r3807: Cross-check the basic attributes for groups and aliases in RPC-SAMSYNC.

Andrew Bartlett (This used to be commit 90398fda41dd15480899e3628df186eb02fdc139)
author: Andrew Bartlett <abartlet@samba.org> 2004-11-17 13:39:37 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:05:56 -0500
commit: 5ad5c6cc70df2006f694b56c4086af10860b4676 (patch)
tree: 7fda8a14d92a12d54b76dac64647d51766206f50
parent: 696fdc8cf91cc1660725fd93c2b91ec6b65d06b5 (diff)
download: samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.gz
samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.bz2
samba-5ad5c6cc70df2006f694b56c4086af10860b4676.zip
4 files changed, 118 insertions, 12 deletions
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl
index ab07a5705d..ae6bfe249b 100644
--- a/source4/librpc/idl/netlogon.idl
+++ b/source4/librpc/idl/netlogon.idl
@@ -396,9 +396,10 @@ interface netlogon
 	} netr_DELTA_DOMAIN;
 
 	typedef struct {
-		netr_String groupname;
-		netr_GroupMembership group_membership;
-		netr_String comment;
+		netr_String group_name;
+		uint32 rid;
+		uint32 attributes;
+		netr_String description;
 		uint32 SecurityInformation;
 		sec_desc_buf sdbuf;
 		netr_String unknown1;
@@ -439,7 +440,7 @@ interface netlogon
 		uint32 rid;
 		uint32 SecurityInformation;
 		sec_desc_buf sdbuf;
-		netr_String unknown1;
+		netr_String description;
 		netr_String unknown2;
 		netr_String unknown3;
 		netr_String unknown4;
diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl
index 80295bb252..a7bbe07b6a 100644
--- a/source4/librpc/idl/samr.idl
+++ b/source4/librpc/idl/samr.idl
@@ -371,7 +371,7 @@
 
 	typedef struct {
 		samr_String name;
-		uint32 unknown;
+		uint32 attributes;
 		uint32 num_members;
 		samr_String description;
 	} samr_GroupInfoAll;
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 18cf2c4734..ef6e45cb1e 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1109,7 +1109,7 @@ static NTSTATUS samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, TALLOC_C
 	switch (r->in.level) {
 	case GroupInfoAll:
 		QUERY_STRING(msg, all.name.string,        "sAMAccountName");
-		r->out.info->all.unknown = 7; /* Do like w2k3 */
+		r->out.info->all.attributes = 7; /* Do like w2k3 */
 		QUERY_UINT  (msg, all.num_members,      "numMembers")
 		QUERY_STRING(msg, all.description.string, "description");
 		break;
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 96c7846c59..777e5f36eb 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -515,6 +515,101 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy
 	return False;
 }
 
+static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+				 int database_id, struct netr_DELTA_ENUM *delta) 
+{
+	uint32 rid = delta->delta_id_union.rid;
+	struct netr_DELTA_ALIAS *alias = delta->delta_union.alias;
+	NTSTATUS nt_status;
+	BOOL ret = True;
+
+	struct samr_OpenAlias r;
+	struct samr_QueryAliasInfo q;
+	struct policy_handle alias_handle;
+
+	if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
+		printf("SamSync needs domain information before the users\n");
+		return False;
+	}
+
+	r.in.domain_handle = samsync_state->domain_handle[database_id];
+	r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+	r.in.rid = rid;
+	r.out.alias_handle = &alias_handle;
+
+	nt_status = dcerpc_samr_OpenAlias(samsync_state->p_samr, mem_ctx, &r);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
+		return False;
+	}
+
+	q.in.alias_handle = &alias_handle;
+	q.in.level = 1;
+
+	nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
+	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
+		return False;
+	}
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		printf("QueryAliasInfo level %u failed - %s\n", 
+		       q.in.level, nt_errstr(nt_status));
+		return False;
+	}
+
+	TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name);
+	TEST_STRING_EQUAL(q.out.info->all.description, alias->description);
+	return False;
+}
+
+static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+				 int database_id, struct netr_DELTA_ENUM *delta) 
+{
+	uint32 rid = delta->delta_id_union.rid;
+	struct netr_DELTA_GROUP *group = delta->delta_union.group;
+	NTSTATUS nt_status;
+	BOOL ret = True;
+
+	struct samr_OpenGroup r;
+	struct samr_QueryGroupInfo q;
+	struct policy_handle group_handle;
+
+	if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
+		printf("SamSync needs domain information before the users\n");
+		return False;
+	}
+
+	r.in.domain_handle = samsync_state->domain_handle[database_id];
+	r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+	r.in.rid = rid;
+	r.out.group_handle = &group_handle;
+
+	nt_status = dcerpc_samr_OpenGroup(samsync_state->p_samr, mem_ctx, &r);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
+		return False;
+	}
+
+	q.in.group_handle = &group_handle;
+	q.in.level = 1;
+
+	nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
+	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
+		return False;
+	}
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		printf("QueryGroupInfo level %u failed - %s\n", 
+		       q.in.level, nt_errstr(nt_status));
+		return False;
+	}
+
+	TEST_STRING_EQUAL(q.out.info->all.name, group->group_name);
+	TEST_INT_EQUAL(q.out.info->all.attributes, group->attributes);
+	TEST_STRING_EQUAL(q.out.info->all.description, group->description);
+	return False;
+}
+
 static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 				  int database_id, struct netr_DELTA_ENUM *delta) 
 {
@@ -577,8 +672,7 @@ static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *sam
 	}
 
