The branch, master has been updated via e898ad3 s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to deal with unencrypted auth info. via 7f52cd3 s4-smbtorture: add very basic tests for lsa_CreateTrustedDomainEx. via ee1f25d lsa: lsa_CreateTrustedDomainEx takes lsa_TrustDomainInfoAuthInfo, not lsa_TrustDomainInfoAuthInfoInternal. via 3af3e48 lsa: rename auth info argument in lsa_CreateTrustedDomainEx2 from 7acc1a7 s4:kdc: set *_strongest_*_key to true to restore the old behavior
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e898ad3ffecff5714f381f540753a2b745614995
Author: Günther Deschner <g...@samba.org>
Date: Fri Jul 15 18:38:21 2011 +0200
s4-lsa: prepare dcesrv_lsa_CreateTrustedDomain_base() to deal with unencrypted auth info.
Guenther
Autobuild-User: Günther Deschner <g...@samba.org>
Autobuild-Date: Fri Jul 15 19:57:48 CEST 2011 on sn-devel-104
commit 7f52cd3b358c4a33606f222b4c59acb2f33d9235
Author: Günther Deschner <g...@samba.org>
Date: Fri Jul 15 15:38:12 2011 +0200
s4-smbtorture: add very basic tests for lsa_CreateTrustedDomainEx.
Guenther
commit ee1f25dc2ae715fa76417419010131861f95d8bf
Author: Günther Deschner <g...@samba.org>
Date: Fri Jul 15 11:18:00 2011 +0200
lsa: lsa_CreateTrustedDomainEx takes lsa_TrustDomainInfoAuthInfo, not lsa_TrustDomainInfoAuthInfoInternal.
Guenther
commit 3af3e4843fbcfcc35594e0c681f4713ebb5b76e4
Author: Günther Deschner <g...@samba.org>
Date: Fri Jul 15 17:26:16 2011 +0200
lsa: rename auth info argument in lsa_CreateTrustedDomainEx2
Guenther
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/lsa.idl | 4 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 13 +++--
source3/utils/net_rpc_trust.c | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 30 ++++++----
source4/torture/rpc/forest_trust.c | 2 +-
source4/torture/rpc/lsa.c | 100 +++++++++++++++++++++++++++-------
6 files changed, 109 insertions(+), 42 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index c8aaa47..d8f2649 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1052,7 +1052,7 @@ import "misc.idl", "security.idl";
 NTSTATUS lsa_CreateTrustedDomainEx(
 [in] policy_handle *policy_handle,
 [in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfo *auth_info,
 [in] lsa_TrustedAccessMask access_mask,
 [out] policy_handle *trustdom_handle
 );
@@ -1186,7 +1186,7 @@ import "misc.idl", "security.idl";
 NTSTATUS lsa_CreateTrustedDomainEx2(
 [in] policy_handle *policy_handle,
 [in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info_internal,
 [in] lsa_TrustedAccessMask access_mask,
 [out] policy_handle *trustdom_handle
 );
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index c6f45ea..2342a0e 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1746,9 +1746,9 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
 td.trust_type = r->in.info->trust_type;
 td.trust_attributes = r->in.info->trust_attributes;
- if (r->in.auth_info->auth_blob.size != 0) {
- auth_blob.length = r->in.auth_info->auth_blob.size;
- auth_blob.data = r->in.auth_info->auth_blob.data;
+ if (r->in.auth_info_internal->auth_blob.size != 0) {
+ auth_blob.length = r->in.auth_info_internal->auth_blob.size;
+ auth_blob.data = r->in.auth_info_internal->auth_blob.data;
 arcfour_crypt_blob(auth_blob.data, auth_blob.length, &p->session_info->session_key);
@@ -1818,10 +1818,13 @@ NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
 struct lsa_CreateTrustedDomainEx *r)
 {
 struct lsa_CreateTrustedDomainEx2 q;
+ struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
+
+ ZERO_STRUCT(auth_info);
 q.in.policy_handle = r->in.policy_handle;
 q.in.info = r->in.info;
- q.in.auth_info = r->in.auth_info;
+ q.in.auth_info_internal = &auth_info;
 q.in.access_mask = r->in.access_mask;
 q.out.trustdom_handle = r->out.trustdom_handle;
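Review bot: In the @@ -1818 hunk, `_lsa_CreateTrustedDomainEx` now hands a zeroed `lsa_TrustDomainInfoAuthInfoInternal` to `_lsa_CreateTrustedDomainEx2` and never reads `r->in.auth_info`, so the unencrypted auth info the client supplied is silently dropped and the trust is created without the requested secrets (the ex2 path at @@ -1746 only installs secrets when `auth_blob.size != 0`). Unlike the source4 counterpart in dcesrv_lsa.c, nothing validates the incoming data and no comment says the discard is deliberate, so the call reports success while the trust password was ignored. At minimum annotate the `ZERO_STRUCT(auth_info);` line, e.g. `/* TODO: r->in.auth_info is not converted yet; the trust is created without secrets */`, and consider rejecting input that cannot be honoured the way s4 does: `if (r->in.auth_info->incoming_count > 1) { return NT_STATUS_INVALID_PARAMETER; }`. The body of `_lsa_CreateTrustedDomainEx` continues past the hunk.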
@@ -1850,7 +1853,7 @@ NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
 c.in.policy_handle = r->in.policy_handle;
 c.in.info = &info;
- c.in.auth_info = &auth_info;
+ c.in.auth_info_internal = &auth_info;
 c.in.access_mask = r->in.access_mask;
 c.out.trustdom_handle = r->out.trustdom_handle;
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index 318c06f..82cc8a5 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -128,7 +128,7 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx,
 r.in.policy_handle = pol_hnd;
 r.in.info = &trustinfo;
- r.in.auth_info = authinfo;
+ r.in.auth_info_internal = authinfo;
 r.in.access_mask = LSA_TRUSTED_SET_POSIX | LSA_TRUSTED_SET_AUTH | LSA_TRUSTED_QUERY_DOMAIN_NAME;
 r.out.trustdom_handle = &trustdom_handle;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 1acde1c..d5c1b61 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -874,7 +874,8 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
 static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dce_call,
 TALLOC_CTX *mem_ctx,
 struct lsa_CreateTrustedDomainEx2 *r,
- int op)
+ int op,
+ struct lsa_TrustDomainInfoAuthInfo *unencrypted_auth_info)
 {
 struct dcesrv_handle *policy_handle;
 struct lsa_policy_state *policy_state;
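Review bot: The new `unencrypted_auth_info` parameter of `dcesrv_lsa_CreateTrustedDomain_base` (@@ -874) is undocumented, and its contract can only be recovered from the three call sites further down: it is non-NULL for NDR_LSA_CREATETRUSTEDDOMAINEX and NULL for the other ops, which carry their auth data as an encrypted blob in `r->in.auth_info_internal` instead. A short comment above the signature would spare the next reader that reconstruction, e.g. `/* unencrypted_auth_info: plaintext lsa_TrustDomainInfoAuthInfo from CreateTrustedDomainEx; NULL for the other ops, whose auth data arrives encrypted in r->in.auth_info_internal */`. The function body continues beyond this hunk.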
@@ -931,20 +932,26 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 /* No secrets are created at this time, for this function */
 auth_struct.outgoing.count = 0;
 auth_struct.incoming.count = 0;
- } else {
- auth_blob = data_blob_const(r->in.auth_info->auth_blob.data,
- r->in.auth_info->auth_blob.size);
+ } else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX2) {
+ auth_blob = data_blob_const(r->in.auth_info_internal->auth_blob.data,
+ r->in.auth_info_internal->auth_blob.size);
 nt_status = get_trustdom_auth_blob(dce_call, mem_ctx, &auth_blob, &auth_struct);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
 }
+ } else if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
- if (op == NDR_LSA_CREATETRUSTEDDOMAINEX) {
- if (auth_struct.incoming.count > 1) {
- return NT_STATUS_INVALID_PARAMETER;
- }
+ if (unencrypted_auth_info->incoming_count > 1) {
+ return NT_STATUS_INVALID_PARAMETER;
 }
+
+ /* more investigation required here, do not create secrets for
+ * now */
+ auth_struct.outgoing.count = 0;
+ auth_struct.incoming.count = 0;
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
 }
 if (auth_struct.incoming.count) {
@@ -1126,7 +1133,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx2(struct dcesrv_call_state *dce_
 TALLOC_CTX *mem_ctx,
 struct lsa_CreateTrustedDomainEx2 *r)
 {
- return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, NDR_LSA_CREATETRUSTEDDOMAINEX2);
+ return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, r, NDR_LSA_CREATETRUSTEDDOMAINEX2, NULL);
 }
 /* lsa_CreateTrustedDomainEx
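Review bot: `unencrypted_auth_info->incoming_count` is dereferenced in the new NDR_LSA_CREATETRUSTEDDOMAINEX branch without a NULL check. The only caller that passes a non-NULL value, `dcesrv_lsa_CreateTrustedDomainEx` further down this file, forwards `r->in.auth_info` straight from the wire; if that `[in]` pointer is a unique rather than a ref pointer in lsa.idl, a client can send it as NULL and crash the RPC server at this line. The removed code only inspected `auth_struct.incoming.count`, which was server-local state, so this is a new exposure to client-controlled input. Guard it before the count test: `if (unencrypted_auth_info == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. `dcesrv_lsa_CreateTrustedDomain_base` starts and ends outside this hunk.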
@@ -1139,9 +1146,8 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx(struct dcesrv_call_state *dce_c
 r2.in.policy_handle = r->in.policy_handle;
 r2.in.info = r->in.info;
- r2.in.auth_info = r->in.auth_info;
 r2.out.trustdom_handle = r->out.trustdom_handle;
- return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAINEX);
+ return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAINEX, r->in.auth_info);
 }
 /*
@@ -1168,7 +1174,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_cal
 r2.in.access_mask = r->in.access_mask;
 r2.out.trustdom_handle = r->out.trustdom_handle;
- return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAIN);
+ return dcesrv_lsa_CreateTrustedDomain_base(dce_call, mem_ctx, &r2, NDR_LSA_CREATETRUSTEDDOMAIN, NULL);
 }
diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
index 5e3efeb..1c5c177 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -122,7 +122,7 @@ static bool test_create_trust_and_set_info(struct dcerpc_pipe *p,
 r.in.policy_handle = handle;
 r.in.info = &trustinfo;
- r.in.auth_info = authinfo;
+ r.in.auth_info_internal = authinfo;
 /* LSA_TRUSTED_QUERY_DOMAIN_NAME is needed for for following
 * QueryTrustedDomainInfo call, although it seems that Windows does not
 * expect this */
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index aee0264..4fbf36c 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
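Review bot: After dropping `r2.in.auth_info = r->in.auth_info;` in the @@ -1139 hunk, `r2.in.auth_info_internal` is never assigned in `dcesrv_lsa_CreateTrustedDomainEx`; the base function only reads that field for the EX2 op, so it is not a bug today, but `r2` is a local struct and nothing in the hunk shows it being zeroed, so an explicit `r2.in.auth_info_internal = NULL;` (or a `ZERO_STRUCT(r2);` at the declaration, if it is not already there) would record the intent and keep a later change to the base function from reading an indeterminate pointer. `r2.in.access_mask` is also not assigned anywhere inside this hunk, unlike the CreateTrustedDomain wrapper at @@ -1168; if it is set above the hunk this is fine. The start of the function lies outside the hunk.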
@@ -2394,16 +2394,19 @@ static bool test_CreateTrustedDomain(struct dcerpc_binding_handle *b,
 return ret;
 }
-static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
- struct torture_context *tctx,
- struct policy_handle *handle,
- uint32_t num_trusts)
+static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t num_trusts,
+ bool ex2_call)
 {
 NTSTATUS status;
 bool ret = true;
- struct lsa_CreateTrustedDomainEx2 r;
+ struct lsa_CreateTrustedDomainEx r;
+ struct lsa_CreateTrustedDomainEx2 r2;
 struct lsa_TrustDomainInfoInfoEx trustinfo;
- struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
+ struct lsa_TrustDomainInfoAuthInfoInternal authinfo_internal;
+ struct lsa_TrustDomainInfoAuthInfo authinfo;
 struct trustDomainPasswords auth_struct;
 DATA_BLOB auth_blob;
 struct dom_sid **domsid;
@@ -2415,7 +2418,11 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 int i;
 struct dcerpc_binding_handle *b = p->binding_handle;
- torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
+ if (ex2_call) {
+ torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
+ } else {
+ torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d domains\n", num_trusts);
+ }
 domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
 trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
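Review bot: The two `torture_comment` calls in the new if/else of the @@ -2415 hunk differ only in the operation name, which duplicates the format string and invites the two copies to drift. A single call keeps it in one place: `torture_comment(tctx, "\nTesting %s for %d domains\n", ex2_call ? "CreateTrustedDomainEx2" : "CreateTrustedDomainEx", num_trusts);`. The same operation-name selection is needed again in the failure message later in `test_CreateTrustedDomainEx_common`, so a small `const char *op_name` local set once near the top would serve both. The function continues past this hunk.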
@@ -2475,24 +2482,55 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
- authinfo.auth_blob.size = auth_blob.length;
- authinfo.auth_blob.data = auth_blob.data;
+ ZERO_STRUCT(authinfo);
- r.in.policy_handle = handle;
- r.in.info = &trustinfo;
- r.in.auth_info = &authinfo;
- r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- r.out.trustdom_handle = &trustdom_handle[i];
+ authinfo_internal.auth_blob.size = auth_blob.length;
+ authinfo_internal.auth_blob.data = auth_blob.data;
- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
- "CreateTrustedDomainEx2 failed");
- if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
- test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
- torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r),
+ if (ex2_call) {
+
+ r2.in.policy_handle = handle;
+ r2.in.info = &trustinfo;
+ r2.in.auth_info_internal = &authinfo_internal;
+ r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r2.out.trustdom_handle = &trustdom_handle[i];
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
 "CreateTrustedDomainEx2 failed");
+
+ status = r2.out.result;
+ } else {
+
+ r.in.policy_handle = handle;
+ r.in.info = &trustinfo;
+ r.in.auth_info = &authinfo;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r.out.trustdom_handle = &trustdom_handle[i];
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
+ "CreateTrustedDomainEx failed");
+
+ status = r.out.result;
 }
- if (!NT_STATUS_IS_OK(r.out.result)) {
- torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(r.out.result));
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+ test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
+ if (ex2_call) {
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, 
&r2),
+ "CreateTrustedDomainEx2 failed");
+ status = r2.out.result;
+ } else {
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
+ "CreateTrustedDomainEx2 failed");
+ status = r.out.result;
+ }
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
 ret = false;
 } else {
@@ -2553,6 +2591,22 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
 return ret;
 }
+static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t num_trusts)
+{
+ return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, true);
+}
+
+static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t num_trusts)
+{
+ return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, false);
+}
+
 static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
 struct torture_context *tctx,
 struct policy_handle *handle)
@@ -3008,6 +3062,10 @@ static bool testcase_TrustedDomains(struct torture_context *tctx,
 ret = false;
 }
+ if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
+ ret = false;
+ }
+
 if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
 ret = false;
 }
-- Samba Shared Repository
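Review bot: In the collision retry of the @@ -2475 hunk, the assertion around `dcerpc_lsa_CreateTrustedDomainEx_r` carries the message `"CreateTrustedDomainEx2 failed"` although it is the Ex call; it should read `"CreateTrustedDomainEx failed"` so a failure is attributed to the right operation, and the final `"CreateTrustedDomainEx failed2 - %s\n"` comment is now printed for both variants, so `torture_comment(tctx, "%s failed2 - %s\n", ex2_call ? "CreateTrustedDomainEx2" : "CreateTrustedDomainEx", nt_errstr(status));` would keep the output unambiguous. Separately, `ZERO_STRUCT(authinfo)` means the Ex variant always sends an empty lsa_TrustDomainInfoAuthInfo, so this test only covers the no-secrets case that the s4 server currently implements; a comment on that line such as `/* the Ex variant is sent without auth data; the server does not create secrets for it yet */` would make the limited coverage explicit for whoever extends it. `test_CreateTrustedDomainEx_common` starts and ends outside this hunk.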