diff options
| author | Jelmer Vernooij <jelmer@samba.org> | 2008-10-20 12:19:57 +0200 |
|---|---|---|
| committer | Jelmer Vernooij <jelmer@samba.org> | 2008-10-20 12:19:57 +0200 |
| commit | d78f3be238c93a07ff16ead29d7d006de8f92605 (patch) | |
| tree | f2fc45fccf777bc59b301e8904e9d0558b19a344 | |
| parent | a8707a43d03d884e625e28dddcd1d43d613a520f (diff) | |
| parent | 640847b4fc74c93dd74b2325b4ac92a001a81c92 (diff) | |
| download | samba-d78f3be238c93a07ff16ead29d7d006de8f92605.tar.gz samba-d78f3be238c93a07ff16ead29d7d006de8f92605.tar.bz2 samba-d78f3be238c93a07ff16ead29d7d006de8f92605.zip | |
Merge branch 'master' of ssh://git.samba.org/data/git/samba into crypt
| -rw-r--r-- | librpc/idl/krb5pac.idl (renamed from source4/librpc/idl/krb5pac.idl) | 10 | ||||
| -rw-r--r-- | source3/Makefile.in | 2 | ||||
| -rw-r--r-- | source3/librpc/gen_ndr/krb5pac.h | 23 | ||||
| -rw-r--r-- | source3/librpc/gen_ndr/ndr_krb5pac.c | 131 | ||||
| -rw-r--r-- | source3/librpc/gen_ndr/ndr_krb5pac.h | 8 | ||||
| -rw-r--r-- | source3/librpc/idl/krb5pac.idl | 120 | ||||
| -rw-r--r-- | source4/heimdal/kpasswd/kpasswd.c | 247 | ||||
| -rw-r--r-- | source4/heimdal/kpasswd/kpasswd_locl.h | 104 | ||||
| -rw-r--r-- | source4/heimdal/lib/krb5/prog_setup.c | 66 | ||||
| -rw-r--r-- | source4/heimdal/lib/roken/rkpty.c | 336 | ||||
| -rw-r--r-- | source4/heimdal_build/internal.m4 | 8 | ||||
| -rw-r--r-- | source4/heimdal_build/internal.mk | 35 | ||||
| -rw-r--r-- | source4/kdc/kdc.c | 10 | ||||
| -rw-r--r-- | source4/librpc/idl/lsa.idl | 32 | ||||
| -rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 40 | ||||
| -rwxr-xr-x | source4/script/mkrelease.sh | 16 | ||||
| -rw-r--r-- | source4/setup/provision_init.ldif | 1 | ||||
| -rw-r--r-- | source4/torture/rpc/lsa.c | 230 | ||||
| -rwxr-xr-x | testprogs/blackbox/test_kinit.sh | 44 |
19 files changed, 1192 insertions, 271 deletions
diff --git a/source4/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl index bddba04165..a498b795f8 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/librpc/idl/krb5pac.idl @@ -29,7 +29,7 @@ interface krb5pac netr_SamInfo3 info3; dom_sid2 *res_group_dom_sid; samr_RidWithAttributeArray res_groups; - } PAC_LOGON_INFO; + } PAC_LOGON_INFO; typedef struct { [value(2*strlen_m(upn_name))] uint16 upn_size; @@ -46,7 +46,7 @@ interface krb5pac typedef [public] struct { PAC_LOGON_INFO *info; - } PAC_LOGON_INFO_CTR; + } PAC_LOGON_INFO_CTR; typedef [public,v1_enum] enum { PAC_TYPE_LOGON_INFO = 1, @@ -126,5 +126,9 @@ interface krb5pac [in] PAC_Validate pac_validate ); - + /* used for samba3 netsamlogon cache */ + typedef [public] struct { + time_t timestamp; + netr_SamInfo3 info3; + } netsamlogoncache_entry; } diff --git a/source3/Makefile.in b/source3/Makefile.in index eef22fe500..eddcaaac42 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1213,7 +1213,7 @@ samba3-idl:: ../librpc/idl/eventlog.idl ../librpc/idl/wkssvc.idl librpc/idl/netlogon.idl \ ../librpc/idl/notify.idl ../librpc/idl/epmapper.idl librpc/idl/messaging.idl \ ../librpc/idl/xattr.idl ../librpc/idl/misc.idl librpc/idl/samr.idl \ - ../librpc/idl/security.idl ../librpc/idl/dssetup.idl librpc/idl/krb5pac.idl \ + ../librpc/idl/security.idl ../librpc/idl/dssetup.idl ../librpc/idl/krb5pac.idl \ ../librpc/idl/ntsvcs.idl librpc/idl/libnetapi.idl ../librpc/idl/drsuapi.idl \ ../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl diff --git a/source3/librpc/gen_ndr/krb5pac.h b/source3/librpc/gen_ndr/krb5pac.h index b3b29e5b2f..7ec3e95d70 100644 --- a/source3/librpc/gen_ndr/krb5pac.h +++ b/source3/librpc/gen_ndr/krb5pac.h @@ -8,6 +8,7 @@ #ifndef _HEADER_krb5pac #define _HEADER_krb5pac +#define NETLOGON_GENERIC_KRB5_PAC_VALIDATE ( 3 ) struct PAC_LOGON_NAME { NTTIME logon_time; uint16_t size;/* [value(2*strlen_m(account_name))] */ @@ -39,10 +40,6 @@ struct PAC_UNKNOWN_12 { }; struct PAC_LOGON_INFO_CTR { - uint32_t unknown1;/* [value(0x00081001)] */ - uint32_t unknown2;/* [value(0xCCCCCCCC)] */ - uint32_t _ndr_size;/* [value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info,ndr->flags)+4,8))] */ - uint32_t unknown3;/* [value(0x00000000)] */ struct PAC_LOGON_INFO *info;/* [unique] */ }/* [public] */; @@ -72,7 +69,7 @@ struct DATA_BLOB_REM { }; union PAC_INFO { - struct PAC_LOGON_INFO_CTR logon_info;/* [case(PAC_TYPE_LOGON_INFO)] */ + struct PAC_LOGON_INFO_CTR logon_info;/* [subcontext(0xFFFFFC01),case(PAC_TYPE_LOGON_INFO)] */ struct PAC_SIGNATURE_DATA srv_cksum;/* [case(PAC_TYPE_SRV_CHECKSUM)] */ struct PAC_SIGNATURE_DATA kdc_cksum;/* [case(PAC_TYPE_KDC_CHECKSUM)] */ struct PAC_LOGON_NAME logon_name;/* [case(PAC_TYPE_LOGON_NAME)] */ @@ -105,6 +102,14 @@ struct PAC_DATA_RAW { struct PAC_BUFFER_RAW *buffers; }/* [public] */; +struct PAC_Validate { + uint32_t MessageType;/* [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] */ + uint32_t ChecksumLength; + int32_t SignatureType; + uint32_t SignatureLength; + DATA_BLOB ChecksumAndSignature;/* [flag(LIBNDR_FLAG_REMAINING)] */ +}/* [public] */; + struct netsamlogoncache_entry { time_t timestamp; struct netr_SamInfo3 info3; @@ -134,4 +139,12 @@ struct decode_login_info { }; + +struct decode_pac_validate { + struct { + struct PAC_Validate pac_validate; + } in; + +}; + #endif /* _HEADER_krb5pac */ diff --git a/source3/librpc/gen_ndr/ndr_krb5pac.c b/source3/librpc/gen_ndr/ndr_krb5pac.c index 6e06f90a68..f9e93e5210 100644 --- a/source3/librpc/gen_ndr/ndr_krb5pac.c +++ b/source3/librpc/gen_ndr/ndr_krb5pac.c @@ -170,10 +170,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_LOGON_INFO_CTR(struct ndr_push *ndr, int { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00081001)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0xCCCCCCCC)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, NDR_ROUND(ndr_size_PAC_LOGON_INFO(r->info, ndr->flags) + 4, 8))); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000000)); NDR_CHECK(ndr_push_unique_ptr(ndr, r->info)); } if (ndr_flags & NDR_BUFFERS) { @@ -190,10 +186,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_LOGON_INFO_CTR(struct ndr_pull *ndr, int TALLOC_CTX *_mem_save_info_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->_ndr_size)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info)); if (_ptr_info) { NDR_PULL_ALLOC(ndr, r->info); @@ -216,10 +208,6 @@ _PUBLIC_ void ndr_print_PAC_LOGON_INFO_CTR(struct ndr_print *ndr, const char *na { ndr_print_struct(ndr, name, "PAC_LOGON_INFO_CTR"); ndr->depth++; - ndr_print_uint32(ndr, "unknown1", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0x00081001:r->unknown1); - ndr_print_uint32(ndr, "unknown2", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0xCCCCCCCC:r->unknown2); - ndr_print_uint32(ndr, "_ndr_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NDR_ROUND(ndr_size_PAC_LOGON_INFO(r->info, ndr->flags) + 4, 8):r->_ndr_size); - ndr_print_uint32(ndr, "unknown3", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0x00000000:r->unknown3); ndr_print_ptr(ndr, "info", r->info); ndr->depth++; if (r->info) { @@ -304,7 +292,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags int level = ndr_push_get_switch_value(ndr, r); switch (level) { case PAC_TYPE_LOGON_INFO: { - NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(ndr, NDR_SCALARS, &r->logon_info)); + { + struct ndr_push *_ndr_logon_info; + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_logon_info, 