
                ret = false;
        }
 
+       if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
+               ret = false;
+       }
+
        if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
                ret = false;
        }


-- 
Samba Shared Repository
