authorAndrew Bartlett <abartlet@samba.org>2005-01-12 02:40:25 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:08:44 -0500
commitc0571f623406ca33a4d5ce616c743479335eeba0 (patch)
treedc05f1e9787a52a96dfdedcc2727ad8d5bf9ab8d
parent9eaf1b45c0514dd9772059b460a99922c691de9a (diff)
r4698: - Initial implementation of trusted domains in LSA.
- Use templates for Secrets and the new trusted domains - Auto-add modifiedTime, createdTime and objectGUID to records in the samdb layer. Andrew Bartlett (This used to be commit 271c8faadfe2d9e0f3d523a1cdc831f5f9e35d19)
-rw-r--r--source4/dsdb/samdb/samdb.c22
-rw-r--r--source4/librpc/idl/lsa.idl2
-rw-r--r--source4/provision.ldif18
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c520
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c42
-rw-r--r--source4/torture/rpc/lsa.c6
6 files changed, 423 insertions, 187 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 0f72f2a1d6..81ce05d9fe 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -23,12 +23,13 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "lib/ldb/include/ldb.h"
+#include "system/time.h"
/*
connect to the SAM database
return an opaque context pointer on success, or NULL on failure
*/
-void *samdb_connect(TALLOC_CTX *mem_ctx)
+struct ldb_wrap *samdb_connect(TALLOC_CTX *mem_ctx)
{
return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
}
@@ -604,7 +605,9 @@ int samdb_copy_template(struct ldb_wrap *sam_ctx, TALLOC_CTX *mem_ctx,
strcasecmp((char *)el->values[j].data, "userTemplate") == 0 ||
strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 ||
strcasecmp((char *)el->values[j].data, "foreignSecurityTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0)) {
+ strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 ||
+ strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 ||
+ strcasecmp((char *)el->values[j].data, "secretTemplate") == 0)) {
continue;
}
samdb_msg_add_string(sam_ctx, mem_ctx, msg, el->name,
@@ -919,6 +922,19 @@ int samdb_msg_set_ldaptime(struct ldb_wrap *sam_ctx, TALLOC_CTX *mem_ctx, struct
*/
int samdb_add(struct ldb_wrap *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
{
+ struct GUID guid;
+ const char *guidstr;
+ time_t now = time(NULL);
+ /* a new GUID */
+ guid = GUID_random();
+ guidstr = GUID_string(mem_ctx, &guid);
+ if (!guidstr) {
+ return -1;
+ }
+
+ samdb_msg_add_string(sam_ctx, mem_ctx, msg, "objectGUID", guidstr);
+ samdb_msg_set_ldaptime(sam_ctx, mem_ctx, msg, "whenCreated", now);
+ samdb_msg_set_ldaptime(sam_ctx, mem_ctx, msg, "whenChanged", now);
return ldb_add(sam_ctx->ldb, msg);
}
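Review bot: The return values of the samdb_msg_add_string and two samdb_msg_set_ldaptime calls added to samdb_add are discarded, so an allocation failure inside them lets the record reach ldb_add without its objectGUID or timestamps, even though the GUID_string failure just above is reported with -1. Assuming those helpers follow the 0-on-success convention samdb_add itself uses, each call should be checked the same way, e.g. `if (samdb_msg_add_string(sam_ctx, mem_ctx, msg, "objectGUID", guidstr) != 0) return -1;` and likewise for the whenCreated and whenChanged calls; the samdb_modify hunk below has the same unchecked samdb_msg_set_ldaptime. Because these attributes are now added unconditionally, any caller that still supplies its own objectGUID would end up with two values for that attribute; the samr callers in this commit were cleaned up, but other callers are not visible here, so a comment on samdb_add stating that callers must not add objectGUID/whenCreated/whenChanged themselves would help.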
@@ -935,6 +951,8 @@ int samdb_delete(struct ldb_wrap *sam_ctx, TALLOC_CTX *mem_ctx, const char *dn)
*/
int samdb_modify(struct ldb_wrap *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
{
+ time_t now = time(NULL);
+ samdb_msg_set_ldaptime(sam_ctx, mem_ctx, msg, "whenChanged", now);
return ldb_modify(sam_ctx->ldb, msg);
}
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 4906947ada..8aeb40b3bc 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -263,7 +263,7 @@
[in,ref] policy_handle *handle,
[in,ref] lsa_TrustInformation *info,
[in] uint32 access_mask,
- [out,ref] policy_handle *dom_handle
+ [out,ref] policy_handle *trustdom_handle
);
diff --git a/source4/provision.ldif b/source4/provision.ldif
index c160972b5d..c583aa0f97 100644
--- a/source4/provision.ldif
+++ b/source4/provision.ldif
@@ -960,3 +960,21 @@ objectClass: Template
objectClass: foreignSecurityPrincipalTemplate
cn: TemplateForeignSecurityPrincipal
name: TemplateForeignSecurityPrincipal
+
+dn: CN=TemplateSecret,CN=Templates,${BASEDN}
+objectClass: top
+objectClass: leaf
+objectClass: Template
+objectClass: secretTemplate
+cn: TemplateSecret
+name: TemplateSecret
+instanceType: 4
+
+dn: CN=TemplateTrustedDomain,CN=Templates,${BASEDN}
+objectClass: top
+objectClass: leaf
+objectClass: Template
+objectClass: trustedDomainTemplate
+cn: TemplateTrustedDomain
+name: TemplateTrustedDomain
+instanceType: 4
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index bdb2e3d4c9..2ea4d8aa25 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -36,7 +36,8 @@
enum lsa_handle {
LSA_HANDLE_POLICY,
LSA_HANDLE_ACCOUNT,
- LSA_HANDLE_SECRET
+ LSA_HANDLE_SECRET,
+ LSA_HANDLE_TRUSTED_DOMAIN
};
/*
@@ -79,6 +80,15 @@ struct lsa_secret_state {
BOOL global;
};
+/*
+ state associated with a lsa_OpenTrustedDomain() operation
+*/
+struct lsa_trusted_domain_state {
+ struct lsa_policy_state *policy;
+ uint32_t access_mask;
+ const char *trusted_domain_dn;
+};
+
/*
lsa_Close
*/
@@ -118,6 +128,16 @@ static NTSTATUS lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_c
}
return NT_STATUS_OK;
+ } else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
+ struct lsa_trusted_domain_state *trusted_domain_state = h->data;
+ ret = samdb_delete(trusted_domain_state->policy->sam_ctx, mem_ctx,
+ trusted_domain_state->trusted_domain_dn);
+ talloc_free(h);
+ if (ret != 0) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ return NT_STATUS_OK;
}
return NT_STATUS_INVALID_HANDLE;
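Review bot: The new trusted-domain branch deletes the record without consulting trusted_domain_state->access_mask, which lsa_CreateTrustedDomain, lsa_OpenTrustedDomain and lsa_OpenTrustedDomainByName store from r->in.access_mask but which nothing in this diff ever reads, so any handle on the trust suffices to remove it; if the intended access control happens at handle-open time, that is not visible here and a comment saying so would make the contract explicit. Mapping every samdb_delete failure to NT_STATUS_INVALID_HANDLE after the handle has already been freed also conflates a database error with a bad handle, which makes the failure hard to diagnose from the client side; a status that distinguishes the two would be more truthful. lsa_Delete begins before this hunk.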
@@ -520,12 +540,347 @@ static NTSTATUS lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX
}
+/*
+ lsa_CreateTrustedDomainEx2
+*/
+static NTSTATUS lsa_CreateTrustedDomainEx2(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_CreateTrustedDomainEx2 *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+/*
+ lsa_CreateTrustedDomainEx
+*/
+static NTSTATUS lsa_CreateTrustedDomainEx(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_CreateTrustedDomainEx *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
/*
lsa_CreateTrustedDomain
*/
static NTSTATUS lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct lsa_CreateTrustedDomain *r)
{
+ struct dcesrv_handle *policy_handle;
+ struct lsa_policy_state *policy_state;
+ struct lsa_trusted_domain_state *trusted_domain_state;
+ struct dcesrv_handle *handle;
+ struct ldb_message **msgs, *msg;
+ const char *attrs[] = {
+ NULL
+ };
+ const char *name;
+ int ret;
+
+ DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
+ ZERO_STRUCTP(r->out.trustdom_handle);
+
+ policy_state = policy_handle->data;
+
+ if (!r->in.info->name.string) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ name = r->in.info->name.string;
+
+ trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+ if (!trusted_domain_state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ trusted_domain_state->policy = policy_state;
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* search for the trusted_domain record */
+ ret = samdb_search(trusted_domain_state->policy->sam_ctx,
+ mem_ctx, policy_state->system_dn, &msgs, attrs,
+ "(&(cn=%s)(objectclass=trustedDomain))",
+ r->in.info->name.string);
+ if (ret > 0) {
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+
+ if (ret < 0 || ret > 1) {
+ DEBUG(0,("Found %d records matching DN %s\n", ret, policy_state->system_dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ msg->dn = talloc_asprintf(mem_ctx, "cn=%s,%s", r->in.info->name.string,
+ policy_state->system_dn);
+ if (!msg->dn) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ samdb_msg_add_string(trusted_domain_state->policy->sam_ctx, mem_ctx, msg, "cn", name);
+ samdb_msg_add_string(trusted_domain_state->policy->sam_ctx, mem_ctx, msg, "flatname", name);
+
+ if (r->in.info->sid) {
+ const char *sid_string = dom_sid_string(mem_ctx, r->in.info->sid);
+ if (!sid_string) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ samdb_msg_add_string(trusted_domain_state->policy->sam_ctx, mem_ctx, msg, "securityIdentifier", name);
+ }
+
+ /* pull in all the template attributes. Note this is always from the global samdb */
+ ret = samdb_copy_template(trusted_domain_state->policy->sam_ctx, mem_ctx, msg,
+ "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
+ if (ret != 0) {
+ DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ samdb_msg_add_string(trusted_domain_state->policy->sam_ctx, mem_ctx, msg, "objectClass", "trustedDomain");
+
+ trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
+
+ /* create the trusted_domain */
+ ret = samdb_add(trusted_domain_state->policy->sam_ctx, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(0,("Failed to create trusted_domain record %s\n", msg->dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
+ if (!handle) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ handle->data = talloc_steal(handle, trusted_domain_state);
+
+ trusted_domain_state->access_mask = r->in.access_mask;
+ trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
+
+ *r->out.trustdom_handle = handle->wire_handle;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ lsa_OpenTrustedDomain
+*/
+static NTSTATUS lsa_OpenTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_OpenTrustedDomain *r)
+{
+ struct dcesrv_handle *policy_handle;
+
+ struct lsa_policy_state *policy_state;
+ struct lsa_trusted_domain_state *trusted_domain_state;
+ struct dcesrv_handle *handle;
+ struct ldb_message **msgs;
+ const char *attrs[] = {
+ NULL
+ };
+
+ const char *sid_string;
+ int ret;
+
+ DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
+ ZERO_STRUCTP(r->out.trustdom_handle);
+ policy_state = policy_handle->data;
+
+ trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+ if (!trusted_domain_state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ trusted_domain_state->policy = policy_state;
+
+ sid_string = dom_sid_string(mem_ctx, r->in.sid);
+ if (!sid_string) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* search for the trusted_domain record */
+ ret = samdb_search(trusted_domain_state->policy->sam_ctx,
+ mem_ctx, policy_state->system_dn, &msgs, attrs,
+ "(&(securityIdentifier=%s)(objectclass=trustedDomain))",
+ sid_string);
+ if (ret == 0) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (ret != 1) {
+ DEBUG(0,("Found %d records matching DN %s\n", ret, policy_state->system_dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msgs[0]->dn);
+
+ handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
+ if (!handle) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ handle->data = talloc_steal(handle, trusted_domain_state);
+
+ trusted_domain_state->access_mask = r->in.access_mask;
+ trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
+
+ *r->out.trustdom_handle = handle->wire_handle;
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ lsa_OpenTrustedDomainByName
+*/
+static NTSTATUS lsa_OpenTrustedDomainByName(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_OpenTrustedDomainByName *r)
+{
+ struct dcesrv_handle *policy_handle;
+
+ struct lsa_policy_state *policy_state;
+ struct lsa_trusted_domain_state *trusted_domain_state;
+ struct dcesrv_handle *handle;
+ struct ldb_message **msgs;
+ const char *attrs[] = {
+ NULL
+ };
+
+ int ret;
+
+ DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
+ ZERO_STRUCTP(r->out.trustdom_handle);
+ policy_state = policy_handle->data;
+
+ if (!r->in.name.string) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+ if (!trusted_domain_state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* search for the trusted_domain record */
+ ret = samdb_search(trusted_domain_state->policy->sam_ctx,
+ mem_ctx, policy_state->system_dn, &msgs, attrs,
+ "(&(cn=%s)(objectclass=trustedDomain))",
+ r->in.name.string);
+ if (ret == 0) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (ret != 1) {
+ DEBUG(0,("Found %d records matching DN %s\n", ret, policy_state->system_dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msgs[0]->dn);
+
+ handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
+ if (!handle) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ handle->data = talloc_steal(handle, trusted_domain_state);
+
+ trusted_domain_state->access_mask = r->in.access_mask;
+ trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
+
+ *r->out.trustdom_handle = handle->wire_handle;
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ lsa_QueryTrustedDomainInfoBySid
+*/
+static NTSTATUS lsa_QueryTrustedDomainInfoBySid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_QueryTrustedDomainInfoBySid *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+
+/*
+ lsa_SetTrustDomainInfo
+*/
+static NTSTATUS lsa_SetTrustDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_SetTrustDomainInfo *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+
+/*
+ lsa_DeleteTrustDomain
+*/
+static NTSTATUS lsa_DeleteTrustDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_DeleteTrustDomain *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+
+/*
+ lsa_QueryTrustedDomainInfo
+*/
+static NTSTATUS lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_QueryTrustedDomainInfo *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+
+/*
+ lsa_SetInformationTrustedDomain
+*/
+static NTSTATUS lsa_SetInformationTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_SetInformationTrustedDomain *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+
+/*
+ lsa_QueryTrustedDomainInfoByName
+*/
+static NTSTATUS lsa_QueryTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_QueryTrustedDomainInfoByName *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+/*
+ lsa_SetTrustedDomainInfoByName
+*/
+static NTSTATUS lsa_SetTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_SetTrustedDomainInfoByName *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+/*
+ lsa_EnumTrustedDomainsEx
+*/
+static NTSTATUS lsa_EnumTrustedDomainsEx(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_EnumTrustedDomainsEx *r)
+{
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+}
+
+/*
+ lsa_CloseTrustedDomainEx
+*/
+static NTSTATUS lsa_CloseTrustedDomainEx(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_CloseTrustedDomainEx *r)
+{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
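Review bot: In lsa_CreateTrustedDomain the securityIdentifier attribute is written with `name` rather than the `sid_string` computed two lines earlier, so the SID is never stored and lsa_OpenTrustedDomain's search on securityIdentifier cannot find records created here; the line should read `samdb_msg_add_string(trusted_domain_state->policy->sam_ctx, mem_ctx, msg, "securityIdentifier", sid_string);`. In lsa_OpenTrustedDomainByName the state is allocated with talloc(), which does not zero memory, and trusted_domain_state->policy is dereferenced in the samdb_search call before it is ever assigned; add `trusted_domain_state->policy = policy_state;` right after the allocation, as lsa_OpenTrustedDomain does. The trust name and SID taken from the request are interpolated into the LDAP filter and into the new DN without escaping; unless samdb_search and the DN layer escape their arguments (not visible here), a name containing filter or DN metacharacters changes the query, so validating the name before building the filter and DN is advisable. Minor: the `ret > 1` part of the second check after the collision search is unreachable because `ret > 0` has already returned, and trusted_domain_state->policy is assigned once as a plain pointer and again later via talloc_reference.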
@@ -990,7 +1345,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
const struct lsa_RightSet *rights)
{
const char *sidstr;
- struct ldb_message msg;
+ struct ldb_message *msg;
struct ldb_message_element el;
int i, ret;
const char *dn;
@@ -1001,21 +1356,23 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
return NT_STATUS_NO_MEMORY;
}
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
dn = samdb_search_string(state->sam_ctx, mem_ctx, NULL, "dn",
"objectSid=%s", sidstr);
if (dn == NULL) {
return NT_STATUS_NO_SUCH_USER;
}
- msg.dn = talloc_strdup(mem_ctx, dn);
- if (msg.dn == NULL) {
+ msg->dn = talloc_strdup(mem_ctx, dn);
+ if (msg->dn == NULL) {
return NT_STATUS_NO_MEMORY;
}
- msg.num_elements = 1;
- msg.elements = &el;
- el.flags = ldb_flag;
- el.name = talloc_strdup(mem_ctx, "privilege");
- if (el.name == NULL) {
+
+ if (ldb_msg_add_empty(state->sam_ctx->ldb, msg, "privilege", ldb_flag)) {
return NT_STATUS_NO_MEMORY;
}
@@ -1066,7 +1423,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
return NT_STATUS_OK;
}
- ret = samdb_modify(state->sam_ctx, mem_ctx, &msg);
+ ret = samdb_modify(state->sam_ctx, mem_ctx, msg);
if (ret != 0) {
if (ldb_flag == LDB_FLAG_MOD_DELETE) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -1217,36 +1574,6 @@ static NTSTATUS lsa_SetSystemAccessAccount(struct dcesrv_call_state *dce_call, T
/*
- lsa_OpenTrustedDomain
-*/
-static NTSTATUS lsa_OpenTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_OpenTrustedDomain *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
- lsa_QueryTrustedDomainInfo
-*/
-static NTSTATUS lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_QueryTrustedDomainInfo *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
- lsa_SetInformationTrustedDomain
-*/
-static NTSTATUS lsa_SetInformationTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_SetInformationTrustedDomain *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
lsa_CreateSecret
*/
static NTSTATUS lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1278,6 +1605,7 @@ static NTSTATUS lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX
if (!secret_state) {
return NT_STATUS_NO_MEMORY;
}
+ secret_state->policy = policy_state;
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
@@ -1342,6 +1670,15 @@ static NTSTATUS lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX
msg->dn = talloc_asprintf(mem_ctx, "cn=%s,cn=LSA Secrets", name);
samdb_msg_add_string(secret_state->sam_ctx, mem_ctx, msg, "cn", name);
}
+
+ /* pull in all the template attributes. Note this is always from the global samdb */
+ ret = samdb_copy_template(secret_state->policy->sam_ctx, mem_ctx, msg,
+ "(&(name=TemplateSecret)(objectclass=secretTemplate))");
+ if (ret != 0) {
+ DEBUG(0,("Failed to load TemplateSecret from samdb\n"));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
samdb_msg_add_string(secret_state->sam_ctx, mem_ctx, msg, "objectClass", "secret");
secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
@@ -1401,6 +1738,7 @@ static NTSTATUS lsa_OpenSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
if (!secret_state) {
return NT_STATUS_NO_MEMORY;
}
+ secret_state->policy = policy_state;
if (strncmp("G$", r->in.name.string, 2) == 0) {
name = &r->in.name.string[2];
@@ -1953,36 +2291,6 @@ static NTSTATUS lsa_RemoveAccountRights(struct dcesrv_call_state *dce_call,
/*
- lsa_QueryTrustedDomainInfoBySid
-*/
-static NTSTATUS lsa_QueryTrustedDomainInfoBySid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_QueryTrustedDomainInfoBySid *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
- lsa_SetTrustDomainInfo
-*/
-static NTSTATUS lsa_SetTrustDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_SetTrustDomainInfo *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
- lsa_DeleteTrustDomain
-*/
-static NTSTATUS lsa_DeleteTrustDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_DeleteTrustDomain *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/*
lsa_StorePrivateData
*/
static NTSTATUS lsa_StorePrivateData(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2068,56 +2376,6 @@ static NTSTATUS lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
}
/*
- lsa_QueryTrustedDomainInfoByName
-*/
-static NTSTATUS lsa_QueryTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_QueryTrustedDomainInfoByName *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
- lsa_SetTrustedDomainInfoByName
-*/
-static NTSTATUS lsa_SetTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_SetTrustedDomainInfoByName *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
- lsa_EnumTrustedDomainsEx
-*/
-static NTSTATUS lsa_EnumTrustedDomainsEx(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_EnumTrustedDomainsEx *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
- lsa_CreateTrustedDomainEx
-*/
-static NTSTATUS lsa_CreateTrustedDomainEx(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_CreateTrustedDomainEx *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
- lsa_CloseTrustedDomainEx
-*/
-static NTSTATUS lsa_CloseTrustedDomainEx(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_CloseTrustedDomainEx *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
lsa_QueryDomainInformationPolicy
*/
static NTSTATUS lsa_QueryDomainInformationPolicy(struct dcesrv_call_state *dce_call,
@@ -2138,16 +2396,6 @@ static NTSTATUS lsa_SetDomInfoPolicy(struct dcesrv_call_state *dce_call,
}
/*
- lsa_OpenTrustedDomainByName
-*/
-static NTSTATUS lsa_OpenTrustedDomainByName(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_OpenTrustedDomainByName *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-/*
lsa_TestCall
*/
static NTSTATUS lsa_TestCall(struct dcesrv_call_state *dce_call,
@@ -2395,18 +2643,6 @@ static NTSTATUS lsa_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return status;
}
-
-
-/*
- lsa_CreateTrustedDomainEx2
-*/
-static NTSTATUS lsa_CreateTrustedDomainEx2(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_CreateTrustedDomainEx2 *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
/*
lsa_CREDRWRITE
*/
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index a98fe5ae06..7cbe63056a 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -468,9 +468,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
const char *name;
struct ldb_message *msg;
uint32_t rid;
- const char *groupname, *sidstr, *guidstr;
- struct GUID guid;
- time_t now = time(NULL);
+ const char *groupname, *sidstr;
struct dcesrv_handle *g_handle;
int ret;
NTSTATUS status;
@@ -523,13 +521,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
return NT_STATUS_NO_MEMORY;
}
- /* a new GUID */
- guid = GUID_random();
- guidstr = GUID_string(mem_ctx, &guid);
- if (!guidstr) {
- return NT_STATUS_NO_MEMORY;
- }
-
/* add core elements to the ldb_message for the user */
msg->dn = talloc_asprintf(mem_ctx, "CN=%s,CN=Users,%s", groupname,
d_state->domain_dn);
@@ -541,9 +532,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName", groupname);
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", "group");
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectSid", sidstr);
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectGUID", guidstr);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenCreated", now);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenChanged", now);
/* create the group */
ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
@@ -703,9 +691,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
const char *name;
struct ldb_message *msg;
uint32_t rid;
- const char *account_name, *sidstr, *guidstr;
- struct GUID guid;
- time_t now = time(NULL);
+ const char *account_name, *sidstr;
struct dcesrv_handle *u_handle;
int ret;
NTSTATUS status;
@@ -803,13 +789,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
return NT_STATUS_NO_MEMORY;
}
- /* a new GUID */
- guid = GUID_random();
- guidstr = GUID_string(mem_ctx, &guid);
- if (!guidstr) {
- return NT_STATUS_NO_MEMORY;
- }
-
/* add core elements to the ldb_message for the user */
msg->dn = talloc_asprintf(mem_ctx, "CN=%s,CN=%s,%s", account_name, container, d_state->domain_dn);
if (!msg->dn) {
@@ -823,9 +802,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", additional_class);
}
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectSid", sidstr);
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectGUID", guidstr);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenCreated", now);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenChanged", now);
/* create the user */
ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
@@ -973,9 +949,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *aliasname, *name, *sidstr, *guidstr;
- struct GUID guid;
- time_t now = time(NULL);
+ const char *aliasname, *name, *sidstr;
struct ldb_message *msg;
uint32_t rid;
struct dcesrv_handle *a_handle;
@@ -1032,13 +1006,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
return NT_STATUS_NO_MEMORY;
}
- /* a new GUID */
- guid = GUID_random();
- guidstr = GUID_string(mem_ctx, &guid);
- if (!guidstr) {
- return NT_STATUS_NO_MEMORY;
- }
-
/* add core elements to the ldb_message for the alias */
msg->dn = talloc_asprintf(mem_ctx, "CN=%s,CN=Users,%s", aliasname,
d_state->domain_dn);
@@ -1051,9 +1018,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName", aliasname);
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", "group");
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectSid", sidstr);
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectGUID", guidstr);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenCreated", now);
- samdb_msg_set_ldaptime(d_state->sam_ctx, mem_ctx, msg, "whenChanged", now);
/* create the alias */
ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index c5b74c8674..98de8df78c 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -639,7 +639,7 @@ static BOOL test_CreateTrustedDomain(struct dcerpc_pipe *p,
struct lsa_CreateTrustedDomain r;
struct lsa_TrustInformation trustinfo;
struct dom_sid *domsid;
- struct policy_handle dom_handle;
+ struct policy_handle trustdom_handle;
printf("Testing CreateTrustedDomain\n");
@@ -651,7 +651,7 @@ static BOOL test_CreateTrustedDomain(struct dcerpc_pipe *p,
r.in.handle = handle;
r.in.info = &trustinfo;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- r.out.dom_handle = &dom_handle;
+ r.out.trustdom_handle = &trustdom_handle;
status = dcerpc_lsa_CreateTrustedDomain(p, mem_ctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
@@ -663,7 +663,7 @@ static BOOL test_CreateTrustedDomain(struct dcerpc_pipe *p,
return False;
}
- if (!test_Delete(p, mem_ctx, &dom_handle)) {
+ if (!test_Delete(p, mem_ctx, &trustdom_handle)) {
return False;
}