summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--librpc/idl/krb5pac.idl (renamed from source4/librpc/idl/krb5pac.idl)10
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/librpc/gen_ndr/krb5pac.h23
-rw-r--r--source3/librpc/gen_ndr/ndr_krb5pac.c131
-rw-r--r--source3/librpc/gen_ndr/ndr_krb5pac.h8
-rw-r--r--source3/librpc/idl/krb5pac.idl120
-rw-r--r--source4/heimdal/kpasswd/kpasswd.c247
-rw-r--r--source4/heimdal/kpasswd/kpasswd_locl.h104
-rw-r--r--source4/heimdal/lib/krb5/prog_setup.c66
-rw-r--r--source4/heimdal/lib/roken/rkpty.c336
-rw-r--r--source4/heimdal_build/internal.m48
-rw-r--r--source4/heimdal_build/internal.mk35
-rw-r--r--source4/kdc/kdc.c10
-rw-r--r--source4/librpc/idl/lsa.idl32
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c40
-rwxr-xr-xsource4/script/mkrelease.sh16
-rw-r--r--source4/setup/provision_init.ldif1
-rw-r--r--source4/torture/rpc/lsa.c230
-rwxr-xr-xtestprogs/blackbox/test_kinit.sh44
19 files changed, 1192 insertions, 271 deletions
diff --git a/source4/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index bddba04165..a498b795f8 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -29,7 +29,7 @@ interface krb5pac
netr_SamInfo3 info3;
dom_sid2 *res_group_dom_sid;
samr_RidWithAttributeArray res_groups;
- } PAC_LOGON_INFO;
+ } PAC_LOGON_INFO;
typedef struct {
[value(2*strlen_m(upn_name))] uint16 upn_size;
@@ -46,7 +46,7 @@ interface krb5pac
typedef [public] struct {
PAC_LOGON_INFO *info;
- } PAC_LOGON_INFO_CTR;
+ } PAC_LOGON_INFO_CTR;
typedef [public,v1_enum] enum {
PAC_TYPE_LOGON_INFO = 1,
@@ -126,5 +126,9 @@ interface krb5pac
[in] PAC_Validate pac_validate
);
-
+ /* used for samba3 netsamlogon cache */
+ typedef [public] struct {
+ time_t timestamp;
+ netr_SamInfo3 info3;
+ } netsamlogoncache_entry;
}
diff --git a/source3/Makefile.in b/source3/Makefile.in
index e806e3f062..810666e0a9 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1213,7 +1213,7 @@ samba3-idl::
../librpc/idl/eventlog.idl ../librpc/idl/wkssvc.idl librpc/idl/netlogon.idl \
../librpc/idl/notify.idl ../librpc/idl/epmapper.idl librpc/idl/messaging.idl \
../librpc/idl/xattr.idl ../librpc/idl/misc.idl librpc/idl/samr.idl \
- ../librpc/idl/security.idl ../librpc/idl/dssetup.idl librpc/idl/krb5pac.idl \
+ ../librpc/idl/security.idl ../librpc/idl/dssetup.idl ../librpc/idl/krb5pac.idl \
../librpc/idl/ntsvcs.idl librpc/idl/libnetapi.idl ../librpc/idl/drsuapi.idl \
../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl
diff --git a/source3/librpc/gen_ndr/krb5pac.h b/source3/librpc/gen_ndr/krb5pac.h
index b3b29e5b2f..7ec3e95d70 100644
--- a/source3/librpc/gen_ndr/krb5pac.h
+++ b/source3/librpc/gen_ndr/krb5pac.h
@@ -8,6 +8,7 @@
#ifndef _HEADER_krb5pac
#define _HEADER_krb5pac
+#define NETLOGON_GENERIC_KRB5_PAC_VALIDATE ( 3 )
struct PAC_LOGON_NAME {
NTTIME logon_time;
uint16_t size;/* [value(2*strlen_m(account_name))] */
@@ -39,10 +40,6 @@ struct PAC_UNKNOWN_12 {
};
struct PAC_LOGON_INFO_CTR {
- uint32_t unknown1;/* [value(0x00081001)] */
- uint32_t unknown2;/* [value(0xCCCCCCCC)] */
- uint32_t _ndr_size;/* [value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info,ndr->flags)+4,8))] */
- uint32_t unknown3;/* [value(0x00000000)] */
struct PAC_LOGON_INFO *info;/* [unique] */
}/* [public] */;
@@ -72,7 +69,7 @@ struct DATA_BLOB_REM {
};
union PAC_INFO {
- struct PAC_LOGON_INFO_CTR logon_info;/* [case(PAC_TYPE_LOGON_INFO)] */
+ struct PAC_LOGON_INFO_CTR logon_info;/* [subcontext(0xFFFFFC01),case(PAC_TYPE_LOGON_INFO)] */
struct PAC_SIGNATURE_DATA srv_cksum;/* [case(PAC_TYPE_SRV_CHECKSUM)] */
struct PAC_SIGNATURE_DATA kdc_cksum;/* [case(PAC_TYPE_KDC_CHECKSUM)] */
struct PAC_LOGON_NAME logon_name;/* [case(PAC_TYPE_LOGON_NAME)] */
@@ -105,6 +102,14 @@ struct PAC_DATA_RAW {
struct PAC_BUFFER_RAW *buffers;
}/* [public] */;
+struct PAC_Validate {
+ uint32_t MessageType;/* [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] */
+ uint32_t ChecksumLength;
+ int32_t SignatureType;
+ uint32_t SignatureLength;
+ DATA_BLOB ChecksumAndSignature;/* [flag(LIBNDR_FLAG_REMAINING)] */
+}/* [public] */;
+
struct netsamlogoncache_entry {
time_t timestamp;
struct netr_SamInfo3 info3;
@@ -134,4 +139,12 @@ struct decode_login_info {
};
+
+struct decode_pac_validate {
+ struct {
+ struct PAC_Validate pac_validate;
+ } in;
+
+};
+
#endif /* _HEADER_krb5pac */
diff --git a/source3/librpc/gen_ndr/ndr_krb5pac.c b/source3/librpc/gen_ndr/ndr_krb5pac.c
index 6e06f90a68..f9e93e5210 100644
--- a/source3/librpc/gen_ndr/ndr_krb5pac.c
+++ b/source3/librpc/gen_ndr/ndr_krb5pac.c
@@ -170,10 +170,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_LOGON_INFO_CTR(struct ndr_push *ndr, int
{
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_push_align(ndr, 4));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00081001));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0xCCCCCCCC));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, NDR_ROUND(ndr_size_PAC_LOGON_INFO(r->info, ndr->flags) + 4, 8)));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000000));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->info));
}
if (ndr_flags & NDR_BUFFERS) {
@@ -190,10 +186,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_LOGON_INFO_CTR(struct ndr_pull *ndr, int
TALLOC_CTX *_mem_save_info_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->_ndr_size));
- NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info));
if (_ptr_info) {
NDR_PULL_ALLOC(ndr, r->info);
@@ -216,10 +208,6 @@ _PUBLIC_ void ndr_print_PAC_LOGON_INFO_CTR(struct ndr_print *ndr, const char *na
{
ndr_print_struct(ndr, name, "PAC_LOGON_INFO_CTR");
ndr->depth++;
- ndr_print_uint32(ndr, "unknown1", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0x00081001:r->unknown1);
- ndr_print_uint32(ndr, "unknown2", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0xCCCCCCCC:r->unknown2);
- ndr_print_uint32(ndr, "_ndr_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NDR_ROUND(ndr_size_PAC_LOGON_INFO(r->info, ndr->flags) + 4, 8):r->_ndr_size);
- ndr_print_uint32(ndr, "unknown3", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0x00000000:r->unknown3);
ndr_print_ptr(ndr, "info", r->info);
ndr->depth++;
if (r->info) {
@@ -304,7 +292,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags
int level = ndr_push_get_switch_value(ndr, r);
switch (level) {
case PAC_TYPE_LOGON_INFO: {
- NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(ndr, NDR_SCALARS, &r->logon_info));
+ {
+ struct ndr_push *_ndr_logon_info;
+ NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_logon_info, 0xFFFFFC01, -1));
+ NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(_ndr_logon_info, NDR_SCALARS|NDR_BUFFERS, &r->logon_info));
+ NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_logon_info, 0xFFFFFC01, -1));
+ }
break; }
case PAC_TYPE_SRV_CHECKSUM: {
@@ -334,7 +327,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags
int level = ndr_push_get_switch_value(ndr, r);
switch (level) {
case PAC_TYPE_LOGON_INFO:
- NDR_CHECK(ndr_push_PAC_LOGON_INFO_CTR(ndr, NDR_BUFFERS, &r->logon_info));
break;
case PAC_TYPE_SRV_CHECKSUM:
@@ -361,7 +353,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags
if (ndr_flags & NDR_SCALARS) {
switch (level) {
case PAC_TYPE_LOGON_INFO: {
- NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(ndr, NDR_SCALARS, &r->logon_info));
+ {
+ struct ndr_pull *_ndr_logon_info;
+ NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_logon_info, 0xFFFFFC01, -1));
+ NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(_ndr_logon_info, NDR_SCALARS|NDR_BUFFERS, &r->logon_info));
+ NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_logon_info, 0xFFFFFC01, -1));
+ }
break; }
case PAC_TYPE_SRV_CHECKSUM: {
@@ -390,7 +387,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags
if (ndr_flags & NDR_BUFFERS) {
switch (level) {
case PAC_TYPE_LOGON_INFO:
- NDR_CHECK(ndr_pull_PAC_LOGON_INFO_CTR(ndr, NDR_BUFFERS, &r->logon_info));
break;
case PAC_TYPE_SRV_CHECKSUM:
@@ -672,6 +668,58 @@ _PUBLIC_ void ndr_print_PAC_DATA_RAW(struct ndr_print *ndr, const char *name, co
ndr->depth--;
}
+_PUBLIC_ enum ndr_err_code ndr_push_PAC_Validate(struct ndr_push *ndr, int ndr_flags, const struct PAC_Validate *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 4));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, NETLOGON_GENERIC_KRB5_PAC_VALIDATE));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->ChecksumLength));
+ NDR_CHECK(ndr_push_int32(ndr, NDR_SCALARS, r->SignatureType));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->SignatureLength));
+ {
+ uint32_t _flags_save_DATA_BLOB = ndr->flags;
+ ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING);
+ NDR_CHECK(ndr_push_DATA_BLOB(ndr, NDR_SCALARS, r->ChecksumAndSignature));
+ ndr->flags = _flags_save_DATA_BLOB;
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_PAC_Validate(struct ndr_pull *ndr, int ndr_flags, struct PAC_Validate *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MessageType));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ChecksumLength));
+ NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->SignatureType));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SignatureLength));
+ {
+ uint32_t _flags_save_DATA_BLOB = ndr->flags;
+ ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING);
+ NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->ChecksumAndSignature));
+ ndr->flags = _flags_save_DATA_BLOB;
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_PAC_Validate(struct ndr_print *ndr, const char *name, const struct PAC_Validate *r)
+{
+ ndr_print_struct(ndr, name, "PAC_Validate");
+ ndr->depth++;
+ ndr_print_uint32(ndr, "MessageType", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NETLOGON_GENERIC_KRB5_PAC_VALIDATE:r->MessageType);
+ ndr_print_uint32(ndr, "ChecksumLength", r->ChecksumLength);
+ ndr_print_int32(ndr, "SignatureType", r->SignatureType);
+ ndr_print_uint32(ndr, "SignatureLength", r->SignatureLength);
+ ndr_print_DATA_BLOB(ndr, "ChecksumAndSignature", r->ChecksumAndSignature);
+ ndr->depth--;
+}
+
_PUBLIC_ enum ndr_err_code ndr_push_netsamlogoncache_entry(struct ndr_push *ndr, int ndr_flags, const struct netsamlogoncache_entry *r)
{
if (ndr_flags & NDR_SCALARS) {
@@ -830,6 +878,47 @@ _PUBLIC_ void ndr_print_decode_login_info(struct ndr_print *ndr, const char *nam
ndr->depth--;
}
+static enum ndr_err_code ndr_push_decode_pac_validate(struct ndr_push *ndr, int flags, const struct decode_pac_validate *r)
+{
+ if (flags & NDR_IN) {
+ NDR_CHECK(ndr_push_PAC_Validate(ndr, NDR_SCALARS, &r->in.pac_validate));
+ }
+ if (flags & NDR_OUT) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code ndr_pull_decode_pac_validate(struct ndr_pull *ndr, int flags, struct decode_pac_validate *r)
+{
+ if (flags & NDR_IN) {
+ NDR_CHECK(ndr_pull_PAC_Validate(ndr, NDR_SCALARS, &r->in.pac_validate));
+ }
+ if (flags & NDR_OUT) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_decode_pac_validate(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_validate *r)
+{
+ ndr_print_struct(ndr, name, "decode_pac_validate");
+ ndr->depth++;
+ if (flags & NDR_SET_VALUES) {
+ ndr->flags |= LIBNDR_PRINT_SET_VALUES;
+ }
+ if (flags & NDR_IN) {
+ ndr_print_struct(ndr, "in", "decode_pac_validate");
+ ndr->depth++;
+ ndr_print_PAC_Validate(ndr, "pac_validate", &r->in.pac_validate);
+ ndr->depth--;
+ }
+ if (flags & NDR_OUT) {
+ ndr_print_struct(ndr, "out", "decode_pac_validate");
+ ndr->depth++;
+ ndr->depth--;
+ }
+ ndr->depth--;
+}
+
static const struct ndr_interface_call krb5pac_calls[] = {
{
"decode_pac",
@@ -855,6 +944,14 @@ static const struct ndr_interface_call krb5pac_calls[] = {
(ndr_print_function_t) ndr_print_decode_login_info,
false,
},
+ {
+ "decode_pac_validate",
+ sizeof(struct decode_pac_validate),
+ (ndr_push_flags_fn_t) ndr_push_decode_pac_validate,
+ (ndr_pull_flags_fn_t) ndr_pull_decode_pac_validate,
+ (ndr_print_function_t) ndr_print_decode_pac_validate,
+ false,
+ },
{ NULL, 0, NULL, NULL, NULL, false }
};
@@ -884,7 +981,7 @@ const struct ndr_interface_table ndr_table_krb5pac = {
NDR_KRB5PAC_VERSION
},
.helpstring = NDR_KRB5PAC_HELPSTRING,
- .num_calls = 3,
+ .num_calls = 4,
.calls = krb5pac_calls,
.endpoints = &krb5pac_endpoints,
.authservices = &krb5pac_authservices
diff --git a/source3/librpc/gen_ndr/ndr_krb5pac.h b/source3/librpc/gen_ndr/ndr_krb5pac.h
index 7f03106879..bf09e3fad5 100644
--- a/source3/librpc/gen_ndr/ndr_krb5pac.h
+++ b/source3/librpc/gen_ndr/ndr_krb5pac.h
@@ -17,7 +17,9 @@ extern const struct ndr_interface_table ndr_table_krb5pac;
#define NDR_DECODE_LOGIN_INFO (0x02)
-#define NDR_KRB5PAC_CALL_COUNT (3)
+#define NDR_DECODE_PAC_VALIDATE (0x03)
+
+#define NDR_KRB5PAC_CALL_COUNT (4)
void ndr_print_PAC_LOGON_NAME(struct ndr_print *ndr, const char *name, const struct PAC_LOGON_NAME *r);
enum ndr_err_code ndr_push_PAC_SIGNATURE_DATA(struct ndr_push *ndr, int ndr_flags, const struct PAC_SIGNATURE_DATA *r);
enum ndr_err_code ndr_pull_PAC_SIGNATURE_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_SIGNATURE_DATA *r);
@@ -46,10 +48,14 @@ void ndr_print_PAC_BUFFER_RAW(struct ndr_print *ndr, const char *name, const str
enum ndr_err_code ndr_push_PAC_DATA_RAW(struct ndr_push *ndr, int ndr_flags, const struct PAC_DATA_RAW *r);
enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r);
void ndr_print_PAC_DATA_RAW(struct ndr_print *ndr, const char *name, const struct PAC_DATA_RAW *r);
+enum ndr_err_code ndr_push_PAC_Validate(struct ndr_push *ndr, int ndr_flags, const struct PAC_Validate *r);
+enum ndr_err_code ndr_pull_PAC_Validate(struct ndr_pull *ndr, int ndr_flags, struct PAC_Validate *r);
+void ndr_print_PAC_Validate(struct ndr_print *ndr, const char *name, const struct PAC_Validate *r);
enum ndr_err_code ndr_push_netsamlogoncache_entry(struct ndr_push *ndr, int ndr_flags, const struct netsamlogoncache_entry *r);
enum ndr_err_code ndr_pull_netsamlogoncache_entry(struct ndr_pull *ndr, int ndr_flags, struct netsamlogoncache_entry *r);
void ndr_print_netsamlogoncache_entry(struct ndr_print *ndr, const char *name, const struct netsamlogoncache_entry *r);
void ndr_print_decode_pac(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac *r);
void ndr_print_decode_pac_raw(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_raw *r);
void ndr_print_decode_login_info(struct ndr_print *ndr, const char *name, int flags, const struct decode_login_info *r);
+void ndr_print_decode_pac_validate(struct ndr_print *ndr, const char *name, int flags, const struct decode_pac_validate *r);
