diff options
Diffstat (limited to 'source4')
182 files changed, 4927 insertions, 1796 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 6bad017862..8a0f12efd8 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -23,6 +23,8 @@ #include "librpc/gen_ndr/ndr_krb5pac.h" +extern const char *krbtgt_attrs[]; +extern const char *server_attrs[]; extern const char *user_attrs[]; union netr_Validation; diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 09bdec512d..f4ef36a24d 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -57,6 +57,7 @@ struct gensec_krb5_state { krb5_keyblock *keyblock; krb5_ticket *ticket; bool gssapi; + krb5_flags ap_req_options; }; static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) @@ -88,7 +89,7 @@ static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) return 0; } -static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi) { krb5_error_code ret; struct gensec_krb5_state *gensec_krb5_state; @@ -114,7 +115,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) gensec_krb5_state->keyblock = NULL; gensec_krb5_state->session_key = data_blob(NULL, 0); gensec_krb5_state->pac = data_blob(NULL, 0); - gensec_krb5_state->gssapi = false; + gensec_krb5_state->gssapi = gssapi; talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); @@ -186,12 +187,12 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) return NT_STATUS_OK; } -static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi) { NTSTATUS nt_status; struct gensec_krb5_state *gensec_krb5_state; - nt_status = gensec_krb5_start(gensec_security); + nt_status = gensec_krb5_start(gensec_security, gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -202,26 +203,23 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security return NT_STATUS_OK; } -static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security) { - NTSTATUS nt_status = gensec_krb5_server_start(gensec_security); + return gensec_krb5_common_server_start(gensec_security, false); +} - if (NT_STATUS_IS_OK(nt_status)) { - struct gensec_krb5_state *gensec_krb5_state; - gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; - gensec_krb5_state->gssapi = true; - } - return nt_status; +static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security) +{ + return gensec_krb5_common_server_start(gensec_security, true); } -static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi) { struct gensec_krb5_state *gensec_krb5_state; krb5_error_code ret; NTSTATUS nt_status; struct ccache_container *ccache_container; const char *hostname; - krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED; const char *principal; krb5_data in_data; @@ -240,13 +238,26 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security return NT_STATUS_INVALID_PARAMETER; } - nt_status = gensec_krb5_start(gensec_security); + nt_status = gensec_krb5_start(gensec_security, gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; + gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY; + + if (gensec_krb5_state->gssapi) { + /* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */ + if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) { + gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; + } + } else { + /* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */ + if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) { + gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; + } + } principal = gensec_get_target_principal(gensec_security); @@ -274,7 +285,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security if (ret == 0) { ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, - ap_req_options, + gensec_krb5_state->ap_req_options, target_principal, &in_data, ccache_container->ccache, &gensec_krb5_state->enc_ticket); @@ -284,7 +295,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } else { ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, - ap_req_options, + gensec_krb5_state->ap_req_options, gensec_get_target_service(gensec_security), hostname, &in_data, ccache_container->ccache, @@ -328,16 +339,14 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } } -static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) { - NTSTATUS nt_status = gensec_krb5_client_start(gensec_security); + return gensec_krb5_common_client_start(gensec_security, false); +} - if (NT_STATUS_IS_OK(nt_status)) { - struct gensec_krb5_state *gensec_krb5_state; - gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; - gensec_krb5_state->gssapi = true; - } - return nt_status; +static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security) +{ + return gensec_krb5_common_client_start(gensec_security, true); } /** @@ -392,8 +401,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } else { *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length); } - gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; - nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { + gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; + nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + gensec_krb5_state->state_position = GENSEC_KRB5_DONE; + nt_status = NT_STATUS_OK; + } return nt_status; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index c396662c12..635d94242f 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -32,25 +32,37 @@ #include "param/param.h" #include "auth/auth_sam.h" -const char *user_attrs[] = { - /* required for