authorAndrew Bartlett <abartlet@samba.org>2008-09-04 16:06:38 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-09-04 16:06:38 +1000
commit19fb3b0199dec2b8abacfab59910f2aed0ba310c (patch)
tree80f5ffa689dfb0a7c76a22e0d7fe81a35705f233
parentb533a1f4bf62c7983f612927499f60b503322c4d (diff)
More work to implement LSA CreateTrustedDomainEx2
We still don't get the format inside the encrypted blob correct however. Andrew Bartlett (This used to be commit 99a3abda09716c064b3e9a37c4a79a8f62444eca)
-rw-r--r--source4/librpc/idl/drsblobs.idl10
-rw-r--r--source4/librpc/idl/lsa.idl24
-rw-r--r--source4/torture/rpc/lsa.c40
3 files changed, 63 insertions, 11 deletions
diff --git a/source4/librpc/idl/drsblobs.idl b/source4/librpc/idl/drsblobs.idl
index 39c9680bdb..196423c7dd 100644
--- a/source4/librpc/idl/drsblobs.idl
+++ b/source4/librpc/idl/drsblobs.idl
@@ -409,12 +409,20 @@ interface drsblobs {
[size_is(1)] AuthenticationInformation array[];
} AuthenticationInformationArray;
- typedef [public,nopull,nopush,noprint] struct {
+ typedef [public,nopull,nopush,noprint,gensize] struct {
uint32 count;
[relative] AuthenticationInformationArray *current;
[relative] AuthenticationInformationArray *previous;
} trustAuthInOutBlob;
+ typedef [public] struct {
+ uint8 confounder[512];
+ trustAuthInOutBlob outgoing;
+ trustAuthInOutBlob incoming;
+ [value(ndr_size_trustAuthInOutBlob(&outgoing, ndr->flags))] uint32 outgoing_size;
+ [value(ndr_size_trustAuthInOutBlob(&incoming, ndr->flags))] uint32 incoming_size;
+ } trustAuthInAndOutBlob;
+
void decode_trustAuthInOut(
[in] trustAuthInOutBlob blob
);
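Review bot: The new trustAuthInAndOutBlob typedef carries no comment saying what it is or how it travels, which matters here because the commit message itself says the inner format is not yet right; I would put above it `/* Cleartext form of the LSA auth_info blob: a 512-byte random confounder, then the outgoing and incoming trustAuthInOutBlob bodies followed by their sizes. It is RC4-encrypted with the connection's session key before being sent; the inner layout is still provisional. */`. Note that outgoing_size and incoming_size are placed after the structures they describe, so a puller cannot use them to bound the preceding members; if the wire format really puts the sizes last that is fine, otherwise the field order needs checking against a capture. The struct is [public] without nopull/nopush, so the generated marshallers will call ndr_push/ndr_pull_trustAuthInOutBlob for the nopull/nopush members, which are presumably hand-written — worth confirming both directions exist.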
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 81931ae02a..4de3d6f1bf 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -607,13 +607,23 @@ import "misc.idl", "security.idl";
} lsa_TrustDomainInfoFullInfo;
typedef struct {
+ lsa_DATA_BUF2 auth_blob;
+ } lsa_TrustDomainInfoAuthInfoInternal;
+
+ typedef struct {
+ lsa_TrustDomainInfoInfoEx info_ex;
+ lsa_TrustDomainInfoPosixOffset posix_offset;
+ lsa_TrustDomainInfoAuthInfoInternal auth_info;
+ } lsa_TrustDomainInfoFullInfoInternal;
+
+ typedef struct {
lsa_TrustDomainInfoInfoEx info_ex;
- lsa_DATA_BUF2 data1;
+ uint32 forest_trust_length;
+ [size_is(forest_trust_length)] uint8 *forest_trust_data;
} lsa_TrustDomainInfoInfoEx2Internal;
typedef struct {
- lsa_TrustDomainInfoInfoEx info_ex;
- lsa_DATA_BUF2 data1;
+ lsa_TrustDomainInfoInfoEx2Internal info;
lsa_TrustDomainInfoPosixOffset posix_offset;
lsa_TrustDomainInfoAuthInfo auth_info;
} lsa_TrustDomainInfoInfo2Internal;
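Review bot: lsa_TrustDomainInfoAuthInfoInternal is introduced as a bare lsa_DATA_BUF2 with nothing saying the buffer is not a plain structure; the torture test in this commit fills it with a trustAuthInAndOutBlob RC4-encrypted under the DCE/RPC session key, so I would add above the typedef `/* auth_blob holds a trustAuthInAndOutBlob (drsblobs.idl) encrypted with the connection's session key; it is opaque at this layer and must be decrypted, then parsed and bounds-checked, by the server. */`. Because the sizes of the inner structures are not carried at this level, a server consuming this must validate auth_blob.size against what the decrypted blob claims before trusting the embedded counts. The same type change is applied to lsa_CreateTrustedDomainEx and lsa_CreateTrustedDomainEx2 in the later hunks of this file.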
@@ -640,9 +650,9 @@ import "misc.idl", "security.idl";
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
lsa_TrustDomainInfoFullInfo full_info;
[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
- lsa_TrustDomainInfoAuthInfo auth_info_internal;
+ lsa_TrustDomainInfoAuthInfoInternal auth_info_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
- lsa_TrustDomainInfoFullInfo full_info_internal;
+ lsa_TrustDomainInfoFullInfoInternal full_info_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
lsa_TrustDomainInfoInfoEx2Internal info_ex2_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
@@ -875,7 +885,7 @@ import "misc.idl", "security.idl";
NTSTATUS lsa_CreateTrustedDomainEx(
[in] policy_handle *policy_handle,
[in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfo *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
[in] uint32 access_mask,
[out] policy_handle *trustdom_handle
);
@@ -996,7 +1006,7 @@ import "misc.idl", "security.idl";
NTSTATUS lsa_CreateTrustedDomainEx2(
[in] policy_handle *policy_handle,
[in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfo *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
[in] uint32 access_mask,
[out] policy_handle *trustdom_handle
);
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 1e35d94235..316412ec9e 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -23,11 +23,13 @@
#include "torture/torture.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/netlogon.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "lib/events/events.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "torture/rpc/rpc.h"
#include "param/param.h"
+#include "lib/crypto/crypto.h"
#define TEST_MACHINENAME "lsatestmach"
static void init_lsa_String(struct lsa_String *name, const char *s)
@@ -1882,6 +1884,9 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
return false;
}
+ /* Start from the bottom again */
+ resume_handle = 0;
+
do {
r.in.handle = handle;
r.in.resume_handle = &resume_handle;
@@ -2063,6 +2068,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
}
static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
TALLOC_CTX *mem_ctx,
struct policy_handle *handle)
{
@@ -2070,13 +2076,24 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
bool ret = true;
struct lsa_CreateTrustedDomainEx2 r;
struct lsa_TrustDomainInfoInfoEx trustinfo;
+ struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
+ struct trustAuthInAndOutBlob auth_struct;
+ DATA_BLOB auth_blob;
struct dom_sid *domsid[12];
struct policy_handle trustdom_handle[12];
struct lsa_QueryTrustedDomainInfo q;
+ DATA_BLOB session_key;
+ enum ndr_err_code ndr_err;
int i;
printf("Testing CreateTrustedDomainEx2 for 12 domains\n");
+ status = dcerpc_fetch_session_key(p, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
for (i=0; i< 12; i++) {
char *trust_name = talloc_asprintf(mem_ctx, "torturedom%02d", i);
char *trust_name_dns = talloc_asprintf(mem_ctx, "torturedom%02d.samba.example.com", i);
@@ -2102,9 +2119,26 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
+ generate_random_buffer(auth_struct.confounder, sizeof(auth_struct.confounder));
+
+ auth_struct.outgoing.count = 0;
+ auth_struct.incoming.count = 0;
+
+ ndr_err = ndr_push_struct_blob(&auth_blob, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &auth_struct,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInAndOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ printf("ndr_push_struct_blob of trustAuthInAndOutBlob structure failed");
+ ret = false;
+ }
+
+ arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
+
+ authinfo.auth_blob.size = auth_blob.length;
+ authinfo.auth_blob.data = auth_blob.data;
+
r.in.policy_handle = handle;
r.in.info = &trustinfo;
- r.in.auth_info = NULL;
+ r.in.auth_info = &authinfo;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.out.trustdom_handle = &trustdom_handle[i];
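Review bot: When ndr_push_struct_blob fails at the `if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err))` check, the code sets ret = false but falls through to arcfour_crypt_blob and the RPC call with auth_blob still uninitialised (it is declared without an initialiser in the earlier hunk), so that branch should `return false;` like the dcerpc_fetch_session_key failure above, and the printf wants a trailing `\n`. auth_struct is likewise only partly filled: confounder and the two count fields are set, but the current/previous members of outgoing and incoming are left indeterminate before the push, which the hand-written pusher may well read, so I would add `ZERO_STRUCT(auth_struct);` before generate_random_buffer. The failure message in the following hunk reads `CreateTrustedDomainEx failed2`; `printf("CreateTrustedDomainEx2 failed - %s\n", nt_errstr(status));` is presumably what was meant. The enclosing for loop and test_CreateTrustedDomainEx2 itself continue outside this hunk.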
@@ -2114,7 +2148,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
status = dcerpc_lsa_CreateTrustedDomainEx2(p, mem_ctx, &r);
}
if (!NT_STATUS_IS_OK(status)) {
- printf("CreateTrustedDomainEx failed - %s\n", nt_errstr(status));
+ printf("CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
ret = false;
} else {
@@ -2452,7 +2486,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
ret = false;
}
- if (!test_CreateTrustedDomainEx2(p, tctx, handle)) {
+ if (!test_CreateTrustedDomainEx2(p, tctx, tctx, handle)) {
ret = false;
}