0xFFFFFC01, -1)); + NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(_ndr_logon_info, NDR_SCALARS|NDR_BUFFERS, &r->logon_info)); + NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_logon_info, 0xFFFFFC01, -1)); + } break; } case PAC_TYPE_SRV_CHECKSUM: { @@ -334,7 +327,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags int level = ndr_push_get_switch_value(ndr, r); switch (level) { case PAC_TYPE_LOGON_INFO: - NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(ndr, NDR_BUFFERS, &r->logon_info)); break; case PAC_TYPE_SRV_CHECKSUM: @@ -361,7 +353,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags if (ndr_flags & NDR_SCALARS) { switch (level) { case PAC_TYPE_LOGON_INFO: { - NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(ndr, NDR_SCALARS, &r->logon_info)); + { + struct ndr_pull *_ndr_logon_info; + NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_logon_info, 0xFFFFFC01, -1)); + NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(_ndr_logon_info, NDR_SCALARS|NDR_BUFFERS, &r->logon_info)); + NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_logon_info, 0xFFFFFC01, -1)); + } break; } case PAC_TYPE_SRV_CHECKSUM: { @@ -390,7 +387,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags if (ndr_flags & NDR_BUFFERS) { switch (level) { case PAC_TYPE_LOGON_INFO: - NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(ndr, NDR_BUFFERS, &r->logon_info)); break; case PAC_TYPE_SRV_CHECKSUM: @@ -672,6 +668,58 @@ _PUBLIC_ void ndr_print_PAC_DATA_RAW(struct ndr_print *ndr, const char *name, co ndr->depth--; } +_PUBLIC_ enum ndr_err_code ndr_push_PAC_Validate(struct ndr_push *ndr, int ndr_flags, const struct PAC_Validate *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, NETLOGON_GENERIC_KRB5_PAC_VALIDATE)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->ChecksumLength)); + NDR_CHECK(ndr_push_int32(ndr, NDR_SCALARS, r->SignatureType)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->SignatureLength)); + { + uint32_t _flags_save_DATA_BLOB = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING); + NDR_CHECK(ndr_push_DATA_BLOB(ndr, NDR_SCALARS, r->ChecksumAndSignature)); + ndr->flags = _flags_save_DATA_BLOB; + } + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_PAC_Validate(struct ndr_pull *ndr, int ndr_flags, struct PAC_Validate *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MessageType)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ChecksumLength)); + NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->SignatureType)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SignatureLength)); + { + uint32_t _flags_save_DATA_BLOB = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING); + NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->ChecksumAndSignature)); + ndr->flags = _flags_save_DATA_BLOB; + } + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_PAC_Validate(struct ndr_print *ndr, const char *name, const struct PAC_Validate *r) +{ + ndr_print_struct(ndr, name, "PAC_Validate"); + ndr->depth++; + ndr_print_uint32(ndr, "MessageType", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NETLOGON_GENERIC_KRB5_PAC_VALIDATE:r->MessageType); + ndr_print_uint32(ndr, "ChecksumLength", r->ChecksumLength); + ndr_print_int32(ndr, "SignatureType", r->SignatureType); + ndr_print_uint32(ndr, "SignatureLength", r->SignatureLength); + ndr_print_DATA_BLOB(ndr, "ChecksumAndSignature", r->ChecksumAndSignature); + ndr->depth--; +} + _PUBLIC_ enum ndr_err_code ndr_push_netsamlogoncache_entry(struct ndr_push *ndr, int ndr_flags, const struct netsamlogoncache_entry *r) { if (ndr_flags & NDR_SCALARS) { @@ -830,6 +878,47 @@ _PUBLIC_ void ndr_print_decode_login_info(struct ndr_print *ndr, const char *nam ndr->depth--; } +static enum ndr_err_code ndr_push_decode_pac_validate(struct ndr_push *ndr, int flags, const struct decode_pac_validate *r) +{ + if (flags & NDR_IN) { + NDR_CHECK(ndr_push_PAC_Validate(ndr, NDR_SCALARS, &r->in.pac_validate)); + } + if (flags & NDR_OUT) { + } + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_decode_pac_validate(struct ndr_pull *ndr, int flags, struct decode_pac_validate *r) +{ + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_PAC_Validate(ndr, NDR_SCALARS, &r->in.pac_validate)); + } + if (flags & NDR_OUT) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_decode_pac_validate(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_validate *r) +{ + ndr_print_struct(ndr, name, "decode_pac_validate"); + ndr->depth++; + if (flags & NDR_SET_VALUES) { + ndr->flags |= LIBNDR_PRINT_SET_VALUES; + } + if (flags & NDR_IN) { + ndr_print_struct(ndr, "in", "decode_pac_validate"); + ndr->depth++; + ndr_print_PAC_Validate(ndr, "pac_validate", &r->in.pac_validate); + ndr->depth--; + } + if (flags & NDR_OUT) { + ndr_print_struct(ndr, "out", "decode_pac_validate"); + ndr->depth++; + ndr->depth--; + } + ndr->depth--; +} + static const struct ndr_interface_call krb5pac_calls[] = { { "decode_pac", @@ -855,6 +944,14 @@ static const struct ndr_interface_call krb5pac_calls[] = { (ndr_print_function_t) ndr_print_decode_login_info, false, }, + { + "decode_pac_validate", + sizeof(struct decode_pac_validate), + (ndr_push_flags_fn_t) ndr_push_decode_pac_validate, + (ndr_pull_flags_fn_t) ndr_pull_decode_pac_validate, + (ndr_print_function_t) ndr_print_decode_pac_validate, + false, + }, { NULL, 0, NULL, NULL, NULL, false } }; @@ -884,7 +981,7 @@ const struct ndr_interface_table ndr_table_krb5pac = { NDR_KRB5PAC_VERSION }, .helpstring = NDR_KRB5PAC_HELPSTRING, - .num_calls = 3, + .num_calls = 4, .calls = krb5pac_calls, .endpoints = &krb5pac_endpoints, .authservices = &krb5pac_authservices diff --git a/source3/librpc/gen_ndr/ndr_krb5pac.h b/source3/librpc/gen_ndr/ndr_krb5pac.h index 7f03106879..bf09e3fad5 100644 --- a/source3/librpc/gen_ndr/ndr_krb5pac.h +++ b/source3/librpc/gen_ndr/ndr_krb5pac.h @@ -17,7 +17,9 @@ extern const struct ndr_interface_table ndr_table_krb5pac; #define NDR_DECODE_LOGIN_INFO (0x02) -#define NDR_KRB5PAC_CALL_COUNT (3) +#define NDR_DECODE_PAC_VALIDATE (0x03) + +#define NDR_KRB5PAC_CALL_COUNT (4) void ndr_print_PAC_LOGON_NAME(struct ndr_print *ndr, const char *name, const struct PAC_LOGON_NAME *r); enum ndr_err_code ndr_push_PAC_SIGNATURE_DATA(struct ndr_push *ndr, int ndr_flags, const struct PAC_SIGNATURE_DATA *r); enum ndr_err_code ndr_pull_PAC_SIGNATURE_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_SIGNATURE_DATA *r); @@ -46,10 +48,14 @@ void ndr_print_PAC_BUFFER_RAW(struct ndr_print *ndr, const char *name, const str enum ndr_err_code ndr_push_PAC_DATA_RAW(struct ndr_push *ndr, int ndr_flags, const struct PAC_DATA_RAW *r); enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r); void ndr_print_PAC_DATA_RAW(struct ndr_print *ndr, const char *name, const struct PAC_DATA_RAW *r); +enum ndr_err_code ndr_push_PAC_Validate(struct ndr_push *ndr, int ndr_flags, const struct PAC_Validate *r); +enum ndr_err_code ndr_pull_PAC_Validate(struct ndr_pull *ndr, int ndr_flags, struct PAC_Validate *r); +void ndr_print_PAC_Validate(struct ndr_print *ndr, const char *name, const struct PAC_Validate *r); enum ndr_err_code ndr_push_netsamlogoncache_entry(struct ndr_push *ndr, int ndr_flags, const struct netsamlogoncache_entry *r); enum ndr_err_code ndr_pull_netsamlogoncache_entry(struct ndr_pull *ndr, int