diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-11-17 13:39:37 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:05:56 -0500 |
commit | 5ad5c6cc70df2006f694b56c4086af10860b4676 (patch) | |
tree | 7fda8a14d92a12d54b76dac64647d51766206f50 /source4 | |
parent | 696fdc8cf91cc1660725fd93c2b91ec6b65d06b5 (diff) | |
download | samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.gz samba-5ad5c6cc70df2006f694b56c4086af10860b4676.tar.bz2 samba-5ad5c6cc70df2006f694b56c4086af10860b4676.zip |
r3807: Cross-check the basic attributes for groups and aliases in RPC-SAMSYNC.
Andrew Bartlett
(This used to be commit 90398fda41dd15480899e3628df186eb02fdc139)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/librpc/idl/netlogon.idl | 9 | ||||
-rw-r--r-- | source4/librpc/idl/samr.idl | 2 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/samsync.c | 117 |
4 files changed, 118 insertions, 12 deletions
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl index ab07a5705d..ae6bfe249b 100644 --- a/source4/librpc/idl/netlogon.idl +++ b/source4/librpc/idl/netlogon.idl @@ -396,9 +396,10 @@ interface netlogon } netr_DELTA_DOMAIN; typedef struct { - netr_String groupname; - netr_GroupMembership group_membership; - netr_String comment; + netr_String group_name; + uint32 rid; + uint32 attributes; + netr_String description; uint32 SecurityInformation; sec_desc_buf sdbuf; netr_String unknown1; @@ -439,7 +440,7 @@ interface netlogon uint32 rid; uint32 SecurityInformation; sec_desc_buf sdbuf; - netr_String unknown1; + netr_String description; netr_String unknown2; netr_String unknown3; netr_String unknown4; diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl index 80295bb252..a7bbe07b6a 100644 --- a/source4/librpc/idl/samr.idl +++ b/source4/librpc/idl/samr.idl @@ -371,7 +371,7 @@ typedef struct { samr_String name; - uint32 unknown; + uint32 attributes; uint32 num_members; samr_String description; } samr_GroupInfoAll; diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 18cf2c4734..ef6e45cb1e 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -1109,7 +1109,7 @@ static NTSTATUS samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, TALLOC_C switch (r->in.level) { case GroupInfoAll: QUERY_STRING(msg, all.name.string, "sAMAccountName"); - r->out.info->all.unknown = 7; /* Do like w2k3 */ + r->out.info->all.attributes = 7; /* Do like w2k3 */ QUERY_UINT (msg, all.num_members, "numMembers") QUERY_STRING(msg, all.description.string, "description"); break; diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 96c7846c59..777e5f36eb 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -515,6 +515,101 @@ static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsy return False; } +static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state, + int database_id, struct netr_DELTA_ENUM *delta) +{ + uint32 rid = delta->delta_id_union.rid; + struct netr_DELTA_ALIAS *alias = delta->delta_union.alias; + NTSTATUS nt_status; + BOOL ret = True; + + struct samr_OpenAlias r; + struct samr_QueryAliasInfo q; + struct policy_handle alias_handle; + + if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) { + printf("SamSync needs domain information before the users\n"); + return False; + } + + r.in.domain_handle = samsync_state->domain_handle[database_id]; + r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + r.in.rid = rid; + r.out.alias_handle = &alias_handle; + + nt_status = dcerpc_samr_OpenAlias(samsync_state->p_samr, mem_ctx, &r); + if (!NT_STATUS_IS_OK(nt_status)) { + printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status)); + return False; + } + + q.in.alias_handle = &alias_handle; + q.in.level = 1; + + nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q); + if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) { + return False; + } + + if (!NT_STATUS_IS_OK(nt_status)) { + printf("QueryAliasInfo level %u failed - %s\n", + q.in.level, nt_errstr(nt_status)); + return False; + } + + TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name); + TEST_STRING_EQUAL(q.out.info->all.description, alias->description); + return