#endif /* _HEADER_NDR_krb5pac */
diff --git a/source3/librpc/idl/krb5pac.idl b/source3/librpc/idl/krb5pac.idl
deleted file mode 100644
index c039502d23..0000000000
--- a/source3/librpc/idl/krb5pac.idl
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- krb5 PAC
-*/
-
-#include "idl_types.h"
-
-import "security.idl", "netlogon.idl", "samr.idl";
-
-[
- uuid("12345778-1234-abcd-0000-00000000"),
- version(0.0),
- pointer_default(unique),
- helpstring("Active Directory KRB5 PAC")
-]
-interface krb5pac
-{
- typedef struct {
- NTTIME logon_time;
- [value(2*strlen_m(account_name))] uint16 size;
- [charset(UTF16)] uint8 account_name[size];
- } PAC_LOGON_NAME;
-
- typedef [public,flag(NDR_PAHEX)] struct {
- uint32 type;
- [flag(NDR_REMAINING)] DATA_BLOB signature;
- } PAC_SIGNATURE_DATA;
-
- typedef [gensize] struct {
- netr_SamInfo3 info3;
- dom_sid2 *res_group_dom_sid;
- samr_RidWithAttributeArray res_groups;
- } PAC_LOGON_INFO;
-
- typedef struct {
- [value(2*strlen_m(upn_name))] uint16 upn_size;
- uint16 upn_offset;
- [value(2*strlen_m(domain_name))] uint16 domain_size;
- uint16 domain_offset;
- uint16 unknown3; /* 0x01 */
- uint16 unknown4;
- uint32 unknown5;
- [charset(UTF16)] uint8 upn_name[upn_size+2];
- [charset(UTF16)] uint8 domain_name[domain_size+2];
- uint32 unknown6; /* padding */
- } PAC_UNKNOWN_12;
-
- typedef [public] struct {
- [value(0x00081001)] uint32 unknown1;
- [value(0xCCCCCCCC)] uint32 unknown2;
- [value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info, ndr->flags)+4,8))] uint32 _ndr_size;
- [value(0x00000000)] uint32 unknown3;
- PAC_LOGON_INFO *info;
- } PAC_LOGON_INFO_CTR;
-
- typedef [public,v1_enum] enum {
- PAC_TYPE_LOGON_INFO = 1,
- PAC_TYPE_SRV_CHECKSUM = 6,
- PAC_TYPE_KDC_CHECKSUM = 7,
- PAC_TYPE_LOGON_NAME = 10,
- PAC_TYPE_CONSTRAINED_DELEGATION = 11,
- PAC_TYPE_UNKNOWN_12 = 12
- } PAC_TYPE;
-
- typedef struct {
- [flag(NDR_REMAINING)] DATA_BLOB remaining;
- } DATA_BLOB_REM;
-
- typedef [public,nodiscriminant,gensize] union {
- [case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO_CTR logon_info;
- [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
- [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
- [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
- [default] [subcontext(0)] DATA_BLOB_REM unknown;
- /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */
- } PAC_INFO;
-
- typedef [public,nopush,nopull,noprint] struct {
- PAC_TYPE type;
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
- [relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info;
- [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
- } PAC_BUFFER;
-
- typedef [public] struct {
- uint32 num_buffers;
- uint32 version;
- PAC_BUFFER buffers[num_buffers];
- } PAC_DATA;
-
- typedef [public] struct {
- PAC_TYPE type;
- uint32 ndr_size;
- [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info;
- [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
- } PAC_BUFFER_RAW;
-
- typedef [public] struct {
- uint32 num_buffers;
- uint32 version;
- PAC_BUFFER_RAW buffers[num_buffers];
- } PAC_DATA_RAW;
-
- void decode_pac(
- [in] PAC_DATA pac
- );
-
- void decode_pac_raw(
- [in] PAC_DATA_RAW pac
- );
-
- void decode_login_info(
- [in] PAC_LOGON_INFO logon_info
- );
-
- /* used for samba3 netsamlogon cache */
- typedef [public] struct {
- time_t timestamp;
- netr_SamInfo3 info3;
- } netsamlogoncache_entry;
-}
diff --git a/source4/heimdal/kpasswd/kpasswd.c b/source4/heimdal/kpasswd/kpasswd.c
new file mode 100644
index 0000000000..b844628f6f
--- /dev/null
+++ b/source4/heimdal/kpasswd/kpasswd.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswd.c 19078 2006-11-20 18:12:41Z lha $");
+
+static int version_flag;
+static int help_flag;
+static char *admin_principal_str;
+static char *cred_cache_str;
+
+static struct getargs args[] = {
+ { "admin-principal", 0, arg_string, &admin_principal_str },
+ { "cache", 'c', arg_string, &cred_cache_str },
+ { "version", 0, arg_flag, &version_flag },
+ { "help", 0, arg_flag, &help_flag }
+};
+
+static void
+usage (int ret, struct getargs *a, int num_args)
+{
+ arg_printusage (a, num_args, NULL, "[principal ...]");
+ exit (ret);
+}
+
+static int
+change_password(krb5_context context,
+ krb5_principal principal,
+ krb5_ccache id)
+{
+ krb5_data result_code_string, result_string;
+ int result_code;
+ krb5_error_code ret;
+ char pwbuf[BUFSIZ];
+ char *msg, *name;
+
+ krb5_data_zero (&result_code_string);
+ krb5_data_zero (&result_string);
+
+ name = msg = NULL;
+ if (principal == NULL)
+ asprintf(&msg, "New password: ");
+ else {
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_unparse_name");
+
+ asprintf(&msg, "New password for %s: ", name);
+ }
+
+ if (msg == NULL)
+ krb5_errx (context, 1, "out of memory");
+
+ ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1);
+ free(msg);
+ if (name)
+ free(name);
+ if (ret != 0) {
+ return 1;
+ }
+
+ ret = krb5_set_password_using_ccache (context, id, pwbuf,
+ principal,
+ &result_code,
+ &result_code_string,
+ &result_string);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_set_password_using_ccache");
+ return 1;
+ }
+
+ printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code),
+ result_string.length > 0 ? " : " : "",
+ (int)result_string.length,
+ result_string.length > 0 ? (char *)result_string.data : "");
+
+ krb5_data_free (&result_code_string);
+ krb5_data_free (&result_string);
+
+ return ret != 0;
+}
+
+
+int
+main (int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_principal principal;
+ int optind = 0;
+ krb5_get_init_creds_opt *opt;
+ krb5_ccache id = NULL;
+ int exit_value;
+
+ optind = krb5_program_setup(&context, argc, argv,
+ args, sizeof(args) / sizeof(args[0]), usage);
+
+ if (help_flag)
+ usage (0, args, sizeof(args) / sizeof(args[0]));
+
+ if(version_flag){
+ print_version (NULL);
+ exit(0);
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ ret = krb5_init_context (&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ ret = krb5_get_init_creds_opt_alloc (context, &opt);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+
+ krb5_get_init_creds_opt_set_tkt_life (opt, 300);
+ krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
+
+ if (cred_cache_str) {
+ ret = krb5_cc_resolve(context, cred_cache_str, &id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_resolve");
+ } else {
+ ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_gen_new");
+ }
+
+ if (cred_cache_str == NULL) {
+ krb5_principal admin_principal = NULL;
+ krb5_creds cred;
+
+ if (admin_principal_str) {
+ ret = krb5_parse_name (context, admin_principal_str,
+ &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else if (argc == 1) {
+ ret = krb5_parse_name (context, argv[0], &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else {
+ ret = krb5_get_default_principal (context, &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_default_principal");
+ }
+
+ ret = krb5_get_init_creds_password (context,
+ &cred,
+ admin_principal,
+ NULL,
+ krb5_prompter_posix,
+ NULL,
+ 0,
+ "kadmin/changepw",
+ opt);
+ switch (ret) {
+ case 0:
+ break;
+ case KRB5_LIBOS_PWDINTR :
+ return 1;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+ case KRB5KRB_AP_ERR_MODIFIED :
