authorAndrew Bartlett <abartlet@samba.org>2004-11-22 08:47:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:03 -0500
commitbe7a3e3ce0c5b7623c67dcbb8ca20dae438d09af (patch)
treed4c701801706fb512f9d413938ab93f99978a5b7
parentaae697b9246a6688155895e6c666fda2f10d67f5 (diff)
r3904: * Add new LSA calls to open trusted domains
* Add new tests for ACCOUNTs in SamSync * Clean up names in NETLOGON and LSA * Verify Security Descriptors against LSA, as well as SamR Andrew Bartlett (This used to be commit 7094502fe0346255a89667f702289b4c8dc9fa08)
-rw-r--r--source4/librpc/idl/lsa.idl20
-rw-r--r--source4/librpc/idl/netlogon.idl14
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c4
-rw-r--r--source4/torture/rpc/lsa.c68
-rw-r--r--source4/torture/rpc/samlogon.c2
5 files changed, 88 insertions, 20 deletions
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 225979da18..f84addf150 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -56,10 +56,10 @@
/******************/
/* Function: 0x03 */
- NTSTATUS lsa_QuerySecObj (
+ NTSTATUS lsa_QuerySecurity (
[in,ref] policy_handle *handle,
[in] uint32 sec_info,
- [out] sec_desc_buf *sd
+ [out] sec_desc_buf *sdbuf
);
@@ -396,8 +396,15 @@
NTSTATUS lsa_GetSystemAccessAccount();
/* Function: 0x18 */
NTSTATUS lsa_SetSystemAccessAccount();
+
/* Function: 0x19 */
- NTSTATUS lsa_OpenTrustedDomain();
+ NTSTATUS lsa_OpenTrustedDomain(
+ [in,ref] policy_handle *handle,
+ [in,ref] dom_sid2 *sid,
+ [in] uint32 access_mask,
+ [out,ref] policy_handle *trustdom_handle
+ );
+
/* Function: 0x1a */
NTSTATUS lsa_QueryInfoTrustedDomain();
/* Function: 0x1b */
@@ -566,7 +573,12 @@
NTSTATUS lsa_SetDomInfoPolicy();
/* Function 0x37 */
- NTSTATUS lsa_OpenTrustedDomainByName();
+ NTSTATUS lsa_OpenTrustedDomainByName(
+ [in,ref] policy_handle *handle,
+ [in] lsa_Name name,
+ [in] uint32 access_mask,
+ [out,ref] policy_handle *trustdom_handle
+ );
/* Function 0x38 */
NTSTATUS lsa_TestCall();
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl
index ae6bfe249b..27ba53ff8b 100644
--- a/source4/librpc/idl/netlogon.idl
+++ b/source4/librpc/idl/netlogon.idl
@@ -255,6 +255,8 @@ interface netlogon
/* Function 0x05 */
/* secure channel types */
+ /* Only SEC_CHAN_WKSTA can forward requests to other domains. */
+
const int SEC_CHAN_WKSTA = 2;
const int SEC_CHAN_DOMAIN = 4;
const int SEC_CHAN_BDC = 6;
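Review bot: The new comment `/* Only SEC_CHAN_WKSTA can forward requests to other domains. */` is separated from the constant it describes by a blank line and sits directly under the generic "secure channel types" heading, so it reads as a statement about the whole list rather than about one value. Placing it immediately above `const int SEC_CHAN_WKSTA = 2;` and dropping the added blank line ties it to the value it qualifies. Since the claim describes server-side behaviour that the IDL itself cannot show, it would help a later reader if the comment also named where that behaviour is enforced or was observed.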
@@ -527,7 +529,7 @@ interface netlogon
uint32 unknown6;
uint32 unknown7;
uint32 unknown8;
- } netr_DELTA_ACCOUNTS;
+ } netr_DELTA_ACCOUNT;
typedef struct {
uint16 unknown;
@@ -574,9 +576,9 @@ interface netlogon
NETR_DELTA_RENAME_ALIAS = 11,
NETR_DELTA_ALIAS_MEMBER = 12,
NETR_DELTA_POLICY = 13,
- NETR_DELTA_TRUSTED_DOMAIN = 14,
+ NETR_DELTA_TRUSTED_DOMAIN = 14,
NETR_DELTA_DELETE_TRUST = 15,
- NETR_DELTA_ACCOUNTS = 16,
+ NETR_DELTA_ACCOUNT = 16,
NETR_DELTA_DELETE_ACCOUNT = 17,
NETR_DELTA_SECRET = 18,
NETR_DELTA_DELETE_SECRET = 19,
@@ -599,9 +601,9 @@ interface netlogon
[case(NETR_DELTA_RENAME_ALIAS)] netr_DELTA_RENAME *rename_alias;
[case(NETR_DELTA_ALIAS_MEMBER)] netr_DELTA_ALIAS_MEMBER *alias_member;
[case(NETR_DELTA_POLICY)] netr_DELTA_POLICY *policy;
- [case(NETR_DELTA_TRUSTED_DOMAIN)] netr_DELTA_TRUSTED_DOMAIN *trusted_domain;
+ [case(NETR_DELTA_TRUSTED_DOMAIN)] netr_DELTA_TRUSTED_DOMAIN *trusted_domain;
[case(NETR_DELTA_DELETE_TRUST)] netr_DELTA_DELETE_TRUST delete_trust;
- [case(NETR_DELTA_ACCOUNTS)] netr_DELTA_ACCOUNTS *accounts;
+ [case(NETR_DELTA_ACCOUNT)] netr_DELTA_ACCOUNT *account;
[case(NETR_DELTA_DELETE_ACCOUNT)] netr_DELTA_DELETE_ACCOUNT delete_account;
[case(NETR_DELTA_SECRET)] netr_DELTA_SECRET *secret;
[case(NETR_DELTA_DELETE_SECRET)] netr_DELTA_DELETE_SECRET delete_secret;
@@ -626,7 +628,7 @@ interface netlogon
[case(NETR_DELTA_POLICY)] dom_sid2 *sid;
[case(NETR_DELTA_TRUSTED_DOMAIN)] dom_sid2 *sid;
[case(NETR_DELTA_DELETE_TRUST)] dom_sid2 *sid;
- [case(NETR_DELTA_ACCOUNTS)] dom_sid2 *sid;
+ [case(NETR_DELTA_ACCOUNT)] dom_sid2 *sid;
[case(NETR_DELTA_DELETE_ACCOUNT)] dom_sid2 *sid;
[case(NETR_DELTA_SECRET)] unistr *name;
[case(NETR_DELTA_DELETE_SECRET)] unistr *name;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index ce9f9f39ff..1c3e8d374a 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -113,8 +113,8 @@ static NTSTATUS lsa_EnumPrivs(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
/*
lsa_QuerySecObj
*/
-static NTSTATUS lsa_QuerySecObj(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_QuerySecObj *r)
+static NTSTATUS lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct lsa_QuerySecurity *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
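Review bot: The header comment just above the renamed definition still reads `lsa_QuerySecObj`, while the function is now `lsa_QuerySecurity`; the commit renames the symbol but leaves the comment stale. Change the comment to `lsa_QuerySecurity` so it matches the IDL name introduced in lsa.idl in this same commit. The body is unchanged and still faults with DCERPC_FAULT_OP_RNG_ERROR, so the rename alone does not implement the call; a comment such as `/* lsa_QuerySecurity - not implemented, returns an opnum range fault */` would make that explicit for anyone grepping for the server side of the new torture test.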
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 8c9675457e..703df40654 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -523,22 +523,22 @@ static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
}
-static BOOL test_QuerySecObj(struct dcerpc_pipe *p,
+static BOOL test_QuerySecurity(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
struct policy_handle *handle,
struct policy_handle *acct_handle)
{
NTSTATUS status;
- struct lsa_QuerySecObj r;
+ struct lsa_QuerySecurity r;
- printf("Testing QuerySecObj\n");
+ printf("Testing QuerySecuriy\n");
r.in.handle = acct_handle;
r.in.sec_info = 7;
- status = dcerpc_lsa_QuerySecObj(p, mem_ctx, &r);
+ status = dcerpc_lsa_QuerySecurity(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("QuerySecObj failed - %s\n", nt_errstr(status));
+ printf("QuerySecurity failed - %s\n", nt_errstr(status));
return False;
}
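Review bot: The progress message on the new side is misspelled: `printf("Testing QuerySecuriy\n");` should read `printf("Testing QuerySecurity\n");`, which also keeps it consistent with the `QuerySecurity failed` message a few lines below. test_QuerySecurity's body continues past the end of the hunk, so what happens with the returned descriptor is not visible here; given the commit message says security descriptors are now verified against LSA, it is worth confirming that the code after the hunk inspects the returned buffer (presumably `r.out.sdbuf`, following the IDL rename) rather than only the status. The `r.in.sec_info = 7;` context line is a magic value; a short comment naming which SECINFO bits it selects would help, though that predates this change.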
@@ -571,7 +571,7 @@ static BOOL test_OpenAccount(struct dcerpc_pipe *p,
return False;
}
- if (!test_QuerySecObj(p, mem_ctx, handle, &acct_handle)) {
+ if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) {
return False;
}
@@ -746,6 +746,8 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
NTSTATUS status;
uint32_t resume_handle = 0;
struct lsa_DomainList domains;
+ int i;
+ BOOL ret = True;
printf("\nTesting EnumTrustDom\n");
@@ -767,7 +769,59 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
return False;
}
- return True;
+ printf("\nTesting OpenTrustedDomain and OpenTrustedDomainByName\n");
+
+ for (i=0; i< domains.count; i++) {
+ struct lsa_OpenTrustedDomain trust;
+ struct lsa_OpenTrustedDomainByName trust_by_name;
+ struct policy_handle trust_handle;
+ struct policy_handle handle2;
+ struct lsa_Close c;
+
+ trust.in.handle = handle;
+ trust.in.sid = domains.domains[i].sid;
+ trust.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ trust.out.trustdom_handle = &trust_handle;
+
+ status = dcerpc_lsa_OpenTrustedDomain(p, mem_ctx, &trust);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
+ return False;
+ }
+
+ c.in.handle = &trust_handle;
+ c.out.handle = &handle2;
+
+ status = dcerpc_lsa_Close(p, mem_ctx, &c);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Close of trusted doman failed - %s\n", nt_errstr(status));
+ return False;
+ }
+
+ trust_by_name.in.handle = handle;
+ trust_by_name.in.name = domains.domains[i].name;
+ trust_by_name.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ trust_by_name.out.trustdom_handle = &trust_handle;
+
+ status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &trust_by_name);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
+ return False;
+ }
+
+ c.in.handle = &trust_handle;
+ c.out.handle = &handle2;
+
+ status = dcerpc_lsa_Close(p, mem_ctx, &c);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Close of trusted doman failed - %s\n", nt_errstr(status));
+ return False;
+ }
+ }
+
+ return ret;
}
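Review bot: `ret` is never assigned after its initialisation, so `return ret;` at the end of test_EnumTrustDom always returns True; every failure inside the loop uses `return False;` directly, which makes the new variable (declared as `BOOL ret = True;` in the preceding hunk) dead and also stops the test at the first trusted domain that fails instead of reporting all of them. Either drop `ret` or, as sketched below, set `ret = False` and `continue` on open failures so every domain in `domains.domains[]` is exercised and the aggregate result is returned; the function's header is outside the hunk. The two `Close` blocks are identical and could share a helper, and both error strings say `trusted doman` rather than `trusted domain`. `i` is declared `int` while `domains.count` is presumably unsigned (this file uses `uint32_t` for `resume_handle`), so the `i < domains.count` comparison may warn under -Wsign-compare; declaring `i` to match `count`'s type avoids that.
```c
	for (i=0; i< domains.count; i++) {
		/* … unchanged: local declarations … */

		trust.in.handle = handle;
		trust.in.sid = domains.domains[i].sid;
		trust.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
		trust.out.trustdom_handle = &trust_handle;

		status = dcerpc_lsa_OpenTrustedDomain(p, mem_ctx, &trust);
		if (!NT_STATUS_IS_OK(status)) {
			printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
			ret = False;
			continue;	/* nothing to close; keep testing the remaining domains */
		}

		c.in.handle = &trust_handle;
		c.out.handle = &handle2;
		status = dcerpc_lsa_Close(p, mem_ctx, &c);
		if (!NT_STATUS_IS_OK(status)) {
			printf("Close of trusted domain failed - %s\n", nt_errstr(status));
			ret = False;
		}

		/* … unchanged: OpenTrustedDomainByName + Close, with the same ret = False handling … */
	}

	return ret;
```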
static BOOL test_QueryInfoPolicy(struct dcerpc_pipe *p,
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 54d6dd85f8..5204175559 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -1031,7 +1031,7 @@ BOOL torture_rpc_samlogon(void)
}
if (!test_SetupCredentials(p, mem_ctx,
- TEST_MACHINE_NAME, machine_pass, &creds)) {
+ TEST_MACHINE_NAME, machine_pass, &creds)) {
ret = False;
}