the krb5 kdc */ - "objectClass", - "sAMAccountName", - "userPrincipalName", - "servicePrincipalName", - "msDS-KeyVersionNumber", - "supplementalCredentials", +#define KRBTGT_ATTRS \ + /* required for the krb5 kdc */ \ + "objectClass", \ + "sAMAccountName", \ + "userPrincipalName", \ + "servicePrincipalName", \ + "msDS-KeyVersionNumber", \ + "supplementalCredentials", \ + \ + /* passwords */ \ + "dBCSPwd", \ + "unicodePwd", \ + \ + "userAccountControl", \ + "objectSid", \ + \ + "pwdLastSet", \ + "accountExpires" + +const char *krbtgt_attrs[] = { + KRBTGT_ATTRS +}; - /* passwords */ - "dBCSPwd", - "unicodePwd", +const char *server_attrs[] = { + KRBTGT_ATTRS +}; - "userAccountControl", +const char *user_attrs[] = { + KRBTGT_ATTRS, - "pwdLastSet", - "accountExpires", "logonHours", - "objectSid", /* check 'allowed workstations' */ "userWorkstations", diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c index 8a21ea55c9..b1a46c3c31 100644 --- a/source4/cldap_server/netlogon.c +++ b/source4/cldap_server/netlogon.c @@ -189,7 +189,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, "(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))" "(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))", ldb_binary_encode_string(mem_ctx, user), - UF_ACCOUNTDISABLE, samdb_acb2uf(acct_control)); + UF_ACCOUNTDISABLE, ds_acb2uf(acct_control)); if (ret != LDB_SUCCESS) { DEBUG(2,("Unable to find referece to user '%s' with ACB 0x%8x under %s: %s\n", user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn), diff --git a/source4/configure.ac b/source4/configure.ac index 1930f4b6c7..7c5f310aa9 100644 --- a/source4/configure.ac +++ b/source4/configure.ac @@ -37,6 +37,7 @@ m4_include(client/config.m4) AC_CONFIG_FILES(lib/registry/registry.pc) AC_CONFIG_FILES(librpc/dcerpc.pc) AC_CONFIG_FILES(../librpc/ndr.pc) +AC_CONFIG_FILES(../librpc/ndr_standard.pc) AC_CONFIG_FILES(../lib/torture/torture.pc) AC_CONFIG_FILES(auth/gensec/gensec.pc) AC_CONFIG_FILES(param/samba-hostconfig.pc) diff --git a/source4/dsdb/common/flag_mapping.c b/source4/dsdb/common/flag_mapping.c deleted file mode 100644 index dceb41be67..0000000000 --- a/source4/dsdb/common/flag_mapping.c +++ /dev/null @@ -1,145 +0,0 @@ -/* - Unix SMB/CIFS implementation. - helper mapping functions for the SAMDB server - - Copyright (C) Stefan (metze) Metzmacher 2002 - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "librpc/gen_ndr/samr.h" -#include "dsdb/common/flags.h" -#include "lib/ldb/include/ldb.h" -#include "dsdb/common/proto.h" - -/* -translated the ACB_CTRL Flags to UserFlags (userAccountControl) -*/ -/* mapping between ADS userAccountControl and SAMR acct_flags */ -static const struct { - uint32_t uf; - uint32_t acb; -} acct_flags_map[] = { - { UF_ACCOUNTDISABLE, ACB_DISABLED }, - { UF_HOMEDIR_REQUIRED, ACB_HOMDIRREQ }, - { UF_PASSWD_NOTREQD, ACB_PWNOTREQ }, - { UF_TEMP_DUPLICATE_ACCOUNT, ACB_TEMPDUP }, - { UF_NORMAL_ACCOUNT, ACB_NORMAL }, - { UF_MNS_LOGON_ACCOUNT, ACB_MNS }, - { UF_INTERDOMAIN_TRUST_ACCOUNT, ACB_DOMTRUST }, - { UF_WORKSTATION_TRUST_ACCOUNT, ACB_WSTRUST }, - { UF_SERVER_TRUST_ACCOUNT, ACB_SVRTRUST }, - { UF_DONT_EXPIRE_PASSWD, ACB_PWNOEXP }, - { UF_LOCKOUT, ACB_AUTOLOCK }, - { UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, ACB_ENC_TXT_PWD_ALLOWED }, - { UF_SMARTCARD_REQUIRED, ACB_SMARTCARD_REQUIRED }, - { UF_TRUSTED_FOR_DELEGATION, ACB_TRUSTED_FOR_DELEGATION }, - { UF_NOT_DELEGATED, ACB_NOT_DELEGATED }, - { UF_USE_DES_KEY_ONLY, ACB_USE_DES_KEY_ONLY}, - { UF_DONT_REQUIRE_PREAUTH, ACB_DONT_REQUIRE_PREAUTH }, - { UF_PASSWORD_EXPIRED, ACB_PW_EXPIRED }, - { UF_NO_AUTH_DATA_REQUIRED, ACB_NO_AUTH_DATA_REQD } -}; - -uint32_t samdb_acb2uf(uint32_t acb) -{ - uint32_t i, ret = 0; - for (i=0;i<ARRAY_SIZE(acct_flags_map);i++) { - if (acct_flags_map[i].acb & acb) { - ret |= acct_flags_map[i].uf; - } - } - return ret; -} - -/* -translated the UserFlags (userAccountControl) to ACB_CTRL Flags -*/ -uint32_t samdb_uf2acb(uint32_t uf) -{ - uint32_t i; - uint32_t ret = 0; - for (i=0;i<ARRAY_SIZE(acct_flags_map);i++) { - if (acct_flags_map[i].uf & uf) { - ret |= acct_flags_map[i].acb; - } - } - return ret; -} - -/* -get the accountType from the UserFlags -*/ -uint32_t samdb_uf2atype(uint32_t uf) -{ - uint32_t atype = 0x00000000; - - if (uf & UF_NORMAL_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT; - else if (uf & UF_TEMP_DUPLICATE_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT; - else if (uf & UF_SERVER_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST; - else if (uf & UF_WORKSTATION_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST; - else if (uf & UF_INTERDOMAIN_TRUST_ACCOUNT) atype = ATYPE_INTERDOMAIN_TRUST; - - return atype; -} - -/* -get the accountType from the groupType -*/ -uint32_t samdb_gtype2atype(uint32_t gtype) -{ - uint32_t atype = 0x00000000; - - switch(gtype) { - case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: - atype = ATYPE_SECURITY_LOCAL_GROUP; - break; - case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: - atype = ATYPE_SECURITY_LOCAL_GROUP; - break; - case GTYPE_SECURITY_GLOBAL_GROUP: - atype = ATYPE_SECURITY_GLOBAL_GROUP; - break; - - case GTYPE_DISTRIBUTION_GLOBAL_GROUP: - atype = ATYPE_DISTRIBUTION_GLOBAL_GROUP; - break; - case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: - atype = ATYPE_DISTRIBUTION_UNIVERSAL_GROUP; - break; - case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: - atype = ATYPE_DISTRIBUTION_LOCAL_GROUP; - break; - } - - return atype; -} - -/* turn a sAMAccountType into a SID_NAME_USE */ -enum lsa_SidType samdb_atype_map(uint32_t atype) -{ - switch (atype & 0xF0000000) { - case ATYPE_GLOBAL_GROUP: - return SID_NAME_DOM_GRP; - case ATYPE_SECURITY_LOCAL_GROUP: - return SID_NAME_ALIAS; - case ATYPE_ACCOUNT: - return SID_NAME_USER; - default: - DEBUG(1,("hmm, need to map account type 0x%x\n", atype)); - } - return SID_NAME_UNKNOWN; -} diff --git a/source4/dsdb/common/flags.h b/source4/dsdb/common/flags.h deleted file mode 100644 index dd8081732c..0000000000 --- a/source4/dsdb/common/flags.h +++ /dev/null @@ -1,137 +0,0 @@ -/* - Unix SMB/CIFS implementation. - User/Group specific flags - - Copyright (C) Andrew Tridgell 2001-2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -/* UserFlags for userAccountControl */ -#define UF_SCRIPT 0x00000001 /* NT or Lan Manager Login script must be executed */ -#define UF_ACCOUNTDISABLE 0x00000002 -#define UF_00000004 0x00000004 -#define UF_HOMEDIR_REQUIRED 0x00000008 - -#define UF_LOCKOUT 0x00000010 -#define UF_PASSWD_NOTREQD 0x00000020 -#define UF_PASSWD_CANT_CHANGE 0x00000040 -#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 - -#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 /* Local user account in usrmgr */ -#define UF_NORMAL_ACCOUNT 0x00000200 -#define UF_00000400 0x00000400 -#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 - -#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 -#define UF_SERVER_TRUST_ACCOUNT 0x00002000 -#define UF_00004000 0x00004000 -#define UF_00008000 0x00008000 - -#define UF_DONT_EXPIRE_PASSWD 0x00010000 -#define UF_MNS_LOGON_ACCOUNT 0x00020000 -#define UF_SMARTCARD_REQUIRED 0x00040000 -#define UF_TRUSTED_FOR_DELEGATION 0x00080000 - -#define UF_NOT_DELEGATED 0x00100000 -#define UF_USE_DES_KEY_ONLY 0x00200000 -#define UF_DONT_REQUIRE_PREAUTH 0x00400000 -#define UF_PASSWORD_EXPIRED 0x00800000 - -#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 -#define UF_NO_AUTH_DATA_REQUIRED 0x02000000 - -/* sAMAccountType */ -#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */ -#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */ -#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */ -#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000 /* 268435456 */ -#define ATYPE_DISTRIBUTION_GLOBAL_GROUP 0x10000001 /* 268435457 */ -#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP ATYPE_DISTRIBUTION_GLOBAL_GROUP -#define ATYPE_SECURITY_LOCAL_GROUP 0x20000000 /* 536870912 */ -#define ATYPE_DISTRIBUTION_LOCAL_GROUP 0x20000001 /* 536870913 */ - -#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */ -#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */ -#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */ - -/* groupType */ -#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001 -#define GROUP_TYPE_ACCOUNT_GROUP 0x00000002 -#define GROUP_TYPE_RESOURCE_GROUP 0x00000004 -#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008 -#define GROUP_TYPE_APP_BASIC_GROUP 0x00000010 -#define GROUP_TYPE_APP_QUERY_GROUP 0x00000020 -#define GROUP_TYPE_SECURITY_ENABLED 0x80000000 - -#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP ( \ - /* 0x80000005 -2147483643 */ \ - GROUP_TYPE_BUILTIN_LOCAL_GROUP| \ - GROUP_TYPE_RESOURCE_GROUP| \ - GROUP_TYPE_SECURITY_ENABLED \ - ) -#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ( \ - /* 0x80000004 -2147483644 */ \ - GROUP_TYPE_RESOURCE_GROUP| \ - GROUP_TYPE_SECURITY_ENABLED \ - ) -#define GTYPE_SECURITY_GLOBAL_GROUP ( \ - /* 0x80000002 -2147483646 */ \ - GROUP_TYPE_ACCOUNT_GROUP| \ - GROUP_TYPE_SECURITY_ENABLED \ - ) -#define GTYPE_SECURITY_UNIVERSAL_GROUP ( \ - /* 0x80000008 -2147483656 */ \ - GROUP_TYPE_UNIVERSAL_GROUP| \ - GROUP_TYPE_SECURITY_ENABLED \ - ) -#define GTYPE_DISTRIBUTION_GLOBAL_GROUP 0x00000002 /* 2 */ -#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x00000004 /* 4 */ -#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x00000008 /* 8 */ - -#define INSTANCE_TYPE_IS_NC_HEAD 0x00000001 -#define INSTANCE_TYPE_UNINSTANT 0x00000002 -#define INSTANCE_TYPE_WRITE 0x00000004 -#define INSTANCE_TYPE_NC_ABOVE 0x00000008 -#define INSTANCE_TYPE_NC_COMING 0x00000010 -#define INSTANCE_TYPE_NC_GOING 0x00000020 - -#define SYSTEM_FLAG_CR_NTDS_NC 0x00000001 -#define SYSTEM_FLAG_CR_NTDS_DOMAIN 0x00000002 -#define SYSTEM_FLAG_CR_NTDS_NOT_GC_REPLICATED 0x00000004 -#define SYSTEM_FLAG_SCHEMA_BASE_OBJECT 0x00000010 -#define SYSTEM_FLAG_ATTR_IS_RDN 0x00000020 -#define SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE 0x02000000 -#define SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE 0x04000000 -#define SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME 0x08000000 -#define SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x10000000 -#define SYSTEM_FLAG_CONFIG_ALLOW_MOVE 0x20000000 -#define SYSTEM_FLAG_CONFIG_ALLOW_RENAME 0x40000000 -#define SYSTEM_FLAG_DISALLOW_DELTE 0x80000000 - -#define SEARCH_FLAG_ATTINDEX 0x0000001 -#define SEARCH_FLAG_PDNTATTINDEX 0x0000002 -#define SEARCH_FLAG_ANR 0x0000004 -#define SEARCH_FLAG_PRESERVEONDELETE 0x0000008 -#define SEARCH_FLAG_COPY 0x0000010 -#define SEARCH_FLAG_TUPLEINDEX 0x0000020 -#define SEARCH_FLAG_SUBTREEATTRINDEX 0x0000040 -#define SEARCH_FLAG_CONFIDENTIAL 0x0000080 -#define SEARCH_FLAG_NEVERVALUEAUDIT 0x0000100 -#define SEARCH_FLAG_RODC_ATTRIBUTE 0x0000200 - -#define DS_BEHAVIOR_WIN2000 0 -#define DS_BEHAVIOR_WIN2003_INTERIM 1 -#define DS_BEHAVIOR_WIN2003 2 -#define DS_BEHAVIOR_WIN2008 3 diff --git a/source4/dsdb/common/sidmap.c b/source4/dsdb/common/sidmap.c index 5c20149384..3111a78e51 100644 --- a/source4/dsdb/common/sidmap.c +++ b/source4/dsdb/common/sidmap.c @@ -21,7 +21,7 @@ #include "includes.h" #include "system/passwd.