r3904: * Add new LSA calls to open trusted domains

* Add new tests for ACCOUNTs in SamSync

* Clean up names in NETLOGON and LSA

* Verify Security Descriptors against LSA, as well as SamR

Andrew Bartlett
(This used to be commit 7094502fe0346255a89667f702289b4c8dc9fa08)

5 files changed, 88 insertions, 20 deletions

diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 225979da18..f84addf150 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -56,10 +56,10 @@
 	/******************/
 	/* Function: 0x03 */
 
-	NTSTATUS lsa_QuerySecObj (
+	NTSTATUS lsa_QuerySecurity (
 		[in,ref]     policy_handle *handle,
 		[in]         uint32 sec_info,
-		[out]        sec_desc_buf *sd
+		[out]        sec_desc_buf *sdbuf
 		);
 
 
@@ -396,8 +396,15 @@
 	NTSTATUS lsa_GetSystemAccessAccount();
 	/* Function:    0x18 */
 	NTSTATUS lsa_SetSystemAccessAccount();
+
 	/* Function:        0x19 */
-	NTSTATUS lsa_OpenTrustedDomain();
+	NTSTATUS lsa_OpenTrustedDomain(
+		[in,ref]     policy_handle *handle,
+		[in,ref]     dom_sid2      *sid,
+		[in]         uint32         access_mask,
+		[out,ref]    policy_handle *trustdom_handle
+		);
+
 	/* Function:       0x1a */
 	NTSTATUS lsa_QueryInfoTrustedDomain();
 	/* Function:     0x1b */
@@ -566,7 +573,12 @@
 	NTSTATUS lsa_SetDomInfoPolicy();
 
 	/* Function 0x37 */
-	NTSTATUS lsa_OpenTrustedDomainByName();
+	NTSTATUS lsa_OpenTrustedDomainByName(
+		[in,ref]     policy_handle *handle,
+		[in]         lsa_Name       name,
+		[in]         uint32         access_mask,
+		[out,ref]    policy_handle *trustdom_handle
+		);
 
 	/* Function 0x38 */
 	NTSTATUS lsa_TestCall();
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl
index ae6bfe249b..27ba53ff8b 100644
--- a/source4/librpc/idl/netlogon.idl
+++ b/source4/librpc/idl/netlogon.idl
@@ -255,6 +255,8 @@ interface netlogon
 	/* Function 0x05 */
 
 	/* secure channel types */
+	/* Only SEC_CHAN_WKSTA can forward requests to other domains. */
+
 	const int SEC_CHAN_WKSTA   = 2;
 	const int SEC_CHAN_DOMAIN  = 4;
 	const int SEC_CHAN_BDC     = 6;
@@ -527,7 +529,7 @@ interface netlogon
 		uint32 unknown6;
 		uint32 unknown7;
 		uint32 unknown8;
-	} netr_DELTA_ACCOUNTS;
+	} netr_DELTA_ACCOUNT;
 
 	typedef struct {
 		uint16 unknown;
@@ -574,9 +576,9 @@ interface netlogon
 		NETR_DELTA_RENAME_ALIAS     = 11,
 		NETR_DELTA_ALIAS_MEMBER     = 12,
 		NETR_DELTA_POLICY           = 13,
-		NETR_DELTA_TRUSTED_DOMAIN  = 14,
+		NETR_DELTA_TRUSTED_DOMAIN   = 14,
 		NETR_DELTA_DELETE_TRUST     = 15,
-		NETR_DELTA_ACCOUNTS         = 16,
+		NETR_DELTA_ACCOUNT          = 16,
 		NETR_DELTA_DELETE_ACCOUNT   = 17,
 		NETR_DELTA_SECRET           = 18,
 		NETR_DELTA_DELETE_SECRET    = 19,
@@ -599,9 +601,9 @@ interface netlogon
 		[case(NETR_DELTA_RENAME_ALIAS)]    netr_DELTA_RENAME          *rename_alias;
 		[case(NETR_DELTA_ALIAS_MEMBER)]    netr_DELTA_ALIAS_MEMBER    *alias_member;
 		[case(NETR_DELTA_POLICY)]          netr_DELTA_POLICY          *policy;
-		[case(NETR_DELTA_TRUSTED_DOMAIN)] netr_DELTA_TRUSTED_DOMAIN   *trusted_domain;
+		[case(NETR_DELTA_TRUSTED_DOMAIN)]  netr_DELTA_TRUSTED_DOMAIN   *trusted_domain;
 		[case(NETR_DELTA_DELETE_TRUST)]    netr_DELTA_DELETE_TRUST     delete_trust;
-		[case(NETR_DELTA_ACCOUNTS)]        netr_DELTA_ACCOUNTS        *accounts;
+		[case(NETR_DELTA_ACCOUNT)]         netr_DELTA_ACCOUNT         *account;
 		[case(NETR_DELTA_DELETE_ACCOUNT)]  netr_DELTA_DELETE_ACCOUNT   delete_account;
 		[case(NETR_DELTA_SECRET)]          netr_DELTA_SECRET          *secret;
 		[case(NETR_DELTA_DELETE_SECRET)]   netr_DELTA_DELETE_SECRET    delete_secret;
@@ -626,7 +628,7 @@ interface netlogon
 		[case(NETR_DELTA_POLICY)]          dom_sid2 *sid;
 		[case(NETR_DELTA_TRUSTED_DOMAIN)]  dom_sid2 *sid;
 		[case(NETR_DELTA_DELETE_TRUST)]    dom_sid2 *sid;
-		[case(NETR_DELTA_ACCOUNTS)]        dom_sid2 *sid;
+		[case(NETR_DELTA_ACCOUNT)]         dom_sid2 *sid;
 		[case(NETR_DELTA_DELETE_ACCOUNT)]  dom_sid2 *sid;
 		[case(NETR_DELTA_SECRET)]          unistr *name;
 		[case(NETR_DELTA_DELETE_SECRET)]   unistr *name;
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index ce9f9f39ff..1c3e8d374a 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -113,8 +113,8 @@ static NTSTATUS lsa_EnumPrivs(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
 /* 
   lsa_QuerySecObj 
 */
-static NTSTATUS lsa_QuerySecObj(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-				struct lsa_QuerySecObj *r)
+static NTSTATUS lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+				  struct lsa_QuerySecurity *r)
 {
 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 8c9675457e..703df40654 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -523,22 +523,22 @@ static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
 }
 
