The branch, v4-22-stable has been updated
via 3f4135db35d VERSION: Disable GIT_SNAPSHOT for the 4.22.0rc3 release.
via 9b1c7416b88 WHATSNEW: Add release notes for Samba 4.22.0rc3.
via 29bd6fe9cbe python:lsa_utils: Fix fallback to OpenPolicy2
via 8a7346f6c03 python:lsa_utils: Don't use optional arguments for
OpenPolicyFallback()
via 1f84f56c6df pidl: Update documentation for DCERPC interface
connections
via 82aa8314259 librpc:pyrpc: Allow new authenticated rpc connection on
the same transport as the basis_connection
via 310b5c9dcec dcesrv_core: Make dcesrv_call_disconnect_after() public
via 1a3be37e0eb s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for
OpenPolicy fallback
via d0420684649 s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for
internal RPC
via 60dc107d2a6 s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth()
via 3a7591436e6 pytests: test pysmbd with relative path names via
samba-tool ntacl
via aad39687b6f pysmbd: Fix interactive samba-tool use after
0bb35e246141
via 78ed8d3a985 pytests: test pysmbd with non-existent file
via 836ff80b954 pysmbd: Init mangle_fns
via 65494ee1223 mdssvc: support a few more attributes
via e951675239b ndr: fix coda logic around in ndr_pull_security_ace()
via c10e71fb004 pytest: add ndr packing tests for security descriptors
via b9c08aec94a docs: Update documentation for 'sync machine password
to keytab'
via cb50befaa21 s3:libads: Remove specifier for 'host' principal from
'sync machine password to keytab'
via 5b5862dc690 docs-xml:smbdotconf: Document new options for 'sync
machinepassword to keytab'
via 43059189596 s3: Add new keytab specifiers
via f57b2dacb5d vfs_ceph_new:minor logging improvement
via 1bb846f8344 VERSION: Bump version up to Samba 4.22.0rc3...
from 93f8fdc858b VERSION: Disable GIT_SNAPSHOT for the 4.22.0rc2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 34 +-
docs-xml/manpages/net.8.xml | 24 +-
.../security/syncmachinepasswordtokeytab.xml | 41 +-
librpc/ndr/ndr_sec_helper.c | 5 +-
librpc/rpc/dcesrv_core.c | 4 +-
librpc/rpc/dcesrv_core.h | 3 +
pidl/lib/Parse/Pidl/Samba4/Python.pm | 29 +-
python/samba/lsa_utils.py | 67 ++-
python/samba/netcmd/domain/trust.py | 93 ++-
python/samba/tests/dcerpc/lsa_utils.py | 51 +-
python/samba/tests/krb5/kdc_base_test.py | 32 +-
python/samba/tests/ndr/sd.py | 623 ++++++++++++++++++++
python/samba/tests/samba_tool/ntacl.py | 80 +++
selftest/target/Samba3.pm | 7 +-
selftest/tests.py | 1 +
source3/lib/netapi/localgroup.c | 2 +-
source3/libads/kerberos_keytab.c | 626 +++++++++++++--------
source3/modules/vfs_ceph_new.c | 137 +++--
source3/rpc_client/cli_lsarpc.c | 15 +-
source3/rpc_client/cli_lsarpc.h | 4 +-
source3/rpc_client/cli_pipe.c | 88 +++
source3/rpc_client/cli_pipe.h | 2 +
source3/rpc_server/mdssvc/mdssvc.c | 23 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
source3/rpcclient/cmd_lsarpc.c | 48 +-
source3/script/tests/test_update_keytab.sh | 401 +++++++++----
source3/smbd/pysmbd.c | 44 +-
source3/utils/net_rpc.c | 6 +-
source3/utils/net_rpc_rights.c | 4 +-
source3/utils/net_rpc_trust.c | 2 +-
source3/winbindd/winbindd_cm.c | 2 +-
source3/wscript_build | 2 +-
source4/librpc/rpc/pyrpc_util.c | 78 ++-
34 files changed, 1969 insertions(+), 613 deletions(-)
create mode 100644 python/samba/tests/ndr/sd.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 532ea4abac4..dcadc0cf4bd 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=3
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2c4b5494c03..b7e111ec06d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first release candidate of Samba 4.22. This is *not*
+This is the third release candidate of Samba 4.22. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -78,6 +78,38 @@ smb.conf changes
cldap port Removed
+CHANGES SINCE 4.22.0rc2
+=======================
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15738: Creation of GPOs applicable to more than one group is
impossible
+ with Samba 4.20.0 and later.
+
+o Björn Baumbach <[email protected]>
+ * BUG 15806: samba-tool acl commands broken for relative path names
+ * BUG 15807: pysmbd seg faults when file is not found.
+
+o Ralph Boehme <[email protected]>
+ * BUG 15796: Spotlight search results don't show file size and creation
date.
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15759: net ads create/join/winbind producing unix dysfunctional
+ keytabs.
+
+o Volker Lendecke <[email protected]>
+ * BUG 15806: samba-tool acl commands broken for relative path names.
+ * BUG 15807: pysmbd seg faults when file is not found.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 15680: Trust domains are not created.
+
+o Andreas Schneider <[email protected]>
+ * BUG 15680: Trust domains are not created.
+
+o Shweta Sodani <[email protected]>
+ * BUG 15703: General improvements for vfs_ceph_new module.
+
+
CHANGES SINCE 4.21.0rc1
=======================
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index ca34d322512..05191236ecc 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1549,29 +1549,25 @@ to show in the result.
<para>
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
-name="sync machine password to keytab"/>. The keytab is created only for
+name="sync machine password to keytab"/> . The keytab can be created only when
+machine password is available in secrets.tdb, i.e. only for
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
only</smbconfoption> and <smbconfoption name="sync machine password to
keytab"/>
(default is empty) the keytab is not generated at all. Keytab with a default
-name and SPNs synced from AD is created for <smbconfoption name="kerberos
-method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
-password to keytab"/> is missing.
+name containing: SPNs synced from AD, account name COMPUTER$ and principal
+host/dns_hostname is created for <smbconfoption name="kerberos method">secrets
+and keytab</smbconfoption> if <smbconfoption name="sync machine password to
+keytab"/> is missing.
</para>
<para>
-Till Samba 4.20.0, two more entries were created by default: the machinename of
-the client (ending with '$') and the UPN (host/domain@REALM). If these two
-entries are still needed, each must be specified in an own keytab file.
-Example below will generate three keytab files that contain SPNs synced from
-AD, host UPN and machine$ SPN:
+Till Samba 4.20, these entries were created by default: the account name
+COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
+such keytab:
</para>
<programlisting>
-<smbconfoption name="sync machine password to keytab">
-/etc/krb5.keytab0:sync_spns:machine_password,
-/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
-/etc/krb5.keytab2:account_name:machine_password
-</smbconfoption>
+<smbconfoption name="sync machine password to
keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index f7dc30023d4..ec3fffc1119 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -24,36 +24,48 @@ synchronization.
Each string has this form:
<programlisting>
-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
+absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
-where spn_spec can have exactly one of these four forms:
+spn_spec can be specified multiple times (separated using ':') and each
spn_spec can have exactly one of these forms:
<programlisting>
account_name
+sync_account_name
+sync_upn
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
</programlisting>
-No other combinations are allowed.
</para>
<para>
-Specifiers:
+Every keytab contains principals according the specification below:
<programlisting>
-account_name - creates entry using principal 'computer$@REALM'.
-sync_spns - uses principals received from AD DC.
-spn_prefixes - creates principals from the prefixes and adds netbios_aliases
or additional_dns_hostnames if specified.
-spns - creates only the principals defined in the list.
+account_name - COMPUTER$@REALM
+sync_account_name - uses attribute "sAMAccountName" from AD
+sync_upn - uses attribute "userPrincipalName" (if exists in AD)
+sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
+spn_prefixes - creates these two principals from each prefix. e.g.:
+ prefix/<smbconfoption name="netbios name"/>@REALM
+ prefix/<smbconfoption name="dns hostname"/>@REALM
+ with :netbios_aliases for each netbiosalias in
<smbconfoption name="netbios aliases"/>
+ prefix/netbiosalias@REALM
+ prefix/netbiosalias.dnsdomain@REALM
+ with :additional_dns_hostnames for each
additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
+ prefix/additionaldnshostname@REALM
+ - 'host' principal should be created using specifier
spn_prefixes
+spns - creates only the principals defined in the list
</programlisting>
+'account_name' and 'sync_account_name' are the same, just the source differs
(secrets.tdb vs. AD).
</para>
<para>
Options:
<programlisting>
-sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read
from DC and is used to find the highest common enc type for AD and KRB5 lib.
-sync_kvno - the key version number ("msDS-KeyVersionNumber") is
synchronized from DC, otherwise is set to -1.
-netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for
each alias. See <smbconfoption name="netbios aliases"/>
-additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption
name="additional dns hostnames"/>
+sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read
from AD and is used to find the highest common enc type for AD and KRB5 lib.
+sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used
to set KVNO. If this option is missing, KVNO is set to -1.
+netbios_aliases - evaluated only for spn_prefixes (see details above).
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
machine_password - mandatory, if missing the entry is ignored. For
future use.
</programlisting>
</para>
@@ -68,7 +80,8 @@ Example:
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
-"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to
DC. For "offline domain join" it might be useful not to use these options.
</para>
@@ -80,7 +93,7 @@ If no value is present and <smbconfoption name="kerberos
method"/> is different
<itemizedlist>
<listitem>
<para><userinput>winbind</userinput> uses value
-
<programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
+
<programlisting>/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password</programlisting>
where the path to the keytab is obtained either from the
krb5 library or from
<smbconfoption name="dedicated keytab file"/>.
</para>
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index 7f95f1423d7..55e373cfdac 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -104,6 +104,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct
ndr_pull *ndr, ndr_flags
{
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
+ ssize_t sub_size;
NDR_CHECK(ndr_pull_align(ndr, 5));
NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS,
&r->type));
NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS,
&r->flags));
@@ -111,12 +112,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct
ndr_pull *ndr, ndr_flags
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr,
NDR_SCALARS, r));
NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
- if (!sec_ace_has_extra_blob(r->type)) {
+ sub_size = ndr_subcontext_size_of_ace_coda(r, r->size,
ndr->flags);
+ if (sub_size == 0 && !sec_ace_has_extra_blob(r->type)) {
r->coda.ignored.data = NULL;
r->coda.ignored.length = 0;
} else {
struct ndr_pull *_ndr_coda;
- ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r,
r->size, ndr->flags);
NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0,
sub_size));
NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda,
&r->coda, r->type));
NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda,
NDR_SCALARS|NDR_BUFFERS, &r->coda));
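Review bot: `sub_size` is computed from `r->size`, a value read from the wire, and after this change it reaches `ndr_pull_subcontext_start()` for every ACE type whenever it is non-zero, yet nothing in the hunk rules out a negative `ssize_t`. `ndr_subcontext_size_of_ace_coda()` is not visible here, so whether it can return a negative value for an undersized `r->size` cannot be confirmed from the patch. If it cannot, a short comment above `if (sub_size == 0 && !sec_ace_has_extra_blob(r->type))` stating that guarantee would settle it; if it can, reject `sub_size < 0` before the subcontext is opened. The same comment should say why an ACE type without an extra blob now takes the subcontext path when trailing bytes are present. The function body starts and ends outside the hunk.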
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 66478001640..7fb23d49d61 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -783,8 +783,8 @@ static void dcesrv_call_set_list(struct dcesrv_call_state
*call,
}
}
-static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
- const char *reason)
+void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
+ const char *reason)
{
struct dcesrv_auth *a = NULL;
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index 90f5bd21d64..0b69af575b2 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -566,6 +566,9 @@ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state
*call,
NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call,
DATA_BLOB *session_key);
+void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
+ const char *reason);
+
/* a useful macro for generating a RPC fault in the backend code */
#define DCESRV_FAULT(code) do { \
dce_call->fault_code = code; \
diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm
b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index 1d32f71c886..e6a5ac8bb17 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -1597,11 +1597,30 @@ sub Interface($$$)
$self->pidl("");
my $signature =
-"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None) ->
connection\\n\"
-\"\\n\"
-\"binding should be a DCE/RPC binding string (for example:
ncacn_ip_tcp:127.0.0.1)\\n\"
-\"lp_ctx should be a path to a smb.conf file or a param.LoadParm object\\n\"
-\"credentials should be a credentials.Credentials object.\\n\\n\"";
+"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None,
basis_connection=None) -> connection\\n\"
+\"\\n\\n\"
+\"Parameters\\n\"
+\"----------\\n\"
+\"binding : str\\n\"
+\" A DCE/RPC binding string (for example: ncacn_ip_tcp:127.0.0.1)\\n\"
+\"lp_ctx : param.LoadParm\\n\"
+\" Should be a path to a smb.conf file or a param.LoadParm object\\n\"
+\"credentials : credentials.Credentials, optional\\n\"
+\" A credentials.Credentials object (default is None).\\n\"
+\"basis_connection : samba.dcerpc.ClientConnection, optional\\n\"
+\" A $interface->{NAME} client connection object (default is None).\\n\"
+\"\\n\\n\"
+\"Returns\\n\"
+\"-------\\n\"
+\"samba.dcerpc.ClientConnection\\n\"
+\" A ClientConnection object\\n\"
+\"\\n\\n\"
+\"Raises\\n\"
+\"------\\n\"
+\"samba.NTSTATUSError\\n\"
+\" An NTSTATUS error\\n\"
+\"\\n\"";
+
my $docstring = $self->DocString($interface,
$interface->{NAME});
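Review bot: The generated docstring types `lp_ctx` as `param.LoadParm` only, while its own description accepts a path to smb.conf and the signature gives it a default of None; `lp_ctx : str or param.LoadParm, optional` would match both. The `basis_connection` entry names only the object type, although going by the commit subject it decides which transport the new connection is bound on. Add a sentence such as `The new connection is opened on the transport of this existing connection.`, and state whether `credentials` still applies to that secondary connection. `sub Interface` continues outside the hunk.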
diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py
index 043e65f3341..506dc399c93 100644
--- a/python/samba/lsa_utils.py
+++ b/python/samba/lsa_utils.py
@@ -20,24 +20,27 @@ from samba.dcerpc import lsa, drsblobs, misc
from samba.ndr import ndr_pack
from samba import (
NTSTATUSError,
+ ntstatus,
aead_aes_256_cbc_hmac_sha512,
arcfour_encrypt,
)
-from samba.ntstatus import (
- NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
-)
from samba import crypto
from secrets import token_bytes
+# FIXME from collections.abc import Callable
def OpenPolicyFallback(
- conn: lsa.lsarpc,
+ # new_lsa_conn: Callable[[], lsa.lsarpc], - FIXME the type doesn't work
+ # with python version 3.6 (CentOS8, SLES15).
+ new_lsa_conn,
system_name: str,
in_version: int,
in_revision_info: lsa.revision_info1,
- sec_qos: bool = False,
- access_mask: int = 0,
+ sec_qos: bool,
+ access_mask: int,
):
+ conn = new_lsa_conn()
+
attr = lsa.ObjectAttribute()
if sec_qos:
qos = lsa.QosInfo()
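Review bot: `OpenPolicyFallback()` now takes a connection factory but has no docstring describing the contract that callers must meet. `new_lsa_conn` is called once with no arguments and, on the ACCESS_DENIED path in the next hunk, again as `new_lsa_conn(basis_connection=conn)`, so any callable passed in has to accept that keyword. The return value grows to `(conn, out_version, out_rev_info, policy)`, and the caller must use the returned `conn` because it may not be the first connection that was opened. A short docstring covering those two points would do; the function body continues past this hunk.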
@@ -48,26 +51,38 @@ def OpenPolicyFallback(
attr.sec_qos = qos
- try:
- out_version, out_rev_info, policy = conn.OpenPolicy3(
- system_name,
- attr,
- access_mask,
- in_version,
- in_revision_info
- )
- except NTSTATUSError as e:
- if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE:
- out_version = 1
- out_rev_info = lsa.revision_info1()
- out_rev_info.revision = 1
- out_rev_info.supported_features = 0
-
- policy = conn.OpenPolicy2(system_name, attr, access_mask)
- else:
- raise
-
- return out_version, out_rev_info, policy
+ open_policy2 = False
+ if in_revision_info is not None:
+ try:
+ out_version, out_rev_info, policy = conn.OpenPolicy3(
+ system_name,
+ attr,
+ access_mask,
+ in_version,
+ in_revision_info
+ )
+ except NTSTATUSError as e:
+ if e.args[0] == ntstatus.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE:
+ open_policy2 = True
+ if e.args[0] == ntstatus.NT_STATUS_ACCESS_DENIED:
+ # We need a new connection
+ conn = new_lsa_conn(basis_connection=conn)
+
+ open_policy2 = True
+ else:
+ raise
+ else:
+ open_policy2 = True
+
+ if open_policy2:
+ out_version = 1
+ out_rev_info = lsa.revision_info1()
+ out_rev_info.revision = 1
+ out_rev_info.supported_features = 0
+
+ policy = conn.OpenPolicy2(system_name, attr, access_mask)
+
+ return conn, out_version, out_rev_info, policy
def CreateTrustedDomainRelax(
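Review bot: In the `except NTSTATUSError` handler the ACCESS_DENIED test is a second `if` rather than an `elif`, so as written its `else: raise` also runs for NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE right after `open_policy2 = True` was set, and the OpenPolicy2 fallback for that status is never reached. Indentation is lost in this view, so confirm against the file, but `elif e.args[0] == ntstatus.NT_STATUS_ACCESS_DENIED:` is what the flow needs. Separately, both fallback paths return `supported_features = 0` with no trace, so a caller cannot tell a server that lacks OpenPolicy3 from one that refused it. A debug message on the ACCESS_DENIED path would make that downgrade visible.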
diff --git a/python/samba/netcmd/domain/trust.py
b/python/samba/netcmd/domain/trust.py
index 0784fa5e282..f3d75f84137 100644
--- a/python/samba/netcmd/domain/trust.py
+++ b/python/samba/netcmd/domain/trust.py
@@ -125,8 +125,13 @@ class DomainTrustCommand(Command):
self.local_creds = local_creds
return self.local_server
- def new_local_lsa_connection(self):
- return lsa.lsarpc(self.local_binding_string, self.local_lp,
self.local_creds)
+ def new_local_lsa_connection(self, basis_connection=None):
+ return lsa.lsarpc(
+ self.local_binding_string,
+ self.local_lp,
+ self.local_creds,
+ basis_connection=basis_connection
+ )
def new_local_netlogon_connection(self):
return netlogon.netlogon(self.local_binding_string, self.local_lp,
self.local_creds)
@@ -203,13 +208,23 @@ class DomainTrustCommand(Command):
self.remote_creds = remote_creds
return self.remote_server
- def new_remote_lsa_connection(self):
- return lsa.lsarpc(self.remote_binding_string, self.local_lp,
self.remote_creds)
+ def new_remote_lsa_connection(self, basis_connection=None):
+ return lsa.lsarpc(
+ self.remote_binding_string,
+ self.local_lp,
+ self.remote_creds,
+ basis_connection=basis_connection
+ )
- def new_remote_netlogon_connection(self):
- return netlogon.netlogon(self.remote_binding_string, self.local_lp,
self.remote_creds)
+ def new_remote_netlogon_connection(self, basis_connection=None):
+ return netlogon.netlogon(
+ self.remote_binding_string,
+ self.local_lp,
+ self.remote_creds,
+ basis_connection=basis_connection
+ )
- def get_lsa_info(self, conn, policy_access):
+ def get_lsa_info(self, conn_fn, policy_access):
in_version = 1
in_revision_info1 = lsa.revision_info1()
in_revision_info1.revision = 1
@@ -217,17 +232,18 @@ class DomainTrustCommand(Command):
lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER
)
- out_version, out_revision_info1, policy = OpenPolicyFallback(
- conn,
- b''.decode('utf-8'),
+ conn, out_version, out_revision_info1, policy = OpenPolicyFallback(
+ conn_fn,
+ '',
in_version,
in_revision_info1,
+ False,
policy_access
)
info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS)
- return (policy, out_version, out_revision_info1, info)
+ return (conn, policy, out_version, out_revision_info1, info)
def get_netlogon_dc_unc(self, conn, server, domain):
try:
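Review bot: The bare `False` in the `OpenPolicyFallback(...)` call is hard to read now that `sec_qos` and `access_mask` have no defaults. Passing them by keyword, `sec_qos=False,` and `access_mask=policy_access`, keeps the call self-describing and guards against an argument-order slip. `get_lsa_info()` also changed its first parameter to a factory (`conn_fn`) and its return to a 5-tuple led by `conn`; a one-line docstring saying so would help the callers in the later hunks. The method's `def` line is in the previous hunk.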
@@ -507,19 +523,15 @@ class cmd_domain_trust_show(DomainTrustCommand):
def run(self, domain, sambaopts=None, versionopts=None, localdcopts=None):
self.setup_local_server(sambaopts, localdcopts)
- try:
- local_lsa = self.new_local_lsa_connection()
- except RuntimeError as error:
- raise self.LocalRuntimeError(self, error, "failed to connect lsa
server")
-
try:
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
(
+ local_lsa,
local_policy,
local_version,
local_revision_info1,
local_lsa_info
- ) = self.get_lsa_info(local_lsa, local_policy_access)
+ ) = self.get_lsa_info(self.new_local_lsa_connection,
local_policy_access)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "failed to query
LSA_POLICY_INFO_DNS")
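Review bot: With the separate `try` around `new_local_lsa_connection()` removed, the connection is now opened inside `get_lsa_info()`, so a connect failure raised as RuntimeError (the type the removed handler caught) is reported as "failed to query LSA_POLICY_INFO_DNS". That points the operator at the wrong step when diagnosing a failed trust operation. A message that covers both steps, for example `"failed to connect to lsa server or query LSA_POLICY_INFO_DNS"`, would keep the diagnostic accurate. The same applies to the `cmd_domain_trust_modify` hunk at -648; `run()` continues outside this hunk.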
@@ -648,19 +660,16 @@ class cmd_domain_trust_modify(DomainTrustCommand):
raise CommandError("modification arguments are required, try
--help")
self.setup_local_server(sambaopts, localdcopts)
- try:
- local_lsa = self.new_local_lsa_connection()
- except RuntimeError as error:
- raise self.LocalRuntimeError(self, error, "failed to connect to
lsa server")
try:
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
(
+ local_lsa,
local_policy,
local_version,
local_revision_info1,
local_lsa_info
- ) = self.get_lsa_info(local_lsa, local_policy_access)
+ ) = self.get_lsa_info(self.new_local_lsa_connection,
local_policy_access)
except RuntimeError as error:
--
Samba Shared Repository