The branch, master has been updated
via 95e8f09 s3-lsa: Fix crypto prototypes.
via 70192f0 s3-build: remove some unused/duplicate headers.
via df13422 s3-selftest: finally enable RPC-LSA against s3.
via d45b33c s3-selftest: enable RPC-LSA-SECRETS against s3.
via 6544bde s3-lsa: support secret objects in _lsa_QuerySecurity().
via 1387095 s3-lsa: support secret objects in _lsa_DeleteObject().
via caa0cc7 s3-lsa: implement _lsa_QuerySecret().
via eb88c7e s3-lsa: implement _lsa_SetSecret().
via d2d59ff s3-lsa: implement _lsa_CreateSecret().
via 7158e27 s3-lsa: implement _lsa_OpenSecret().
via 51481c5 s3-secrets: add lsa_secret passdb api.
via 3fd1652 s3-secrets: add lsa_secret struct to secrets IDL.
via f9a5df8 s3-passdb: add dummy calls to control global (replicated)
secrets.
via b0d9f62 s3-lsa: add LSA_HANDLE_SECRET_TYPE.
via b98145e s3-lsa: Fix _lsa_DeleteObject to handle trusted domain
objects.
from ff19070 s4-kcc: correctly populate the neighbor object when taking
information from repsTo
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 95e8f09f6ea2a26bb552e351d6fc9a9d31cece62
Author: Günther Deschner <[email protected]>
Date: Sun Jul 31 22:37:08 2011 +0200
s3-lsa: Fix crypto prototypes.
Guenther
Autobuild-User: Günther Deschner <[email protected]>
Autobuild-Date: Mon Aug 1 00:18:34 CEST 2011 on sn-devel-104
commit 70192f034c2ed71a91ca3d3cda4051c67b228e14
Author: Günther Deschner <[email protected]>
Date: Sun Jul 31 21:43:02 2011 +0200
s3-build: remove some unused/duplicate headers.
Guenther
commit df13422421490a609560e08a72cdd82b9d966c26
Author: Günther Deschner <[email protected]>
Date: Tue Nov 3 11:48:09 2009 +0100
s3-selftest: finally enable RPC-LSA against s3.
Guenther
commit d45b33cd282b03fc61c63515cc4a2b944447b3e4
Author: Günther Deschner <[email protected]>
Date: Fri Oct 30 00:09:25 2009 +0100
s3-selftest: enable RPC-LSA-SECRETS against s3.
Guenther
commit 6544bde2779be3969dfad39d883a93aacdd0f82d
Author: Günther Deschner <[email protected]>
Date: Thu Jul 1 22:25:16 2010 +0200
s3-lsa: support secret objects in _lsa_QuerySecurity().
Guenther
commit 13870959908250ff5d475ff2bc83f364884a51d9
Author: Günther Deschner <[email protected]>
Date: Fri Oct 30 00:05:07 2009 +0100
s3-lsa: support secret objects in _lsa_DeleteObject().
Guenther
commit caa0cc76b01d160911875d4c68a2a5495022e990
Author: Günther Deschner <[email protected]>
Date: Fri Oct 30 00:04:09 2009 +0100
s3-lsa: implement _lsa_QuerySecret().
Guenther
commit eb88c7e61e8bad47cce1796e3e8d24c21539ca51
Author: Günther Deschner <[email protected]>
Date: Fri Oct 30 00:03:21 2009 +0100
s3-lsa: implement _lsa_SetSecret().
Guenther
commit d2d59ff3eeac74950bafa451453769f0b67ad813
Author: Günther Deschner <[email protected]>
Date: Thu Oct 29 23:59:57 2009 +0100
s3-lsa: implement _lsa_CreateSecret().
Guenther
commit 7158e277243e95ed7e56c06f3a584c0c17449401
Author: Günther Deschner <[email protected]>
Date: Thu Oct 29 23:51:44 2009 +0100
s3-lsa: implement _lsa_OpenSecret().
Guenther
commit 51481c5912288368fd9c8ed4aebbe22a2a330ddc
Author: Günther Deschner <[email protected]>
Date: Thu Feb 17 16:10:28 2011 +0100
s3-secrets: add lsa_secret passdb api.
