diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-11-22 08:47:47 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:06:03 -0500 |
commit | be7a3e3ce0c5b7623c67dcbb8ca20dae438d09af (patch) | |
tree | d4c701801706fb512f9d413938ab93f99978a5b7 /source4 | |
parent | aae697b9246a6688155895e6c666fda2f10d67f5 (diff) | |
download | samba-be7a3e3ce0c5b7623c67dcbb8ca20dae438d09af.tar.gz samba-be7a3e3ce0c5b7623c67dcbb8ca20dae438d09af.tar.bz2 samba-be7a3e3ce0c5b7623c67dcbb8ca20dae438d09af.zip |
r3904: * Add new LSA calls to open trusted domains
* Add new tests for ACCOUNTs in SamSync
* Clean up names in NETLOGON and LSA
* Verify Security Descriptors against LSA, as well as SamR
Andrew Bartlett
(This used to be commit 7094502fe0346255a89667f702289b4c8dc9fa08)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/librpc/idl/lsa.idl | 20 | ||||
-rw-r--r-- | source4/librpc/idl/netlogon.idl | 14 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 4 | ||||
-rw-r--r-- | source4/torture/rpc/lsa.c | 68 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 2 |
5 files changed, 88 insertions, 20 deletions
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index 225979da18..f84addf150 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -56,10 +56,10 @@ /******************/ /* Function: 0x03 */ - NTSTATUS lsa_QuerySecObj ( + NTSTATUS lsa_QuerySecurity ( [in,ref] policy_handle *handle, [in] uint32 sec_info, - [out] sec_desc_buf *sd + [out] sec_desc_buf *sdbuf ); @@ -396,8 +396,15 @@ NTSTATUS lsa_GetSystemAccessAccount(); /* Function: 0x18 */ NTSTATUS lsa_SetSystemAccessAccount(); + /* Function: 0x19 */ - NTSTATUS lsa_OpenTrustedDomain(); + NTSTATUS lsa_OpenTrustedDomain( + [in,ref] policy_handle *handle, + [in,ref] dom_sid2 *sid, + [in] uint32 access_mask, + [out,ref] policy_handle *trustdom_handle + ); + /* Function: 0x1a */ NTSTATUS lsa_QueryInfoTrustedDomain(); /* Function: 0x1b */ @@ -566,7 +573,12 @@ NTSTATUS lsa_SetDomInfoPolicy(); /* Function 0x37 */ - NTSTATUS lsa_OpenTrustedDomainByName(); + NTSTATUS lsa_OpenTrustedDomainByName( + [in,ref] policy_handle *handle, + [in] lsa_Name name, + [in] uint32 access_mask, + [out,ref] policy_handle *trustdom_handle + ); /* Function 0x38 */ NTSTATUS lsa_TestCall(); diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl index ae6bfe249b..27ba53ff8b 100644 --- a/source4/librpc/idl/netlogon.idl +++ b/source4/librpc/idl/netlogon.idl @@ -255,6 +255,8 @@ interface netlogon /* Function 0x05 */ /* secure channel types */ + /* Only SEC_CHAN_WKSTA can forward requests to other domains. */ + const int SEC_CHAN_WKSTA = 2; const int SEC_CHAN_DOMAIN = 4; const int SEC_CHAN_BDC = 6; @@ -527,7 +529,7 @@ interface netlogon uint32 unknown6; uint32 unknown7; uint32 unknown8; - } netr_DELTA_ACCOUNTS; + } netr_DELTA_ACCOUNT; typedef struct { uint16 unknown; @@ -574,9 +576,9 @@ interface netlogon NETR_DELTA_RENAME_ALIAS = 11, NETR_DELTA_ALIAS_MEMBER = 12, NETR_DELTA_POLICY = 13, - NETR_DELTA_TRUSTED_DOMAIN = 14, + NETR_DELTA_TRUSTED_DOMAIN = 14, NETR_DELTA_DELETE_TRUST = 15, - NETR_DELTA_ACCOUNTS = 16, + NETR_DELTA_ACCOUNT = 16, NETR_DELTA_DELETE_ACCOUNT = 17, NETR_DELTA_SECRET = 18, NETR_DELTA_DELETE_SECRET = 19, @@ -599,9 +601,9 @@ interface netlogon [case(NETR_DELTA_RENAME_ALIAS)] netr_DELTA_RENAME *rename_alias; [case(NETR_DELTA_ALIAS_MEMBER)] netr_DELTA_ALIAS_MEMBER *alias_member; [case(NETR_DELTA_POLICY)] netr_DELTA_POLICY *policy; - [case(NETR_DELTA_TRUSTED_DOMAIN)] netr_DELTA_TRUSTED_DOMAIN *trusted_domain; + [case(NETR_DELTA_TRUSTED_DOMAIN)] netr_DELTA_TRUSTED_DOMAIN *trusted_domain; [case(NETR_DELTA_DELETE_TRUST)] netr_DELTA_DELETE_TRUST delete_trust; - [case(NETR_DELTA_ACCOUNTS)] netr_DELTA_ACCOUNTS *accounts; + [case(NETR_DELTA_ACCOUNT)] netr_DELTA_ACCOUNT *account; [case(NETR_DELTA_DELETE_ACCOUNT)] netr_DELTA_DELETE_ACCOUNT delete_account; [case(NETR_DELTA_SECRET)] netr_DELTA_SECRET *secret; [case(NETR_DELTA_DELETE_SECRET)] netr_DELTA_DELETE_SECRET delete_secret; @@ -626,7 +628,7 @@ interface netlogon [case(NETR_DELTA_POLICY)] dom_sid2 *sid; [case(NETR_DELTA_TRUSTED_DOMAIN)] dom_sid2 *sid; [case(NETR_DELTA_DELETE_TRUST)] dom_sid2 *sid; - [case(NETR_DELTA_ACCOUNTS)] dom_sid2 *sid; + [case(NETR_DELTA_ACCOUNT)] dom_sid2 *sid; [case(NETR_DELTA_DELETE_ACCOUNT)] dom_sid2 *sid; [case(NETR_DELTA_SECRET)] unistr *name; [case(NETR_DELTA_DELETE_SECRET)] unistr *name; diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index ce9f9f39ff..1c3e8d374a 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -113,8 +113,8 @@ static NTSTATUS lsa_EnumPrivs(struct dcesrv_call_state *dce_call, TALLOC_CTX *me /* lsa_QuerySecObj */ -static NTSTATUS lsa_QuerySecObj(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct lsa_QuerySecObj *r) +static NTSTATUS lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct lsa_QuerySecurity *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 8c9675457e..703df40654 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -523,22 +523,22 @@ static BOOL test_EnumAccountRights(struct dcerpc_pipe *p, } -static BOOL test_QuerySecObj(struct dcerpc_pipe *p, +static BOOL test_QuerySecurity(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle) { NTSTATUS status; - struct lsa_QuerySecObj r; + struct lsa_QuerySecurity r; - printf("Testing QuerySecObj\n"); + printf("Testing QuerySecuriy\n"); r.in.handle = acct_handle; r.in.sec_info = 7; - status = dcerpc_lsa_QuerySecObj(p, mem_ctx, &r); + status = dcerpc_lsa_QuerySecurity(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("QuerySecObj failed - %s\n", nt_errstr(status)); + printf("QuerySecurity failed - %s\n", nt_errstr(status)); return False; } @@ -571,7 +571,7 @@ static BOOL test_OpenAccount(struct dcerpc_pipe *p, return False; } - if (!test_QuerySecObj(p, mem_ctx, handle, &acct_handle)) { + if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) { return False; } @@ -746,6 +746,8 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p, NTSTATUS status; uint32_t resume_handle = 0; struct lsa_DomainList domains; + int i; + BOOL ret = True; printf("\nTesting EnumTrustDom\n"); @@ -767,7 +769,59 @@ static BOOL test_EnumTrustDom(struct dcerpc_pipe *p, return False; } - return True; + printf("\nTesting OpenTrustedDomain and OpenTrustedDomainByName\n"); + + for (i=0; i< domains.count; i++) { + struct lsa_OpenTrustedDomain trust; + struct lsa_OpenTrustedDomainByName trust_by_name; + struct policy_handle trust_handle; + struct policy_handle handle2; + struct lsa_Close c; + + trust.in.handle = handle; + trust.in.sid = domains.domains[i].sid; + trust.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + trust.out.trustdom_handle = &trust_handle; + + status = dcerpc_lsa_OpenTrustedDomain(p, mem_ctx, &trust); + + if (!NT_STATUS_IS_OK(status)) { + printf("OpenTrustedDomain failed - %s\n", nt_errstr(status)); + return False; + } + + c.in.handle = &trust_handle; + c.out.handle = &handle2; + + status = dcerpc_lsa_Close(p, mem_ctx, &c); + if (!NT_STATUS_IS_OK(status)) { + printf("Close of trusted doman failed - %s\n", nt_errstr(status)); + return False; + } + + trust_by_name.in.handle = handle; + trust_by_name.in.name = domains.domains[i].name; + trust_by_name.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED; + trust_by_name.out.trustdom_handle = &trust_handle; + + status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &trust_by_name); + + if (!NT_STATUS_IS_OK(status)) { + printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + return False; + } + + c.in.handle = &trust_handle; + c.out.handle = &handle2; + + status = dcerpc_lsa_Close(p, mem_ctx, &c); + if (!NT_STATUS_IS_OK(status)) { + printf("Close of trusted doman failed - %s\n", nt_errstr(status)); + return False; + } + } + + return ret; } static BOOL test_QueryInfoPolicy(struct dcerpc_pipe *p, diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 54d6dd85f8..5204175559 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -1031,7 +1031,7 @@ BOOL torture_rpc_samlogon(void) } if (!test_SetupCredentials(p, mem_ctx, - TEST_MACHINE_NAME, machine_pass, &creds)) { + TEST_MACHINE_NAME, machine_pass, &creds)) { ret = False; } |