ndr_flags, struct netsamlogoncache_entry *r); void ndr_print_netsamlogoncache_entry(struct ndr_print *ndr, const char *name, const struct netsamlogoncache_entry *r); void ndr_print_decode_pac(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac *r); void ndr_print_decode_pac_raw(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_raw *r); void ndr_print_decode_login_info(struct ndr_print *ndr, const char *name, int flags, const struct decode_login_info *r); +void ndr_print_decode_pac_validate(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_validate *r); #endif /* _HEADER_NDR_krb5pac */ diff --git a/source3/librpc/idl/krb5pac.idl b/source3/librpc/idl/krb5pac.idl deleted file mode 100644 index c039502d23..0000000000 --- a/source3/librpc/idl/krb5pac.idl +++ /dev/null @@ -1,120 +0,0 @@ -/* - krb5 PAC -*/ - -#include "idl_types.h" - -import "security.idl", "netlogon.idl", "samr.idl"; - -[ - uuid("12345778-1234-abcd-0000-00000000"), - version(0.0), - pointer_default(unique), - helpstring("Active Directory KRB5 PAC") -] -interface krb5pac -{ - typedef struct { - NTTIME logon_time; - [value(2*strlen_m(account_name))] uint16 size; - [charset(UTF16)] uint8 account_name[size]; - } PAC_LOGON_NAME; - - typedef [public,flag(NDR_PAHEX)] struct { - uint32 type; - [flag(NDR_REMAINING)] DATA_BLOB signature; - } PAC_SIGNATURE_DATA; - - typedef [gensize] struct { - netr_SamInfo3 info3; - dom_sid2 *res_group_dom_sid; - samr_RidWithAttributeArray res_groups; - } PAC_LOGON_INFO; - - typedef struct { - [value(2*strlen_m(upn_name))] uint16 upn_size; - uint16 upn_offset; - [value(2*strlen_m(domain_name))] uint16 domain_size; - uint16 domain_offset; - uint16 unknown3; /* 0x01 */ - uint16 unknown4; - uint32 unknown5; - [charset(UTF16)] uint8 upn_name[upn_size+2]; - [charset(UTF16)] uint8 domain_name[domain_size+2]; - uint32 unknown6; /* padding */ - } PAC_UNKNOWN_12; - - typedef [public] struct { - [value(0x00081001)] uint32 unknown1; - [value(0xCCCCCCCC)] uint32 unknown2; - [value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info, ndr->flags)+4,8))] uint32 _ndr_size; - [value(0x00000000)] uint32 unknown3; - PAC_LOGON_INFO *info; - } PAC_LOGON_INFO_CTR; - - typedef [public,v1_enum] enum { - PAC_TYPE_LOGON_INFO = 1, - PAC_TYPE_SRV_CHECKSUM = 6, - PAC_TYPE_KDC_CHECKSUM = 7, - PAC_TYPE_LOGON_NAME = 10, - PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UNKNOWN_12 = 12 - } PAC_TYPE; - - typedef struct { - [flag(NDR_REMAINING)] DATA_BLOB remaining; - } DATA_BLOB_REM; - - typedef [public,nodiscriminant,gensize] union { - [case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO_CTR logon_info; - [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum; - [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum; - [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name; - [default] [subcontext(0)] DATA_BLOB_REM unknown; - /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */ - } PAC_INFO; - - typedef [public,nopush,nopull,noprint] struct { - PAC_TYPE type; - [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size; - [relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info; - [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */ - } PAC_BUFFER; - - typedef [public] struct { - uint32 num_buffers; - uint32 version; - PAC_BUFFER buffers[num_buffers]; - } PAC_DATA; - - typedef [public] struct { - PAC_TYPE type; - uint32 ndr_size; - [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info; - [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */ - } PAC_BUFFER_RAW; - - typedef [public] struct { - uint32 num_buffers; - uint32 version; - PAC_BUFFER_RAW buffers[num_buffers]; - } PAC_DATA_RAW; - - void decode_pac( - [in] PAC_DATA pac - ); - - void decode_pac_raw( - [in] PAC_DATA_RAW pac - ); - - void decode_login_info( - [in] PAC_LOGON_INFO logon_info - ); - - /* used for samba3 netsamlogon cache */ - typedef [public] struct { - time_t timestamp; - netr_SamInfo3 info3; - } netsamlogoncache_entry; -} diff --git a/source4/heimdal/kpasswd/kpasswd.c b/source4/heimdal/kpasswd/kpasswd.c new file mode 100644 index 0000000000..b844628f6f --- /dev/null +++ b/source4/heimdal/kpasswd/kpasswd.c @@ -0,0 +1,247 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kpasswd_locl.h" +RCSID("$Id: kpasswd.c 19078 2006-11-20 18:12:41Z lha $"); + +static int version_flag; +static int help_flag; +static char *admin_principal_str; +static char *cred_cache_str; + +static struct getargs args[] = { + { "admin-principal", 0, arg_string, &admin_principal_str }, + { "cache", 'c', arg_string, &cred_cache_str }, + { "version", 0, arg_flag, &version_flag }, + { "help", 0, arg_flag, &help_flag } +}; + +static void +usage (int ret, struct getargs *a, int num_args) +{ + arg_printusage (a, num_args, NULL, "[principal ...]"); + exit (ret); +} + +static int +change_password(krb5_context context, + krb5_principal principal, + krb5_ccache id) +{ + krb5_data result_code_string, result_string; + int result_code; + krb5_error_code ret; + char pwbuf[BUFSIZ]; + char *msg, *name; + + krb5_data_zero (&result_code_string); + krb5_data_zero (&result_string); + + name = msg = NULL; + if (principal == NULL) + asprintf(&msg, "New password: "); + else { + ret = krb5_unparse_name(context, principal, &name); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + asprintf(&msg, "New password for %s: ", name); + } + + if (msg == NULL) + krb5_errx (context, 1, "out of memory"); + + ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1); + free(msg); + if (name) + free(name); + if (ret != 0) { + return 1; + } + + ret = krb5_set_password_using_ccache (context, id, pwbuf, + principal, + &result_code, + &result_code_string, + &result_string); + if (ret) { + krb5_warn (context, ret, "krb5_set_password_using_ccache"); + return 1; + } + + printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code), + result_string.length > 0 ? " : " : "", + (int)result_string.length, + result_string.length > 0 ? (char *)result_string.data : ""); + + krb5_data_free (&result_code_string); + krb5_data_free (&result_string); + + return ret != 0; +} + + +int +main (int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_principal principal; + int optind = 0; + krb5_get_init_creds_opt *opt; + krb5_ccache id = NULL; + int exit_value; + + optind = krb5_program_setup(&context, argc, argv, + args, sizeof(args) / sizeof(args[0]), usage); + + if (help_flag) + usage (0, args, sizeof(args) / sizeof(args[0])); + + if(version_flag){ + print_version (NULL); + exit(0); + } + + argc -= optind; + argv += optind; + + ret = krb5_init_context (&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + ret = krb5_get_init_creds_opt_alloc (context, &opt); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); + + krb5_get_init_creds_opt_set_tkt_life (opt, 300); + krb5_get_init_creds_opt_set_forwardable (opt, FALSE); + krb5_get_init_creds_opt_set_proxiable (opt, FALSE); + + if (cred_cache_str) { + ret = krb5_cc_resolve(context, cred_cache_str, &id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_resolve"); + } else { + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_gen_new"); + } + + if (cred_cache_str == NULL) { + krb5_principal admin_principal = NULL; + krb5_creds cred; + + if (admin_principal_str) { + ret = krb5_parse_name (context, admin_principal_str, + &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + } else if (argc == 1) { + ret = krb5_parse_name (context, argv[0], &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + } else { + ret = krb5_get_default_principal (context, &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_get_default_principal"); + } + + ret = krb5_get_init_creds_password (context, + &cred, + admin_principal, + NULL, + krb5_prompter_posix, + NULL, + 0, + "kadmin/changepw", + opt); + switch (ret) { + case 0: + break; + case KRB5_LIBOS_PWDINTR : + return 1; + case KRB5KRB_AP_ERR_BAD_INTEGRITY : + case KRB5KRB_AP_ERR_MODIFIED : + krb5_errx(context, 1, "Password incorrect"); + break; + default: + krb5_err(context, 1, ret, "krb5_get_init_creds"); + } + + krb5_get_init_creds_opt_free(context, opt); + + ret = krb5_cc_initialize(context, id, admin_principal); + krb5_free_principal(context, admin_principal); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_store_cred(context, id, &cred); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_store_cred"); + + krb5_free_cred_contents (context, &cred); + } + + if (argc == 0) { + exit_value = change_password(context, NULL, id); + } else { + exit_value = 0; + + while (argc-- > 0) { + + ret = krb5_parse_name (context, argv[0], &principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + + ret = change_password(context, principal, id); + if (ret) + exit_value = 1; + krb5_free_principal(context, principal); + argv++; + } + } + + if (cred_cache_str == NULL) { + ret = krb5_cc_destroy(context, id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_destroy"); + } else { + ret = krb5_cc_close(context, id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_close"); + } + + krb5_free_context (context); + return ret; +} diff --git a/source4/heimdal/kpasswd/kpasswd_locl.h b/source4/heimdal/kpasswd/kpasswd_locl.h new file mode 100644 index 0000000000..b797ceb26d --- /dev/null +++ b/source4/heimdal/kpasswd/kpasswd_locl.h @@ -0,0 +1,104 @@ +/* + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: kpasswd_locl.h 11444 2002-09-10 20:03:49Z joda $ */ + +#ifndef __KPASSWD_LOCL_H__ +#define __KPASSWD_LOCL_H__ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_FCNTL_H +#include <fcntl.h> +#endif +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif +#ifdef HAVE_UNISTD_H +#include <unistd.h> +#endif +#ifdef HAVE_PWD_H +#include <pwd.h> +#endif +#ifdef HAVE_SYS_TIME_H +#include <sys/time.h> +#endif +#ifdef HAVE_SYS_SELECT_H +#include <sys/select.h> +#endif +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif +#ifdef HAVE_NETINET_IN6_H +#include <netinet/in6.h> +#endif +#ifdef HAVE_NETINET6_IN6_H +#include <netinet6/in6.h> +#endif + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif +#ifdef HAVE_ERRNO_H +#include <errno.h> +#endif +#ifdef HAVE_DLFCN_H +#include <dlfcn.h> +#endif +#ifdef HAVE_UTIL_H +#include <util.h> +#endif +#ifdef HAVE_LIBUTIL_H +#include <libutil.h> +#endif +#include <err.h> +#include <roken.h> +#include <getarg.h> +#include <krb5.h> +#include "crypto-headers.h" /* for des_read_pw_string */ + +#endif /* __KPASSWD_LOCL_H__ */ diff --git a/source4/heimdal/lib/krb5/prog_setup.c b/source4/heimdal/lib/krb5/prog_setup.c new file mode 100644 index 0000000000..0586155ac4 --- /dev/null +++ b/source4/heimdal/lib/krb5/prog_setup.c @@ -0,0 +1,66 @@ +/* + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include <getarg.h> +#include <err.h> + +RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $"); + +void KRB5_LIB_FUNCTION +krb5_std_usage(int code, struct getargs *args, int num_args) +{ + arg_printusage(args, num_args, NULL, ""); + exit(code); +} + +int KRB5_LIB_FUNCTION +krb5_program_setup(krb5_context *context, int argc, char **argv, + struct getargs *args, int num_args, + void (*usage)(int, struct getargs*, int)) +{ + krb5_error_code ret; + int optidx = 0; + + if(usage == NULL) + usage = krb5_std_usage; + + setprogname(argv[0]); + ret = krb5_init_context(context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + if(getarg(args, num_args, argc, argv, &optidx)) + (*usage)(1, args, num_args); + return optidx; +} diff --git a/source4/heimdal/lib/roken/rkpty.c b/source4/heimdal/lib/roken/rkpty.c new file mode 100644 index 0000000000..e29b2c5aca --- /dev/null +++ b/source4/heimdal/lib/roken/rkpty.c @@ -0,0 +1,336 @@ +/* + * Copyright (c) 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_SYS_WAIT_H +#include <sys/wait.h> +#endif +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#ifdef HAVE_PTY_H +#include <pty.h> +#endif +#ifdef HAVE_UTIL_H +#include <util.h> +#endif + +#include "roken.h" +#include <getarg.h> + +struct command { + enum { CMD_EXPECT = 0, CMD_SEND, CMD_PASSWORD } type; + unsigned int lineno; + char *str; + struct command *next; +}; + +/* + * + */ + +static struct command *commands, **next = &commands; + +static sig_atomic_t alarmset = 0; + +static int timeout = 10; +static int verbose; +static int help_flag; +static int version_flag; + +static int master; +static int slave; +static char line[256] = { 0 }; + +static void +caught_signal(int signo) +{ + alarmset = signo; +} + + +static void +open_pty(void) +{ +#if defined(HAVE_OPENPTY) || defined(__linux) || defined(__osf__) /* XXX */ + if(openpty(&master, &slave, line, 0, 0) == 0) + return; +#endif /* HAVE_OPENPTY .... */ + /* more cases, like open /dev/ptmx, etc */ + + exit(77); +} + +/* + * + */ + +static char * +iscmd(const char *buf, const char *s) +{ + size_t len = strlen(s); + if (strncmp(buf, s, len) != 0) + return NULL; + return estrdup(buf + len); +} + +static void +parse_configuration(const char *fn) +{ + struct command *c; + char s[1024]; + char *str; + unsigned int lineno = 0; + FILE *cmd; + + cmd = fopen(fn, "r"); + if (cmd == NULL) + err(1, "open: %s", fn); + + while (fgets(s, sizeof(s), cmd) != NULL) { + + s[strcspn(s, "#\n")] = '\0'; + lineno++; + + c = calloc(1, sizeof(*c)); + if (c == NULL) + errx(1, "malloc"); + + c->lineno = lineno; + (*next) = c; + next = &(c->next); + + if ((str = iscmd(s, "expect ")) != NULL) { + c->type = CMD_EXPECT; + c->str = str; + } else if ((str = iscmd(s, "send ")) != NULL) { + c->type = CMD_SEND; + c->str = str; + } else if ((str = iscmd(s, "password ")) != NULL) { + c->type = CMD_PASSWORD; + c->str = str; + } else + errx(1, "Invalid command on line %d: %s", lineno, s); + } + + fclose(cmd); +} + + +/* + * + */ + +static int +eval_parent(pid_t pid) +{ + struct command *c; + char in; + size_t len = 0; + ssize_t sret; + + for (c = commands; c != NULL; c = c->next) { + switch(c->type) { + case CMD_EXPECT: + if (verbose) + printf("[expecting %s]", c->str); + len = 0; + alarm(timeout); + while((sret = read(master, &in, sizeof(in))) > 0) { + alarm(timeout); + printf("%c", in); + if (c->str[len] != in) { + len = 0; + continue; + } + len++; + if (c->str[len] == '\0') + break; + } + alarm(0); + if (alarmset == SIGALRM) + errx(1, "timeout waiting for %s (line %u)", + c->str, c->lineno); + else if (alarmset) + errx(1, "got a signal %d waiting for %s (line %u)", + alarmset, c->str, c->lineno); + if (sret <= 0) + errx(1, "end command while waiting for %s (line %u)", + c->str, c->lineno); + break; + case CMD_SEND: + case CMD_PASSWORD: { + size_t i = 0; + const char *msg = (c->type == CMD_PASSWORD) ? "****" : c->str; + + if (verbose) + printf("[send %s]", msg); + + len = strlen(c->str); + + while (i < len) { + if (c->str[i] == '\\' && i < len - 1) { + char ctrl; + i++; + switch(c->str[i]) { + case 'n': ctrl = '\n'; break; + case 'r': ctrl = '\r'; break; + case 't': ctrl = '\t'; break; + default: + errx(1, "unknown control char %c (line %u)", + c->str[i], c->lineno); + } + if (net_write(master, &ctrl, 1) != 1) + errx(1, "command refused input (line %u)", c->lineno); + } else { + if (net_write(master, &c->str[i], 1) != 1) + errx(1, "command refused input (line %u)", c->lineno); + } + i++; + } + break; + } + default: + abort(); + } + } + while(read(master, &in, sizeof(in)) > 0) + printf("%c", in); + + if (verbose) + printf("[end of program]\n"); + + /* + * Fetch status from child + */ + { + int ret, status; + + ret = waitpid(pid, &status, 0); + if (ret == -1) + err(1, "waitpid"); + if (WIFEXITED(status) && WEXITSTATUS(status)) + return WEXITSTATUS(status); + else if (WIFSIGNALED(status)) { + printf("killed by signal: %d\n", WTERMSIG(status)); + return 1; + } + } + return 0; +} + +/* + * + */ + +static struct getargs args[] = { + { "timeout", 't', arg_integer, &timeout, "timout", "seconds" }, + { "verbose", 'v', arg_counter, &verbose, "verbose debugging" }, + { "version", 0, arg_flag, &version_flag, "print version" }, + { "help", 0, arg_flag, &help_flag, NULL } +}; + +static void +usage(int ret) +{ + arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "infile command.."); + exit (ret); +} + +int +main(int argc, char **argv) +{ + int optidx = 0; + pid_t pid; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if (version_flag) { + fprintf (stderr, "%s from %s-%s\n", getprogname(), PACKAGE, VERSION); + return 0; + } + + argv += optidx; + argc -= optidx; + + if (argc < 2) + usage(1); + + parse_configuration(argv[0]); + + argv += 1; + argc -= 1; + + open_pty(); + + pid = fork(); + switch (pid) { + case -1: + err(1, "Failed to fork"); + case 0: + + if(setsid()<0) + err(1, "setsid"); + + dup2(slave, STDIN_FILENO); + dup2(slave, STDOUT_FILENO); + dup2(slave, STDERR_FILENO); + closefrom(STDERR_FILENO + 1); + + execvp(argv[0], argv); /* add NULL to end of array ? */ + err(1, "Failed to exec: %s", argv[0]); + default: + close(slave); + { + struct sigaction sa; + + sa.sa_handler = caught_signal; + sa.sa_flags = 0; + sigemptyset (&sa.sa_mask); + + sigaction(SIGALRM, &sa, NULL); + } + + return eval_parent(pid); + } +} diff --git a/source4/heimdal_build/internal.m4 b/source4/heimdal_build/internal.m4 index 038c4d9417..06e798ce27 100644 --- a/source4/heimdal_build/internal.m4 +++ b/source4/heimdal_build/internal.m4 @@ -49,6 +49,7 @@ AC_CHECK_HEADERS([ \ errno.h \ inttypes.h \ netdb.h \ + pty.h \ signal.h \ sys/bswap.h \ sys/file.h \ @@ -158,6 +159,13 @@ m4_include(heimdal/cf/find-func-no-libs.m4) m4_include(heimdal/cf/find-func-no-libs2.m4) m4_include(heimdal/cf/resolv.m4) + +AC_CHECK_LIB_EXT(util, OPENPTY_LIBS, openpty) + +SMB_ENABLE(OPENPTY,YES) + +SMB_EXT_LIB(OPENPTY,[${OPENPTY_LIBS}],[${OPENPTY_CFLAGS}],[${OPENPTY_CPPFLAGS}],[${OPENPTY_LDFLAGS}]) + smb_save_LIBS=$LIBS RESOLV_LIBS="" LIBS="" diff --git a/source4/heimdal_build/internal.mk b/source4/heimdal_build/internal.mk index 67fda9dd58..7b1c9f5153 100644 --- a/source4/heimdal_build/internal.mk +++ b/source4/heimdal_build/internal.mk @@ -322,6 +322,7 @@ HEIMDAL_KRB5_OBJ_FILES = \ $(heimdalsrcdir)/lib/krb5/pkinit.o \ $(heimdalsrcdir)/lib/krb5/plugin.o \ $(heimdalsrcdir)/lib/krb5/principal.o \ + $(heimdalsrcdir)/lib/krb5/prog_setup.o \ $(heimdalsrcdir)/lib/krb5/pac.o \ $(heimdalsrcdir)/lib/krb5/prompter_posix.o \ $(heimdalsrcdir)/lib/krb5/rd_cred.o \ @@ -600,6 +601,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \ $(heimdalsrcdir)/lib/roken/dumpdata.o \ $(heimdalsrcdir)/lib/roken/emalloc.o \ $(heimdalsrcdir)/lib/roken/ecalloc.o \ + $(heimdalsrcdir)/lib/roken/getarg.o \ $(heimdalsrcdir)/lib/roken/get_window_size.o \ $(heimdalsrcdir)/lib/roken/h_errno.o \ $(heimdalsrcdir)/lib/roken/issuid.o \ @@ -612,6 +614,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \ $(heimdalsrcdir)/lib/roken/roken_gethostby.o \ $(heimdalsrcdir)/lib/roken/signal.o \ $(heimdalsrcdir)/lib/roken/vis.o \ + $(heimdalsrcdir)/lib/roken/setprogname.o \ $(heimdalsrcdir)/lib/roken/strlwr.o \ $(heimdalsrcdir)/lib/roken/strsep_copy.o \ $(heimdalsrcdir)/lib/roken/strsep.o \ @@ -677,8 +680,6 @@ dist:: $(heimdalsrcdir)/lib/asn1/lex.c asn1_compile_OBJ_FILES = \ $(asn1_compile_ASN1_OBJ_FILES) \ $(heimdalsrcdir)/lib/roken/emalloc.ho \ - $(heimdalsrcdir)/lib/roken/getarg.ho \ - $(heimdalsrcdir)/lib/roken/setprogname.ho \ $(heimdalsrcdir)/lib/roken/strupr.ho \ $(heimdalsrcdir)/lib/roken/get_window_size.ho \ $(heimdalsrcdir)/lib/roken/estrdup.ho \ @@ -713,10 +714,8 @@ compile_et_OBJ_FILES = $(heimdalsrcdir)/lib/vers/print_version.ho \ $(heimdalsrcdir)/lib/com_err/parse.ho \ $(heimdalsrcdir)/lib/com_err/lex.ho \ $(heimdalsrcdir)/lib/com_err/compile_et.ho \ - $(heimdalsrcdir)/lib/roken/getarg.ho \ $(heimdalsrcdir)/lib/roken/get_window_size.ho \ $(heimdalsrcdir)/lib/roken/strupr.ho \ - $(heimdalsrcdir)/lib/roken/setprogname.ho \ $(socketwrappersrcdir)/socket_wrapper.ho \ $(heimdalbuildsrcdir)/replace.ho @@ -761,8 +760,30 @@ PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM ####################### samba4kinit_OBJ_FILES = $(heimdalsrcdir)/kuser/kinit.o \ - $(heimdalsrcdir)/lib/vers/print_version.o \ - $(heimdalsrcdir)/lib/roken/setprogname.o \ - $(heimdalsrcdir)/lib/roken/getarg.o + $(heimdalsrcdir)/lib/vers/print_version.o $(samba4kinit_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken + +####################### +# Start BINARY compile_et +[BINARY::samba4kpasswd] +PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM +# End BINARY compile_et +####################### + +samba4kpasswd_OBJ_FILES = $(heimdalsrcdir)/kpasswd/kpasswd.o \ + $(heimdalsrcdir)/lib/vers/print_version.o + +$(samba4kpasswd_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken + +####################### +# Start BINARY compile_et +[BINARY::rkpty] +PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN OPENPTY +# End BINARY compile_et +####################### + +rkpty_OBJ_FILES = $(heimdalsrcdir)/lib/roken/rkpty.o \ + $(socketwrappersrcdir)/socket_wrapper.o + +$(rkpty_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken -DPACKAGE=\"Samba\" diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index cf6dbf0c93..45fa803d04 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -657,6 +657,11 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, } +static struct hdb_method hdb_samba4 = { + .interface_version = HDB_INTERFACE_VERSION, + .prefix = "samba4:", + .create = hdb_samba4_create +}; /* startup the kdc task @@ -667,11 +672,6 @@ static void kdc_task_init(struct task_server *task) NTSTATUS status; krb5_error_code ret; struct interface *ifaces; - struct hdb_method hdb_samba4 = { - .interface_version = HDB_INTERFACE_VERSION, - .prefix = "samba4:", - .create = hdb_samba4_create - }; switch (lp_server_role(task->lp_ctx)) { case ROLE_STANDALONE: diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index dd9791d894..8745385a10 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -263,11 +263,12 @@ import "misc.idl", "security.idl"; LSA_POLICY_INFO_ROLE=6, LSA_POLICY_INFO_REPLICA=7, LSA_POLICY_INFO_QUOTA=8, - LSA_POLICY_INFO_DB=9, + LSA_POLICY_INFO_MOD=9, LSA_POLICY_INFO_AUDIT_FULL_SET=10, LSA_POLICY_INFO_AUDIT_FULL_QUERY=11, LSA_POLICY_INFO_DNS=12, - LSA_POLICY_INFO_DNS_INT=13 + LSA_POLICY_INFO_DNS_INT=13, + LSA_POLICY_INFO_L_ACCOUNT_DOMAIN=14 } lsa_PolicyInfo; typedef [switch_type(uint16)] union { @@ -279,11 +280,12 @@ import "misc.idl", "security.idl"; [case(LSA_POLICY_INFO_ROLE)] lsa_ServerRole role; [case(LSA_POLICY_INFO_REPLICA)] lsa_ReplicaSourceInfo replica; [case(LSA_POLICY_INFO_QUOTA)] lsa_DefaultQuotaInfo quota; - [case(LSA_POLICY_INFO_DB)] lsa_ModificationInfo db; + [case(LSA_POLICY_INFO_MOD)] lsa_ModificationInfo mod; [case(LSA_POLICY_INFO_AUDIT_FULL_SET)] lsa_AuditFullSetInfo auditfullset; [case(LSA_POLICY_INFO_AUDIT_FULL_QUERY)] lsa_AuditFullQueryInfo auditfullquery; [case(LSA_POLICY_INFO_DNS)] lsa_DnsDomainInfo dns; [case(LSA_POLICY_INFO_DNS_INT)] lsa_DnsDomainInfo dns; + [case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain; } lsa_PolicyInformation; NTSTATUS lsa_QueryInfoPolicy ( @@ -512,23 +514,39 @@ import "misc.idl", "security.idl"; /* Function: 0x16 */ [todo] NTSTATUS lsa_SetQuotasForAccount(); + typedef [bitmap32bit] bitmap { + LSA_POLICY_MODE_INTERACTIVE = 0x00000001, + LSA_POLICY_MODE_NETWORK = 0x00000002, + LSA_POLICY_MODE_BATCH = 0x00000004, + LSA_POLICY_MODE_SERVICE = 0x00000010, + LSA_POLICY_MODE_PROXY = 0x00000020, + LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, + LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, + LSA_POLICY_MODE_DENY_BATCH = 0x00000100, + LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, + LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, + LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, + LSA_POLICY_MODE_ALL = 0x00000FF7, + LSA_POLICY_MODE_ALL_NT4 = 0x00000037 + } lsa_SystemAccessModeFlags; + /* Function: 0x17 */ NTSTATUS lsa_GetSystemAccessAccount( - [in] policy_handle *handle, + [in] policy_handle *handle, [out,ref] uint32 *access_mask ); /* Function: 0x18 */ NTSTATUS lsa_SetSystemAccessAccount( - [in] policy_handle *handle, - [in] uint32 access_mask + [in] policy_handle *handle, + [in] uint32 access_mask ); /* Function: 0x19 */ NTSTATUS lsa_OpenTrustedDomain( [in] policy_handle *handle, [in] dom_sid2 *sid, - [in] uint32 access_mask, + [in] uint32 access_mask, [out] policy_handle *trustdom_handle ); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 4c596f1f03..b009d2f2f8 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -399,7 +399,6 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal return WERR_INVALID_PARAM; } - /* fill in the AccountDomain info */ @@ -462,9 +461,15 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, /* we don't need to fill in any of this */ ZERO_STRUCT(r->out.info->pd); return NT_STATUS_OK; + case LSA_POLICY_INFO_DOMAIN: + return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->domain); case LSA_POLICY_INFO_ACCOUNT_DOMAIN: return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain); + case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: + return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->l_account_domain); + + case LSA_POLICY_INFO_ROLE: r->out.info->role.role = LSA_ROLE_PRIMARY; return NT_STATUS_OK; @@ -481,8 +486,8 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, ZERO_STRUCT(r->out.info->quota); return NT_STATUS_OK; + case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: - case LSA_POLICY_INFO_DB: case LSA_POLICY_INFO_AUDIT_FULL_QUERY: /* windows gives INVALID_PARAMETER */ r->out.info = NULL; @@ -2050,7 +2055,36 @@ static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_cal static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct lsa_GetSystemAccessAccount *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + int i; + NTSTATUS status; + struct lsa_EnumPrivsAccount enumPrivs; + + enumPrivs.in.handle = r->in.handle; + + status = dcesrv_lsa_EnumPrivsAccount(dce_call, mem_ctx, &enumPrivs); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *(r->out.access_mask) = 0x00000000; + + for (i = 0; i < enumPrivs.out.privs->count; i++) { + int priv = enumPrivs.out.privs->set[i].luid.low; + + switch (priv) { + case SEC_PRIV_INTERACTIVE_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_INTERACTIVE; + break; + case SEC_PRIV_NETWORK_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_NETWORK; + break; + case SEC_PRIV_REMOTE_INTERACTIVE_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_REMOTE_INTERACTIVE; + break; + } + } + + return NT_STATUS_OK; } diff --git a/source4/script/mkrelease.sh b/source4/script/mkrelease.sh index 0af738deb5..6a8c5ae2e7 100755 --- a/source4/script/mkrelease.sh +++ b/source4/script/mkrelease.sh @@ -1,6 +1,6 @@ #!/bin/sh -if [ ! -d ".git" -o `dirname $0` != "./source/script" ]; then +if [ ! -d ".git" -o `dirname $0` != "./source4/script" ]; then echo "Run this script from the top-level directory in the" echo "repository as: ./source/script/mkrelease.sh" exit 1 @@ -9,13 +9,23 @@ fi TMPDIR=`mktemp -d samba-XXXXX` (git archive --format=tar HEAD | (cd $TMPDIR/ && tar xf -)) -( cd $TMPDIR/source || exit 1 +#Prepare the tarball for a Samba4 release, with some generated files, +#but without Samba3 stuff (to avoid confusion) +( cd $TMPDIR/ || exit 1 + rm -rf source3 packaging docs-xml examples swat WHATSNEW.txt MAINTAINERS || exit 1 + cd source4 || exit 1 ./autogen.sh || exit 1 ./configure || exit 1 make dist || exit 1 ) || exit 1 -VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $TMPDIR/source/version.h` +VERSION_FILE=$TMPDIR/source4/version.h +if [ ! -f $VERSION_FILE ]; then + echo "Cannot find version.h at $VERSION_FILE" + exit 1; +fi + +VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $VERSION_FILE` mv $TMPDIR samba-$VERSION || exit 1 tar -cf samba-$VERSION.tar samba-$VERSION || (rm -rf samba-$VERSION; exit 1) rm -rf samba-$VERSION || exit 1 diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif index a6c591dd51..8e9b68fb30 100644 --- a/source4/setup/provision_init.ldif +++ b/source4/setup/provision_init.ldif @@ -34,6 +34,7 @@ dn: @OPTIONS checkBaseOnSearch: TRUE dn: @KLUDGEACL +passwordAttribute: clearTextPassword passwordAttribute: userPassword passwordAttribute: ntPwdHash passwordAttribute: sambaNTPwdHistory diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 245ed1e41b..69df965f19 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -46,7 +46,7 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) NTSTATUS status; uint16_t system_name = '\\'; - printf("\ntesting OpenPolicy\n"); + printf("\nTesting OpenPolicy\n"); qos.len = 0; qos.impersonation_level = 2; @@ -88,7 +88,7 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_OpenPolicy2 r; NTSTATUS status; - printf("\ntesting OpenPolicy2\n"); + printf("\nTesting OpenPolicy2\n"); *handle = talloc(mem_ctx, struct policy_handle); if (!