+ krb5_errx(context, 1, "Password incorrect");
+ break;
+ default:
+ krb5_err(context, 1, ret, "krb5_get_init_creds");
+ }
+
+ krb5_get_init_creds_opt_free(context, opt);
+
+ ret = krb5_cc_initialize(context, id, admin_principal);
+ krb5_free_principal(context, admin_principal);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_store_cred");
+
+ krb5_free_cred_contents (context, &cred);
+ }
+
+ if (argc == 0) {
+ exit_value = change_password(context, NULL, id);
+ } else {
+ exit_value = 0;
+
+ while (argc-- > 0) {
+
+ ret = krb5_parse_name (context, argv[0], &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+
+ ret = change_password(context, principal, id);
+ if (ret)
+ exit_value = 1;
+ krb5_free_principal(context, principal);
+ argv++;
+ }
+ }
+
+ if (cred_cache_str == NULL) {
+ ret = krb5_cc_destroy(context, id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_destroy");
+ } else {
+ ret = krb5_cc_close(context, id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_close");
+ }
+
+ krb5_free_context (context);
+ return ret;
+}
diff --git a/source4/heimdal/kpasswd/kpasswd_locl.h b/source4/heimdal/kpasswd/kpasswd_locl.h
new file mode 100644
index 0000000000..b797ceb26d
--- /dev/null
+++ b/source4/heimdal/kpasswd/kpasswd_locl.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kpasswd_locl.h 11444 2002-09-10 20:03:49Z joda $ */
+
+#ifndef __KPASSWD_LOCL_H__
+#define __KPASSWD_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <krb5.h>
+#include "crypto-headers.h" /* for des_read_pw_string */
+
+#endif /* __KPASSWD_LOCL_H__ */
diff --git a/source4/heimdal/lib/krb5/prog_setup.c b/source4/heimdal/lib/krb5/prog_setup.c
new file mode 100644
index 0000000000..0586155ac4
--- /dev/null
+++ b/source4/heimdal/lib/krb5/prog_setup.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $");
+
+void KRB5_LIB_FUNCTION
+krb5_std_usage(int code, struct getargs *args, int num_args)
+{
+ arg_printusage(args, num_args, NULL, "");
+ exit(code);
+}
+
+int KRB5_LIB_FUNCTION
+krb5_program_setup(krb5_context *context, int argc, char **argv,
+ struct getargs *args, int num_args,
+ void (*usage)(int, struct getargs*, int))
+{
+ krb5_error_code ret;
+ int optidx = 0;
+
+ if(usage == NULL)
+ usage = krb5_std_usage;
+
+ setprogname(argv[0]);
+ ret = krb5_init_context(context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ if(getarg(args, num_args, argc, argv, &optidx))
+ (*usage)(1, args, num_args);
+ return optidx;
+}
diff --git a/source4/heimdal/lib/roken/rkpty.c b/source4/heimdal/lib/roken/rkpty.c
new file mode 100644
index 0000000000..e29b2c5aca
--- /dev/null
+++ b/source4/heimdal/lib/roken/rkpty.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#ifndef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
+#include "roken.h"
+#include <getarg.h>
+
+struct command {
+ enum { CMD_EXPECT = 0, CMD_SEND, CMD_PASSWORD } type;
+ unsigned int lineno;
+ char *str;
+ struct command *next;
+};
+
+/*
+ *
+ */
+
+static struct command *commands, **next = &commands;
+
+static sig_atomic_t alarmset = 0;
+
+static int timeout = 10;
+static int verbose;
+static int help_flag;
+static int version_flag;
+
+static int master;
+static int slave;
+static char line[256] = { 0 };
+
+static void
+caught_signal(int signo)
+{
+ alarmset = signo;
+}
+
+
+static void
+open_pty(void)
+{
+#if defined(HAVE_OPENPTY) || defined(__linux) || defined(__osf__) /* XXX */
+ if(openpty(&master, &slave, line, 0, 0) == 0)
+ return;
+#endif /* HAVE_OPENPTY .... */
+ /* more cases, like open /dev/ptmx, etc */
+
+ exit(77);
+}
+
+/*
+ *
+ */
+
+static char *
+iscmd(const char *buf, const char *s)
+{
+ size_t len = strlen(s);
+ if (strncmp(buf, s, len) != 0)
+ return NULL;
+ return estrdup(buf + len);
+}
+
+static void
+parse_configuration(const char *fn)
+{
+ struct command *c;
+ char s[1024];
+ char *str;
+ unsigned int lineno = 0;
+ FILE *cmd;
+
+ cmd = fopen(fn, "r");
+ if (cmd == NULL)
+ err(1, "open: %s", fn);
+
+ while (fgets(s, sizeof(s), cmd) != NULL) {
+
+ s[strcspn(s, "#\n")] = '\0';
+ lineno++;
+
+ c = calloc(1, sizeof(*c));
+ if (c == NULL)
+ errx(1, "malloc");
+
+ c->lineno = lineno;
+ (*next) = c;
+ next = &(c->next);
+
+ if ((str = iscmd(s, "expect ")) != NULL) {
+ c->type = CMD_EXPECT;
+ c->str = str;
+ } else if ((str = iscmd(s, "send ")) != NULL) {
+ c->type = CMD_SEND;
+ c->str = str;
+ } else if ((str = iscmd(s, "password ")) != NULL) {
+ c->type = CMD_PASSWORD;
+ c->str = str;
+ } else
+ errx(1, "Invalid command on line %d: %s", lineno, s);
+ }
+
+ fclose(cmd);
+}
+
+
+/*
+ *
+ */
+
+static int
+eval_parent(pid_t pid)
+{
+ struct command *c;
+ char in;
+ size_t len = 0;
+ ssize_t sret;
+
+ for (c = commands; c != NULL; c = c->next) {
+ switch(c->type) {
+ case CMD_EXPECT:
+ if (verbose)
+ printf("[expecting %s]", c->str);
+ len = 0;
+ alarm(timeout);
+ while((sret = read(master, &in, sizeof(in))) > 0) {
+ alarm(timeout);
+ printf("%c", in);
+ if (c->str[len] != in) {
+ len = 0;
+ continue;
+ }
+ len++;
+ if (c->str[len] == '\0')
+ break;
+ }
+ alarm(0);
+ if (alarmset == SIGALRM)
+ errx(1, "timeout waiting for %s (line %u)",
+ c->str, c->lineno);
+ else if (alarmset)
+ errx(1, "got a signal %d waiting for %s (line %u)",
+ alarmset, c->str, c->lineno);
+ if (sret <= 0)
+ errx(1, "end command while waiting for %s (line %u)",
+ c->str, c->lineno);
+ break;
+ case CMD_SEND:
+ case CMD_PASSWORD: {
+ size_t i = 0;
+ const char *msg = (c->type == CMD_PASSWORD) ? "****" : c->str;
+
+ if (verbose)
+ printf("[send %s]", msg);
+
+ len = strlen(c->str);
+
+ while (i < len) {
+ if (c->str[i] == '\\' && i < len - 1) {
+ char ctrl;
+ i++;
+ switch(c->str[i]) {
+ case 'n': ctrl = '\n'; break;
+ case 'r': ctrl = '\r'; break;
+ case 't': ctrl = '\t'; break;
+ default:
+ errx(1, "unknown control char %c (line %u)",
+ c->str[i], c->lineno);
+ }
+ if (net_write(master, &ctrl, 1) != 1)
+ errx(1, "command refused input (line %u)", c->lineno);
+ } else {
+ if (net_write(master, &c->str[i], 1) != 1)
+ errx(1, "command refused input (line %u)", c->lineno);
+ }
+ i++;
+ }
+ break;
+ }
+ default:
+ abort();
+ }
+ }
+ while(read(master, &in, sizeof(in)) > 0)
+ printf("%c", in);
+
+ if (verbose)
+ printf("[end of program]\n");
+
+ /*
+ * Fetch status from child
+ */
+ {
+ int ret, status;
+
+ ret = waitpid(pid, &status, 0);
+ if (ret == -1)
+ err(1, "waitpid");
+ if (WIFEXITED(status) && WEXITSTATUS(status))
+ return WEXITSTATUS(status);
+ else if (WIFSIGNALED(status)) {
+ printf("killed by signal: %d\n", WTERMSIG(status));
+ return 1;
+ }
+ }
+ return 0;
+}
+
+/*
+ *
+ */
+
+static struct getargs args[] = {
+ { "timeout", 't', arg_integer, &timeout, "timout", "seconds" },
+ { "verbose", 'v', arg_counter, &verbose, "verbose debugging" },
+ { "version", 0, arg_flag, &version_flag, "print version" },
+ { "help", 0, arg_flag, &help_flag, NULL }
+};
+
+static void
+usage(int ret)
+{
+ arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "infile command..");
+ exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+ int optidx = 0;
+ pid_t pid;
+
+ setprogname(argv[0]);
+
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage(1);
+
+ if (help_flag)
+ usage (0);
+
+ if (version_flag) {
