The branch, master has been updated
via 835ae52f94f drsuapi.idl: fix source_dsa spelling
via f0399ca13b0 security.idl: DOMAIN_RID_{FOREST,EXTERNAL}_TRUST_ACCOUNTS
via 45d97cf8415 security.idl: add SID_NT_THIS_ORGANIZATION_CERTIFICATE
via dba0cdad5bc security.idl: change ORGANISATION into ORGANIZATION
via 6c9f2e4a8f1 drsblobs.idl: make some scannerInfo related stuff public
via 896617acae6 drsblobs.idl: use dom_sid0 in ForestTrustDataDomainInfo
via 4f905af2ad4 drsblobs.idl: introduce ForestTrustDataScannerInfo
via 3295e0214c5 drsblobs.idl: split explicit binary data and unknown data for ForestTrustData
via 64a80f220ec drsblobs.idl: set NDR_PAHEX for ForestTrustDataBinaryData
via cee01274b2c s4:torture/ndr: add a ForestTrustInfo ndr test with FOREST_TRUST_SCANNER_INFO
via 77a1ed4531a drsblobs.idl: add support for ForestTrustInfo with FOREST_TRUST_SCANNER_INFO
from 4d5147119fc s4:kdc: let samba_kdc_trust_message2entry don't support WITHIN_FOREST and PIM_TRUST
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 835ae52f94fa69b8216bcbb6534de6598d470f29
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jan 10 13:12:55 2025 +0100
drsuapi.idl: fix source_dsa spelling
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Sat Feb 8 19:49:33 UTC 2025 on atb-devel-224
commit f0399ca13b0129ee544f0aed6afcbec15dc542f3
Author: Stefan Metzmacher <[email protected]>
Date: Mon Jan 13 23:25:35 2025 +0100
security.idl: DOMAIN_RID_{FOREST,EXTERNAL}_TRUST_ACCOUNTS
These seem to be new in Windows 2025.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 45d97cf841539dd9938ee3e88dbe76d1c1a53f84
Author: Stefan Metzmacher <[email protected]>
Date: Tue Jan 28 14:29:58 2025 +0100
security.idl: add SID_NT_THIS_ORGANIZATION_CERTIFICATE
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit dba0cdad5bcdfa09c2cf13b6413213cdf96635b5
Author: Stefan Metzmacher <[email protected]>
Date: Wed Dec 4 18:24:04 2024 +0100
security.idl: change ORGANISATION into ORGANIZATION
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 6c9f2e4a8f163138c080dda0cfe7b85f8f63d530
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 5 13:16:03 2025 +0100
drsblobs.idl: make some scannerInfo related stuff public
This is needed in order to use ndr_pack() on them
in python code.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 896617acae66054f1b021d72830da5b070928a03
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 17:49:52 2024 +0100
drsblobs.idl: use dom_sid0 in ForestTrustDataDomainInfo
We already use ndr_size_dom_sid0() and when ForestTrustDataDomainInfo
is used as part of ForestTrustDataScannerInfo, sid_size is 0
and the subcontext for the sid is skipped.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 4f905af2ad4a0af07d684d4745dab6286c1c88d7
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 17:44:44 2024 +0100
drsblobs.idl: introduce ForestTrustDataScannerInfo
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 3295e0214c5ba2e22ca6afa268c6217638be35e4
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 15:40:49 2024 +0100
drsblobs.idl: split explicit binary data and unknown data for
ForestTrustData
For now FOREST_TRUST_SCANNER_INFO is unknown.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 64a80f220ec3b2962564d895c8c9e7c465fb98a4
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 14:53:00 2024 +0100
drsblobs.idl: set NDR_PAHEX for ForestTrustDataBinaryData
The dump_data hexdump is much easier to read...
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit cee01274b2c96e00494cc12b63dadf8caafbc560
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 14:40:32 2024 +0100
s4:torture/ndr: add a ForestTrustInfo ndr test with
FOREST_TRUST_SCANNER_INFO
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 77a1ed4531ae17a9553c84ba5171cc6f9510adb0
Author: Stefan Metzmacher <[email protected]>
Date: Tue Dec 17 12:30:56 2024 +0100
drsblobs.idl: add support for ForestTrustInfo with FOREST_TRUST_SCANNER_INFO
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/drsblobs.idl | 37 ++++++++++------
librpc/idl/drsuapi.idl | 4 +-
librpc/idl/security.idl | 7 +++-
python/samba/tests/krb5/test_ldap.py | 2 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 14 ++++++-
source4/torture/ndr/drsblobs.c | 81 ++++++++++++++++++++++++++++++++++++
6 files changed, 126 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl
index 002c04f7903..815677a3e9d 100644
--- a/librpc/idl/drsblobs.idl
+++ b/librpc/idl/drsblobs.idl
@@ -597,37 +597,50 @@ interface drsblobs {
/* MS-ADTS 7.1.6.9.3 msDS-TrustForestTrustInfo Attribute */
+ /* same as lsa_ForestTrustRecordType, but only 8 bit */
+ typedef [enum8bit] enum {
+ FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME,
+ FOREST_TRUST_TOP_LEVEL_NAME_EX =
LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX,
+ FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO,
+ FOREST_TRUST_BINARY_DATA = LSA_FOREST_TRUST_BINARY_DATA,
+ FOREST_TRUST_SCANNER_INFO = LSA_FOREST_TRUST_SCANNER_INFO
+ } ForestTrustInfoRecordType;
+
typedef struct {
[value(strlen_m(string))] uint32 size;
[charset(UTF8)] uint8 string[size];
} ForestTrustString;
- typedef [flag(NDR_NOALIGN)] struct {
+ typedef [public,flag(NDR_NOALIGN)] struct {
[value(ndr_size_dom_sid0(&sid, ndr->flags))] uint32 sid_size;
- [subcontext(0),subcontext_size(sid_size)] dom_sid sid;
+ [subcontext(0),subcontext_size(sid_size)] dom_sid0 sid;
ForestTrustString dns_name;
ForestTrustString netbios_name;
} ForestTrustDataDomainInfo;
- typedef [flag(NDR_NOALIGN)] struct {
+ typedef [public,flag(NDR_NOALIGN|NDR_PAHEX)] struct {
uint32 size;
uint8 data[size];
} ForestTrustDataBinaryData;
- typedef [nodiscriminant] union {
+ typedef [public,flag(NDR_NOALIGN)] struct {
+ [value(FOREST_TRUST_SCANNER_INFO)] ForestTrustInfoRecordType
sub_type;
+ ForestTrustDataDomainInfo info;
+ } ForestTrustDataScannerInfo;
+
+ typedef [public,nodiscriminant] union {
[case(FOREST_TRUST_TOP_LEVEL_NAME)] ForestTrustString name;
[case(FOREST_TRUST_TOP_LEVEL_NAME_EX)] ForestTrustString name;
[case(FOREST_TRUST_DOMAIN_INFO)] ForestTrustDataDomainInfo info;
- [default] ForestTrustDataBinaryData data;
+ [case(FOREST_TRUST_BINARY_DATA)] ForestTrustDataBinaryData
binary;
+ /*
+ * ForestTrustDataScannerInfo would have the same
+ * definition as ForestTrustDataDomainInfo
+ */
+ [case(FOREST_TRUST_SCANNER_INFO),subcontext(4)]
ForestTrustDataScannerInfo scanner_info;
+ [default] ForestTrustDataBinaryData unknown;
} ForestTrustData;
- /* same as lsa_ForestTrustRecordType, but only 8 bit */
- typedef [enum8bit] enum {
- FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME,
- FOREST_TRUST_TOP_LEVEL_NAME_EX =
LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX,
- FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO
- } ForestTrustInfoRecordType;
-
/* meaning of flags depends on record type and values are
the same as in lsa.idl, see collision record types */
typedef [public,gensize,flag(NDR_NOALIGN)] struct {
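Review bot: the comment above the FOREST_TRUST_SCANNER_INFO union case says ForestTrustDataScannerInfo "would have the same definition as ForestTrustDataDomainInfo", but the struct declared a few lines earlier prefixes the domain info with an 8-bit sub_type, and the union case additionally wraps it in subcontext(4); please reword the comment to say that only the embedded info member matches ForestTrustDataDomainInfo, otherwise a reader wonders why a distinct type and a subcontext are needed at all. Note also that sub_type is declared `[value(FOREST_TRUST_SCANNER_INFO)]`; if pidl only fills such values on push, a pulled blob carrying a different sub_type is accepted silently, so the explicit sub_type assertion in the new torture test is the right place to pin the expected value and should stay.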
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index 99fbca6c7b7..fe27e88ac7c 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -914,8 +914,8 @@ interface drsuapi
typedef struct {
[ref] drsuapi_DsReplicaObjectIdentifier *naming_context;
- GUID source_dra;
- [charset(UTF16),string] uint16 *source_dra_address;
+ GUID source_dsa;
+ [charset(UTF16),string] uint16 *source_dsa_address;
uint8 schedule[84];
drsuapi_DrsOptions replica_flags;
uint32 modify_fields;
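Review bot: renaming the public IDL members source_dra and source_dra_address to source_dsa and source_dsa_address also renames the generated C struct fields and the Python attributes; the diffstat shows only librpc/idl/drsuapi.idl touched for this change (4 +-), so it relies on no in-tree consumer referencing the old names. A sentence in the commit message stating that the fields are unused (or that all callers were checked) would make the rename easier to audit later.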
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d88cd92671a..9f02ee10d92 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -251,7 +251,7 @@ interface security
const string SID_NT_RESTRICTED = "S-1-5-12";
const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
- const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
+ const string SID_NT_THIS_ORGANIZATION = "S-1-5-15";
const string SID_NT_IUSR = "S-1-5-17";
const string SID_NT_SYSTEM = "S-1-5-18";
const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
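Review bot: SID_NT_THIS_ORGANISATION is renamed without a compatibility alias; these constants are exported to Python (python/samba/tests/krb5/test_ldap.py has to be updated in this same changeset), so any out-of-tree script using security.SID_NT_THIS_ORGANISATION stops working. Consider keeping `const string SID_NT_THIS_ORGANISATION = "S-1-5-15";` as a deprecated alias for one release, or at least calling the rename out in the release notes.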
@@ -259,7 +259,8 @@ interface security
const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
- const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
+ const string SID_NT_THIS_ORGANIZATION_CERTIFICATE = "S-1-5-65-1";
+ const string SID_NT_OTHER_ORGANIZATION = "S-1-5-1000";
/* SECURITY_BUILTIN_DOMAIN_RID */
const string NAME_BUILTIN = "BUILTIN";
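Review bot: the new SID_NT_THIS_ORGANIZATION_CERTIFICATE = "S-1-5-65-1" is inserted between the S-1-5-64-* authentication-package SIDs and S-1-5-1000 without any comment, and its commit message gives no source either; a short reference to the well-known SID table it comes from next to the constant would help whoever later maps it in token handling. The SID_NT_OTHER_ORGANISATION rename in the same hunk also drops a public name with no alias, so the same compatibility consideration applies as for SID_NT_THIS_ORGANISATION in the previous hunk.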
@@ -374,6 +375,8 @@ interface security
const int DOMAIN_RID_PROTECTED_USERS = 525;
const int DOMAIN_RID_KEY_ADMINS = 526;
const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
+ const int DOMAIN_RID_FOREST_TRUST_ACCOUNTS = 528;
+ const int DOMAIN_RID_EXTERNAL_TRUST_ACCOUNTS = 529;
const int DOMAIN_RID_RAS_SERVERS = 553;
const int DOMAIN_RID_RODC_ALLOW = 571;
const int DOMAIN_RID_RODC_DENY = 572;
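Review bot: DOMAIN_RID_FOREST_TRUST_ACCOUNTS (528) and DOMAIN_RID_EXTERNAL_TRUST_ACCOUNTS (529) are added without a comment while the commit message only says they "seem to be new in Windows 2025"; please record that origin next to the constants (for example `/* observed with Windows Server 2025 */`) so the uncertainty stays visible to whoever later wires these RIDs into group or trust-account handling, and add a protocol reference once a document lists them.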
diff --git a/python/samba/tests/krb5/test_ldap.py
b/python/samba/tests/krb5/test_ldap.py
index eaf79e7fa01..259fb8c3ccd 100755
--- a/python/samba/tests/krb5/test_ldap.py
+++ b/python/samba/tests/krb5/test_ldap.py
@@ -133,7 +133,7 @@ class LdapTests(KDCBaseTest):
self.assertEqual(security.SID_NT_NETWORK, str(token_sid))
if len(token_groups) >= 3:
token_sid = ndr_unpack(security.dom_sid, token_groups[2])
- self.assertEqual(security.SID_NT_THIS_ORGANISATION,
+ self.assertEqual(security.SID_NT_THIS_ORGANIZATION,
str(token_sid))
else:
# Ensure that they match.
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c
b/source3/rpc_server/lsa/srv_lsa_nt.c
index 992cf93875e..6d4d861fad9 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -4493,7 +4493,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
exclusion = false;
switch (nrec->type) {
- case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
+ case FOREST_TRUST_TOP_LEVEL_NAME_EX:
/* exclusions do not conflict by definition */
break;
@@ -4501,11 +4501,21 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
dns_name = nrec->data.name.string;
break;
- case LSA_FOREST_TRUST_DOMAIN_INFO:
+ case FOREST_TRUST_DOMAIN_INFO:
dns_name = nrec->data.info.dns_name.string;
nb_name = nrec->data.info.netbios_name.string;
sid = &nrec->data.info.sid;
break;
+
+ case FOREST_TRUST_BINARY_DATA:
+ break;
+
+ case FOREST_TRUST_SCANNER_INFO:
+ /*
+ * We don't have a scanner yet,
+ * so we don't check this here
+ */
+ break;
}
if (!dns_name) continue;
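Review bot: the new FOREST_TRUST_SCANNER_INFO case breaks out without extracting dns_name and netbios_name even though ForestTrustDataScannerInfo embeds a ForestTrustDataDomainInfo with exactly those fields, so a scanner record whose names collide with an existing trust will not be reported by check_ft_info; the comment says this is deliberate for now, so please mark it as a TODO (or reference a bug) rather than leaving a bare comment. Switching the case labels from LSA_FOREST_TRUST_* to FOREST_TRUST_* matches the ForestTrustInfoRecordType of nrec->type, which lets the compiler's switch-coverage warning flag future enumerators, provided the switch has no default label.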
diff --git a/source4/torture/ndr/drsblobs.c b/source4/torture/ndr/drsblobs.c
index 0ef2d95056b..b061d8320e8 100644
--- a/source4/torture/ndr/drsblobs.c
+++ b/source4/torture/ndr/drsblobs.c
@@ -61,6 +61,82 @@ static bool forest_trust_info_check_out(struct
torture_context *tctx,
return true;
}
+static const char *forest_trust_info_data_out2 =
+ "AQAAAAUAAAAfAAAAAAAAALpM2wE/1ICrAA4AAAB3NGVkb20tbD"
+
"QuYmFzZUgAAAAAAAAAukzbAT/UgKsCGAAAAAEEAAAAAAAFFQAAAFWTkhD0sKbKlkeXVg4AAAB3NGV"
+
"kb20tbDQuYmFzZQkAAABXNEVET00tTDQiAAAAAQAAALtM2wFbRoxWABEAAAB3NGVkb20tbDQucHJp"
+
"dmF0ZSEAAAABAAAAu0zbAVtGjFYAEAAAAHc0ZWRvbS1sNC5wdWJsaWM1AAAAAAAAALpM2wH9xHHPB"
+ "CQAAAAEAAAAAA4AAAB3NGVkb20tbDQuYmFzZQkAAABXNEVET00tTDQ=";
+
+static bool forest_trust_info_check_out2(struct torture_context *tctx,
+ struct ForestTrustInfo *r)
+{
+ const struct ForestTrustInfoRecord *rec = NULL;
+ const struct ForestTrustString *n = NULL;
+ const struct ForestTrustDataDomainInfo *d = NULL;
+ const struct ForestTrustDataScannerInfo *s = NULL;
+
+ torture_assert_int_equal(tctx, r->version, 1, "version");
+ torture_assert_int_equal(tctx, r->count, 5, "count");
+
+ torture_assert_int_equal(tctx, r->records[0].record_size, 0x0000001f,
"record size");
+ rec = &r->records[0].record;
+ torture_assert_int_equal(tctx, rec->flags, 0, "record flags");
+ torture_assert_u64_equal(tctx, rec->timestamp, 0xAB80D43F01DB4CBAULL,
"record timestamp");
+ torture_assert_int_equal(tctx, rec->type, FOREST_TRUST_TOP_LEVEL_NAME,
"record type");
+ n = &rec->data.name;
+ torture_assert_int_equal(tctx, n->size, 14, "record name size");
+ torture_assert_str_equal(tctx, n->string, "w4edom-l4.base", "record
name string");
+
+ torture_assert_int_equal(tctx, r->records[1].record_size, 0x00000048,
"record size");
+ rec = &r->records[1].record;
+ torture_assert_int_equal(tctx, rec->flags, 0, "record flags");
+ torture_assert_u64_equal(tctx, rec->timestamp, 0xAB80D43F01DB4CBAULL,
"record timestamp");
+ torture_assert_int_equal(tctx, rec->type, FOREST_TRUST_DOMAIN_INFO,
"record type");
+ d = &rec->data.info;
+ torture_assert_int_equal(tctx, d->sid_size, 0x00000018, "record info
sid_size");
+ torture_assert_sid_equal(tctx, &d->sid,
+ dom_sid_parse_talloc(tctx,
"S-1-5-21-278041429-3399921908-1452754838"), "record info sid");
+ torture_assert_int_equal(tctx, d->dns_name.size, 14, "record name
size");
+ torture_assert_str_equal(tctx, d->dns_name.string, "w4edom-l4.base",
"record info dns_name string");
+ torture_assert_int_equal(tctx, d->netbios_name.size, 9, "record info
netbios_name size");
+ torture_assert_str_equal(tctx, d->netbios_name.string, "W4EDOM-L4",
"record info netbios_name string");
+
+ torture_assert_int_equal(tctx, r->records[2].record_size, 0x00000022,
"record size");
+ rec = &r->records[2].record;
+ torture_assert_int_equal(tctx, rec->flags, LSA_TLN_DISABLED_NEW,
"record flags");
+ torture_assert_u64_equal(tctx, rec->timestamp, 0x568C465B01DB4CBBULL,
"record timestamp");
+ torture_assert_int_equal(tctx, rec->type, FOREST_TRUST_TOP_LEVEL_NAME,
"record type");
+ n = &rec->data.name;
+ torture_assert_int_equal(tctx, n->size, 17, "record name size");
+ torture_assert_str_equal(tctx, n->string, "w4edom-l4.private", "record
name string");
+
+ torture_assert_int_equal(tctx, r->records[3].record_size, 0x00000021,
"record size");
+ rec = &r->records[3].record;
+ torture_assert_int_equal(tctx, rec->flags, LSA_TLN_DISABLED_NEW,
"record flags");
+ torture_assert_u64_equal(tctx, rec->timestamp, 0x568C465B01DB4CBBULL,
"record timestamp");
+ torture_assert_int_equal(tctx, rec->type, FOREST_TRUST_TOP_LEVEL_NAME,
"record type");
+ n = &rec->data.name;
+ torture_assert_int_equal(tctx, n->size, 16, "record name size");
+ torture_assert_str_equal(tctx, n->string, "w4edom-l4.public", "record
name string");
+
+ torture_assert_int_equal(tctx, r->records[4].record_size, 0x00000035,
"record size");
+ rec = &r->records[4].record;
+ torture_assert_int_equal(tctx, rec->flags, 0, "record flags");
+ torture_assert_u64_equal(tctx, rec->timestamp, 0xCF71C4FD01DB4CBAULL,
"record timestamp");
+ torture_assert_int_equal(tctx, rec->type, FOREST_TRUST_SCANNER_INFO,
"record type");
+ s = &rec->data.scanner_info;
+ torture_assert_int_equal(tctx, s->sub_type, FOREST_TRUST_SCANNER_INFO,
"record sub type");
+ d = &s->info;
+ torture_assert_int_equal(tctx, d->sid_size, 0x00000000, "record info
sid_size");
+ torture_assert_int_equal(tctx, d->dns_name.size, 14, "record name
size");
+ torture_assert_str_equal(tctx, d->dns_name.string, "w4edom-l4.base",
"record info dns_name string");
+ torture_assert_int_equal(tctx, d->netbios_name.size, 9, "record info
netbios_name size");
+ torture_assert_str_equal(tctx, d->netbios_name.string, "W4EDOM-L4",
"record info netbios_name string");
+
+ return true;
+}
+
static const uint8_t trust_domain_passwords_in[] = {
0x34, 0x1f, 0x6e, 0xcd, 0x5f, 0x14, 0x99, 0xf9, 0xd8, 0x34, 0x9f, 0x1d,
0x1c, 0xcf, 0x1f, 0x02, 0xb8, 0x30, 0xcc, 0x77, 0x21, 0xc1, 0xf3, 0xe2,
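Review bot: for records[4], the scanner record, the check asserts d->sid_size == 0 but never asserts what d->sid holds afterwards; since the commit message for the dom_sid0 change relies on the sid subcontext being skipped when sid_size is 0, add an assertion that the sid is empty (for example `torture_assert_int_equal(tctx, d->sid.num_auths, 0, "record info sid");`) so a regression in that path fails the test instead of leaving a stale sid unnoticed. The remaining records are covered well, including the flags, timestamps and both name sizes.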
@@ -511,6 +587,11 @@ struct torture_suite *ndr_drsblobs_suite(TALLOC_CTX *ctx)
torture_suite_add_suite(suite, win2012R2_suite);
torture_suite_add_ndr_pull_test(suite, ForestTrustInfo,
forest_trust_info_data_out, forest_trust_info_check_out);
+ torture_suite_add_ndr_pull_validate_test_b64(suite, ForestTrustInfo,
+ "with_scanner",
+
forest_trust_info_data_out2,
+
forest_trust_info_check_out2);
+
torture_suite_add_ndr_pull_test(suite, trustDomainPasswords,
trust_domain_passwords_in, trust_domain_passwords_check_in);
torture_suite_add_ndr_pull_validate_test_blob(suite,
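Review bot: the new test uses torture_suite_add_ndr_pull_validate_test_b64 while the existing ForestTrustInfo test two lines above still uses torture_suite_add_ndr_pull_test; the validate variant, as its name suggests, also re-pushes the parsed structure and compares it with the input, which is exactly what exercises the `[value(...)]` size fields and the NDR_NOALIGN layout changed in drsblobs.idl, so consider converting the older test as well, or noting why its blob cannot round-trip.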
--
Samba Shared Repository