 	if (q.out.new_val->buf == NULL) {
-		printf("No secret buffer returned\n");
-		ret = False;
+		/* probably just not available due to ACLs */
 	} else {
 		lsa_blob1.data = q.out.new_val->buf->data;
 		lsa_blob1.length = q.out.new_val->buf->length;
@@ -675,6 +769,14 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 					ret &= samsync_handle_user(mem_ctx, samsync_state, 
 								   r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 					break;
+				case NETR_DELTA_GROUP:
+					ret &= samsync_handle_group(mem_ctx, samsync_state, 
+								    r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
+					break;
+				case NETR_DELTA_ALIAS:
+					ret &= samsync_handle_alias(mem_ctx, samsync_state, 
+								    r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
+					break;
 				case NETR_DELTA_TRUSTED_DOMAIN:
 					ret &= samsync_handle_trusted_domain(mem_ctx, samsync_state, 
 									     r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
@@ -703,8 +805,6 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 	for (t=samsync_state->trusted_domains; t; t=t->next) {
 		char *secret_name = talloc_asprintf(mem_ctx, "G$$%s", t->name);
 		for (s=samsync_state->secrets; s; s=s->next) {
-			printf("Checking secret %s against %s\n",
-			       s->name, secret_name);
 			if (StrCaseCmp(s->name, secret_name) == 0) {
 				NTSTATUS nt_status;
 				struct samr_Password nt_hash;
@@ -718,7 +818,7 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 							  &nt_hash,
 							  NULL);
 				if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
-					printf("Could not verify trust password to %s: %s\n", 
+					printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n", 
 					       t->name, nt_errstr(nt_status));
 					ret = False;
 				}
@@ -733,7 +833,7 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 							  NULL);
 				
 				if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
-					printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n", 
+					printf("Verifiction of trust password to %s: should have failed (wrong password), instead: %s\n", 
 					       t->name, nt_errstr(nt_status));
 					ret = False;
 					ret = False;
@@ -907,6 +1007,11 @@ BOOL torture_rpc_samsync(void)
 				  timestring(mem_ctx, time(NULL)));
 	status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s);
 
+	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, domain_policy)) {
+		ret = False;
+		goto failed;
+	}
+
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("SetDomainInfo level %u failed - %s\n", 
 		       s.in.level, nt_errstr(status));
author	Andrew Bartlett <abartlet@samba.org>	2004-11-17 13:39:37 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:05:56 -0500
commit	5ad5c6cc70df2006f694b56c4086af10860b4676 (patch)
tree	7fda8a14d92a12d54b76dac64647d51766206f50
parent	696fdc8cf91cc1660725fd93c2b91ec6b65d06b5 (diff)
download	samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.gz samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.bz2 samba-5ad5c6cc70df2006f694b56c4086af10860b4676.zip