updated the LSA and NETLOGON servers with fixes resulting from the AD

plugfest in Redmond
author: Andrew Tridgell <tridge@samba.org> 2008-10-03 17:52:59 -0700
committer: Andrew Tridgell <tridge@samba.org> 2008-10-03 17:52:59 -0700
commit: ba5ef49f831dbbfec1a360cd4644999de822e2bc (patch)
tree: 2b70fa275856e976b924fb246f622b2b62b64c38 /source4/rpc_server/lsa
parent: 025ff92f59512fd530f4f68306fea77b26061682 (diff)
download: samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.tar.gz
samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.tar.bz2
samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.zip
2 files changed, 75 insertions, 14 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 7b15241b96..5e3be84cc5 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1,3 +1,5 @@
+/* need access mask/acl implementation */
+
 /* 
    Unix SMB/CIFS implementation.
 
@@ -141,7 +143,8 @@ static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALL
 
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
-		struct lsa_trusted_domain_state *trusted_domain_state = h->data;
+		struct lsa_trusted_domain_state *trusted_domain_state = 
+			talloc_get_type(h->data, struct lsa_trusted_domain_state);
 		ret = ldb_transaction_start(trusted_domain_state->policy->sam_ldb);
 		if (ret != 0) {
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -187,6 +190,9 @@ static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALL
 		r2.in.sid = astate->account_sid;
 		r2.out.rights = rights;
 
+		/* dcesrv_lsa_EnumAccountRights takes a LSA_HANDLE_POLICY,
+		   but we have a LSA_HANDLE_ACCOUNT here, so this call
+		   will always fail */
 		status = dcesrv_lsa_EnumAccountRights(dce_call, mem_ctx, &r2);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
 			return NT_STATUS_OK;
@@ -444,18 +450,46 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call,
 	ZERO_STRUCTP(r->out.info);
 
 	switch (r->in.level) {
+	case LSA_POLICY_INFO_AUDIT_LOG:
+		/* we don't need to fill in any of this */
+		ZERO_STRUCT(r->out.info->audit_log);
+		return NT_STATUS_OK;
+	case LSA_POLICY_INFO_AUDIT_EVENTS:
+		/* we don't need to fill in any of this */
+		ZERO_STRUCT(r->out.info->audit_events);
+		return NT_STATUS_OK;
+	case LSA_POLICY_INFO_PD:
+		/* we don't need to fill in any of this */
+		ZERO_STRUCT(r->out.info->pd);
+		return NT_STATUS_OK;
 	case LSA_POLICY_INFO_DOMAIN:
 	case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
 		return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain);
+	case LSA_POLICY_INFO_ROLE:
+		r->out.info->role.role = LSA_ROLE_PRIMARY;
+		return NT_STATUS_OK;
 
 	case LSA_POLICY_INFO_DNS:
+	case LSA_POLICY_INFO_DNS_INT:
 		return dcesrv_lsa_info_DNS(state, mem_ctx, &r->out.info->dns);
-	case LSA_POLICY_INFO_DB:
+
+	case LSA_POLICY_INFO_REPLICA:
+		ZERO_STRUCT(r->out.info->replica);
+		return NT_STATUS_OK;
+
+	case LSA_POLICY_INFO_QUOTA:
+		ZERO_STRUCT(r->out.info->quota);
+		return NT_STATUS_OK;
+
 	case LSA_POLICY_INFO_AUDIT_FULL_SET:
+	case LSA_POLICY_INFO_DB:
 	case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
+		/* windows gives INVALID_PARAMETER */
+		r->out.info = NULL;
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	r->out.info = NULL;
 	return NT_STATUS_INVALID_INFO_CLASS;
 }
 
@@ -468,6 +502,8 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy(struct dcesrv_call_state *dce_call, T
 	struct lsa_QueryInfoPolicy2 r2;
 	NTSTATUS status;
 
+	ZERO_STRUCT(r2);
+
 	r2.in.handle = r->in.handle;
 	r2.in.level = r->in.level;
 	
@@ -484,6 +520,7 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy(struct dcesrv_call_state *dce_call, T
 static NTSTATUS dcesrv_lsa_SetInfoPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 				  struct lsa_SetInfoPolicy *r)
 {
+	/* need to support this */
 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
 
@@ -502,6 +539,13 @@ static NTSTATUS dcesrv_lsa_ClearAuditLog(struct dcesrv_call_state *dce_call, TAL
   lsa_CreateAccount 
 
   This call does not seem to have any long-term effects, hence no database operations
+
+  we need to talk to the MS product group to find out what this account database means!
+
+  answer is that the lsa database is totally separate from the SAM and
+  ldap databases. We are going to need a separate ldb to store these
+  accounts. The SIDs on this account bear no relation to the SIDs in
+  AD
 */
 static NTSTATUS dcesrv_lsa_CreateAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 				  struct lsa_CreateAccount *r)
@@ -648,7 +692,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 	
 	dns_name = r->in.info->domain_name.string;
 	
