Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

(This used to be commit b706708210a05d6f10474a3cd2bbc550704d4356)

3 files changed, 92 insertions, 40 deletions

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index a336ddb339..fa7b8d26f5 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -917,6 +917,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 	DATA_BLOB stub;
 	uint32_t total_length, chunk_size;
 	struct dcesrv_connection_context *context = call->context;
+	size_t sig_size = 0;
 
 	/* call the reply function */
 	status = context->iface->reply(call, call, call->r);
@@ -948,7 +949,15 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 
 	/* we can write a full max_recv_frag size, minus the dcerpc
 	   request header size */
-	chunk_size = call->conn->cli_max_recv_frag - (DCERPC_MAX_SIGN_SIZE+DCERPC_REQUEST_LENGTH);
+	chunk_size = call->conn->cli_max_recv_frag;
+	chunk_size -= DCERPC_REQUEST_LENGTH;
+	if (call->conn->auth_state.gensec_security) {
+		chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
+		sig_size = gensec_sig_size(call->conn->auth_state.gensec_security,
+					   call->conn->cli_max_recv_frag);
+		chunk_size -= sig_size;
+		chunk_size -= (chunk_size % 16);
+	}
 
 	do {
 		uint32_t length;
@@ -978,7 +987,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 		pkt.u.response.stub_and_verifier.data = stub.data;
 		pkt.u.response.stub_and_verifier.length = length;
 
-		if (!dcesrv_auth_response(call, &rep->blob, &pkt)) {
+		if (!dcesrv_auth_response(call, &rep->blob, sig_size, &pkt)) {
 			return dcesrv_fault(call, DCERPC_FAULT_OTHER);		
 		}
 
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 64f42eea25..0aad3775d0 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -398,7 +398,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
    push a signed or sealed dcerpc request packet into a blob
 */
 bool dcesrv_auth_response(struct dcesrv_call_state *call,
-			  DATA_BLOB *blob, struct ncacn_packet *pkt)
+			  DATA_BLOB *blob, size_t sig_size,
+			  struct ncacn_packet *pkt)
 {
 	struct dcesrv_connection *dce_conn = call->conn;
 	NTSTATUS status;
@@ -445,9 +446,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
 		 * GENSEC mech does AEAD signing of the packet
 		 * headers */
 		dce_conn->auth_state.auth_info->credentials
-			= data_blob_talloc(call, NULL, 
-					   gensec_sig_size(dce_conn->auth_state.gensec_security, 
-							   payload_length));
+			= data_blob_talloc(call, NULL, sig_size);
 		data_blob_clear(&dce_conn->auth_state.auth_info->credentials);
 	}
 
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f02e2325a0..f67b5dee10 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -23,6 +23,8 @@
 #include "rpc_server/lsa/lsa.h"
 #include "util/util_ldb.h"
 #include "libcli/ldap/ldap_ndr.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 
 /*
   this type allows us to distinguish handle types
@@ -95,6 +97,16 @@ static NTSTATUS dcesrv_lsa_Close(struct dcesrv_call_state *dce_call, TALLOC_CTX
 static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 			   struct lsa_Delete *r)
 {
+	return NT_STATUS_NOT_SUPPORTED;
+}
+
+
+/* 
+  lsa_DeleteObject
+*/
+static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+		       struct lsa_DeleteObject *r)
+{
 	struct dcesrv_handle *h;
 	int ret;
 
@@ -121,6 +133,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 			return NT_STATUS_INVALID_HANDLE;
 		}
 
+		ZERO_STRUCTP(r->out.handle);
+
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
 		struct lsa_trusted_domain_state *trusted_domain_state = h->data;
@@ -131,6 +145,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 			return NT_STATUS_INVALID_HANDLE;
 		}
 
+		ZERO_STRUCTP(r->out.handle);
+
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
 		struct lsa_RightSet *rights;
@@ -167,6 +183,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
+
+		ZERO_STRUCTP(r->out.handle);
 	} 
 	
 	return NT_STATUS_INVALID_HANDLE;
@@ -861,7 +879,7 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal
 {
 	NTSTATUS status;
 	struct lsa_OpenTrustedDomain open;
-	struct lsa_Delete delete;
+	struct lsa_DeleteObject delete;
 	struct dcesrv_handle *h;
 
 	open.in.handle = r->in.handle;
@@ -880,7 +898,8 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal
 	talloc_steal(mem_ctx, h);
 
 	delete.in.handle = open.out.trustdom_handle;
-	status = dcesrv_lsa_Delete(dce_call, mem_ctx, &delete);
+	delete.out.handle = open.out.trustdom_handle;
+	status = dcesrv_lsa_DeleteObject(dce_call, mem_ctx, &delete);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -924,6 +943,7 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_
 		"trustDirection",
 		"trustType",
 		"trustAttributes", 
+		"msDs-supportedEncryptionTypes",
 		NULL
 	};
 
