summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2012-09-26 19:47:56 +0200
committerJelmer Vernooij <jelmer@samba.org>2012-09-26 22:12:07 +0200
commit90b1a94cb436d872148742eec1af56ba7c6dc9ef (patch)
tree958becb6d7b6fca31a78b7c5d2e6b1c35824db43
parent5022b3d8c183181b922e3ccac49e5819eb453035 (diff)
downloadsamba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.tar.gz
samba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.tar.bz2
samba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.zip
netlogon: Per MS-NRPC, don't send unknown workstation flags back to the
client.
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c3
-rw-r--r--source4/torture/rpc/netlogon.c28
2 files changed, 27 insertions, 4 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 309601e9da..633687fd9d 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1685,7 +1685,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
}
domain_info->workstation_flags =
- r->in.query->workstation_info->workstation_flags;
+ r->in.query->workstation_info->workstation_flags & (
+ NETR_WS_FLAG_HANDLES_SPN_UPDATE | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS);
r->out.info->domain_info = domain_info;
break;
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index f1d605c674..d217db20c8 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -3209,7 +3209,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
NULL,
cmdline_credentials,
0);
-
+
torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
}
@@ -3581,13 +3581,35 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
old_dnsname,
"'DNS hostname' changed!");
+ torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (extra workstation flags)\n");
+ netlogon_creds_client_authenticator(creds, &a);
+
+ q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
+ | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | 0x4;
+
+ /* Put the DNS hostname back */
+ talloc_free(discard_const_p(char, q1.dns_hostname));
+ q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
+ lpcfg_dnsdomain(tctx->lp_ctx));
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
+ "LogonGetDomainInfo failed");
+ torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
+
+ /* Checks "workstation flags" */
+ torture_assert(tctx,
+ info.domain_info->workstation_flags
+ == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
+ | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
+ "Out 'workstation flags' don't match!");
if (!torture_setting_bool(tctx, "dangerous", false)) {
- torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 7th call (no workstation info) - enable dangerous tests in order to do so\n");
+ torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 8th call (no workstation info) - enable dangerous tests in order to do so\n");
} else {
/* Try a call without the workstation information structure */
- torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (no workstation info)\n");
+ torture_comment(tctx, "Testing netr_LogonGetDomainInfo 8th call (no workstation info)\n");
netlogon_creds_client_authenticator(creds, &a);
query.workstation_info = NULL;