-	trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+	trusted_domain_state = talloc_zero(mem_ctx, struct lsa_trusted_domain_state);
 	if (!trusted_domain_state) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1004,7 +1048,7 @@ static NTSTATUS dcesrv_lsa_OpenTrustedDomain(struct dcesrv_call_state *dce_call,
 	ZERO_STRUCTP(r->out.trustdom_handle);
 	policy_state = policy_handle->data;
 
-	trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+	trusted_domain_state = talloc_zero(mem_ctx, struct lsa_trusted_domain_state);
 	if (!trusted_domain_state) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1088,7 +1132,7 @@ static NTSTATUS dcesrv_lsa_OpenTrustedDomainByName(struct dcesrv_call_state *dce
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	
-	trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
+	trusted_domain_state = talloc_zero(mem_ctx, struct lsa_trusted_domain_state);
 	if (!trusted_domain_state) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1228,7 +1272,7 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_
 
 	DCESRV_PULL_HANDLE(h, r->in.trustdom_handle, LSA_HANDLE_TRUSTED_DOMAIN);
 
-	trusted_domain_state = h->data;
+	trusted_domain_state = talloc_get_type(h->data, struct lsa_trusted_domain_state);
 
 	/* pull all the user attributes */
 	ret = gendb_search_dn(trusted_domain_state->policy->sam_ldb, mem_ctx,
@@ -2786,6 +2830,7 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
 				   TALLOC_CTX *mem_ctx,
 				   struct lsa_SetInfoPolicy2 *r)
 {
+	/* need to support these */
 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
 
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 0ffb0572ee..2375a6d27a 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -525,8 +525,19 @@ NTSTATUS dcesrv_lsa_LookupSids2(struct dcesrv_call_state *dce_call,
 	int i;
 	NTSTATUS status = NT_STATUS_OK;
 
+	if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
+	    r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	r->out.domains = NULL;
 
+	/* NOTE: the WSPP test suite tries SIDs with invalid revision numbers,
+	   and expects NT_STATUS_INVALID_PARAMETER back - we just treat it as 
+	   an unknown SID. We could add a SID validator here. (tridge) 
+	   MS-DTYP 2.4.2
+	*/
+
 	status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -583,7 +594,7 @@ NTSTATUS dcesrv_lsa_LookupSids2(struct dcesrv_call_state *dce_call,
 						    authority_name, sid, 
 						    r->out.domains, &sid_index);
 		if (!NT_STATUS_IS_OK(status2)) {
-			return status2;
+			continue;
 		}
 
 		r->out.names->names[i].sid_type    = rtype;
@@ -683,9 +694,8 @@ NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
 	r2.out.names   = NULL;
 
 	status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
-	if (NT_STATUS_IS_ERR(status)) {
-		return status;
-	}
+	/* we deliberately don't check for error from the above,
+	   as even on error we are supposed to return the names  */
 
 	r->out.domains = r2.out.domains;
 	if (!r2.out.names) {
@@ -727,6 +737,11 @@ NTSTATUS dcesrv_lsa_LookupNames3(struct dcesrv_call_state *dce_call,
 
 	DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
 
+	if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
+	    r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	policy_state = policy_handle->data;
 
 	r->out.domains = NULL;
@@ -830,10 +845,11 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	r2.in.num_names = r->in.num_names;
 	r2.in.names = r->in.names;
+	r2.in.level = r->in.level;
 	r2.in.sids = r->in.sids;
 	r2.in.count = r->in.count;
-	r2.in.unknown1 = r->in.unknown1;
-	r2.in.unknown2 = r->in.unknown2;
+	r2.in.lookup_options = r->in.lookup_options;
+	r2.in.client_revision = r->in.client_revision;
 	r2.out.domains = r->out.domains;
 	r2.out.sids = r->out.sids;
 	r2.out.count = r->out.count;
@@ -952,8 +968,8 @@ NTSTATUS dcesrv_lsa_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 	r2.in.sids      = NULL;
 	r2.in.level     = r->in.level;
 	r2.in.count     = r->in.count;
-	r2.in.unknown1  = 0;
-	r2.in.unknown2  = 0;
+	r2.in.lookup_options = 0;
+	r2.in.client_revision = 0;
 	r2.out.count    = r->out.count;
 
 	status = dcesrv_lsa_LookupNames2(dce_call, mem_ctx, &r2);
author	Andrew Tridgell <tridge@samba.org>	2008-10-03 17:52:59 -0700
committer	Andrew Tridgell <tridge@samba.org>	2008-10-03 17:52:59 -0700
commit	ba5ef49f831dbbfec1a360cd4644999de822e2bc (patch)
tree	2b70fa275856e976b924fb246f622b2b62b64c38 /source4/rpc_server/lsa
parent	025ff92f59512fd530f4f68306fea77b26061682 (diff)
download	samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.tar.gz samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.tar.bz2 samba-ba5ef49f831dbbfec1a360cd4644999de822e2bc.zip