Guenther
commit 3fd1652104717cf9b7eead1979a718e1163341af
Author: Günther Deschner <[email protected]>
Date: Wed Oct 28 18:07:56 2009 +0100
s3-secrets: add lsa_secret struct to secrets IDL.
Guenther
commit f9a5df89292eeab54b9eed4bacb5b11e7f31f1fb
Author: Günther Deschner <[email protected]>
Date: Wed Oct 28 11:03:15 2009 +0100
s3-passdb: add dummy calls to control global (replicated) secrets.
Guenther
commit b0d9f620aa0182e4e3f60b19896e059f2cfa1ac1
Author: Günther Deschner <[email protected]>
Date: Mon Oct 26 13:43:16 2009 +0100
s3-lsa: add LSA_HANDLE_SECRET_TYPE.
Guenther
commit b98145edc92c739c8ad796f63373ec81bab41ca9
Author: Günther Deschner <[email protected]>
Date: Thu Jul 16 14:32:18 2009 +0200
s3-lsa: Fix _lsa_DeleteObject to handle trusted domain objects.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 3 +-
source3/include/passdb.h | 20 ++-
source3/include/secrets.h | 14 ++
source3/librpc/idl/secrets.idl | 12 +
source3/passdb/pdb_interface.c | 76 +++++++
source3/passdb/proto.h | 12 +
source3/passdb/secrets_lsa.c | 234 ++++++++++++++++++++
source3/rpc_server/lsa/srv_lsa_nt.c | 316 +++++++++++++++++++++++++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 1 -
source3/selftest/tests.py | 4 +-
source3/wscript_build | 2 +-
11 files changed, 674 insertions(+), 20 deletions(-)
create mode 100644 source3/passdb/secrets_lsa.c
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f0718ce..ff2d433 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -520,7 +520,8 @@ LIBADS_SERVER_OBJ = libads/kerberos_verify.o
libads/authdata.o ../auth/kerberos/
LIBADS_PRINTER_OBJ = libads/ldap_printer.o
SECRETS_OBJ = passdb/secrets.o passdb/machine_account_secrets.o
passdb/machine_sid.o \
- librpc/gen_ndr/ndr_secrets.o
+ librpc/gen_ndr/ndr_secrets.o \
+ passdb/secrets_lsa.o
LIBNBT_OBJ = ../libcli/nbt/nbtname.o \
../libcli/netlogon/netlogon.o \
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 855d253..546bcb0 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -316,9 +316,10 @@ enum pdb_policy_type {
* Changed to 17, the sampwent interface is gone.
* Changed to 18, pdb_rid_algorithm -> pdb_capabilities
* Changed to 19, removed uid_to_rid
+ * Changed to 20, pdb_secret calls
*/
-#define PASSDB_INTERFACE_VERSION 19
+#define PASSDB_INTERFACE_VERSION 20
struct pdb_methods
{
@@ -484,7 +485,6 @@ struct pdb_methods
TALLOC_CTX *mem_ctx, uint32_t *num_domains,
struct trustdom_info ***domains);
-
NTSTATUS (*get_trusted_domain)(struct pdb_methods *methods,
TALLOC_CTX *mem_ctx,
const char *domain,
@@ -503,6 +503,22 @@ struct pdb_methods
uint32_t *num_domains,
struct pdb_trusted_domain ***domains);
+ NTSTATUS (*get_secret)(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd);
+ NTSTATUS (*set_secret)(struct pdb_methods *methods,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd);
+ NTSTATUS (*delete_secret)(struct pdb_methods *methods,
+ const char *secret_name);
+
void *private_data; /* Private data of some kind */
void (*free_private_data)(void **);
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 01e635c..4c23335 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -125,4 +125,18 @@ bool secrets_store_generic(const char *owner, const char
*key, const char *secre
char *secrets_fetch_generic(const char *owner, const char *key);
bool secrets_delete_generic(const char *owner, const char *key);
+/* The following definitions come from passdb/secrets_lsa.c */
+NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd);
+NTSTATUS lsa_secret_set(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd);
+NTSTATUS lsa_secret_delete(const char *secret_name);
+
#endif /* _SECRETS_H */
diff --git a/source3/librpc/idl/secrets.idl b/source3/librpc/idl/secrets.idl
index b73f88b..1d0ba19 100644
--- a/source3/librpc/idl/secrets.idl
+++ b/source3/librpc/idl/secrets.idl
@@ -25,5 +25,17 @@ import "security.idl";
dom_sid domain_sid; /* remote domain's sid */
} TRUSTED_DOM_PASS;
+ /*
+ * s3 on-disc storage structure for lsa secrets, do not change !
