The branch, master has been updated via f0a6935 s3:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation() via ac45921 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation() via b6292d8 s4-torture: add ndr test for lsa_lsaRQueryForestTrustInformation(). via aea5537 drsblobs.idl: improve idl for ForestTrustInfoRecord* via 080db5f lsa.idl: improve idl for lsa_ForestTrust*Record* via 701ed11 lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only' via cdf6373 lsa.idl: fix idl for lsa_ForestTrustRecordType via 1d299f1 security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED} via 2c1f948 netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead via a0700dd netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR. via 4810f47 netlogon.idl: improve idl for netr_ServerTrustPasswordsGet() via 19e4a10 ldb-samba: implement --show-binary for msDS-RevealedUsers via 5abb9ac drsblobs.idl: make replPropertyMetaData1 public via 450dc02 s4:py_net: make domain and address fully optional to py_net_finddc via 79b1041 s4:librpc: add auth_type=ncalrpc_as_system as binding option via 29b173d s4:trust_utils: store new trust/machine passwords before trying it remotely. via 1623992 s3:winbindd: make open_internal_lsa_conn() non static via f126eeb s3:winbindd_cm: improve detection for the anonymous fallback. 
via 7391416 s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw() via e0a4f43 s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw() via 2a2cec6 s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds() via 7d36141 s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key() via 0f3e322 s3:libnet: use cli_credentials based functions in libnet_join_ok() via 484adf4 s3:auth_domain: make use of cli_rpc_pipe_open_schannel() via 91e4cbc s3:auth_domain: fix talloc problem in connect_to_domain_password_server() via 9af336c s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds() via 6d31763 s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel() via c3b7e6e s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel() via 0994e0a s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel() via 8d73127 s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds() via 33fcfb3 auth/credentials: add cli_credentials_set_old_utf16_password() via 016c4ce auth/credentials: add cli_credentials_[g|s]et_old_nt_hash() via 3abccce auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash() via 3098a43 s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID via 4bebab2 selftest: Change testsuite to use a samAccountName with a space in it via 7f5740f kdc: Ensure we cope with a samAccountName with a space in it via 7ed2492 dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName() via d3e0d7e selftest: Change testsuite to use a UPN with a space in it via 979385c selftest: fix the basedn for local accounts in non-DC environments e.g. 
s4member via 3cd8713 dsdb: Allow spaces in userPrincipalName values via da99f8a heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY via b7cc8c1 heimdal:lib/krb5: allow enterprise principals in verify_logonname() via a1b4a5d torture-krb5: Test accepting the ticket to ensure PAC is well-formed via bc8b580 auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac() via e48d136 auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison via 8909961 heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling via 9ebd10b heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling via 76f6633 heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling from 6e2f4c7 selftest: also test python.samba.tests.posixacl against plugin_s4_dc_no_nss
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f0a6935b1e0c140cc100036e5945fe6a7b95a45e Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 11 16:39:05 2015 +0100 s3:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation() If there're no collisions we should not fill the collision_info pointer. Otherwise Windows fails to create a forest trust. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> Autobuild-User(master): Günther Deschner <g...@samba.org> Autobuild-Date(master): Thu Mar 12 19:49:33 CET 2015 on sn-devel-104 commit ac459219813992de33ef2ece06c30e7ee4155713 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jan 28 10:02:54 2015 +0000 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation() If there're no collisions we should not fill the collision_info pointer. Otherwise Windows fails to create a forest trust. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit b6292d8be48f6def099404319e439ca600e9331e Author: Günther Deschner <g...@samba.org> Date: Wed Mar 11 12:09:42 2015 +0100 s4-torture: add ndr test for lsa_lsaRQueryForestTrustInformation(). Thanks to Alexander for providing the binary blobs. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit aea55377f948e54e014f330c8e2b59926128d3db Author: Stefan Metzmacher <me...@samba.org> Date: Wed Feb 4 18:00:44 2015 +0000 drsblobs.idl: improve idl for ForestTrustInfoRecord* 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 080db5f60a5536160bcfa9283673ee1a4c4d524e Author: Stefan Metzmacher <me...@samba.org> Date: Wed Feb 4 18:00:44 2015 +0000 lsa.idl: improve idl for lsa_ForestTrust*Record* The meaning of lsa_ForestTrustRecordFlags is based on lsa_ForestTrustRecordType, but the type is not always available so it's not possible to use a union. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 701ed1117ba531430cbc845412a2dee79ad62054 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 30 08:01:58 2015 +0000 lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only' This is only a cosmetic change to make the idl more verbose, the resulting C code will still use 'uint8_t'. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit cdf6373c3b03b8946fbe142d4930c2f4d21d6145 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 30 08:01:58 2015 +0000 lsa.idl: fix idl for lsa_ForestTrustRecordType Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 1d299f1d7b0544c5e1ea5a8a89c96554fc619fb7 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 2 23:14:38 2015 +0100 security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED} These are not encryption types, but flags for specific kerberos features. See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 2c1f948150f16fb77b59bf02bece34f5c75dd39d Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 2 23:14:38 2015 +0100 netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead These are the same. We keep the old defines around in order to avoid a lot of changes in the callers. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit a0700dd2753bf7ba106feca4002e74dad134a991 Author: Günther Deschner <g...@samba.org> Date: Tue Dec 18 15:27:06 2012 +0100 netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 4810f47c44b86b4d33a067c2a5e7ed56bf7e58ae Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 9 13:18:38 2015 +0100 netlogon.idl: improve idl for netr_ServerTrustPasswordsGet() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 19e4a101dbeee251cfe7e63f3febcb2075065b36 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 6 18:07:15 2015 +0100 ldb-samba: implement --show-binary for msDS-RevealedUsers Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 5abb9acc9bea99b2bc95f622492137e5720615c2 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 5 16:21:18 2015 +0100 drsblobs.idl: make replPropertyMetaData1 public This is used as binary data for the msDS-RevealedUsers attribute. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 450dc02d6dd0e405aaacddef03e37ff5f2829219 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 27 21:46:06 2015 +0000 s4:py_net: make domain and address fully optional to py_net_finddc E.g. address=None is now also possible. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 79b10416519376899d94802b0ecfb815eaaac527 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jan 26 16:02:20 2015 +0100 s4:librpc: add auth_type=ncalrpc_as_system as binding option In future we may want another way to trigger this, but our current rpc libraries need a lot of cleanup before. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 29b173d2a70745922d8345bfc6bd1da08951dfd3 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Jan 31 10:42:09 2015 +0000 s4:trust_utils: store new trust/machine passwords before trying it remotely. If this fails we can still fallback to the old password... Before trying the password change we verify the dc knows our current password. This should make the password changes much more robust. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 1623992105854e84c552305feebac939e97f627e Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 3 16:22:25 2015 +0100 s3:winbindd: make open_internal_lsa_conn() non static Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit f126eeb2a1b1c68b9687f2da1d1ce854226d0c43 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Feb 11 15:05:55 2015 +0100 s3:winbindd_cm: improve detection for the anonymous fallback. If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback, if allowed. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 739141639984837fe5e6b527d0ca8511a4ebaa28 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 5 09:26:23 2015 +0000 s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit e0a4f438d17fde962d2b2886776da2b0e7c4cd05 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 5 10:07:46 2015 +0000 s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 2a2cec6f9c5922e689cd79c13e9370eda8a396bb Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 30 16:53:40 2015 +0000 s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 7d36141ba3a6a12b71ef6a0b04184d38c4833c99 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 11:33:05 2015 +0100 s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 0f3e32247c503a8156099afa05fbcc9c9cdb489a Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 11:29:49 2015 +0100 s3:libnet: use cli_credentials based functions in libnet_join_ok() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 484adf45ede419af85e0e28661f659a548dd5471 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:52:45 2015 +0100 s3:auth_domain: make use of cli_rpc_pipe_open_schannel() This simplifies a lot and allows the previous password to be used. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 91e4cbc46f0f54570f27a829b7c7c71da657030b Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 10:33:01 2015 +0100 s3:auth_domain: fix talloc problem in connect_to_domain_password_server() return values of connect_to_domain_password_server() need to be exported to the caller's memory context. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 9af336cce7b6adc76421dcf3ff4d237700a741c7 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:25:35 2015 +0100 s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds() Passing struct cli_credentials allows the use of the previous password. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 6d31763de14adaf00b4b28c31a19d462adc1aea3 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 10:05:37 2015 +0100 s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel() This is only allowed with special config options ("client schannel = no", "require strong key = no" and "reject md5 servers = no"). By default we require NETLOGON_NEG_AUTHENTICATED_RPC. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit c3b7e6e2185b3e09d70326914e70eac314de9b63 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:34:45 2015 +0100 s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel() This simplifies the code and allows the previous password to be passed through the stack. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 0994e0a3e30b447eb44e7701207de9a3c13e63cc Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:49:16 2015 +0100 s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 8d731274626614a0679ff25f7e939bf34caa9440 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 30 16:54:06 2015 +0000 s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds() This way we'll fall back to using the previous machine/trust account password if required. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 33fcfb37c476fc836836c344165abc1cba79130e Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 30 16:20:27 2015 +0000 auth/credentials: add cli_credentials_set_old_utf16_password() This is required to set the previous trust account password. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 016c4ce84f2a34abb705b85d0abd1e17aa1325db Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:04:42 2015 +0100 auth/credentials: add cli_credentials_[g|s]et_old_nt_hash() For machine and trust accounts it's important to retry netr_Authenticate3() with the previous (old) nt_hash. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 3abccced8cf057ce0768a5acf7e828db3823fae2 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 9 09:06:32 2015 +0100 auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 3098a432665b54b3e578b6e6b04b9fde5de43b72 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jan 21 14:44:44 2015 +0100 s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 4bebab21463825c22cced6e8c59b99c525172911 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 13:43:49 2015 +1300 selftest: Change testsuite to use a samAccountName with a space in it This shows that the previous patch is correct Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 7f5740f34226301e2172c7e2024fd8c6c4ededf5 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 13:29:56 2015 +1300 kdc: Ensure we cope with a samAccountName with a space in it Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 7ed24924d2917556a03c51eadcb65b3e3c1e8af6 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 13:29:56 2015 +1300 dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName() Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit d3e0d7e2b0ee9fb72a8c602c86aee1d2f2755236 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 12:56:56 2015 +1300 selftest: Change testsuite to use a UPN with a space in it This shows that the previous patch is correct 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 979385cd0fd20957d552e64edc07ea2fa0edc0fc Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 12 10:43:57 2015 +0100 selftest: fix the basedn for local accounts in non-DC environments e.g. s4member open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb"); doesn't generate an error if the command fails... 'testallowed' is a local account here, with a dn of CN=testallowed,CN=Users,DC=S4MEMBER instead of domain user CN=testallowed,CN=Users,DC=samba,DC=example,DC=com Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 3cd871321667045635d8236d91386070e84770a4 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 12:50:23 2015 +1300 dsdb: Allow spaces in userPrincipalName values This is needed to enable a kinit with a UPN that has a space in it Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit da99f8a5b9e492406b5d64bb53f090de3fd93957 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 10 15:33:14 2015 +0100 heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY An ENTERPRISE principal should result in 'administra...@s4xdom.base' instead of 'administrator\@S4XDOM.BASE'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit b7cc8c1187ff967e44587cd0d09185330378f366 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 10 15:36:01 2015 +0100 heimdal:lib/krb5: allow enterprise principals in verify_logonname() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit a1b4a5d977862bda48819d3f0b33eccbd10ca4fd Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 11 15:58:36 2015 +1300 torture-krb5: Test accepting the ticket to ensure PAC is well-formed A future test will ask for impersonation to a different user, and validate that the returned principal and the PAC match that user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit bc8b580659d429690f6b54f17368526fc8c845e3 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Mar 12 11:27:57 2015 +1300 auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac() This ensures that in the all-Samba PAC creation code, we do not escape a space character if present in the logon name. This matches what we do in the Heimdal code in the KDC. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit e48d136e3a5c89c9bab8ea898775fad1449d2f96 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 11 15:57:06 2015 +1300 auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison This ensures that if an enterprise principal is used, we do the comparison properly. This matters because the enterprise case, which can be triggered by MIT kinit -E, does not use canonicalization, and so the enterprise name, with the @ in it, is in the logon name. Otherwise, we get errors like: Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 89099611fd3a30286fe50dfa57e16452ea6c8940 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 10 12:38:55 2015 +0100 heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt and the final rfc6806.txt. The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 9ebd10b3432c271625db9fbc1987759c02b23f83 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 10 12:38:55 2015 +0100 heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt and the final rfc6806.txt. The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> commit 76f66332a1be0a26760e82c39edb2cfdd892b367 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 10 12:38:55 2015 +0100 heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt and the final rfc6806.txt. The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials.c | 42 +++ auth/credentials/credentials.h | 6 + auth/credentials/credentials_internal.h | 1 + auth/credentials/credentials_ntlm.c | 67 +++++ auth/kerberos/kerberos_pac.c | 23 +- lib/ldb-samba/ldif_handlers.c | 71 +++++ lib/ldb-samba/ldif_handlers.h | 1 + librpc/idl/drsblobs.idl | 12 +- librpc/idl/lsa.idl | 64 ++--- librpc/idl/netlogon.idl | 24 +- librpc/idl/security.idl | 9 +- selftest/target/Samba4.pm | 24 +- source3/auth/auth_domain.c | 108 ++------ source3/libnet/libnet_join.c | 65 ++--- source3/libsmb/trusts_util.c | 39 ++- source3/passdb/pdb_samba_dsdb.c | 383 ++++++++++++++++++++++++-- source3/rpc_client/cli_netlogon.c | 3 + source3/rpc_client/cli_pipe.c | 96 ------- source3/rpc_client/cli_pipe.h | 8 - source3/rpc_client/cli_pipe_schannel.c | 85 +++--- source3/rpc_server/lsa/srv_lsa_nt.c | 6 +- source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +- source3/rpcclient/rpcclient.c | 58 ++-- source3/utils/net_rpc.c | 2 +- source3/winbindd/winbindd_cm.c | 3 + source3/winbindd/winbindd_proto.h | 3 + source3/winbindd/winbindd_samr.c | 6 +- source4/auth/kerberos/kerberos_pac.c | 4 +- source4/dsdb/pydsdb.c | 1 + source4/dsdb/samdb/cracknames.c | 24 +- source4/heimdal/kdc/kerberos5.c | 52 ---- source4/heimdal/lib/asn1/krb5.asn1 | 11 - source4/heimdal/lib/krb5/pac.c | 8 +- source4/heimdal/lib/krb5/ticket.c | 81 ------ source4/kdc/db-glue.c | 5 +- source4/libnet/py_net.c | 2 +- source4/librpc/rpc/dcerpc_util.c | 16 ++ source4/rpc_server/lsa/dcesrv_lsa.c | 6 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- source4/selftest/tests.py | 4 +- source4/torture/krb5/kdc-canon.c | 135 ++++++++- source4/torture/ndr/lsa.c | 46 ++++ source4/torture/rpc/lsa.c | 2 +- source4/torture/rpc/netlogon.c | 5 +- 44 files 
changed, 1022 insertions(+), 597 deletions(-) Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index a9e4fc8..42aa2a3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -70,6 +70,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 cred->bind_dn = NULL;
 cred->nt_hash = NULL;
+ cred->old_nt_hash = NULL;
 cred->lm_response.data = NULL;
 cred->lm_response.length = 0;
@@ -481,6 +482,7 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
 /* Don't print the actual password in talloc memory dumps */
 talloc_set_name_const(cred->old_password, "password set via cli_credentials_set_old_password");
 }
+ cred->old_nt_hash = NULL;
 return true;
 }
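Review bot: `cred->old_nt_hash = NULL;` in cli_credentials_set_old_password drops the pointer without releasing it, and the two setters later in this changeset (cli_credentials_set_old_nt_hash and cli_credentials_set_old_utf16_password) allocate that struct as a talloc child of `cred`, so every reset leaks the previous copy until cred itself is freed and the stale hash stays in memory for that long. Both setters assign the new pointer only after this call returns, so `TALLOC_FREE(cred->old_nt_hash);` is a drop-in replacement here and covers the reset path of both of them. cli_credentials_set_old_password starts outside the hunk.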
@@ -525,6 +527,46 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credential
 }
 /**
+ * Obtain the old password, in the form MD4(unicode(password)) for this credentials context.
+ *
+ * Sometimes we only have this much of the password, while the rest of
+ * the time this call avoids calling E_md4hash themselves.
+ *
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+_PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx)
+{
+ const char *old_password = NULL;
+
+ if (cred->old_nt_hash != NULL) {
+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
+ if (!nt_hash) {
+ return NULL;
+ }
+
+ *nt_hash = *cred->old_nt_hash;
+
+ return nt_hash;
+ }
+
+ old_password = cli_credentials_get_old_password(cred);
+ if (old_password) {
+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
+ if (!nt_hash) {
+ return NULL;
+ }
+
+ E_md4hash(old_password, nt_hash->hash);
+
+ return nt_hash;
+ }
+
+ return NULL;
+}
+
+/**
 * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
 * @param cred credentials context
 * @retval The domain set on this context.
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 814f016..fdedd63 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -146,6 +146,8 @@ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
 struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
+struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx);
 bool cli_credentials_set_realm(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained);
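Review bot: The doc comment on cli_credentials_get_old_nt_hash is copied from the cleartext getter and misdescribes the contract: `@retval If set, the cleartext password, otherwise NULL` should read `@retval A talloc'd copy of the old NT hash on mem_ctx, or NULL if neither an old hash nor an old password is set (or on allocation failure)`, and the `@param` list lacks `mem_ctx`, the context the copy is allocated on and which the caller owns. The sentence about callers avoiding E_md4hash themselves is likewise inherited from the nt_hash getter and could say that the hash is derived from the old cleartext password only when no old hash was set directly.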
@@ -194,9 +196,13 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
 const DATA_BLOB *password_utf16,
 enum credentials_obtained obtained);
+bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+ const DATA_BLOB *password_utf16);
 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 const struct samr_Password *nt_hash,
 enum credentials_obtained obtained);
+bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash);
 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 const DATA_BLOB *lm_response,
 const DATA_BLOB *nt_response,
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index d05d153..aa01ccc 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -60,6 +60,7 @@ struct cli_credentials {
 /* Allows authentication from a keytab or similar */
 struct samr_Password *nt_hash;
+ struct samr_Password *old_nt_hash;
 /* Allows NTLM pass-though authentication */
 DATA_BLOB lm_response;
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 5e9aeed..4e12277 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -268,6 +268,53 @@ _PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
 return false;
 }
+/*
+ * Set a old utf16 password on the credentials context.
+ *
+ * This is required because the nt_hash is calculated over the raw utf16 blob,
+ * which might not be completely valid utf16, which means the conversion
+ * from CH_UTF16MUNGED to CH_UTF8 might loose information.
+ */
+_PUBLIC_ bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+ const DATA_BLOB *password_utf16)
+{
+ struct samr_Password *nt_hash = NULL;
+ char *password_talloc = NULL;
+ size_t password_len = 0;
+ bool ok;
+
+ if (password_utf16 == NULL) {
+ return cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);
+ }
+
+ nt_hash = talloc(cred, struct samr_Password);
+ if (nt_hash == NULL) {
+ return false;
+ }
+
+ ok = convert_string_talloc(cred,
+ CH_UTF16MUNGED, CH_UTF8,
+ password_utf16->data,
+ password_utf16->length,
+ (void *)&password_talloc,
+ &password_len);
+ if (!ok) {
+ TALLOC_FREE(nt_hash);
+ return false;
+ }
+
+ ok = cli_credentials_set_old_password(cred, password_talloc, CRED_SPECIFIED);
+ TALLOC_FREE(password_talloc);
+ if (!ok) {
+ TALLOC_FREE(nt_hash);
+ return false;
+ }
+
+ mdfour(nt_hash->hash, password_utf16->data, password_utf16->length);
+ cred->old_nt_hash = nt_hash;
+ return true;
+}
+
 _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 const struct samr_Password *nt_hash,
 enum credentials_obtained obtained)
@@ -276,6 +323,9 @@ _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 cli_credentials_set_password(cred, NULL, obtained);
 if (nt_hash) {
 cred->nt_hash = talloc(cred, struct samr_Password);
+ if (cred->nt_hash == NULL) {
+ return false;
+ }
 *cred->nt_hash = *nt_hash;
 } else {
 cred->nt_hash = NULL;
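Review bot: `TALLOC_FREE(password_talloc);` in cli_credentials_set_old_utf16_password releases the temporary cleartext copy without scrubbing it, so the old trust password lingers in freed heap memory even though the function only keeps the hash it computes from the raw blob with mdfour. Overwriting the buffer first, e.g. `memset(password_talloc, 0, password_len);` immediately before the TALLOC_FREE (or the tree's secure-zeroing helper if it has one, since a plain memset ahead of a free can be optimised away), limits that exposure. The header comment also has two typos: `Set a old utf16 password` should be `Set an old utf16 password`, and `might loose information` should be `might lose information`.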
@@ -286,6 +336,23 @@ _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 return false;
 }
+_PUBLIC_ bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash)
+{
+ cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED);
+ if (nt_hash) {
+ cred->old_nt_hash = talloc(cred, struct samr_Password);
+ if (cred->old_nt_hash == NULL) {
+ return false;
+ }
+ *cred->old_nt_hash = *nt_hash;
+ } else {
+ cred->old_nt_hash = NULL;
+ }
+
+ return true;
+}
+
 _PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 const DATA_BLOB *lm_response,
 const DATA_BLOB *nt_response,
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 8f55c8f..32d9d7f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 DATA_BLOB modified_pac_blob;
 NTTIME tgs_authtime_nttime;
- krb5_principal client_principal_pac = NULL;
 int i;
 struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
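Review bot: cli_credentials_set_old_nt_hash has no header comment, while the neighbouring setters in this file carry one; a short block above it stating that it first resets the old cleartext password via cli_credentials_set_old_password(cred, NULL, CRED_SPECIFIED), then stores a copy of nt_hash owned by cred (or clears the field when nt_hash is NULL), and returns false only when that copy cannot be allocated, would tell callers what state cred is in afterwards. The false path is worth spelling out, because by then the old cleartext password has already been reset, so a caller cannot treat failure as a no-op.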
@@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, } if (client_principal) { - ret = smb_krb5_parse_name_norealm(context, - logon_name->account_name, - &client_principal_pac); + char *client_principal_string; + ret = krb5_unparse_name_flags(context, client_principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &client_principal_string); if (ret) { - DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n", + DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n", logon_name->account_name, error_message(ret))); talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; } - bool_ret = smb_krb5_principal_compare_any_realm(context, - client_principal, - client_principal_pac); - - krb5_free_principal(context, client_principal_pac); + bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0; if (!bool_ret) { DEBUG(2, ("Name in PAC [%s] does not match principal name " - "in ticket\n", logon_name->account_name)); + "in ticket [%s]\n", + logon_name->account_name, + client_principal_string)); + SAFE_FREE(client_principal_string); talloc_free(tmp_ctx); return NT_STATUS_ACCESS_DENIED; } + SAFE_FREE(client_principal_string); + } DEBUG(3,("Found account name from PAC: %s [%s]\n", diff --git a/lib/ldb-samba/ldif_handlers.c b/lib/ldb-samba/ldif_handlers.c index ea62bf9..3b84084 100644 --- a/lib/ldb-samba/ldif_handlers.c +++ b/lib/ldb-samba/ldif_handlers.c 
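Review bot: `client_principal_string` is allocated by krb5_unparse_name_flags(), so it should be released with `krb5_free_unparsed_name(context, client_principal_string);` rather than SAFE_FREE(), which assumes the Kerberos library used the same allocator as Samba; both SAFE_FREE() call sites in this hunk have that issue. The match is now a plain strcmp() of the unparsed ticket principal against `logon_name->account_name` from the PAC, and with KRB5_PRINCIPAL_UNPARSE_DISPLAY no quoting is applied, so separator characters in a name are compared literally; that appears intended for names containing spaces, but a comment on the `bool_ret = strcmp(...)` line saying why the unquoted display form is the right thing to compare with the PAC's account_name would help the next reader. kerberos_decode_pac() starts and ends outside the hunk.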
@@ -906,6 +906,69 @@ static int ldif_write_replUpToDateVector(struct ldb_context *ldb, void *mem_ctx, true); } +static int ldif_write_dn_binary_NDR(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out, + size_t struct_size, + ndr_pull_flags_fn_t pull_fn, + ndr_print_fn_t print_fn, + bool mask_errors) +{ + uint8_t *p = NULL; + enum ndr_err_code err; + struct dsdb_dn *dsdb_dn = NULL; + char *dn_str = NULL; + char *str = NULL; + + if (!(ldb_get_flags(ldb) & LDB_FLG_SHOW_BINARY)) { + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + dsdb_dn = dsdb_dn_parse(mem_ctx, ldb, in, DSDB_SYNTAX_BINARY_DN); + if (dsdb_dn == NULL) { + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + p = talloc_size(dsdb_dn, struct_size); + if (p == NULL) { + TALLOC_FREE(dsdb_dn); + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + err = ndr_pull_struct_blob(&dsdb_dn->extra_part, p, p, pull_fn); + if (err != NDR_ERR_SUCCESS) { + /* fail in not in mask_error mode */ + if (!mask_errors) { + return -1; + } + TALLOC_FREE(dsdb_dn); + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + dn_str = ldb_dn_get_extended_linearized(dsdb_dn, dsdb_dn->dn, 1); + if (dn_str == NULL) { + TALLOC_FREE(dsdb_dn); + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + str = ndr_print_struct_string(mem_ctx, print_fn, dn_str, p); + TALLOC_FREE(dsdb_dn); + if (str == NULL) { + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + *out = data_blob_string_const(str); + return 0; +} + +static int ldif_write_msDS_RevealedUsers(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + return ldif_write_dn_binary_NDR(ldb, mem_ctx, in, out, + sizeof(struct replPropertyMetaData1), + (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaData1, + (ndr_print_fn_t)ndr_print_replPropertyMetaData1, + true); +} /* convert a NDR formatted blob to a ldif formatted dnsRecord 
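Review bot: In ldif_write_dn_binary_NDR() the `!mask_errors` branch returns -1 without freeing `dsdb_dn`, while every other early-exit path does `TALLOC_FREE(dsdb_dn)`; moving `TALLOC_FREE(dsdb_dn);` above `if (!mask_errors) {` makes the cleanup uniform (`p` hangs off dsdb_dn, so it goes with it). The only caller added here, ldif_write_msDS_RevealedUsers(), passes `mask_errors = true`, so a value that fails to decode silently falls back to the raw copy; that is reasonable for a display handler but worth stating in a comment on the helper. The comment `/* fail in not in mask_error mode */` should read `/* fail hard unless running in mask_errors mode */`.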
@@ -1337,6 +1400,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = { .comparison_fn = ldb_comparison_binary, .operator_fn = samba_syntax_operator_fn },{ + .name = LDB_SYNTAX_SAMBA_REVEALEDUSERS, + .ldif_read_fn = ldb_handler_copy, + .ldif_write_fn = ldif_write_msDS_RevealedUsers, + .canonicalise_fn = dsdb_dn_binary_canonicalise, + .comparison_fn = dsdb_dn_binary_comparison, + .operator_fn = samba_syntax_operator_fn + },{ .name = LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB, .ldif_read_fn = ldb_handler_copy, .ldif_write_fn = ldif_write_trustAuthInOutBlob, @@ -1477,6 +1547,7 @@ static const struct { { "repsTo", LDB_SYNTAX_SAMBA_REPSFROMTO }, { "replPropertyMetaData", LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA }, { "replUpToDateVector", LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR }, + { "msDS-RevealedUsers", LDB_SYNTAX_SAMBA_REVEALEDUSERS }, { "trustAuthIncoming", LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB }, { "trustAuthOutgoing", LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB }, { "msDS-TrustForestTrustInfo", LDB_SYNTAX_SAMBA_FORESTTRUSTINFO }, diff --git a/lib/ldb-samba/ldif_handlers.h b/lib/ldb-samba/ldif_handlers.h index 4e12293..5ba6f12 100644 --- a/lib/ldb-samba/ldif_handlers.h +++ b/lib/ldb-samba/ldif_handlers.h @@ -11,6 +11,7 @@ #define LDB_SYNTAX_SAMBA_REPSFROMTO "LDB_SYNTAX_SAMBA_REPSFROMTO" #define LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA "LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA" #define LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR "LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR" +#define LDB_SYNTAX_SAMBA_REVEALEDUSERS "LDB_SYNTAX_SAMBA_REVEALEDUSERS" #define LDB_SYNTAX_SAMBA_RANGE64 "LDB_SYNTAX_SAMBA_RANGE64" #define LDB_SYNTAX_SAMBA_DNSRECORD "LDB_SYNTAX_SAMBA_DNSRECORD" #define LDB_SYNTAX_SAMBA_DNSPROPERTY "LDB_SYNTAX_SAMBA_DNSPROPERTY" diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl index 1960716..499febb 100644 --- a/librpc/idl/drsblobs.idl +++ b/librpc/idl/drsblobs.idl 
@@ -18,7 +18,7 @@ interface drsblobs { * w2k uses version 1 * w2k3 uses version 1 */ - typedef struct { + typedef [public] struct { drsuapi_DsAttributeId attid; uint32 version; NTTIME_1sec originating_change_time; @@ -632,17 +632,17 @@ interface drsblobs { [default] ForestTrustDataBinaryData data; } ForestTrustData; - /* same as lsa_ForestTrustRecordType */ + /* same as lsa_ForestTrustRecordType, but only 8 bit */ typedef [enum8bit] enum { - FOREST_TRUST_TOP_LEVEL_NAME = 0, - FOREST_TRUST_TOP_LEVEL_NAME_EX = 1, - FOREST_TRUST_DOMAIN_INFO = 2 + FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME, + FOREST_TRUST_TOP_LEVEL_NAME_EX = LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX, + FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO } ForestTrustInfoRecordType; /* meaning of flags depends on record type and values are the same as in lsa.idl, see collision record types */ typedef [public,gensize,flag(NDR_NOALIGN)] struct { - uint32 flags; + lsa_ForestTrustRecordFlags flags; NTTIME timestamp; ForestTrustInfoRecordType type; [switch_is(type)] ForestTrustData data; diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl index 251b4e2..09ddf71 100644 --- a/librpc/idl/lsa.idl +++ b/librpc/idl/lsa.idl 
@@ -1255,6 +1255,26 @@ import "misc.idl", "security.idl"; [todo] NTSTATUS lsa_LSARUNREGISTERAUDITEVENT(); /* Function 0x49 */ + typedef [bitmap32bit,public] bitmap { + /* these apply to LSA_FOREST_TRUST_TOP_LEVEL_NAME */ + LSA_TLN_DISABLED_NEW = 0x00000001, + LSA_TLN_DISABLED_ADMIN = 0x00000002, + LSA_TLN_DISABLED_CONFLICT = 0x00000004, + + /* these apply to LSA_FOREST_TRUST_DOMAIN_INFO */ + LSA_SID_DISABLED_ADMIN = 0x00000001, + LSA_SID_DISABLED_CONFLICT = 0x00000002, + LSA_NB_DISABLED_ADMIN = 0x00000004, + LSA_NB_DISABLED_CONFLICT = 0x00000008 + } lsa_ForestTrustRecordFlags; + + typedef enum { + LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0, + LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1, + LSA_FOREST_TRUST_DOMAIN_INFO = 2, + LSA_FOREST_TRUST_RECORD_TYPE_LAST = 3 + } lsa_ForestTrustRecordType; + typedef struct { [range(0,131072)] uint3264 length; [size_is(length)] uint8 *data; @@ -1266,24 +1286,17 @@ import "misc.idl", "security.idl"; lsa_StringLarge netbios_domain_name; } lsa_ForestTrustDomainInfo; - typedef [switch_type(uint32)] union { + typedef [switch_type(lsa_ForestTrustRecordType)] union { [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name; [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex; [case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info; [default] lsa_ForestTrustBinaryData data; } lsa_ForestTrustData; - typedef [v1_enum] enum { - LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0, - LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1, - LSA_FOREST_TRUST_DOMAIN_INFO = 2, - LSA_FOREST_TRUST_RECORD_TYPE_LAST = 3 - } lsa_ForestTrustRecordType; - typedef struct { - uint32 flags; + lsa_ForestTrustRecordFlags flags; lsa_ForestTrustRecordType type; - hyper time; + NTTIME_hyper time; [switch_is(type)] lsa_ForestTrustData forest_trust_data; } lsa_ForestTrustRecord; 
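Review bot: The new `lsa_ForestTrustRecordFlags` bitmap merges two flag sets that share bit values — `LSA_TLN_DISABLED_NEW` and `LSA_SID_DISABLED_ADMIN` are both 0x00000001, `LSA_TLN_DISABLED_ADMIN` and `LSA_SID_DISABLED_CONFLICT` both 0x00000002 — so the generated ndr_print output will list both names for each set bit, and the type no longer expresses which bits are legal for a given record type the way the per-type unions it replaces did (this hunk, and the lsa_ForestTrustCollisionRecord change in the last hunk of this diff). The inline comments say which set applies, but any server-side validation of flags received in lsaRSetForestTrustInformation() has to be done by hand against `type` rather than by the type system. A comment on the typedef such as `/* bit values overlap: which names apply is decided by the record type, not by this bitmap */` would keep that from being lost.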
@@ -1292,10 +1305,10 @@ import "misc.idl", "security.idl"; [size_is(count)] lsa_ForestTrustRecord **entries; } lsa_ForestTrustInformation; - NTSTATUS lsa_lsaRQueryForestTrustInformation( + [public] NTSTATUS lsa_lsaRQueryForestTrustInformation( [in] policy_handle *handle, [in,ref] lsa_String *trusted_domain_name, - [in] uint16 unknown, /* level ? */ + [in] lsa_ForestTrustRecordType highest_record_type, [out,ref] lsa_ForestTrustInformation **forest_trust_info ); @@ -1308,31 +1321,10 @@ import "misc.idl", "security.idl"; LSA_FOREST_TRUST_COLLISION_OTHER = 2 } lsa_ForestTrustCollisionRecordType; - /* if type is CollisionTdo, flags can be */ - typedef [bitmap32bit] bitmap { - LSA_TLN_DISABLED_NEW = 0x00000001, - LSA_TLN_DISABLED_ADMIN = 0x00000002, - LSA_TLN_DISABLED_CONFLICT = 0x00000004 - } lsa_ForestTrustCollisionTDOFlags; - - /* if type is CollisionXref, flags can be */ - typedef [bitmap32bit] bitmap { - LSA_SID_DISABLED_ADMIN = 0x00000001, - LSA_SID_DISABLED_CONFLICT = 0x00000002, - LSA_NB_DISABLED_ADMIN = 0x00000004, - LSA_NB_DISABLED_CONFLICT = 0x00000008 - } lsa_ForestTrustCollisionXrefFlags; - - typedef [nodiscriminant] union { - [case(LSA_FOREST_TRUST_COLLISION_TDO)] lsa_ForestTrustCollisionTDOFlags flags; - [case(LSA_FOREST_TRUST_COLLISION_XREF)] lsa_ForestTrustCollisionXrefFlags flags; - [default] uint32 flags; - } lsa_ForestTrustCollisionFlags; - typedef [public] struct { uint32 index; lsa_ForestTrustCollisionRecordType type; - [switch_is(type)] lsa_ForestTrustCollisionFlags flags; + lsa_ForestTrustRecordFlags flags; lsa_String name; } lsa_ForestTrustCollisionRecord; -- Samba Shared Repository
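Review bot: `highest_record_type` replaces the opaque `uint16 unknown`, but as far as I can tell the generated NDR pull of a 16-bit enum does not range-check the value, so the lsaRQueryForestTrustInformation() server implementations (not in this diff) still have to reject values above `LSA_FOREST_TRUST_RECORD_TYPE_LAST` themselves rather than relying on the type. A short comment on the parameter, `/* highest record type the caller understands; server validates against LSA_FOREST_TRUST_RECORD_TYPE_LAST */`, would record that contract next to the declaration.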