The branch, v4-20-test has been updated
       via  846b8c0d8c7 s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025
       via  981e6b51e6a libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2
       via  1e2291530ef python:tests/dcerpc/lsa: add tests for invalid LookupSids2 combinations
       via  a1c2206e6bf s4:pyrpc: allow connections with raise_result_exceptions=False
       via  3e1b15aa6f1 pidl:Python: prepare code to avoid NTSTATUS/WERROR exceptions
       via  e7d70c5a337 pidl:Python: handle NTSTATUS/WERROR exceptions first
       via  37dee8f89c7 pidl:Python: separate logic to calculate the signature string
       via  ba7115254ef pidl:Python: check PyTuple_New() return value
       via  d1998e201af pidl:Python: initialize pointers and add 'result' at the end
       via  b4224ede9ea pidl:Python: introduce $is_raisable_return helper variable
       via  b301d10f6da pidl:Python: generate nicer code for PyNdrRpcMethodDef arrays
       via  3dda8cc57f7 s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED
       via  d5a2358e3eb s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED
       via  a0978446adb auth: Cleanup exit code paths in kerberos_decode_pac().
       via  79ca540b0a6 auth: Add missing talloc_free() in error code path.
      from  f2514c60719 VERSION: Bump version up to Samba 4.20.8...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 846b8c0d8c7284bd17d175896327f74f644ac636
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Mar 10 15:05:15 2023 +0100

    s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025
    
    The important part is the INVALID_SID should not
    cause an early exit of the loop.
    
    We need to return the intact names array with the
    correct count. And only return INVALID_SID
    if we would otherwise return NONE_MAPPED.
    
    For SOME_NOT_MAPPED we need to ignore invalid sids
    and just pretend they are not mapped.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 218a0f067c894cbf61cde6183a269c0474d64ddc)
    
    Autobuild-User(v4-20-test): Jule Anger <[email protected]>
    Autobuild-Date(v4-20-test): Mon Feb  3 15:53:33 UTC 2025 on atb-devel-224

commit 981e6b51e6a4ceb8166fe9cadc48d2b374c6c1b1
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Aug 12 17:08:14 2020 +0200

    libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2
    
    Windows 2008R2 (172.31.9.133) returns the following:
    
     #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
     S-1-22-1 *unknown*\*unknown* (8)
     S-1-22-1-0 *unknown*\*unknown* (8)
     result was NT_STATUS_INVALID_SID
     S-1-3-0 \CREATOR OWNER (5)
     S-1-3-99 *unknown*\*unknown* (8)
     result was NT_STATUS_INVALID_SID
    
    While the current Samba (172.31.9.163) returns the following:
    
     #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
     result was NT_STATUS_INVALID_SID
     result was NT_STATUS_INVALID_SID
     S-1-3-0 \CREATOR OWNER (5)
     S-1-3-99 *unknown*\*unknown* (8)
     S-1-3 *unknown*\*unknown* (8)
    
    With this change also return the same as Windows 2008R2:
    
     #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
     S-1-22-1 *unknown*\*unknown* (8)
     S-1-22-1-0 *unknown*\*unknown* (8)
     result was NT_STATUS_INVALID_SID
     S-1-3-0 \CREATOR OWNER (5)
     S-1-3-99 *unknown*\*unknown* (8)
     result was NT_STATUS_INVALID_SID
    
    This is a minimal fix in order to avoid crashes in the Windows Explorer.
    The real fix needs more work and additional tests, as the behavior seems
    to be different in newer Windows releases.
    
    The following patch will let us behave like Windows 2022/2025...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 9f369c62317d74615834f99a088caababef685fc)

commit 1e2291530ef59ab7dcd3ff7379f442536ac0272a
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 09:51:14 2025 +0100

    python:tests/dcerpc/lsa: add tests for invalid LookupSids2 combinations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit abba3495d23524142a4cf55d208dce041adee96b)

commit a1c2206e6bff03067147e1e6c4c370d742e58e36
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 14:57:53 2025 +0100

    s4:pyrpc: allow connections with raise_result_exceptions=False
    
    This is needed in order to do useful tests with
    specific error codes and still checking all other
    out parameters.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 6b1ff9a38fcddbe72b00e28960414526a42bde14)

commit 3e1b15aa6f18d1ba02ba0297005df85efd5d76d9
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 14:56:54 2025 +0100

    pidl:Python: prepare code to avoid NTSTATUS/WERROR exceptions
    
    They are returned as additional result.
    
    It means callers can look at all out params,
    even if the status is an error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 7ecaf1a779370ef3ecf189e51a5e668329fa24c7)

commit e7d70c5a337ec139dc436de5b4907c57a28bb699
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 14:56:54 2025 +0100

    pidl:Python: handle NTSTATUS/WERROR exceptions first
    
    If we raise an exception we should not leak temporary
    python objects.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 67c35d6b4ef6b7dbe9db3c52547b25580cd4756c)

commit 37dee8f89c73dd7edfbcf68dc40c584be0d7de10
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 10:27:16 2025 +0100

    pidl:Python: separate logic to calculate the signature string
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 13d9231800ea969675f3207cd2c863e433104b4d)

commit ba7115254ef724480e5b3b9ae7c117931c4ee03f
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 10:20:08 2025 +0100

    pidl:Python: check PyTuple_New() return value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit f7282c0dffbf30d72051a81d46d831344a9bbcf9)

commit d1998e201af03f58d8e48278d2936311865b617d
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 10:19:09 2025 +0100

    pidl:Python: initialize pointers and add 'result' at the end
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 9dfb0ed8d29bd4a9146cf38bd63c4bb55b5faf73)

commit b4224ede9ea1229b975283659bc2ca24f02d89f9
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 10:07:18 2025 +0100

    pidl:Python: introduce $is_raisable_return helper variable
    
    No change in the generated code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit 8cdf7af43a365b0545562033f6c51150f2fbb3a4)

commit b301d10f6da4129a1d0da39bf05487d2c06b0194
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 12:02:08 2025 +0100

    pidl:Python: generate nicer code for PyNdrRpcMethodDef arrays
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    (cherry picked from commit fa6d0fd1b00e4836215b4d80f1a9f527db82e01a)

commit 3dda8cc57f7b75c811b24257829f3e54a242c1c6
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 15 12:41:21 2025 +0100

    s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    (cherry picked from commit 10f38aff7c23dc20bc98cf0e02a430f8b0d7b1ad)

commit d5a2358e3eb05af9c206ce61edeaf344ca02c511
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 15 11:57:12 2025 +0100

    s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED
    
    Windows returns NETLOGON_NTLMV2_ENABLED in all
    netr_LogonSamLogon* response messages.
    Even if NTLMv1 was actually used and also
    for password authentication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    (cherry picked from commit 1414004ee953975c50e0ee374684ff8e01246946)

commit a0978446adbc3ea3b96b87180938312e8ab63dfe
Author: Jeremy Allison <[email protected]>
Date:   Thu Jan 16 16:12:31 2025 -0800

    auth: Cleanup exit code paths in kerberos_decode_pac().
    
    One more memory leak missed and now fixed. tmp_ctx
    must be freed once the pac data is talloc_move'd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Christian Ambach <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    
    Autobuild-User(master): Günther Deschner <[email protected]>
    Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
    
    (cherry picked from commit f9eb0b248da0689c82656f3e482161c45749afb6)

commit 79ca540b0a6cf70b0b04f76d5a2865406e89ad63
Author: Jeremy Allison <[email protected]>
Date:   Wed Jan 15 10:21:19 2025 -0800

    auth: Add missing talloc_free() in error code path.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    
    Autobuild-User(master): Günther Deschner <[email protected]>
    Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224
    
    (cherry picked from commit c514ce8dcadcbbf0d86f3038d2be0f9253a76b75)

-----------------------------------------------------------------------

Summary of changes:
 auth/kerberos/kerberos_pac.c         |  87 +++++++-------
 libcli/security/util_sid.c           |   5 +-
 pidl/lib/Parse/Pidl/Samba4/Python.pm | 157 ++++++++++++++++++++----
 python/samba/tests/dcerpc/lsa.py     | 226 ++++++++++++++++++++++++++++++++++-
 source3/auth/check_samsec.c          |   2 +
 source4/auth/ntlm/auth_sam.c         |   1 +
 source4/librpc/rpc/pyrpc.h           |   1 +
 source4/librpc/rpc/pyrpc_util.c      |  27 ++++-
 source4/librpc/rpc/pyrpc_util.h      |   2 +-
 source4/rpc_server/lsa/lsa_lookup.c  |  15 +++
 10 files changed, 446 insertions(+), 77 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index b6272ac15eb..4c61cfe838f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -137,7 +137,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                             time_t tgs_authtime,
                             struct PAC_DATA **pac_data_out)
 {
-       NTSTATUS status;
+       NTSTATUS status = NT_STATUS_NO_MEMORY;
        enum ndr_err_code ndr_err;
        krb5_error_code ret;
        DATA_BLOB modified_pac_blob;
@@ -173,8 +173,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
        kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
        srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
        if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
-               talloc_free(tmp_ctx);
-               return NT_STATUS_NO_MEMORY;
+               status = NT_STATUS_NO_MEMORY;
+               goto out;
        }
 
        ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
@@ -183,15 +183,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't parse the PAC: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        if (pac_data->num_buffers < 4) {
                /* we need logon_info, service_key and kdc_key */
                DEBUG(0,("less than 4 PAC buffers\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        ndr_err = ndr_pull_struct_blob(
@@ -201,15 +200,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't parse the PAC: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        if (pac_data_raw->num_buffers < 4) {
                /* we need logon_info, service_key and kdc_key */
                DEBUG(0,("less than 4 PAC buffers\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (pac_data->num_buffers != pac_data_raw->num_buffers) {
@@ -217,8 +215,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
                          "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
                          pac_data_raw->num_buffers));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        for (i=0; i < pac_data->num_buffers; i++) {
@@ -229,8 +227,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                        DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
                                  "%d while PAC_DATA_RAW has %d\n", i,
                                  data_buf->type, raw_buf->type));
-                       talloc_free(tmp_ctx);
-                       return NT_STATUS_INVALID_PARAMETER;
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       goto out;
                }
                switch (data_buf->type) {
                case PAC_TYPE_LOGON_INFO:
@@ -263,26 +261,26 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 
        if (!logon_info) {
                DEBUG(0,("PAC no logon_info\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (!logon_name) {
                DEBUG(0,("PAC no logon_name\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (!srv_sig_ptr || !srv_sig_blob) {
                DEBUG(0,("PAC no srv_key\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (!kdc_sig_ptr || !kdc_sig_blob) {
                DEBUG(0,("PAC no kdc_key\n"));
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        /* Find and zero out the signatures,
@@ -297,8 +295,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't parse the KDC signature: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        ndr_err = ndr_pull_struct_blob(
@@ -308,8 +305,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't parse the SRV signature: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        /* Now zero the decoded structure */
@@ -326,8 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't repack the KDC signature: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
        ndr_err = ndr_push_struct_blob(
                        srv_sig_blob, pac_data_raw, srv_sig_wipe,
@@ -336,8 +331,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't repack the SRV signature: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        /* push out the whole structure, but now with zero'ed signatures */
@@ -348,8 +342,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                status = ndr_map_error2ntstatus(ndr_err);
                DEBUG(0,("can't repack the RAW PAC: %s\n",
                        nt_errstr(status)));
-               talloc_free(tmp_ctx);
-               return status;
+               goto out;
        }
 
        if (service_keyblock) {
@@ -360,7 +353,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                if (ret) {
                        DEBUG(5, ("PAC Decode: Failed to verify the service "
                                  "signature: %s\n", error_message(ret)));
-                       return NT_STATUS_ACCESS_DENIED;
+                       status = NT_STATUS_ACCESS_DENIED;
+                       goto out;
                }
 
                if (krbtgt_keyblock) {
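Review bot: The removed `return NT_STATUS_ACCESS_DENIED;` on the "Failed to verify the service signature" branch had no `talloc_free(tmp_ctx)` in front of it, unlike the other error branches touched in this file, so this is where a leak on every PAC whose service signature does not verify gets fixed. The commit message only mentions the talloc_move case; please name this failure path there as well, because it is the one reviewers of the backport will look for.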
@@ -370,8 +364,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                        if (ret) {
                                DEBUG(1, ("PAC Decode: Failed to verify the KDC 
signature: %s\n",
                                          smb_get_krb5_error_message(context, 
ret, tmp_ctx)));
-                               talloc_free(tmp_ctx);
-                               return NT_STATUS_ACCESS_DENIED;
+                               status = NT_STATUS_ACCESS_DENIED;
+                               goto out;
                        }
                }
        }
@@ -387,8 +381,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                                  nt_time_string(tmp_ctx, 
logon_name->logon_time)));
                        DEBUG(2, ("PAC Decode: Ticket: %s\n",
                                  nt_time_string(tmp_ctx, 
tgs_authtime_nttime)));
-                       talloc_free(tmp_ctx);
-                       return NT_STATUS_ACCESS_DENIED;
+                       status = NT_STATUS_ACCESS_DENIED;
+                       goto out;
                }
        }
 
@@ -400,8 +394,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                if (ret) {
                        DEBUG(2, ("Could not unparse name from ticket to match 
with name from PAC: [%s]:%s\n",
                                  logon_name->account_name, 
error_message(ret)));
-                       talloc_free(tmp_ctx);
-                       return NT_STATUS_INVALID_PARAMETER;
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       goto out;
                }
 
                bool_ret = strcmp(client_principal_string, 
logon_name->account_name) == 0;
@@ -412,8 +406,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                                  logon_name->account_name,
                                  client_principal_string));
                        SAFE_FREE(client_principal_string);
-                       talloc_free(tmp_ctx);
-                       return NT_STATUS_ACCESS_DENIED;
+                       status = NT_STATUS_ACCESS_DENIED;
+                       goto out;
                }
                SAFE_FREE(client_principal_string);
 
@@ -434,10 +428,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
        }
 
        if (pac_data_out) {
-               *pac_data_out = talloc_steal(mem_ctx, pac_data);
+               *pac_data_out = talloc_move(mem_ctx, &pac_data);
        }
 
-       return NT_STATUS_OK;
+       status = NT_STATUS_OK;
+
+    out:
+
+       TALLOC_FREE(tmp_ctx);
+       return status;
 }
 
 NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
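Review bot: At the new `out:` label, `TALLOC_FREE(tmp_ctx)` also runs on the success path, and that is only safe because `talloc_move(mem_ctx, &pac_data)` hands the PAC to mem_ctx and clears the local pointer first; a short comment beside the talloc_move would keep a later edit from turning it back into a plain steal or assignment. When `pac_data_out` is NULL nothing is moved and the parsed data goes away with tmp_ctx, which looks intended but deserves a word in the same comment.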
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda..d7631374af1 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -1068,7 +1068,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct 
dom_sid *sid,
                                       const char **authority_name)
 {
        size_t di;
-       bool match_domain = false;
 
        *name = NULL;
        *type = SID_NAME_UNKNOWN;
@@ -1090,8 +1089,6 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct 
dom_sid *sid,
                        continue;
                }
 
-               match_domain = true;
-
                for (ni = 0; ni < d->num_names; ni++) {
                        const struct predefined_name_mapping *n =
                                &d->names[ni];
@@ -1109,7 +1106,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct 
dom_sid *sid,
                }
        }
 
-       if (!match_domain) {
+       if (sid->num_auths == 0) {
                return NT_STATUS_INVALID_SID;
        }
 
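Review bot: The `sid->num_auths == 0` test sits after the lookup loop, so a SID with no sub-authorities still walks the predefined domains before it is rejected. Can the check move above the loop, or can such a SID legitimately match inside it? Either way a one-line comment is needed saying that a bare authority such as S-1-22 or S-1-3 is the case that yields NT_STATUS_INVALID_SID, since the removed `match_domain` flag expressed a different rule and the new condition does not explain itself.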
diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm 
b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index c09ee4b784d..285e4321b19 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -967,61 +967,146 @@ sub PythonFunctionUnpackOut($$$)
        my $env = GenerateFunctionOutEnv($fn, "r->");
        my $result_size = 0;
 
-       $self->pidl("static PyObject *$outfnname(struct $fn->{NAME} *r)");
+       $self->pidl("static PyObject *$outfnname(struct $fn->{NAME} *r, bool 
raise_result_exception)");
        $self->pidl("{");
        $self->indent;
-       $self->pidl("PyObject *result;");
        foreach my $e (@{$fn->{ELEMENTS}}) {
                next unless (grep(/out/,@{$e->{DIRECTION}}));
                next if (($metadata_args->{in}->{$e->{NAME}} and grep(/in/, 
@{$e->{DIRECTION}})) or
                         ($metadata_args->{out}->{$e->{NAME}}) and grep(/out/, 
@{$e->{DIRECTION}}));
-               $self->pidl("PyObject *py_$e->{NAME};");
+               $self->pidl("PyObject *py_$e->{NAME} = NULL;");
                $result_size++;
        }
 
-       if ($fn->{RETURN_TYPE}) {
-               $result_size++ unless ($fn->{RETURN_TYPE} eq "WERROR" or 
$fn->{RETURN_TYPE} eq "NTSTATUS");
+       my $is_raisable_return = 0;
+       if ($fn->{RETURN_TYPE} and ($fn->{RETURN_TYPE} eq "WERROR" or 
$fn->{RETURN_TYPE} eq "NTSTATUS")) {
+               $is_raisable_return = 1;
        }
 
-       my $i = 0;
+       if ($fn->{RETURN_TYPE} and not $is_raisable_return) {
+               $result_size++;
+       }
+
+       my $max_result_size = $result_size;
+       my $alloc_size = "$result_size";
+       if ($fn->{RETURN_TYPE} and $is_raisable_return) {
+               $max_result_size++;
+       }
+       $self->pidl("PyObject *result = NULL;");
+       if ($max_result_size != $result_size) {
+               $self->pidl("size_t result_size = $result_size;");
+               $alloc_size = "result_size";
+       }
+       $self->pidl("");
 
        if ($result_size > 1) {
-               $self->pidl("result = PyTuple_New($result_size);");
                $signature .= "(";
        } elsif ($result_size == 0) {
-               $self->pidl("result = Py_None;");
-               $self->pidl("Py_INCREF(result);");
                $signature .= "None";
        }
 
+       if ($fn->{RETURN_TYPE} and $is_raisable_return) {
+               $self->pidl("if (raise_result_exception) {");
+               $self->indent;
+               if (defined($fn->{RETURN_TYPE}) and $fn->{RETURN_TYPE} eq 
"NTSTATUS") {
+                       $self->handle_ntstatus("r->out.result", "NULL", undef);
+               } elsif (defined($fn->{RETURN_TYPE}) and $fn->{RETURN_TYPE} eq 
"WERROR") {
+                       $self->handle_werror("r->out.result", "NULL", undef);
+               }
+               $self->deindent;
+               $self->pidl("} else {");
+               $self->indent;
+               $self->pidl("/* $fn->{RETURN_TYPE} will be part of the results 
*/");
+               $self->pidl("result_size += 1;");
+               $self->deindent;
+               $self->pidl("}");
+               $self->pidl("");
+       }
+
+       if ($max_result_size > 1) {
+               if ($max_result_size != $result_size) {
+                       $self->pidl("if (result_size > 1) {");
+                       $self->indent;
+               }
+               $self->pidl("result = PyTuple_New($alloc_size);");
+               $self->pidl("if (result == NULL) {");
+               $self->indent;
+               $self->pidl("return NULL;");
+               $self->deindent;
+               $self->pidl("}");
+               if ($max_result_size != $result_size) {
+                       $self->deindent;
+                       $self->pidl("}");
+               }
+               $self->pidl("");
+       }
+
+       my $i = 0;
+
        foreach my $e (@{$fn->{ELEMENTS}}) {
                next if ($metadata_args->{out}->{$e->{NAME}});
                my $py_name = "py_$e->{NAME}";
                if (grep(/out/,@{$e->{DIRECTION}})) {
                        $self->ConvertObjectToPython("r", $env, $e, 
"r->out.$e->{NAME}", $py_name, "return NULL;");
                        if ($result_size > 1) {
-                               $self->pidl("PyTuple_SetItem(result, $i, 
$py_name);");
-                               $i++;
                                $signature .= "$e->{NAME}, ";
                        } else {
-                               $self->pidl("result = $py_name;");
                                $signature .= $e->{NAME};
                        }
+
+                       if ($max_result_size > 1) {
+                               if ($max_result_size != $result_size and 
$result_size == 1) {
+                                       $self->pidl("if (result_size > 1) {");
+                                       $self->indent;
+                               }
+                               $self->pidl("PyTuple_SetItem(result, $i, 
$py_name);");
+                               if ($max_result_size != $result_size and 
$result_size == 1) {
+                                       $self->deindent;
+                                       $self->pidl("}");
+                               }
+                       }
+                       if ($result_size == 1) {
+                               if ($max_result_size != $result_size) {
+                                       $self->pidl("if (result_size == 1) {");
+                                       $self->indent;
+                               }
+                               $self->pidl("result = $py_name;");
+                               if ($max_result_size != $result_size) {
+                                       $self->deindent;
+                                       $self->pidl("}");
+                               }
+                       }
+                       $self->pidl("");
+                       $i++;
                }
        }
 
-       if (defined($fn->{RETURN_TYPE}) and $fn->{RETURN_TYPE} eq "NTSTATUS") {
-               $self->handle_ntstatus("r->out.result", "NULL", undef);
-       } elsif (defined($fn->{RETURN_TYPE}) and $fn->{RETURN_TYPE} eq 
"WERROR") {
-               $self->handle_werror("r->out.result", "NULL", undef);
-       } elsif (defined($fn->{RETURN_TYPE})) {
+       if ($fn->{RETURN_TYPE} and $is_raisable_return) {
+               $self->pidl("if (!raise_result_exception) {");
+               $self->indent;
+       }
+
+       if ($fn->{RETURN_TYPE}) {
                my $conv = $self->ConvertObjectToPythonData("r", 
$fn->{RETURN_TYPE}, "r->out.result", $fn);
-               if ($result_size > 1) {
+               if ($max_result_size > 1) {
                        $self->pidl("PyTuple_SetItem(result, $i, $conv);");
-               } else {
+               } elsif ($max_result_size == 1) {
                        $self->pidl("result = $conv;");
+               } else {
+                       fatal($fn->{ORIGINAL}, "Internal error 
max_result_size=$max_result_size");
+               }
+
+               if (not $is_raisable_return) {
+                       $signature .= "result";
                }
-               $signature .= "result";
+       }
+
+       if ($fn->{RETURN_TYPE} and $is_raisable_return) {
+               $self->deindent;
+               $self->pidl("}");
+               $self->pidl("");
+       } elsif ($fn->{RETURN_TYPE}) {
+               $self->pidl("");
        }
 
        if (substr($signature, -2) eq ", ") {
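Review bot: The generated `result = PyTuple_New(...)` is emitted ahead of the per-element `ConvertObjectToPython(..., "return NULL;")` calls, so a conversion that fails returns NULL while the tuple, and whatever items were already stored in it, is still referenced. Since the series sets out to stop leaking temporary Python objects, pass a fail action that drops `result` before returning, or build the tuple only after all conversions have succeeded. The return value of the generated `PyTuple_SetItem()` calls is ignored as well.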
@@ -1031,6 +1116,20 @@ sub PythonFunctionUnpackOut($$$)
                $signature .= ")";
        }
 
+       if ($result_size == 0) {
+               if ($max_result_size != $result_size) {
+                       $self->pidl("if (result_size == 0) {");
+                       $self->indent;
+               }
+               $self->pidl("result = Py_None;");
+               $self->pidl("Py_INCREF(result);");
+               if ($max_result_size != $result_size) {
+                       $self->deindent;
+                       $self->pidl("}");
+               }
+               $self->pidl("");
+       }
+
        $self->pidl("return result;");
        $self->deindent;
        $self->pidl("}");
@@ -1417,9 +1516,23 @@ sub Interface($$$)
                $self->indent;
                foreach my $d (@fns) {
                        my ($infn, $outfn, $callfn, $prettyname, $docstring, 
$opnum) = @$d;
-                       $self->pidl("{ \"$prettyname\", $docstring, 
(py_dcerpc_call_fn)$callfn, (py_data_pack_fn)$infn, (py_data_unpack_fn)$outfn, 
$opnum, &ndr_table_$interface->{NAME} },");
+                       $self->pidl("{");
+                       $self->indent;
+                       $self->pidl(".name = \"$prettyname\",");
+                       $self->pidl(".doc = $docstring,");
+                       $self->pidl(".call = (py_dcerpc_call_fn)$callfn,");
+                       $self->pidl(".pack_in_data = (py_data_pack_fn)$infn,");
+                       $self->pidl(".unpack_out_data = 
(py_data_unpack_fn)$outfn,");
+                       $self->pidl(".opnum = $opnum,");
+                       $self->pidl(".table = &ndr_table_$interface->{NAME},");
+                       $self->deindent;
+                       $self->pidl("},");
                }
-               $self->pidl("{0}");
+               $self->pidl("{");
+               $self->indent;
+               $self->pidl(".name = NULL,");
+               $self->deindent;
+               $self->pidl("},");
                $self->deindent;
                $self->pidl("};");
                $self->pidl("");
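Review bot: The array terminator changes from `{0}` to an entry that sets only `.name = NULL`. The remaining members are still zero-initialized, so the data is the same, but the generated code should carry a comment stating that the consumer of the PyNdrRpcMethodDef array stops on `.name == NULL`, so the sentinel is not mistaken for an incomplete entry.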
diff --git a/python/samba/tests/dcerpc/lsa.py b/python/samba/tests/dcerpc/lsa.py
index 355bb1f4440..685dd14bd18 100644
--- a/python/samba/tests/dcerpc/lsa.py
+++ b/python/samba/tests/dcerpc/lsa.py
@@ -20,12 +20,18 @@
 
 """Tests for samba.dcerpc.lsa."""
 
-from samba.dcerpc import lsa
+from samba.dcerpc import lsa, security
 from samba.credentials import Credentials


-- 
Samba Shared Repository