+ */
+
+ typedef [public] struct {
+ DATA_BLOB *secret_current;
+ NTTIME secret_current_lastchange;
+ DATA_BLOB *secret_old;
+ NTTIME secret_old_lastchange;
+ security_descriptor *sd;
+ } lsa_secret;
+
}
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 94ed355..c92b22a 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -2283,6 +2283,78 @@ static struct pdb_domain_info
*pdb_default_get_domain_info(
}
/*******************************************************************
+ secret methods
+ *******************************************************************/
+
+NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_secret(pdb, mem_ctx, secret_name,
+ secret_current, secret_current_lastchange,
+ secret_old, secret_old_lastchange,
+ sd);
+}
+
+NTSTATUS pdb_set_secret(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_secret(pdb, secret_name,
+ secret_current,
+ secret_old,
+ sd);
+}
+
+NTSTATUS pdb_delete_secret(const char *secret_name)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_secret(pdb, secret_name);
+}
+
+static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
+{
+ return lsa_secret_get(mem_ctx, secret_name,
+ secret_current,
+ secret_current_lastchange,
+ secret_old,
+ secret_old_lastchange,
+ sd);
+}
+
+static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ return lsa_secret_set(secret_name,
+ secret_current,
+ secret_old,
+ sd);
+}
+
+static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
+ const char *secret_name)
+{
+ return lsa_secret_delete(secret_name);
+}
+
+/*******************************************************************
Create a pdb_methods structure and initialize it with the default
operations. In this way a passdb module can simply implement
the functionality it cares about. However, normally this is done
@@ -2353,5 +2425,9 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
(*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
(*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
+ (*methods)->get_secret = pdb_default_get_secret;
+ (*methods)->set_secret = pdb_default_set_secret;
+ (*methods)->delete_secret = pdb_default_delete_secret;
+
return NT_STATUS_OK;
}
diff --git a/source3/passdb/proto.h b/source3/passdb/proto.h
index 8b95b72..3699efe 100644
--- a/source3/passdb/proto.h
+++ b/source3/passdb/proto.h
@@ -295,6 +295,18 @@ NTSTATUS pdb_del_trusted_domain(const char *domain);
NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
struct pdb_trusted_domain ***domains);
NTSTATUS make_pdb_method( struct pdb_methods **methods ) ;
+NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd);
+NTSTATUS pdb_set_secret(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd);
+NTSTATUS pdb_delete_secret(const char *secret_name);
/* The following definitions come from passdb/pdb_ldap.c */
diff --git a/source3/passdb/secrets_lsa.c b/source3/passdb/secrets_lsa.c
new file mode 100644
index 0000000..a40942c
--- /dev/null
+++ b/source3/passdb/secrets_lsa.c
@@ -0,0 +1,234 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Guenther Deschner 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_secrets.h"
+#include "secrets.h"
+
+/******************************************************************************
+*******************************************************************************/
+
+static char *lsa_secret_key(TALLOC_CTX *mem_ctx,
+ const char *secret_name)
+{
+ return talloc_asprintf_strupper_m(mem_ctx, "SECRETS/LSA/%s",
+ secret_name);
+}
+
+/******************************************************************************
+*******************************************************************************/
+
+static NTSTATUS lsa_secret_get_common(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ struct lsa_secret *secret)
+{
+ char *key;
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+
+ ZERO_STRUCTP(secret);
+
+ key = lsa_secret_key(mem_ctx, secret_name);
+ if (!key) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ blob.data = (uint8_t *)secrets_fetch(key, &blob.length);
+ talloc_free(key);
+
+ if (!blob.data) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, secret,
+ (ndr_pull_flags_fn_t)ndr_pull_lsa_secret);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ SAFE_FREE(blob.data);
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ SAFE_FREE(blob.data);
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+*******************************************************************************/
+
+NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
+{
+ NTSTATUS status;