+ fprintf (stderr, "%s from %s-%s\n", getprogname(), PACKAGE, VERSION);
+ return 0;
+ }
+
+ argv += optidx;
+ argc -= optidx;
+
+ if (argc < 2)
+ usage(1);
+
+ parse_configuration(argv[0]);
+
+ argv += 1;
+ argc -= 1;
+
+ open_pty();
+
+ pid = fork();
+ switch (pid) {
+ case -1:
+ err(1, "Failed to fork");
+ case 0:
+
+ if(setsid()<0)
+ err(1, "setsid");
+
+ dup2(slave, STDIN_FILENO);
+ dup2(slave, STDOUT_FILENO);
+ dup2(slave, STDERR_FILENO);
+ closefrom(STDERR_FILENO + 1);
+
+ execvp(argv[0], argv); /* add NULL to end of array ? */
+ err(1, "Failed to exec: %s", argv[0]);
+ default:
+ close(slave);
+ {
+ struct sigaction sa;
+
+ sa.sa_handler = caught_signal;
+ sa.sa_flags = 0;
+ sigemptyset (&sa.sa_mask);
+
+ sigaction(SIGALRM, &sa, NULL);
+ }
+
+ return eval_parent(pid);
+ }
+}
diff --git a/source4/heimdal_build/internal.m4 b/source4/heimdal_build/internal.m4
index 038c4d9417..06e798ce27 100644
--- a/source4/heimdal_build/internal.m4
+++ b/source4/heimdal_build/internal.m4
@@ -49,6 +49,7 @@ AC_CHECK_HEADERS([ \
errno.h \
inttypes.h \
netdb.h \
+ pty.h \
signal.h \
sys/bswap.h \
sys/file.h \
@@ -158,6 +159,13 @@ m4_include(heimdal/cf/find-func-no-libs.m4)
m4_include(heimdal/cf/find-func-no-libs2.m4)
m4_include(heimdal/cf/resolv.m4)
+
+AC_CHECK_LIB_EXT(util, OPENPTY_LIBS, openpty)
+
+SMB_ENABLE(OPENPTY,YES)
+
+SMB_EXT_LIB(OPENPTY,[${OPENPTY_LIBS}],[${OPENPTY_CFLAGS}],[${OPENPTY_CPPFLAGS}],[${OPENPTY_LDFLAGS}])
+
smb_save_LIBS=$LIBS
RESOLV_LIBS=""
LIBS=""
diff --git a/source4/heimdal_build/internal.mk b/source4/heimdal_build/internal.mk
index 67fda9dd58..7b1c9f5153 100644
--- a/source4/heimdal_build/internal.mk
+++ b/source4/heimdal_build/internal.mk
@@ -322,6 +322,7 @@ HEIMDAL_KRB5_OBJ_FILES = \
$(heimdalsrcdir)/lib/krb5/pkinit.o \
$(heimdalsrcdir)/lib/krb5/plugin.o \
$(heimdalsrcdir)/lib/krb5/principal.o \
+ $(heimdalsrcdir)/lib/krb5/prog_setup.o \
$(heimdalsrcdir)/lib/krb5/pac.o \
$(heimdalsrcdir)/lib/krb5/prompter_posix.o \
$(heimdalsrcdir)/lib/krb5/rd_cred.o \
@@ -600,6 +601,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \
$(heimdalsrcdir)/lib/roken/dumpdata.o \
$(heimdalsrcdir)/lib/roken/emalloc.o \
$(heimdalsrcdir)/lib/roken/ecalloc.o \
+ $(heimdalsrcdir)/lib/roken/getarg.o \
$(heimdalsrcdir)/lib/roken/get_window_size.o \
$(heimdalsrcdir)/lib/roken/h_errno.o \
$(heimdalsrcdir)/lib/roken/issuid.o \
@@ -612,6 +614,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \
$(heimdalsrcdir)/lib/roken/roken_gethostby.o \
$(heimdalsrcdir)/lib/roken/signal.o \
$(heimdalsrcdir)/lib/roken/vis.o \
+ $(heimdalsrcdir)/lib/roken/setprogname.o \
$(heimdalsrcdir)/lib/roken/strlwr.o \
$(heimdalsrcdir)/lib/roken/strsep_copy.o \
$(heimdalsrcdir)/lib/roken/strsep.o \
@@ -677,8 +680,6 @@ dist:: $(heimdalsrcdir)/lib/asn1/lex.c
asn1_compile_OBJ_FILES = \
$(asn1_compile_ASN1_OBJ_FILES) \
$(heimdalsrcdir)/lib/roken/emalloc.ho \
- $(heimdalsrcdir)/lib/roken/getarg.ho \
- $(heimdalsrcdir)/lib/roken/setprogname.ho \
$(heimdalsrcdir)/lib/roken/strupr.ho \
$(heimdalsrcdir)/lib/roken/get_window_size.ho \
$(heimdalsrcdir)/lib/roken/estrdup.ho \
@@ -713,10 +714,8 @@ compile_et_OBJ_FILES = $(heimdalsrcdir)/lib/vers/print_version.ho \
$(heimdalsrcdir)/lib/com_err/parse.ho \
$(heimdalsrcdir)/lib/com_err/lex.ho \
$(heimdalsrcdir)/lib/com_err/compile_et.ho \
- $(heimdalsrcdir)/lib/roken/getarg.ho \
$(heimdalsrcdir)/lib/roken/get_window_size.ho \
$(heimdalsrcdir)/lib/roken/strupr.ho \
- $(heimdalsrcdir)/lib/roken/setprogname.ho \
$(socketwrappersrcdir)/socket_wrapper.ho \
$(heimdalbuildsrcdir)/replace.ho
@@ -761,8 +760,30 @@ PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM
#######################
samba4kinit_OBJ_FILES = $(heimdalsrcdir)/kuser/kinit.o \
- $(heimdalsrcdir)/lib/vers/print_version.o \
- $(heimdalsrcdir)/lib/roken/setprogname.o \
- $(heimdalsrcdir)/lib/roken/getarg.o
+ $(heimdalsrcdir)/lib/vers/print_version.o
$(samba4kinit_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken
+
+#######################
+# Start BINARY compile_et
+[BINARY::samba4kpasswd]
+PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM
+# End BINARY compile_et
+#######################
+
+samba4kpasswd_OBJ_FILES = $(heimdalsrcdir)/kpasswd/kpasswd.o \
+ $(heimdalsrcdir)/lib/vers/print_version.o
+
+$(samba4kpasswd_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken
+
+#######################
+# Start BINARY compile_et
+[BINARY::rkpty]
+PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN OPENPTY
+# End BINARY compile_et
+#######################
+
+rkpty_OBJ_FILES = $(heimdalsrcdir)/lib/roken/rkpty.o \
+ $(socketwrappersrcdir)/socket_wrapper.o
+
+$(rkpty_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken -DPACKAGE=\"Samba\"
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index cf6dbf0c93..45fa803d04 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -657,6 +657,11 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
}
+static struct hdb_method hdb_samba4 = {
+ .interface_version = HDB_INTERFACE_VERSION,
+ .prefix = "samba4:",
+ .create = hdb_samba4_create
+};
/*
startup the kdc task
@@ -667,11 +672,6 @@ static void kdc_task_init(struct task_server *task)
NTSTATUS status;
krb5_error_code ret;
struct interface *ifaces;
- struct hdb_method hdb_samba4 = {
- .interface_version = HDB_INTERFACE_VERSION,
- .prefix = "samba4:",
- .create = hdb_samba4_create
- };
switch (lp_server_role(task->lp_ctx)) {
case ROLE_STANDALONE:
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index dd9791d894..8745385a10 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -263,11 +263,12 @@ import "misc.idl", "security.idl";
LSA_POLICY_INFO_ROLE=6,
LSA_POLICY_INFO_REPLICA=7,
LSA_POLICY_INFO_QUOTA=8,
- LSA_POLICY_INFO_DB=9,
+ LSA_POLICY_INFO_MOD=9,
LSA_POLICY_INFO_AUDIT_FULL_SET=10,
LSA_POLICY_INFO_AUDIT_FULL_QUERY=11,
LSA_POLICY_INFO_DNS=12,
- LSA_POLICY_INFO_DNS_INT=13
+ LSA_POLICY_INFO_DNS_INT=13,
+ LSA_POLICY_INFO_L_ACCOUNT_DOMAIN=14
} lsa_PolicyInfo;
typedef [switch_type(uint16)] union {
@@ -279,11 +280,12 @@ import "misc.idl", "security.idl";
[case(LSA_POLICY_INFO_ROLE)] lsa_ServerRole role;
[case(LSA_POLICY_INFO_REPLICA)] lsa_ReplicaSourceInfo replica;
[case(LSA_POLICY_INFO_QUOTA)] lsa_DefaultQuotaInfo quota;
- [case(LSA_POLICY_INFO_DB)] lsa_ModificationInfo db;
+ [case(LSA_POLICY_INFO_MOD)] lsa_ModificationInfo mod;
[case(LSA_POLICY_INFO_AUDIT_FULL_SET)] lsa_AuditFullSetInfo auditfullset;
[case(LSA_POLICY_INFO_AUDIT_FULL_QUERY)] lsa_AuditFullQueryInfo auditfullquery;
[case(LSA_POLICY_INFO_DNS)] lsa_DnsDomainInfo dns;
[case(LSA_POLICY_INFO_DNS_INT)] lsa_DnsDomainInfo dns;
+ [case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain;
} lsa_PolicyInformation;
NTSTATUS lsa_QueryInfoPolicy (
@@ -512,23 +514,39 @@ import "misc.idl", "security.idl";
/* Function: 0x16 */
[todo] NTSTATUS lsa_SetQuotasForAccount();
+ typedef [bitmap32bit] bitmap {
+ LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
+ LSA_POLICY_MODE_NETWORK = 0x00000002,
+ LSA_POLICY_MODE_BATCH = 0x00000004,
+ LSA_POLICY_MODE_SERVICE = 0x00000010,
+ LSA_POLICY_MODE_PROXY = 0x00000020,
+ LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
+ LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
+ LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
+ LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
+ LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
+ LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
+ LSA_POLICY_MODE_ALL = 0x00000FF7,
+ LSA_POLICY_MODE_ALL_NT4 = 0x00000037
+ } lsa_SystemAccessModeFlags;
+
/* Function: 0x17 */
NTSTATUS lsa_GetSystemAccessAccount(
- [in] policy_handle *handle,
+ [in] policy_handle *handle,
[out,ref] uint32 *access_mask
);
/* Function: 0x18 */
NTSTATUS lsa_SetSystemAccessAccount(
- [in] policy_handle *handle,
- [in] uint32 access_mask
+ [in] policy_handle *handle,
+ [in] uint32 access_mask
);
/* Function: 0x19 */
NTSTATUS lsa_OpenTrustedDomain(
[in] policy_handle *handle,
[in] dom_sid2 *sid,
- [in] uint32 access_mask,
+ [in] uint32 access_mask,
[out] policy_handle *trustdom_handle
);
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 4c596f1f03..b009d2f2f8 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -399,7 +399,6 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
return WERR_INVALID_PARAM;
}
-
/*
fill in the AccountDomain info
*/
@@ -462,9 +461,15 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call,
/* we don't need to fill in any of this */
ZERO_STRUCT(r->out.info->pd);
return NT_STATUS_OK;
+
case LSA_POLICY_INFO_DOMAIN:
+ return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->domain);
case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain);
+ case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
+ return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->l_account_domain);
+
+
case LSA_POLICY_INFO_ROLE:
r->out.info->role.role = LSA_ROLE_PRIMARY;
return NT_STATUS_OK;
@@ -481,8 +486,8 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call,
ZERO_STRUCT(r->out.info->quota);
return NT_STATUS_OK;
+ case LSA_POLICY_INFO_MOD:
case LSA_POLICY_INFO_AUDIT_FULL_SET:
- case LSA_POLICY_INFO_DB:
case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
/* windows gives INVALID_PARAMETER */
r->out.info = NULL;
@@ -2050,7 +2055,36 @@ static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_cal
static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct lsa_GetSystemAccessAccount *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ int i;
+ NTSTATUS status;
+ struct lsa_EnumPrivsAccount enumPrivs;
+
+ enumPrivs.in.handle = r->in.handle;
+
+ status = dcesrv_lsa_EnumPrivsAccount(dce_call, mem_ctx, &enumPrivs);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *(r->out.access_mask) = 0x00000000;
+
+ for (i = 0; i < enumPrivs.out.privs->count; i++) {
+ int priv = enumPrivs.out.privs->set[i].luid.low;
+
+ switch (priv) {
+ case SEC_PRIV_INTERACTIVE_LOGON:
+ *(r->out.access_mask) |= LSA_POLICY_MODE_INTERACTIVE;
+ break;
+ case SEC_PRIV_NETWORK_LOGON:
+ *(r->out.access_mask) |= LSA_POLICY_MODE_NETWORK;
+ break;
+ case SEC_PRIV_REMOTE_INTERACTIVE_LOGON:
+ *(r->out.access_mask) |= LSA_POLICY_MODE_REMOTE_INTERACTIVE;
+ break;
+ }
+ }
+
+ return NT_STATUS_OK;
}
diff --git a/source4/script/mkrelease.sh b/source4/script/mkrelease.sh
index 0af738deb5..6a8c5ae2e7 100755
--- a/source4/script/mkrelease.sh
+++ b/source4/script/mkrelease.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-if [ ! -d ".git" -o `dirname $0` != "./source/script" ]; then
+if [ ! -d ".git" -o `dirname $0` != "./source4/script" ]; then
echo "Run this script from the top-level directory in the"
echo "repository as: ./source/script/mkrelease.sh"
exit 1
@@ -9,13 +9,23 @@ fi
TMPDIR=`mktemp -d samba-XXXXX`
(git archive --format=tar HEAD | (cd $TMPDIR/ && tar xf -))
-( cd $TMPDIR/source || exit 1
+#Prepare the tarball for a Samba4 release, with some generated files,
+#but without Samba3 stuff (to avoid confusion)
+( cd $TMPDIR/ || exit 1
+ rm -rf source3 packaging docs-xml examples swat WHATSNEW.txt MAINTAINERS || exit 1
+ cd source4 || exit 1
./autogen.sh || exit 1
./configure || exit 1
make dist || exit 1
) || exit 1
-VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $TMPDIR/source/version.h`
+VERSION_FILE=$TMPDIR/source4/version.h
+if [ ! -f $VERSION_FILE ]; then
+ echo "Cannot find version.h at $VERSION_FILE"
+ exit 1;
+fi
+
+VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $VERSION_FILE`
mv $TMPDIR samba-$VERSION || exit 1
tar -cf samba-$VERSION.tar samba-$VERSION || (rm -rf samba-$VERSION; exit 1)
rm -rf samba-$VERSION || exit 1
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index a6c591dd51..8e9b68fb30 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -34,6 +34,7 @@ dn: @OPTIONS
checkBaseOnSearch: TRUE
dn: @KLUDGEACL
+passwordAttribute: clearTextPassword
passwordAttribute: userPassword
passwordAttribute: ntPwdHash
passwordAttribute: sambaNTPwdHistory
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 245ed1e41b..69df965f19 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -46,7 +46,7 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
NTSTATUS status;
uint16_t system_name = '\\';
- printf("\ntesting OpenPolicy\n");
+ printf("\nTesting OpenPolicy\n");
qos.len = 0;
qos.impersonation_level = 2;
@@ -88,7 +88,7 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct lsa_OpenPolicy2 r;
NTSTATUS status;
- printf("\ntesting OpenPolicy2\n");
+ printf("\nTesting OpenPolicy2\n");
*handle = talloc(mem_ctx, struct policy_handle);
if (!*handle) {
@@ -781,7 +781,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p,
}
static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct policy_handle *handle,
struct policy_handle *acct_handle,
struct lsa_LUID *luid)
@@ -791,7 +791,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
struct lsa_PrivilegeSet privs;
bool ret = true;
- printf("Testing RemovePrivilegesFromAccount\n");
+ printf("\nTesting RemovePrivilegesFromAccount\n");
r.in.handle = acct_handle;
r.in.remove_all = 0;
@@ -831,7 +831,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
}
static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct policy_handle *acct_handle,
struct lsa_LUID *luid)
{
@@ -840,7 +840,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p,
struct lsa_PrivilegeSet privs;
bool ret = true;
- printf("Testing AddPrivilegesToAccount\n");
+ printf("\nTesting AddPrivilegesToAccount\n");
r.in.handle = acct_handle;
r.in.privs = &privs;
@@ -861,7 +861,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p,
}
static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct policy_handle *handle,
struct policy_handle *acct_handle)
{
@@ -869,7 +869,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
struct lsa_EnumPrivsAccount r;
bool ret = true;
- printf("Testing EnumPrivsAccount\n");
+ printf("\nTesting EnumPrivsAccount\n");
r.in.handle = acct_handle;
@@ -895,6 +895,60 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
return ret;
}
+static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *handle,
+ struct policy_handle *acct_handle)
+{
+ NTSTATUS status;
+ uint32_t access_mask;
+ struct lsa_GetSystemAccessAccount r;
+
+ printf("\nTesting GetSystemAccessAccount\n");
+
+ r.in.handle = acct_handle;
+ r.out.access_mask = &access_mask;
+
+ status = dcerpc_lsa_GetSystemAccessAccount(p, mem_ctx, &r);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if (r.out.access_mask != NULL) {
+ printf("Rights:");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE)