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "dsdb/samdb/samdb.h" #include "auth/auth.h" #include "libcli/ldap/ldap_ndr.h" @@ -583,7 +583,7 @@ NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap, struct passwd *pwd; uid_t uid = rid - SIDMAP_LOCAL_USER_BASE; atype = ATYPE_NORMAL_ACCOUNT; - *rtype = samdb_atype_map(atype); + *rtype = ds_atype_map(atype); pwd = getpwuid(uid); if (pwd == NULL) { @@ -595,7 +595,7 @@ NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap, struct group *grp; gid_t gid = rid - SIDMAP_LOCAL_GROUP_BASE; atype = ATYPE_LOCAL_GROUP; - *rtype = samdb_atype_map(atype); + *rtype = ds_atype_map(atype); grp = getgrgid(gid); if (grp == NULL) { *name = talloc_asprintf(mem_ctx, "gid%u", gid); diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index cbae2ec24c..247aec7035 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -31,7 +31,7 @@ #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" #include "librpc/gen_ndr/ndr_misc.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "dsdb/common/proto.h" #include "libcli/ldap/ldap_ndr.h" #include "param/param.h" @@ -640,7 +640,7 @@ uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ct struct ldb_message *msg, struct ldb_dn *domain_dn) { uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); - uint32_t acct_flags = samdb_uf2acb(userAccountControl); + uint32_t acct_flags = ds_uf2acb(userAccountControl); NTTIME must_change_time; NTTIME now; @@ -902,7 +902,7 @@ int samdb_msg_add_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg, int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, uint32_t v) { - return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, samdb_acb2uf(v)); + return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v)); } /* diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk index 0438647698..2a9f70fdb5 100644 --- a/source4/dsdb/config.mk +++ b/source4/dsdb/config.mk @@ -26,8 +26,8 @@ PRIVATE_DEPENDENCIES = LIBLDB SAMDB_COMMON_OBJ_FILES = $(addprefix $(dsdbsrcdir)/common/, \ sidmap.o \ - flag_mapping.o \ - util.o) + util.o) \ + ../libds/common/flag_mapping.o $(eval $(call proto_header_template,$(dsdbsrcdir)/common/proto.h,$(SAMDB_COMMON_OBJ_FILES:.o=.c))) [SUBSYSTEM::SAMDB_SCHEMA] diff --git a/source4/dsdb/samdb/ldb_modules/instancetype.c b/source4/dsdb/samdb/ldb_modules/instancetype.c index 8d648d6d82..f0d56ac627 100644 --- a/source4/dsdb/samdb/ldb_modules/instancetype.c +++ b/source4/dsdb/samdb/ldb_modules/instancetype.c @@ -38,7 +38,7 @@ #include "ldb_module.h" #include "librpc/gen_ndr/ndr_misc.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" struct it_context { struct ldb_module *module; diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c index 4e28c8a149..9ed06a9130 100644 --- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c +++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c @@ -741,15 +741,15 @@ static int la_op_search_callback(struct ldb_request *req, if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } - break; - case LDB_RENAME: - + return ret; + + case LDB_RENAME: + /* start the mod requests chain */ ret = la_do_mod_request(ac); if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); - } - + } return ret; default: @@ -759,7 +759,6 @@ static int la_op_search_callback(struct ldb_request *req, return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } - return LDB_SUCCESS; } talloc_free(ares); diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 44b7ef91e9..c7fa636aa8 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -42,7 +42,7 @@ #include "auth/kerberos/kerberos.h" #include "system/time.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "dsdb/samdb/ldb_modules/password_modules.h" #include "librpc/ndr/libndr.h" #include "librpc/gen_ndr/ndr_drsblobs.h" @@ -1026,6 +1026,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io) uint8_t zero16[16]; bool do_newer_keys = false; bool do_cleartext = false; + int *domainFunctionality; ZERO_STRUCT(zero16); ZERO_STRUCT(names); @@ -1064,10 +1065,10 @@ static int setup_supplemental_field(struct setup_password_fields_io *io) _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE); } } + /* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */ + domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int); - /* TODO: do the correct check for this, it maybe depends on the functional level? */ - do_newer_keys = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"), - NULL, "password_hash", "create_aes_key", false); + do_newer_keys = *domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008); if (io->domain->store_cleartext && (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { @@ -1399,33 +1400,33 @@ static int setup_password_fields(struct setup_password_fields_io *io) } ret = setup_kerberos_keys(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } } ret = setup_nt_fields(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } ret = setup_lm_fields(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } ret = setup_supplemental_field(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } ret = setup_last_set_field(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } ret = setup_kvno_field(io); - if (ret != 0) { + if (ret != LDB_SUCCESS) { return ret; } @@ -1648,6 +1649,7 @@ static int get_domain_data_callback(struct ldb_request *req, if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } + break; case LDB_REPLY_REFERRAL: /* ignore */ diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 41f4e8e7d5..53d6d0749c 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -41,7 +41,7 @@ #include "includes.h" #include "ldb_module.