+ struct lsa_secret secret;
+
+ status = lsa_secret_get_common(mem_ctx, secret_name, &secret);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (secret_current) {
+ *secret_current = data_blob_null;
+ if (secret.secret_current) {
+ *secret_current = *secret.secret_current;
+ }
+ }
+ if (secret_current_lastchange) {
+ *secret_current_lastchange = secret.secret_current_lastchange;
+ }
+ if (secret_old) {
+ *secret_old = data_blob_null;
+ if (secret.secret_old) {
+ *secret_old = *secret.secret_old;
+ }
+ }
+ if (secret_old_lastchange) {
+ *secret_old_lastchange = secret.secret_old_lastchange;
+ }
+ if (sd) {
+ *sd = secret.sd;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+*******************************************************************************/
+
+static NTSTATUS lsa_secret_set_common(TALLOC_CTX *mem_ctx,
+ const char *key,
+ struct lsa_secret *secret,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ enum ndr_err_code ndr_err;
+ DATA_BLOB blob;
+ struct timeval now = timeval_current();
+
+ if (!secret) {
+ secret = talloc_zero(mem_ctx, struct lsa_secret);
+ }
+
+ if (!secret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (secret_old) {
+ secret->secret_old = secret_old;
+ secret->secret_old_lastchange = timeval_to_nttime(&now);
+ } else {
+ if (secret->secret_current) {
+ secret->secret_old = secret->secret_current;
+ secret->secret_old_lastchange =
secret->secret_current_lastchange;
+ } else {
+ secret->secret_old = NULL;
+ secret->secret_old_lastchange = timeval_to_nttime(&now);
+ }
+ }
+ if (secret_current) {
+ secret->secret_current = secret_current;
+ secret->secret_current_lastchange = timeval_to_nttime(&now);
+ } else {
+ secret->secret_current = NULL;
+ secret->secret_current_lastchange = timeval_to_nttime(&now);
+ }
+ if (sd) {
+ secret->sd = sd;
+ }
+
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, secret,
+ (ndr_push_flags_fn_t)ndr_push_lsa_secret);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ if (!secrets_store(key, blob.data, blob.length)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+*******************************************************************************/
+
+NTSTATUS lsa_secret_set(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ char *key;
+ struct lsa_secret secret;
+ NTSTATUS status;
+
+ key = lsa_secret_key(talloc_tos(), secret_name);
+ if (!key) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = lsa_secret_get_common(talloc_tos(), secret_name, &secret);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ talloc_free(key);
+ return status;
+ }
+
+ status = lsa_secret_set_common(talloc_tos(), key,
+ &secret,
+ secret_current,
+ secret_old,
+ sd);
+ talloc_free(key);
+
+ return status;
+}
+
+/******************************************************************************
+*******************************************************************************/
+
+NTSTATUS lsa_secret_delete(const char *secret_name)
+{
+ char *key;
+ struct lsa_secret secret;
+ NTSTATUS status;
+
+ key = lsa_secret_key(talloc_tos(), secret_name);
+ if (!key) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = lsa_secret_get_common(talloc_tos(), secret_name, &secret);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(key);
+ return status;
+ }
+
+ if (!secrets_delete(key)) {
+ talloc_free(key);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ talloc_free(key);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c
b/source3/rpc_server/lsa/srv_lsa_nt.c
index 5877c7b..2843162 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -46,6 +46,8 @@
#include "auth.h"
#include "lib/privileges.h"
#include "rpc_server/srv_access_check.h"
+#include "../librpc/gen_ndr/ndr_wkssvc.h"
+#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -55,7 +57,8 @@
enum lsa_handle_type {
LSA_HANDLE_POLICY_TYPE = 1,
LSA_HANDLE_ACCOUNT_TYPE = 2,
- LSA_HANDLE_TRUST_TYPE = 3};
+ LSA_HANDLE_TRUST_TYPE = 3,
+ LSA_HANDLE_SECRET_TYPE = 4};
struct lsa_info {
struct dom_sid sid;
@@ -1478,11 +1481,67 @@ static NTSTATUS
lsa_lookup_trusted_domain_by_name(TALLOC_CTX *mem_ctx,
}
/***************************************************************************
+ _lsa_OpenSecret
***************************************************************************/
-NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
+NTSTATUS _lsa_OpenSecret(struct pipes_struct *p,
+ struct lsa_OpenSecret *r)
{
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ struct lsa_info *handle;
+ struct security_descriptor *psd;
+ NTSTATUS status;
--
Samba Shared Repository
