authorAndrew Bartlett <abartlet@samba.org>2008-09-04 16:06:38 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-09-04 16:06:38 +1000
commit19fb3b0199dec2b8abacfab59910f2aed0ba310c (patch)
tree80f5ffa689dfb0a7c76a22e0d7fe81a35705f233 /source4
parentb533a1f4bf62c7983f612927499f60b503322c4d (diff)
downloadsamba-19fb3b0199dec2b8abacfab59910f2aed0ba310c.tar.gz
samba-19fb3b0199dec2b8abacfab59910f2aed0ba310c.tar.bz2
samba-19fb3b0199dec2b8abacfab59910f2aed0ba310c.zip
More work to implement LSA CreateTrustedDomainEx2
We still don't get the format inside the encrypted blob correct however. Andrew Bartlett (This used to be commit 99a3abda09716c064b3e9a37c4a79a8f62444eca)
Diffstat (limited to 'source4')
-rw-r--r--source4/librpc/idl/drsblobs.idl10
-rw-r--r--source4/librpc/idl/lsa.idl24
-rw-r--r--source4/torture/rpc/lsa.c40
3 files changed, 63 insertions, 11 deletions
diff --git a/source4/librpc/idl/drsblobs.idl b/source4/librpc/idl/drsblobs.idl
index 39c9680bdb..196423c7dd 100644
--- a/source4/librpc/idl/drsblobs.idl
+++ b/source4/librpc/idl/drsblobs.idl
@@ -409,12 +409,20 @@ interface drsblobs {
[size_is(1)] AuthenticationInformation array[];
} AuthenticationInformationArray;
- typedef [public,nopull,nopush,noprint] struct {
+ typedef [public,nopull,nopush,noprint,gensize] struct {
uint32 count;
[relative] AuthenticationInformationArray *current;
[relative] AuthenticationInformationArray *previous;
} trustAuthInOutBlob;
+ typedef [public] struct {
+ uint8 confounder[512];
+ trustAuthInOutBlob outgoing;
+ trustAuthInOutBlob incoming;
+ [value(ndr_size_trustAuthInOutBlob(&outgoing, ndr->flags))] uint32 outgoing_size;
+ [value(ndr_size_trustAuthInOutBlob(&incoming, ndr->flags))] uint32 incoming_size;
+ } trustAuthInAndOutBlob;
+
void decode_trustAuthInOut(
[in] trustAuthInOutBlob blob
);
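Review bot: The new trustAuthInAndOutBlob definition carries no comment recording that its wire layout is provisional, even though the commit description says the format inside the encrypted blob is still not right; a reader of the IDL alone cannot tell this struct from a confirmed one. Since the two size fields are `[value(...)]` and so are only computed on push, nothing on the pull side can check them against the data that precedes them. Suggest a header comment on the struct such as `/* Layout of the encrypted auth blob sent with CreateTrustedDomainEx2; not yet verified correct, see commit message */` so the TODO survives in the source.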
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 81931ae02a..4de3d6f1bf 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -607,13 +607,23 @@ import "misc.idl", "security.idl";
} lsa_TrustDomainInfoFullInfo;
typedef struct {
+ lsa_DATA_BUF2 auth_blob;
+ } lsa_TrustDomainInfoAuthInfoInternal;
+
+ typedef struct {
+ lsa_TrustDomainInfoInfoEx info_ex;
+ lsa_TrustDomainInfoPosixOffset posix_offset;
+ lsa_TrustDomainInfoAuthInfoInternal auth_info;
+ } lsa_TrustDomainInfoFullInfoInternal;
+
+ typedef struct {
lsa_TrustDomainInfoInfoEx info_ex;
- lsa_DATA_BUF2 data1;
+ uint32 forest_trust_length;
+ [size_is(forest_trust_length)] uint8 *forest_trust_data;
} lsa_TrustDomainInfoInfoEx2Internal;
typedef struct {
- lsa_TrustDomainInfoInfoEx info_ex;
- lsa_DATA_BUF2 data1;
+ lsa_TrustDomainInfoInfoEx2Internal info;
lsa_TrustDomainInfoPosixOffset posix_offset;
lsa_TrustDomainInfoAuthInfo auth_info;
} lsa_TrustDomainInfoInfo2Internal;
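Review bot: lsa_TrustDomainInfoAuthInfoInternal is introduced as a bare `lsa_DATA_BUF2 auth_blob` with no comment on what the buffer holds, while the torture change in this same commit fills it with a pushed trustAuthInAndOutBlob that has been RC4-encrypted with the DCE/RPC session key. That contract is the whole reason this type exists next to the plain lsa_TrustDomainInfoAuthInfo, so it should be stated where the type is defined. Suggest `/* trustAuthInAndOutBlob (drsblobs.idl), encrypted with the session key */` above the `auth_blob` member; if the encryption step is meant to be server-verified, say so there too.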
@@ -640,9 +650,9 @@ import "misc.idl", "security.idl";
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
lsa_TrustDomainInfoFullInfo full_info;
[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
- lsa_TrustDomainInfoAuthInfo auth_info_internal;
+ lsa_TrustDomainInfoAuthInfoInternal auth_info_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
- lsa_TrustDomainInfoFullInfo full_info_internal;
+ lsa_TrustDomainInfoFullInfoInternal full_info_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
lsa_TrustDomainInfoInfoEx2Internal info_ex2_internal;
[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
@@ -875,7 +885,7 @@ import "misc.idl", "security.idl";
NTSTATUS lsa_CreateTrustedDomainEx(
[in] policy_handle *policy_handle,
[in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfo *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
[in] uint32 access_mask,
[out] policy_handle *trustdom_handle
);
@@ -996,7 +1006,7 @@ import "misc.idl", "security.idl";
NTSTATUS lsa_CreateTrustedDomainEx2(
[in] policy_handle *policy_handle,
[in] lsa_TrustDomainInfoInfoEx *info,
- [in] lsa_TrustDomainInfoAuthInfo *auth_info,
+ [in] lsa_TrustDomainInfoAuthInfoInternal *auth_info,
[in] uint32 access_mask,
[out] policy_handle *trustdom_handle
);
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 1e35d94235..316412ec9e 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -23,11 +23,13 @@
#include "torture/torture.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/netlogon.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "lib/events/events.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "torture/rpc/rpc.h"
#include "param/param.h"
+#include "lib/crypto/crypto.h"
#define TEST_MACHINENAME "lsatestmach"
static void init_lsa_String(struct lsa_String *name, const char *s)
@@ -1882,6 +1884,9 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
return false;
}
+ /* Start from the bottom again */
+ resume_handle = 0;
+
do {
r.in.handle = handle;
r.in.resume_handle = &resume_handle;
@@ -2063,6 +2068,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
}
static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
TALLOC_CTX *mem_ctx,
struct policy_handle *handle)
{
@@ -2070,13 +2076,24 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
bool ret = true;
struct lsa_CreateTrustedDomainEx2 r;
struct lsa_TrustDomainInfoInfoEx trustinfo;
+ struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
+ struct trustAuthInAndOutBlob auth_struct;
+ DATA_BLOB auth_blob;
struct dom_sid *domsid[12];
struct policy_handle trustdom_handle[12];
struct lsa_QueryTrustedDomainInfo q;
+ DATA_BLOB session_key;
+ enum ndr_err_code ndr_err;
int i;
printf("Testing CreateTrustedDomainEx2 for 12 domains\n");
+ status = dcerpc_fetch_session_key(p, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
for (i=0; i< 12; i++) {
char *trust_name = talloc_asprintf(mem_ctx, "torturedom%02d", i);
char *trust_name_dns = talloc_asprintf(mem_ctx, "torturedom%02d.samba.example.com", i);
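Review bot: `auth_struct` is declared without an initializer, and the following hunk writes only `confounder` and the two `count` fields before the struct is passed to ndr_push_trustAuthInAndOutBlob; the `current` and `previous` relative pointers of `outgoing` and `incoming` therefore reach the push with indeterminate values. The trustAuthInOutBlob push is hand-written (`nopush` in drsblobs.idl), so it may ignore those pointers when count is 0, but nothing visible here guarantees that, and an indeterminate pointer read is undefined behaviour regardless. Zero the struct at the declaration, `struct trustAuthInAndOutBlob auth_struct;` → `memset(&auth_struct, 0, sizeof(auth_struct));` right after the declarations, or use the project's ZERO_STRUCT idiom. The same applies to `auth_blob`, which the next hunk reads even when the push fails.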
@@ -2102,9 +2119,26 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
+ generate_random_buffer(auth_struct.confounder, sizeof(auth_struct.confounder));
+
+ auth_struct.outgoing.count = 0;
+ auth_struct.incoming.count = 0;
+
+ ndr_err = ndr_push_struct_blob(&auth_blob, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &auth_struct,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInAndOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ printf("ndr_push_struct_blob of trustAuthInAndOutBlob structure failed");
+ ret = false;
+ }
+
+ arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
+
+ authinfo.auth_blob.size = auth_blob.length;
+ authinfo.auth_blob.data = auth_blob.data;
+
r.in.policy_handle = handle;
r.in.info = &trustinfo;
- r.in.auth_info = NULL;
+ r.in.auth_info = &authinfo;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.out.trustdom_handle = &trustdom_handle[i];
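Review bot: When ndr_push_struct_blob fails the code sets `ret = false` but falls through to `arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key)` and the RPC call with an `auth_blob` that was never written, so a push failure turns into an out-of-bounds read on an indeterminate pointer rather than a clean test failure. The earlier session-key failure in this function returns immediately, and this path should match it: change `ret = false;` in that branch to `return false;`. The diagnostic on the line before is also missing its trailing newline, unlike every other printf in the function, so it should read `printf("ndr_push_struct_blob of trustAuthInAndOutBlob structure failed\n");`.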
@@ -2114,7 +2148,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
status = dcerpc_lsa_CreateTrustedDomainEx2(p, mem_ctx, &r);
}
if (!NT_STATUS_IS_OK(status)) {
- printf("CreateTrustedDomainEx failed - %s\n", nt_errstr(status));
+ printf("CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
ret = false;
} else {
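Review bot: The changed message `"CreateTrustedDomainEx failed2 - %s\n"` reads like a mistyped edit rather than an intended string: the `2` belongs to the call name, since this branch reports the result of dcerpc_lsa_CreateTrustedDomainEx2. Suggest `printf("CreateTrustedDomainEx2 failed - %s\n", nt_errstr(status));` so the torture output can be grepped for the actual RPC name.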
@@ -2452,7 +2486,7 @@ bool torture_rpc_lsa(struct torture_context *tctx)
ret = false;
}
- if (!test_CreateTrustedDomainEx2(p, tctx, handle)) {
+ if (!test_CreateTrustedDomainEx2(p, tctx, tctx, handle)) {
ret = false;
}