*handle) { @@ -781,7 +781,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p, } static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle, struct lsa_LUID *luid) @@ -791,7 +791,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("Testing RemovePrivilegesFromAccount\n"); + printf("\nTesting RemovePrivilegesFromAccount\n"); r.in.handle = acct_handle; r.in.remove_all = 0; @@ -831,7 +831,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, } static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *acct_handle, struct lsa_LUID *luid) { @@ -840,7 +840,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("Testing AddPrivilegesToAccount\n"); + printf("\nTesting AddPrivilegesToAccount\n"); r.in.handle = acct_handle; r.in.privs = &privs; @@ -861,7 +861,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, } static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle) { @@ -869,7 +869,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, struct lsa_EnumPrivsAccount r; bool ret = true; - printf("Testing EnumPrivsAccount\n"); + printf("\nTesting EnumPrivsAccount\n"); r.in.handle = acct_handle; @@ -895,6 +895,60 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, return ret; } +static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p, + TALLOC_CTX *mem_ctx, + struct policy_handle *handle, + struct policy_handle *acct_handle) +{ + NTSTATUS status; + uint32_t access_mask; + struct lsa_GetSystemAccessAccount r; + + printf("\nTesting GetSystemAccessAccount\n"); + + r.in.handle = acct_handle; + r.out.access_mask = &access_mask; + + status = dcerpc_lsa_GetSystemAccessAccount(p, mem_ctx, &r); + if (!NT_STATUS_IS_OK(status)) { + printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status)); + return false; + } + + if (r.out.access_mask != NULL) { + printf("Rights:"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE) + printf(" LSA_POLICY_MODE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK) + printf(" LSA_POLICY_MODE_NETWORK"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH) + printf(" LSA_POLICY_MODE_BATCH"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE) + printf(" LSA_POLICY_MODE_SERVICE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY) + printf(" LSA_POLICY_MODE_PROXY"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE) + printf(" LSA_POLICY_MODE_DENY_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK) + printf(" LSA_POLICY_MODE_DENY_NETWORK"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH) + printf(" LSA_POLICY_MODE_DENY_BATCH"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE) + printf(" LSA_POLICY_MODE_DENY_SERVICE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE) + printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE) + printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL) + printf(" LSA_POLICY_MODE_ALL"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4) + printf(" LSA_POLICY_MODE_ALL_NT4"); + printf("\n"); + } + + return true; +} + static bool test_Delete(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle) @@ -902,7 +956,7 @@ static bool test_Delete(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_Delete r; - printf("testing Delete\n"); + printf("\nTesting Delete\n"); r.in.handle = handle; status = dcerpc_lsa_Delete(p, mem_ctx, &r); @@ -921,13 +975,13 @@ static bool test_DeleteObject(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_DeleteObject r; - printf("testing DeleteObject\n"); + printf("\nTesting DeleteObject\n"); r.in.handle = handle; r.out.handle = handle; status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("Delete failed - %s\n", nt_errstr(status)); + printf("DeleteObject failed - %s\n", nt_errstr(status)); return false; } @@ -946,7 +1000,7 @@ static bool test_CreateAccount(struct dcerpc_pipe *p, newsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-12349876-4321-2854"); - printf("Testing CreateAccount\n"); + printf("\nTesting CreateAccount\n"); r.in.handle = handle; r.in.sid = newsid; @@ -998,7 +1052,7 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsa_OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); return false; } @@ -1026,7 +1080,7 @@ static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p, status = dcerpc_lsa_DeleteTrustedDomain(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsa_DeleteTrustedDomain failed - %s\n", nt_errstr(status)); + printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status)); return false; } @@ -1072,7 +1126,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, secname[GLOBAL] = talloc_asprintf(mem_ctx, "G$torturesecret-%u", (uint_t)random()); for (i=0; i< 2; i++) { - printf("Testing CreateSecret of %s\n", secname[i]); + printf("\nTesting CreateSecret of %s\n", secname[i]); init_lsa_String(&r.in.name, secname[i]); @@ -1384,7 +1438,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p, struct lsa_EnumAccountRights r; struct lsa_RightSet rights; - printf("Testing EnumAccountRights\n"); + printf("\nTesting EnumAccountRights\n"); r.in.handle = acct_handle; r.in.sid = sid; @@ -1410,11 +1464,11 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p, struct lsa_QuerySecurity r; if (torture_setting_bool(tctx, "samba4", false)) { - printf("skipping QuerySecurity test against Samba4\n"); + printf("\nskipping QuerySecurity test against Samba4\n"); return true; } - printf("Testing QuerySecurity\n"); + printf("\nTesting QuerySecurity\n"); r.in.handle = acct_handle; r.in.sec_info = 7; @@ -1437,7 +1491,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, struct lsa_OpenAccount r; struct policy_handle acct_handle; - printf("Testing OpenAccount\n"); + printf("\nTesting OpenAccount\n"); r.in.handle = handle; r.in.sid = sid; @@ -1454,6 +1508,10 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, return false; } + if (!test_GetSystemAccessAccount(p, mem_ctx, handle, &acct_handle)) { + return false; + } + if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) { return false; } @@ -1472,7 +1530,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\ntesting EnumAccounts\n"); + printf("\nTesting EnumAccounts\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1503,7 +1561,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, * be on schannel, or we would not be able to do the * rest */ - printf("testing all accounts\n"); + printf("Testing all accounts\n"); for (i=0;i<sids1.num_sids;i++) { ret &= test_OpenAccount(p, mem_ctx, handle, sids1.sids[i].sid); ret &= test_EnumAccountRights(p, mem_ctx, handle, sids1.sids[i].sid); @@ -1515,7 +1573,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, return ret; } - printf("trying EnumAccounts partial listing (asking for 1 at 2)\n"); + printf("Trying EnumAccounts partial listing (asking for 1 at 2)\n"); resume_handle = 2; r.in.num_entries = 1; r.out.sids = &sids2; @@ -1545,7 +1603,7 @@ static bool test_LookupPrivDisplayName(struct dcerpc_pipe *p, terminals */ uint16_t language_id = (random() % 4) + 0x409; - printf("testing LookupPrivDisplayName(%s)\n", priv_name->string); + printf("\nTesting LookupPrivDisplayName(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1576,7 +1634,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p, ZERO_STRUCT(sids); - printf("testing EnumAccountsWithUserRight(%s)\n", priv_name->string); + printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1609,7 +1667,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\ntesting EnumPrivs\n"); + printf("\nTesting EnumPrivs\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1669,7 +1727,7 @@ static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p, status = dcerpc_lsa_lsaRQueryForestTrustInformation(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsaRQueryForestTrustInformation failed - %s\n", nt_errstr(status)); + printf("lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status)); ret = false; } @@ -1999,7 +2057,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, struct lsa_QueryTrustedDomainInfo q; int i; - printf("Testing