@@ -967,12 +987,19 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_
 		ZERO_STRUCT(r->out.info->full_info);
 		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->full_info.info_ex);
 
-	case LSA_TRUSTED_DOMAIN_INFO_INFO_ALL:
-		ZERO_STRUCT(r->out.info->info_all);
-		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info_all.info_ex);
+	case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
+		ZERO_STRUCT(r->out.info->info2_internal);
+		r->out.info->info2_internal.posix_offset.posix_offset
+			= samdb_result_uint(msg, "posixOffset", 0);					   
+		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info2_internal.info_ex);
+		
+	case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES:
+		r->out.info->enc_types.enc_types
+			= samdb_result_uint(msg, "msDs-supportedEncryptionTypes", KERB_ENCTYPE_RC4_HMAC_MD5);
+		break;
 
-	case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO:
-	case LSA_TRUSTED_DOMAIN_INFO_11:
+	case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
+	case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
 		/* oops, we don't want to return the info after all */
 		talloc_free(r->out.info);
 		r->out.info = NULL;
@@ -1986,22 +2013,14 @@ static NTSTATUS dcesrv_lsa_SetSecret(struct dcesrv_call_state *dce_call, TALLOC_
 		}
 
 		if (!r->in.new_val) {
-			/* This behaviour varies depending of if this is a local, or a global secret... */
-			if (secret_state->global) {
-				/* set old value mtime */
-				if (samdb_msg_add_uint64(secret_state->sam_ldb, 
-							 mem_ctx, msg, "lastSetTime", nt_now) != 0) { 
-					return NT_STATUS_NO_MEMORY; 
-				}
-			} else {
-				if (samdb_msg_add_delete(secret_state->sam_ldb, 
-							 mem_ctx, msg, "currentValue")) {
-					return NT_STATUS_NO_MEMORY;
-				}
-				if (samdb_msg_add_delete(secret_state->sam_ldb, 
-							 mem_ctx, msg, "lastSetTime")) {
-					return NT_STATUS_NO_MEMORY;
-				}
+			/* set old value mtime */
+			if (samdb_msg_add_uint64(secret_state->sam_ldb, 
+						 mem_ctx, msg, "lastSetTime", nt_now) != 0) { 
+				return NT_STATUS_NO_MEMORY; 
+			}
+			if (samdb_msg_add_delete(secret_state->sam_ldb, 
+						 mem_ctx, msg, "currentValue")) {
+				return NT_STATUS_NO_MEMORY;
 			}
 		}
 	}
@@ -2311,16 +2330,6 @@ static NTSTATUS dcesrv_lsa_LookupPrivDisplayName(struct dcesrv_call_state *dce_c
 
 
 /* 
-  lsa_DeleteObject
-*/
-static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-		       struct lsa_DeleteObject *r)
-{
-	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/* 
   lsa_EnumAccountsWithUserRight
 */
 static NTSTATUS dcesrv_lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call, 
@@ -2495,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
 						 TALLOC_CTX *mem_ctx,
 						 struct lsa_QueryDomainInformationPolicy *r)
 {
-	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+	r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy);
+	if (!r->out.info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	switch (r->in.level) {
+	case LSA_DOMAIN_INFO_POLICY_EFS:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	case LSA_DOMAIN_INFO_POLICY_KERBEROS:
+	{
+		struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info;
+		struct smb_krb5_context *smb_krb5_context;
+		int ret = smb_krb5_init_context(mem_ctx, 
+							dce_call->event_ctx, 
+							dce_call->conn->dce_ctx->lp_ctx,
+							&smb_krb5_context);
+		if (ret != 0) {
+			talloc_free(r->out.info);
+			r->out.info = NULL;
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+		k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
+		k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_lifetime = 0;    /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
+		talloc_free(smb_krb5_context);
+		return NT_STATUS_OK;
+	}
+	default:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
 }
 
 /*