False; +} + +static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state, + int database_id, struct netr_DELTA_ENUM *delta) +{ + uint32 rid = delta->delta_id_union.rid; + struct netr_DELTA_GROUP *group = delta->delta_union.group; + NTSTATUS nt_status; + BOOL ret = True; + + struct samr_OpenGroup r; + struct samr_QueryGroupInfo q; + struct policy_handle group_handle; + + if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) { + printf("SamSync needs domain information before the users\n"); + return False; + } + + r.in.domain_handle = samsync_state->domain_handle[database_id]; + r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + r.in.rid = rid; + r.out.group_handle = &group_handle; + + nt_status = dcerpc_samr_OpenGroup(samsync_state->p_samr, mem_ctx, &r); + if (!NT_STATUS_IS_OK(nt_status)) { + printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status)); + return False; + } + + q.in.group_handle = &group_handle; + q.in.level = 1; + + nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q); + if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) { + return False; + } + + if (!NT_STATUS_IS_OK(nt_status)) { + printf("QueryGroupInfo level %u failed - %s\n", + q.in.level, nt_errstr(nt_status)); + return False; + } + + TEST_STRING_EQUAL(q.out.info->all.name, group->group_name); + TEST_INT_EQUAL(q.out.info->all.attributes, group->attributes); + TEST_STRING_EQUAL(q.out.info->all.description, group->description); + return False; +} + static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state, int database_id, struct netr_DELTA_ENUM *delta) { @@ -577,8 +672,7 @@ static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *sam } if (q.out.new_val->buf == NULL) { - printf("No secret buffer returned\n"); - ret = False; + /* probably just not available due to ACLs */ } else { lsa_blob1.data = q.out.new_val->buf->data; lsa_blob1.length = q.out.new_val->buf->length; @@ -675,6 +769,14 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state, ret &= samsync_handle_user(mem_ctx, samsync_state, r.in.database_id, &r.out.delta_enum_array->delta_enum[d]); break; + case NETR_DELTA_GROUP: + ret &= samsync_handle_group(mem_ctx, samsync_state, + r.in.database_id, &r.out.delta_enum_array->delta_enum[d]); + break; + case NETR_DELTA_ALIAS: + ret &= samsync_handle_alias(mem_ctx, samsync_state, + r.in.database_id, &r.out.delta_enum_array->delta_enum[d]); + break; case NETR_DELTA_TRUSTED_DOMAIN: ret &= samsync_handle_trusted_domain(mem_ctx, samsync_state, r.in.database_id, &r.out.delta_enum_array->delta_enum[d]); @@ -703,8 +805,6 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state, for (t=samsync_state->trusted_domains; t; t=t->next) { char *secret_name = talloc_asprintf(mem_ctx, "G$$%s", t->name); for (s=samsync_state->secrets; s; s=s->next) { - printf("Checking secret %s against %s\n", - s->name, secret_name); if (StrCaseCmp(s->name, secret_name) == 0) { NTSTATUS nt_status; struct samr_Password nt_hash; @@ -718,7 +818,7 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state, &nt_hash, NULL); if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) { - printf("Could not verify trust password to %s: %s\n", + printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n", t->name, nt_errstr(nt_status)); ret = False; } @@ -733,7 +833,7 @@ static BOOL test_DatabaseSync(struct samsync_state *samsync_state, NULL); if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { - printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n", + printf("Verifiction of trust password to %s: should have failed (wrong password), instead: %s\n", t->name, nt_errstr(nt_status)); ret = False; ret = False; @@ -907,6 +1007,11 @@ BOOL torture_rpc_samsync(void) timestring(mem_ctx, time(NULL))); status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s); + if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, domain_policy)) { + ret = False; + goto failed; + } + if (!NT_STATUS_IS_OK(status)) { printf("SetDomainInfo level %u failed - %s\n", s.in.level, nt_errstr(status)); |