diff options
| author | Jelmer Vernooij <jelmer@samba.org> | 2012-09-26 19:47:56 +0200 |
|---|---|---|
| committer | Jelmer Vernooij <jelmer@samba.org> | 2012-09-26 22:12:07 +0200 |
| commit | 90b1a94cb436d872148742eec1af56ba7c6dc9ef (patch) | |
| tree | 958becb6d7b6fca31a78b7c5d2e6b1c35824db43 /source4 | |
| parent | 5022b3d8c183181b922e3ccac49e5819eb453035 (diff) | |
| download | samba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.tar.gz samba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.tar.bz2 samba-90b1a94cb436d872148742eec1af56ba7c6dc9ef.zip | |
netlogon: Per MS-NRPC, don't send unknown workstation flags back to the
client.
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 | ||||
| -rw-r--r-- | source4/torture/rpc/netlogon.c | 28 |
2 files changed, 27 insertions, 4 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 309601e9da..633687fd9d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1685,7 +1685,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal } domain_info->workstation_flags = - r->in.query->workstation_info->workstation_flags; + r->in.query->workstation_info->workstation_flags & ( + NETR_WS_FLAG_HANDLES_SPN_UPDATE | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS); r->out.info->domain_info = domain_info; break; diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index f1d605c674..d217db20c8 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -3209,7 +3209,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, NULL, cmdline_credentials, 0); - + torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!"); } @@ -3581,13 +3581,35 @@ static bool test_GetDomainInfo(struct torture_context *tctx, old_dnsname, "'DNS hostname' changed!"); + torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (extra workstation flags)\n"); + netlogon_creds_client_authenticator(creds, &a); + + q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE + | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | 0x4; + + /* Put the DNS hostname back */ + talloc_free(discard_const_p(char, q1.dns_hostname)); + q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME, + lpcfg_dnsdomain(tctx->lp_ctx)); + + torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r), + "LogonGetDomainInfo failed"); + torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed"); + + /* Checks "workstation flags" */ + torture_assert(tctx, + info.domain_info->workstation_flags + == (NETR_WS_FLAG_HANDLES_SPN_UPDATE + | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS), + "Out 'workstation flags' don't match!"); if (!torture_setting_bool(tctx, "dangerous", false)) { - torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 7th call (no workstation info) - enable dangerous tests in order to do so\n"); + torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 8th call (no workstation info) - enable dangerous tests in order to do so\n"); } else { /* Try a call without the workstation information structure */ - torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (no workstation info)\n"); + torture_comment(tctx, "Testing netr_LogonGetDomainInfo 8th call (no workstation info)\n"); netlogon_creds_client_authenticator(creds, &a); query.workstation_info = NULL; |