CreateTrustedDomain for 12 domains\n"); + printf("\nTesting CreateTrustedDomain for 12 domains\n"); if (!test_EnumTrustDom(p, mem_ctx, handle)) { ret = false; @@ -2095,7 +2153,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, enum ndr_err_code ndr_err; int i; - printf("Testing CreateTrustedDomainEx2 for 12 domains\n"); + printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n"); status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -2226,7 +2284,7 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, r.in.handle = handle; r.in.level = i; - printf("\ntrying QueryDomainInformationPolicy level %d\n", i); + printf("\nTrying QueryDomainInformationPolicy level %d\n", i); status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r); @@ -2244,35 +2302,50 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, } -static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, - struct torture_context *tctx, - struct policy_handle *handle) +static bool test_QueryInfoPolicyCalls( bool version2, + struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle) { struct lsa_QueryInfoPolicy r; NTSTATUS status; int i; bool ret = true; - printf("\nTesting QueryInfoPolicy\n"); - for (i=1;i<=13;i++) { + if (version2) + printf("\nTesting QueryInfoPolicy2\n"); + else + printf("\nTesting QueryInfoPolicy\n"); + + for (i=1;i<=14;i++) { r.in.handle = handle; r.in.level = i; - printf("\ntrying QueryInfoPolicy level %d\n", i); + if (version2) + printf("\nTrying QueryInfoPolicy2 level %d\n", i); + else + printf("\nTrying QueryInfoPolicy level %d\n", i); - status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); + if (version2) + /* We can perform the cast, because both types are + structurally equal */ + status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, + (struct lsa_QueryInfoPolicy2*) &r); + else + status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); switch (i) { - case LSA_POLICY_INFO_DB: + case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: case LSA_POLICY_INFO_AUDIT_FULL_QUERY: if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("server should have failed level %u: %s\n", i, nt_errstr(status)); + printf("Server should have failed level %u: %s\n", i, nt_errstr(status)); ret = false; } break; case LSA_POLICY_INFO_DOMAIN: case LSA_POLICY_INFO_ACCOUNT_DOMAIN: + case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: case LSA_POLICY_INFO_DNS_INT: case LSA_POLICY_INFO_DNS: case LSA_POLICY_INFO_REPLICA: @@ -2282,7 +2355,10 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, case LSA_POLICY_INFO_AUDIT_EVENTS: case LSA_POLICY_INFO_PD: if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; @@ -2290,17 +2366,24 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, if (torture_setting_bool(tctx, "samba4", false)) { /* Other levels not implemented yet */ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } } else if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; } - if (NT_STATUS_IS_OK(status) && i == LSA_POLICY_INFO_DNS) { + if (NT_STATUS_IS_OK(status) && (i == LSA_POLICY_INFO_DNS + || i == LSA_POLICY_INFO_DNS_INT)) { /* Let's look up some of these names */ struct lsa_TransNameArray tnames; @@ -2342,63 +2425,18 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, return ret; } +static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle) +{ + return test_QueryInfoPolicyCalls(false, p, tctx, handle); +} + static bool test_QueryInfoPolicy2(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle) { - struct lsa_QueryInfoPolicy2 r; - NTSTATUS status; - int i; - bool ret = true; - printf("\nTesting QueryInfoPolicy2\n"); - for (i=1;i<13;i++) { - r.in.handle = handle; - r.in.level = i; - - printf("\ntrying QueryInfoPolicy2 level %d\n", i); - - status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, &r); - - switch (i) { - case LSA_POLICY_INFO_DB: - case LSA_POLICY_INFO_AUDIT_FULL_SET: - case LSA_POLICY_INFO_AUDIT_FULL_QUERY: - if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("server should have failed level %u: %s\n", i, nt_errstr(status)); - ret = false; - } - break; - case LSA_POLICY_INFO_DOMAIN: - case LSA_POLICY_INFO_ACCOUNT_DOMAIN: - case LSA_POLICY_INFO_DNS_INT: - case LSA_POLICY_INFO_DNS: - case LSA_POLICY_INFO_REPLICA: - case LSA_POLICY_INFO_QUOTA: - case LSA_POLICY_INFO_ROLE: - case LSA_POLICY_INFO_AUDIT_LOG: - case LSA_POLICY_INFO_AUDIT_EVENTS: - case LSA_POLICY_INFO_PD: - if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - break; - default: - if (torture_setting_bool(tctx, "samba4", false)) { - /* Other levels not implemented yet */ - if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - } else if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - break; - } - } - - return ret; + return test_QueryInfoPolicyCalls(true, p, tctx, handle); } static bool test_GetUserName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) @@ -2433,7 +2471,7 @@ bool test_lsa_Close(struct dcerpc_pipe *p, struct lsa_Close r; struct policy_handle handle2; - printf("\ntesting Close\n"); + printf("\nTesting Close\n"); r.in.handle = handle; r.out.handle = &handle2; diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index b9969e2c57..90e3d37453 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh @@ -1,7 +1,7 @@ #!/bin/sh # Blackbox tests for kinit and kerberos integration with smbclient etc # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> -# Copyright (C) 2006-2007 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> if [ $# -lt 5 ]; then cat <<EOF @@ -73,17 +73,55 @@ testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tm test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` NEWUSERPASS=testPaSS@34% -testit "change user password" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1` +testit "change user password with 'net password change' (rpc)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1` echo $NEWUSERPASS > ./tmpuserpassfile testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` + +USERPASS=$NEWUSERPASS +NEWUSERPASS=testPaSS@56% +echo $NEWUSERPASS > ./tmpuserpassfile + +cat > ./tmpkpasswdscript <<EOF +expect Password +password ${USERPASS}\n +expect New password +send ${NEWUSERPASS}\n +expect New password +send ${NEWUSERPASS}\n +expect Success +EOF + +testit "change user password with kpasswd" $samba4bindir/rkpty ./tmpkpasswdscript $samba4bindir/samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1` + +testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` + +NEWUSERPASS=testPaSS@78% +echo $NEWUSERPASS > ./tmpuserpassfile + +test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` + +cat > ./tmpkpasswdscript <<EOF +expect New password +send ${NEWUSERPASS}\n +expect New password +send ${NEWUSERPASS}\n +expect Success +EOF + +testit "set user password with kpasswd" $samba4bindir/rkpty ./tmpkpasswdscript $samba4bindir/samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr $failed + 1` + +testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` + +test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` + KRB5CCNAME="$PREFIX/tmpccache" export KRB5CCNAME testit "del user with kerberos ccache" $VALGRIND $net user delete nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1` -rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache +rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript exit $failed |