 
-static BOOL test_QuerySecObj(struct dcerpc_pipe *p, 
+static BOOL test_QuerySecurity(struct dcerpc_pipe *p, 
 			     TALLOC_CTX *mem_ctx, 
 			     struct policy_handle *handle,
 			     struct policy_handle *acct_handle)
 {
 	NTSTATUS status;
-	struct lsa_QuerySecObj r;
+	struct lsa_QuerySecurity r;
 
-	printf("Testing QuerySecObj\n");
+	printf("Testing QuerySecuriy\n");
 
 	r.in.handle = acct_handle;
 	r.in.sec_info = 7;
 
-	status = dcerpc_lsa_QuerySecObj(p, mem_ctx, &r);
+	status = dcerpc_lsa_QuerySecurity(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("QuerySecObj failed - %s\n", nt_errstr(status));
+		printf("QuerySecurity failed - %s\n", nt_errstr(status));
 		return False;
 	}
 
@@ -571,7 +571,7 @@ static BOOL test_OpenAccount(struct dcerpc_pipe *p,
 		return False;
 	}
 
-	if (!test_QuerySecObj(p, mem_ctx, handle, &acct_handle)) {
+	if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) {
 		return False;
 	}
 
@@ -746,6 +746,8 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
 	NTSTATUS status;
 	uint32_t resume_handle = 0;
 	struct lsa_DomainList domains;
+	int i;
+	BOOL ret = True;
 
 	printf("\nTesting EnumTrustDom\n");
 
@@ -767,7 +769,59 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
 		return False;
 	}
 
-	return True;
+	printf("\nTesting OpenTrustedDomain and OpenTrustedDomainByName\n");
+
+	for (i=0; i< domains.count; i++) {
+		struct lsa_OpenTrustedDomain trust;
+		struct lsa_OpenTrustedDomainByName trust_by_name;
+		struct policy_handle trust_handle;
+		struct policy_handle handle2;
+		struct lsa_Close c;
+		
+		trust.in.handle = handle;
+		trust.in.sid = domains.domains[i].sid;
+		trust.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+		trust.out.trustdom_handle = &trust_handle;
+
+		status = dcerpc_lsa_OpenTrustedDomain(p, mem_ctx, &trust);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
+			return False;
+		}
+
+		c.in.handle = &trust_handle;
+		c.out.handle = &handle2;
+		
+		status = dcerpc_lsa_Close(p, mem_ctx, &c);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("Close of trusted doman failed - %s\n", nt_errstr(status));
+			return False;
+		}
+
+		trust_by_name.in.handle = handle;
+		trust_by_name.in.name = domains.domains[i].name;
+		trust_by_name.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+		trust_by_name.out.trustdom_handle = &trust_handle;
+		
+		status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &trust_by_name);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
+			return False;
+		}
+
+		c.in.handle = &trust_handle;
+		c.out.handle = &handle2;
+		
+		status = dcerpc_lsa_Close(p, mem_ctx, &c);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("Close of trusted doman failed - %s\n", nt_errstr(status));
+			return False;
+		}
+	}
+
+	return ret;
 }
 
 static BOOL test_QueryInfoPolicy(struct dcerpc_pipe *p, 
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 54d6dd85f8..5204175559 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -1031,7 +1031,7 @@ BOOL torture_rpc_samlogon(void)
 	}
 
 	if (!test_SetupCredentials(p, mem_ctx, 
-				    TEST_MACHINE_NAME, machine_pass, &creds)) {
+				   TEST_MACHINE_NAME, machine_pass, &creds)) {
 		ret = False;
 	}