+ printf(" LSA_POLICY_MODE_INTERACTIVE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK)
+ printf(" LSA_POLICY_MODE_NETWORK");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH)
+ printf(" LSA_POLICY_MODE_BATCH");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE)
+ printf(" LSA_POLICY_MODE_SERVICE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY)
+ printf(" LSA_POLICY_MODE_PROXY");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE)
+ printf(" LSA_POLICY_MODE_DENY_INTERACTIVE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK)
+ printf(" LSA_POLICY_MODE_DENY_NETWORK");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH)
+ printf(" LSA_POLICY_MODE_DENY_BATCH");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE)
+ printf(" LSA_POLICY_MODE_DENY_SERVICE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE)
+ printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE)
+ printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL)
+ printf(" LSA_POLICY_MODE_ALL");
+ if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4)
+ printf(" LSA_POLICY_MODE_ALL_NT4");
+ printf("\n");
+ }
+
+ return true;
+}
+
static bool test_Delete(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
struct policy_handle *handle)
@@ -902,7 +956,7 @@ static bool test_Delete(struct dcerpc_pipe *p,
NTSTATUS status;
struct lsa_Delete r;
- printf("testing Delete\n");
+ printf("\nTesting Delete\n");
r.in.handle = handle;
status = dcerpc_lsa_Delete(p, mem_ctx, &r);
@@ -921,13 +975,13 @@ static bool test_DeleteObject(struct dcerpc_pipe *p,
NTSTATUS status;
struct lsa_DeleteObject r;
- printf("testing DeleteObject\n");
+ printf("\nTesting DeleteObject\n");
r.in.handle = handle;
r.out.handle = handle;
status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("Delete failed - %s\n", nt_errstr(status));
+ printf("DeleteObject failed - %s\n", nt_errstr(status));
return false;
}
@@ -946,7 +1000,7 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
newsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-12349876-4321-2854");
- printf("Testing CreateAccount\n");
+ printf("\nTesting CreateAccount\n");
r.in.handle = handle;
r.in.sid = newsid;
@@ -998,7 +1052,7 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p,
status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("lsa_OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
+ printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
return false;
}
@@ -1026,7 +1080,7 @@ static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p,
status = dcerpc_lsa_DeleteTrustedDomain(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("lsa_DeleteTrustedDomain failed - %s\n", nt_errstr(status));
+ printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status));
return false;
}
@@ -1072,7 +1126,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
secname[GLOBAL] = talloc_asprintf(mem_ctx, "G$torturesecret-%u", (uint_t)random());
for (i=0; i< 2; i++) {
- printf("Testing CreateSecret of %s\n", secname[i]);
+ printf("\nTesting CreateSecret of %s\n", secname[i]);
init_lsa_String(&r.in.name, secname[i]);
@@ -1384,7 +1438,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p,
struct lsa_EnumAccountRights r;
struct lsa_RightSet rights;
- printf("Testing EnumAccountRights\n");
+ printf("\nTesting EnumAccountRights\n");
r.in.handle = acct_handle;
r.in.sid = sid;
@@ -1410,11 +1464,11 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p,
struct lsa_QuerySecurity r;
if (torture_setting_bool(tctx, "samba4", false)) {
- printf("skipping QuerySecurity test against Samba4\n");
+ printf("\nskipping QuerySecurity test against Samba4\n");
return true;
}
- printf("Testing QuerySecurity\n");
+ printf("\nTesting QuerySecurity\n");
r.in.handle = acct_handle;
r.in.sec_info = 7;
@@ -1437,7 +1491,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p,
struct lsa_OpenAccount r;
struct policy_handle acct_handle;
- printf("Testing OpenAccount\n");
+ printf("\nTesting OpenAccount\n");
r.in.handle = handle;
r.in.sid = sid;
@@ -1454,6 +1508,10 @@ static bool test_OpenAccount(struct dcerpc_pipe *p,
return false;
}
+ if (!test_GetSystemAccessAccount(p, mem_ctx, handle, &acct_handle)) {
+ return false;
+ }
+
if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) {
return false;
}
@@ -1472,7 +1530,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
int i;
bool ret = true;
- printf("\ntesting EnumAccounts\n");
+ printf("\nTesting EnumAccounts\n");
r.in.handle = handle;
r.in.resume_handle = &resume_handle;
@@ -1503,7 +1561,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
* be on schannel, or we would not be able to do the
* rest */
- printf("testing all accounts\n");
+ printf("Testing all accounts\n");
for (i=0;i<sids1.num_sids;i++) {
ret &= test_OpenAccount(p, mem_ctx, handle, sids1.sids[i].sid);
ret &= test_EnumAccountRights(p, mem_ctx, handle, sids1.sids[i].sid);
@@ -1515,7 +1573,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
return ret;
}
- printf("trying EnumAccounts partial listing (asking for 1 at 2)\n");
+ printf("Trying EnumAccounts partial listing (asking for 1 at 2)\n");
resume_handle = 2;
r.in.num_entries = 1;
r.out.sids = &sids2;
@@ -1545,7 +1603,7 @@ static bool test_LookupPrivDisplayName(struct dcerpc_pipe *p,
terminals */
uint16_t language_id = (random() % 4) + 0x409;
- printf("testing LookupPrivDisplayName(%s)\n", priv_name->string);
+ printf("\nTesting LookupPrivDisplayName(%s)\n", priv_name->string);
r.in.handle = handle;
r.in.name = priv_name;
@@ -1576,7 +1634,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p,
ZERO_STRUCT(sids);
- printf("testing EnumAccountsWithUserRight(%s)\n", priv_name->string);
+ printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string);
r.in.handle = handle;
r.in.name = priv_name;
@@ -1609,7 +1667,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p,
int i;
bool ret = true;
- printf("\ntesting EnumPrivs\n");
+ printf("\nTesting EnumPrivs\n");
r.in.handle = handle;
r.in.resume_handle = &resume_handle;
@@ -1669,7 +1727,7 @@ static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p,
status = dcerpc_lsa_lsaRQueryForestTrustInformation(p, tctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("lsaRQueryForestTrustInformation failed - %s\n", nt_errstr(status));
+ printf("lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status));
ret = false;
}
@@ -1999,7 +2057,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
struct lsa_QueryTrustedDomainInfo q;
int i;
- printf("Testing CreateTrustedDomain for 12 domains\n");
+ printf("\nTesting CreateTrustedDomain for 12 domains\n");
if (!test_EnumTrustDom(p, mem_ctx, handle)) {
ret = false;
@@ -2095,7 +2153,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
enum ndr_err_code ndr_err;
int i;
- printf("Testing CreateTrustedDomainEx2 for 12 domains\n");
+ printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n");
status = dcerpc_fetch_session_key(p, &session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -2226,7 +2284,7 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
r.in.handle = handle;
r.in.level = i;
- printf("\ntrying QueryDomainInformationPolicy level %d\n", i);
+ printf("\nTrying QueryDomainInformationPolicy level %d\n", i);
status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
@@ -2244,35 +2302,50 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
}
-static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
- struct torture_context *tctx,
- struct policy_handle *handle)
+static bool test_QueryInfoPolicyCalls( bool version2,
+ struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
{
struct lsa_QueryInfoPolicy r;
NTSTATUS status;
int i;
bool ret = true;
- printf("\nTesting QueryInfoPolicy\n");
- for (i=1;i<=13;i++) {
+ if (version2)
+ printf("\nTesting QueryInfoPolicy2\n");
+ else
+ printf("\nTesting QueryInfoPolicy\n");
+
+ for (i=1;i<=14;i++) {
r.in.handle = handle;
r.in.level = i;
- printf("\ntrying QueryInfoPolicy level %d\n", i);
+ if (version2)
+ printf("\nTrying QueryInfoPolicy2 level %d\n", i);
+ else
+ printf("\nTrying QueryInfoPolicy level %d\n", i);
- status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r);
+ if (version2)
+ /* We can perform the cast, because both types are
+ structurally equal */
+ status = dcerpc_lsa_QueryInfoPolicy2(p, tctx,
+ (struct lsa_QueryInfoPolicy2*) &r);
+ else
+ status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r);
switch (i) {
- case LSA_POLICY_INFO_DB:
+ case LSA_POLICY_INFO_MOD:
case LSA_POLICY_INFO_AUDIT_FULL_SET:
case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
- printf("server should have failed level %u: %s\n", i, nt_errstr(status));
+ printf("Server should have failed level %u: %s\n", i, nt_errstr(status));
ret = false;
}
break;
case LSA_POLICY_INFO_DOMAIN:
case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
+ case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
case LSA_POLICY_INFO_DNS_INT:
case LSA_POLICY_INFO_DNS:
case LSA_POLICY_INFO_REPLICA:
@@ -2282,7 +2355,10 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
case LSA_POLICY_INFO_AUDIT_EVENTS:
case LSA_POLICY_INFO_PD:
if (!NT_STATUS_IS_OK(status)) {
- printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
+ if (version2)
+ printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
+ else
+ printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
ret = false;
}
break;
@@ -2290,17 +2366,24 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
if (torture_setting_bool(tctx, "samba4", false)) {
/* Other levels not implemented yet */
if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
- printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
+ if (version2)
+ printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
+ else
+ printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
ret = false;
}
} else if (!NT_STATUS_IS_OK(status)) {
- printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
+ if (version2)
+ printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
+ else
+ printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
ret = false;
}
break;
}
- if (NT_STATUS_IS_OK(status) && i == LSA_POLICY_INFO_DNS) {
+ if (NT_STATUS_IS_OK(status) && (i == LSA_POLICY_INFO_DNS
+ || i == LSA_POLICY_INFO_DNS_INT)) {
/* Let's look up some of these names */
struct lsa_TransNameArray tnames;
@@ -2342,63 +2425,18 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
return ret;
}
+static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
+{
+ return test_QueryInfoPolicyCalls(false, p, tctx, handle);
+}
+
static bool test_QueryInfoPolicy2(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *handle)
{
- struct lsa_QueryInfoPolicy2 r;
- NTSTATUS status;
- int i;
- bool ret = true;
- printf("\nTesting QueryInfoPolicy2\n");
- for (i=1;i<13;i++) {
- r.in.handle = handle;
- r.in.level = i;
-
- printf("\ntrying QueryInfoPolicy2 level %d\n", i);
-
- status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, &r);
-
- switch (i) {
- case LSA_POLICY_INFO_DB:
- case LSA_POLICY_INFO_AUDIT_FULL_SET:
- case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
- if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
- printf("server should have failed level %u: %s\n", i, nt_errstr(status));
- ret = false;
- }
- break;
- case LSA_POLICY_INFO_DOMAIN:
- case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
- case LSA_POLICY_INFO_DNS_INT:
- case LSA_POLICY_INFO_DNS:
- case LSA_POLICY_INFO_REPLICA:
- case LSA_POLICY_INFO_QUOTA:
- case LSA_POLICY_INFO_ROLE:
- case LSA_POLICY_INFO_AUDIT_LOG:
- case LSA_POLICY_INFO_AUDIT_EVENTS:
- case LSA_POLICY_INFO_PD:
- if (!NT_STATUS_IS_OK(status)) {
- printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
- ret = false;
- }
- break;
- default:
- if (torture_setting_bool(tctx, "samba4", false)) {
- /* Other levels not implemented yet */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
- printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
- ret = false;
- }
- } else if (!NT_STATUS_IS_OK(status)) {
- printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
- ret = false;
- }
- break;
- }
- }
-
- return ret;
+ return test_QueryInfoPolicyCalls(true, p, tctx, handle);
}
static bool test_GetUserName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
@@ -2433,7 +2471,7 @@ bool test_lsa_Close(struct dcerpc_pipe *p,
struct lsa_Close r;
struct policy_handle handle2;
- printf("\ntesting Close\n");
+ printf("\nTesting Close\n");
r.in.handle = handle;
r.out.handle = &handle2;
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index b9969e2c57..90e3d37453 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -1,7 +1,7 @@
#!/bin/sh
# Blackbox tests for kinit and kerberos integration with smbclient etc
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
-# Copyright (C) 2006-2007 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
if [ $# -lt 5 ]; then
cat <<EOF
@@ -73,17 +73,55 @@ testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tm
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
NEWUSERPASS=testPaSS@34%
-testit "change user password" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
+testit "change user password with 'net password change' (rpc)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
echo $NEWUSERPASS > ./tmpuserpassfile
testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@56%
+echo $NEWUSERPASS > ./tmpuserpassfile
+
+cat > ./tmpkpasswdscript <<EOF
+expect Password
+password ${USERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "change user password with kpasswd" $samba4bindir/rkpty ./tmpkpasswdscript $samba4bindir/samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
+
+testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+
+NEWUSERPASS=testPaSS@78%
+echo $NEWUSERPASS > ./tmpuserpassfile
+
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
+cat > ./tmpkpasswdscript <<EOF
+expect New password
+send ${NEWUSERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "set user password with kpasswd" $samba4bindir/rkpty ./tmpkpasswdscript $samba4bindir/samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr $failed + 1`
+
+testit "kinit with user password" $samba4bindir/samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
KRB5CCNAME="$PREFIX/tmpccache"
export KRB5CCNAME
testit "del user with kerberos ccache" $VALGRIND $net user delete nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
-rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache
+rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
exit $failed