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "librpc/gen_ndr/ndr_misc.h" #include "librpc/gen_ndr/ndr_drsuapi.h" #include "librpc/gen_ndr/ndr_drsblobs.h" diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index 7080fb632f..59ea51dbce 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -59,6 +59,7 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data); char **server_sasl; const struct dsdb_schema *schema; + int *val; ldb = ldb_module_get_ctx(module); schema = dsdb_get_schema(ldb); @@ -77,7 +78,7 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms } } - if (do_attribute(attrs, "supportedControl")) { + if (priv && do_attribute(attrs, "supportedControl")) { int i; for (i = 0; i < priv->num_controls; i++) { char *control = talloc_strdup(msg, priv->controls[i]); @@ -91,7 +92,7 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms } } - if (do_attribute(attrs, "namingContexts")) { + if (priv && do_attribute(attrs, "namingContexts")) { int i; for (i = 0; i < priv->num_partitions; i++) { struct ldb_dn *dn = priv->partitions[i]; @@ -201,13 +202,37 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms } } - if (schema && do_attribute_explicit(attrs, "vendorVersion")) { + if (do_attribute_explicit(attrs, "vendorVersion")) { if (ldb_msg_add_fmt(msg, "vendorVersion", "%s", SAMBA_VERSION_STRING) != 0) { goto failed; } } + if (priv && do_attribute(attrs, "domainFunctionality") + && (val = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int))) { + if (ldb_msg_add_fmt(msg, "domainFunctionality", + "%d", *val) != 0) { + goto failed; + } + } + + if (priv && do_attribute(attrs, "forestFunctionality") + && (val = talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int))) { + if (ldb_msg_add_fmt(msg, "forestFunctionality", + "%d", *val) != 0) { + goto failed; + } + } + + if (priv && do_attribute(attrs, "domainControllerFunctionality") + && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) { + if (ldb_msg_add_fmt(msg, "domainControllerFunctionality", + "%d", *val) != 0) { + goto failed; + } + } + /* TODO: lots more dynamic attributes should be added here */ return LDB_SUCCESS; @@ -394,12 +419,17 @@ static int rootdse_request(struct ldb_module *module, struct ldb_request *req) static int rootdse_init(struct ldb_module *module) { + int ret; struct ldb_context *ldb; + struct ldb_result *res; struct private_data *data; + const char *attrs[] = { "msDS-Behavior-Version", NULL }; + const char *ds_attrs[] = { "dsServiceName", NULL }; + TALLOC_CTX *mem_ctx; ldb = ldb_module_get_ctx(module); - data = talloc(module, struct private_data); + data = talloc_zero(module, struct private_data); if (data == NULL) { return -1; } @@ -412,7 +442,107 @@ static int rootdse_init(struct ldb_module *module) ldb_set_default_dns(ldb); - return ldb_next_init(module); + ret = ldb_next_init(module); + + if (ret) { + return ret; + } + + mem_ctx = talloc_new(data); + if (!mem_ctx) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* Now that the partitions are set up, do a search for: + - domainControllerFunctionality + - domainFunctionality + - forestFunctionality + + Then stuff these values into an opaque + */ + ret = ldb_search(ldb, mem_ctx, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_BASE, attrs, NULL); + if (ret == LDB_SUCCESS && res->count == 1) { + int domain_behaviour_version + = ldb_msg_find_attr_as_int(res->msgs[0], + "msDS-Behavior-Version", -1); + if (domain_behaviour_version != -1) { + int *val = talloc(ldb, int); + if (!val) { + ldb_oom(ldb); + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + *val = domain_behaviour_version; + ret = ldb_set_opaque(ldb, "domainFunctionality", val); + if (ret != LDB_SUCCESS) { + talloc_free(mem_ctx); + return ret; + } + } + } + + ret = ldb_search(ldb, mem_ctx, &res, + samdb_partitions_dn(ldb, mem_ctx), + LDB_SCOPE_BASE, attrs, NULL); + if (ret == LDB_SUCCESS && res->count == 1) { + int forest_behaviour_version + = ldb_msg_find_attr_as_int(res->msgs[0], + "msDS-Behavior-Version", -1); + if (forest_behaviour_version != -1) { + int *val = talloc(ldb, int); + if (!val) { + ldb_oom(ldb); + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + *val = forest_behaviour_version; + ret = ldb_set_opaque(ldb, "forestFunctionality", val); + if (ret != LDB_SUCCESS) { + talloc_free(mem_ctx); + return ret; + } + } + } + + ret = ldb_search(ldb, mem_ctx, &res, + ldb_dn_new(mem_ctx, ldb, ""), + LDB_SCOPE_BASE, ds_attrs, NULL); + if (ret == LDB_SUCCESS && res->count == 1) { + struct ldb_dn *ds_dn + = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], + "dsServiceName"); + if (ds_dn) { + ret = ldb_search(ldb, mem_ctx, &res, ds_dn, + LDB_SCOPE_BASE, attrs, NULL); + if (ret == LDB_SUCCESS && res->count == 1) { + int domain_controller_behaviour_version + = ldb_msg_find_attr_as_int(res->msgs[0], + "msDS-Behavior-Version", -1); + if (domain_controller_behaviour_version != -1) { + int *val = talloc(ldb, int); + if (!val) { + ldb_oom(ldb); + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + *val = domain_controller_behaviour_version; + ret = ldb_set_opaque(ldb, + "domainControllerFunctionality", val); + if (ret != LDB_SUCCESS) { + talloc_free(mem_ctx); + return ret; + } + } + } + } + } + + talloc_free(mem_ctx); + + return LDB_SUCCESS; } static int rootdse_modify(struct ldb_module *module, struct ldb_request *req) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 8e21e38139..544249cbe3 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -572,7 +572,7 @@ static int samldb_check_samAccountType(struct samldb_ctx *ac) "userAccountControl invalid"); return LDB_ERR_UNWILLING_TO_PERFORM; } else { - account_type = samdb_uf2atype(uac); + account_type = ds_uf2atype(uac); ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", @@ -590,7 +590,7 @@ static int samldb_check_samAccountType(struct samldb_ctx *ac) "groupType invalid"); return LDB_ERR_UNWILLING_TO_PERFORM; } else { - account_type = samdb_gtype2atype(group_type); + account_type = ds_gtype2atype(group_type); ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", @@ -1280,7 +1280,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) req->op.mod.message = msg = ldb_msg_copy_shallow(req, req->op.mod.message); group_type = strtoul((const char *)el->values[0].data, NULL, 0); - account_type = samdb_gtype2atype(group_type); + account_type = ds_gtype2atype(group_type); ret = samdb_msg_add_uint(ldb, msg, msg, "sAMAccountType", account_type); @@ -1296,7 +1296,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) req->op.mod.message = msg = ldb_msg_copy_shallow(req, req->op.mod.message); user_account_control = strtoul((const char *)el->values[0].data, NULL, 0); - account_type = samdb_uf2atype(user_account_control); + account_type = ds_uf2atype(user_account_control); ret = samdb_msg_add_uint(ldb, msg, msg, "sAMAccountType", account_type); diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 851187380b..08e6e0d985 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -36,7 +36,7 @@ #include "ldb_wrap.h" #include "../lib/util/util_ldb.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "param/param.h" #include "lib/events/events.h" #include "auth/credentials/credentials.h" diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 49dc14d74c..1493345b9d 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -38,7 +38,7 @@ struct tevent_context; #include "dsdb/schema/schema.h" #include "dsdb/samdb/samdb_proto.h" #include "dsdb/common/proto.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #define DSDB_CONTROL_CURRENT_PARTITION_OID "1.3.6.1.4.1.7165.4.3.2" struct dsdb_control_current_partition { diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 3702ab9281..69b5bb1d6e 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -493,10 +493,10 @@ do_authenticate (krb5_context context, goto out; } - ret = _kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - TRUE); + ret = kdc_check_flags (context, config, + client_entry, client_name, + server_entry, server_name, + TRUE); if (ret) { make_error_reply (hdr, KAPWEXPIRED, reply); goto out; @@ -790,10 +790,10 @@ do_getticket (krb5_context context, goto out; } - ret = _kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - FALSE); + ret = kdc_check_flags (context, config, + client_entry, client_name, + server_entry, server_name, + FALSE); if (ret) { make_error_reply (hdr, KAPWEXPIRED, reply); goto out; diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index e364dcc1d1..43d54bf702 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -678,6 +678,12 @@ kdc_check_flags(krb5_context context, hdb_entry *client = &client_ex->entry; /* check client */ + if (client->flags.locked_out) { + kdc_log(context, config, 0, + "Client (%s) is locked out", client_name); + return KRB5KDC_ERR_POLICY; + } + if (client->flags.invalid) { kdc_log(context, config, 0, "Client (%s) has invalid bit set", client_name); @@ -727,6 +733,11 @@ kdc_check_flags(krb5_context context, if (server_ex != NULL) { hdb_entry *server = &server_ex->entry; + if (server->flags.locked_out) { + kdc_log(context, config, 0, + "Client server locked out -- %s", server_name); + return KRB5KDC_ERR_POLICY; + } if (server->flags.invalid) { kdc_log(context, config, 0, "Server has invalid flag set -- %s", server_name); @@ -883,6 +894,7 @@ _kdc_as_rep(krb5_context context, AS_REP rep; KDCOptions f = b->kdc_options; hdb_entry_ex *client = NULL, *server = NULL; + HDB *clientdb; krb5_enctype cetype, setype, sessionetype; krb5_data e_data; EncTicketPart et; @@ -966,7 +978,7 @@ _kdc_as_rep(krb5_context context, */ ret = _kdc_db_fetch(context, config, client_princ, - HDB_F_GET_CLIENT | flags, NULL, &client); + HDB_F_GET_CLIENT | flags, &clientdb, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -1114,8 +1126,8 @@ _kdc_as_rep(krb5_context context, "No client key matching pa-data (%s) -- %s", estr, client_name); free(estr); - free_EncryptedData(&enc_data); + continue; } @@ -1159,6 +1171,10 @@ _kdc_as_rep(krb5_context context, e_text = "Failed to decrypt PA-DATA"; free_EncryptedData(&enc_data); + + if (clientdb->hdb_auth_status) + (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD); + ret = KRB5KDC_ERR_PREAUTH_FAILED; continue; } @@ -1323,6 +1339,10 @@ _kdc_as_rep(krb5_context context, goto out; } + if (clientdb->hdb_auth_status) + (clientdb->hdb_auth_status)(context, clientdb, client, + HDB_AUTH_SUCCESS); + /* * Verify flags after the user been required to prove its identity * with in a preauth mech. diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 59104da3d6..635eb27e75 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -492,6 +492,7 @@ check_tgs_flags(krb5_context context, static krb5_error_code check_constrained_delegation(krb5_context context, krb5_kdc_configuration *config, + HDB *clientdb, hdb_entry_ex *client, krb5_const_principal server) { @@ -499,21 +500,32 @@ check_constrained_delegation(krb5_context context, krb5_error_code ret; int i; - ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); - if (ret) { - krb5_clear_error_message(context); - return ret; - } + /* if client delegates to itself, that ok */ + if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) + return 0; - if (acl) { - for (i = 0; i < acl->len; i++) { - if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) - return 0; + if (clientdb->hdb_check_constrained_delegation) { + ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server); + if (ret == 0) + return 0; + } else { + ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); + if (ret) { + krb5_clear_error_message(context); + return ret; + } + + if (acl) { + for (i = 0; i < acl->len; i++) { + if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) + return 0; + } } + ret = KRB5KDC_ERR_BADOPTION; } kdc_log(context, config, 0, "Bad request for constrained delegation"); - return KRB5KDC_ERR_BADOPTION; + return ret; } /* @@ -793,17 +805,34 @@ tgs_make_reply(krb5_context context, et.flags.hw_authent = tgt->flags.hw_authent; et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + + if(rspac->length) { + /* + * No not need to filter out the any PAC from the + * auth_data since it's signed by the KDC. + */ + ret = _kdc_tkt_add_if_relevant_ad(context, &et, + KRB5_AUTHDATA_WIN2K_PAC, rspac); + if (ret) + goto out; + } if (auth_data) { - /* XXX Check enc-authorization-data */ - et.authorization_data = calloc(1, sizeof(*et.authorization_data)); + unsigned int i = 0; + + /* XXX check authdata */ if (et.authorization_data == NULL) { ret = ENOMEM; + krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - ret = copy_AuthorizationData(auth_data, et.authorization_data); - if (ret) - goto out; + for(i = 0; i < auth_data->len ; i++) { + ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]); + if (ret) { + krb5_set_error_message(context, ret, "malloc: out of memory"); + goto out; + } + } /* Filter out type KRB5SignedPath */ ret = find_KRB5SignedPath(context, et.authorization_data, NULL); @@ -820,18 +849,6 @@ tgs_make_reply(krb5_context context, } } - if(rspac->length) { - /* - * No not need to filter out the any PAC from the - * auth_data since it's signed by the KDC. - */ - ret = _kdc_tkt_add_if_relevant_ad(context, &et, - KRB5_AUTHDATA_WIN2K_PAC, - rspac); - if (ret) - goto out; - } - ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key); if (ret) goto out; @@ -1369,6 +1386,7 @@ tgs_build_reply(krb5_context context, krb5_principal client_principal = NULL; char *spn = NULL, *cpn = NULL; hdb_entry_ex *server = NULL, *client = NULL; + HDB *clientdb; krb5_realm ref_realm = NULL; EncTicketPart *tgt = &ticket->ticket; krb5_principals spp = NULL; @@ -1531,7 +1549,7 @@ server_lookup: } ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, - NULL, &client); + &clientdb, &client); if(ret) { const char *krbtgt_realm; @@ -1792,7 +1810,7 @@ server_lookup: if (ret) { kdc_log(context, config, 0, "failed to decrypt ticket for " - "constrained delegation from %s to %s ", spn, cpn); + "constrained delegation from %s to %s ", cpn, spn); goto out; } @@ -1800,16 +1818,17 @@ server_lookup: if (adtkt.flags.forwardable == 0) { kdc_log(context, config, 0, "Missing forwardable flag on ticket for " - "constrained delegation from %s to %s ", spn, cpn); + "constrained delegation from %s to %s ", cpn, spn); ret = KRB5KDC_ERR_BADOPTION; goto out; } - ret = check_constrained_delegation(context, config, client, sp); + ret = check_constrained_delegation(context, config, clientdb, + client, sp); if (ret) { kdc_log(context, config, 0, "constrained delegation from %s to %s not allowed", - spn, cpn); + cpn, spn); goto out; } diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h index 9fe2bb8b46..91141808f5 100644 --- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h @@ -54,7 +54,13 @@ #endif #ifndef GSSAPI_DEPRECATED +#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define GSSAPI_DEPRECATED __attribute__((deprecated)) +#elif defined(_MSC_VER) +#define GSSAPI_DEPRECATED __declspec(deprecated) +#else +#define GSSAPI_DEPRECATED +#endif #endif /* @@ -768,42 +774,6 @@ gss_pseudo_random gss_buffer_t prf_out ); -/* - * AEAD support - */ - -OM_uint32 GSSAPI_LIB_FUNCTION -gss_wrap_iov(OM_uint32 * /* minor_status */, - gss_ctx_id_t /* context_handle */, - int /* conf_req_flag */, - gss_qop_t /* qop_req */, - int * /* conf_state */, - gss_iov_buffer_desc * /*iov */, - int /* iov_count */); - -OM_uint32 GSSAPI_LIB_FUNCTION -gss_unwrap_iov(OM_uint32 * /* minor_status */, - gss_ctx_id_t /* context_handle */, - int * /* conf_state */, - gss_qop_t * /* qop_state */, - gss_iov_buffer_desc * /* iov */, - int /* iov_count */); - -OM_uint32 GSSAPI_LIB_FUNCTION -gss_wrap_iov_length(OM_uint32 * /* minor_status */, - gss_ctx_id_t /* context_handle */, - int /* conf_req_flag */, - gss_qop_t /* qop_req */, - int * /* conf_state */, - gss_iov_buffer_desc * /* iov */, - int /* iov_count */); - -OM_uint32 GSSAPI_LIB_FUNCTION -gss_release_iov_buffer(OM_uint32 * /* minor_status */, - gss_iov_buffer_desc * /* iov */, - int /* iov_count */); - - OM_uint32 gss_store_cred(OM_uint32 * /* minor_status */, gss_cred_id_t /* input_cred_handle */, @@ -899,6 +869,31 @@ gss_decapsulate_token(gss_buffer_t /* input_token */, +/* + * AEAD support + */ + +/* + * GSS_IOV + */ + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov(OM_uint32 *, gss_ctx_id_t, int, gss_qop_t, int *, + gss_iov_buffer_desc *, int); + + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_unwrap_iov(OM_uint32 *, gss_ctx_id_t, int *, gss_qop_t *, + gss_iov_buffer_desc *, int); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_wrap_iov_length(OM_uint32 *, gss_ctx_id_t, int, gss_qop_t, int *, + gss_iov_buffer_desc *, int); + +OM_uint32 GSSAPI_LIB_FUNCTION +gss_release_iov_buffer(OM_uint32 *, gss_iov_buffer_desc *, int); + + #ifdef __cplusplus } #endif diff --git a/source4/heimdal/lib/gssapi/krb5/8003.c b/source4/heimdal/lib/gssapi/krb5/8003.c index f5181cc311..a6f0165e72 100644 --- a/source4/heimdal/lib/gssapi/krb5/8003.c +++ b/source4/heimdal/lib/gssapi/krb5/8003.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - krb5_error_code _gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p) { diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c index e0944852a7..8d998ed098 100644 --- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER; krb5_keytab _gsskrb5_keytab; @@ -519,10 +517,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, } /* - * Samba style get some flags (but not DCE-STYLE) + * Samba style get some flags (but not DCE-STYLE), use + * ap_options to guess the mutual flag. */ - ctx->flags = - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; + ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; + if (ap_options & AP_OPTS_MUTUAL_REQUIRED) + ctx->flags |= GSS_C_MUTUAL_FLAG; } } diff --git a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c index bfab5667be..4f6f38e674 100644 --- a/source4/heimdal/lib/gssapi/krb5/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/acquire_cred.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, krb5_context context, diff --git a/source4/heimdal/lib/gssapi/krb5/add_cred.c b/source4/heimdal/lib/gssapi/krb5/add_cred.c index aa96a45e45..adc8a09fa4 100644 --- a/source4/heimdal/lib/gssapi/krb5/add_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/add_cred.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_add_cred ( OM_uint32 *minor_status, const gss_cred_id_t input_cred_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/aeap.c b/source4/heimdal/lib/gssapi/krb5/aeap.c index 7dab7877d7..38a5ac2dbe 100644 --- a/source4/heimdal/lib/gssapi/krb5/aeap.c +++ b/source4/heimdal/lib/gssapi/krb5/aeap.c @@ -35,66 +35,6 @@ #include <roken.h> -static OM_uint32 -iov_allocate(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count) -{ - unsigned int i; - - for (i = 0; i < iov_count; i++) { - if (GSS_IOV_BUFFER_FLAGS(iov[i].type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE){ - void *ptr = malloc(iov[i].buffer.length); - if (ptr == NULL) - abort(); - if (iov[i].buffer.value) - memcpy(ptr, iov[i].buffer.value, iov[i].buffer.length); - iov[i].buffer.value = ptr; - iov[i].type |= GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; - } - } - return GSS_S_COMPLETE; -} - -static OM_uint32 -iov_map(OM_uint32 *minor_status, - const gss_iov_buffer_desc *iov, - int iov_count, - krb5_crypto_iov *data) -{ - unsigned int i; - - for (i = 0; i < iov_count; i++) { - switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { - case GSS_IOV_BUFFER_TYPE_EMPTY: - data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; - break; - case GSS_IOV_BUFFER_TYPE_DATA: - data[i].flags = KRB5_CRYPTO_TYPE_DATA; - break; - case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: - data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; - break; - case GSS_IOV_BUFFER_TYPE_HEADER: - data[i].flags = KRB5_CRYPTO_TYPE_HEADER; - break; - case GSS_IOV_BUFFER_TYPE_TRAILER: - data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; - break; - case GSS_IOV_BUFFER_TYPE_PADDING: - data[i].flags = KRB5_CRYPTO_TYPE_PADDING; - break; - case GSS_IOV_BUFFER_TYPE_STREAM: - abort(); - break; - default: - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - data[i].data.data = iov[i].buffer.value; - data[i].data.length = iov[i].buffer.length; - } - return GSS_S_COMPLETE; -} - OM_uint32 GSSAPI_LIB_FUNCTION _gk_wrap_iov(OM_uint32 * minor_status, gss_ctx_id_t context_handle, @@ -104,50 +44,17 @@ _gk_wrap_iov(OM_uint32 * minor_status, gss_iov_buffer_desc *iov, int iov_count) { - gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; - krb5_context context; - OM_uint32 major_status, junk; - krb5_crypto_iov *data; - krb5_error_code ret; - unsigned usage; - - GSSAPI_KRB5_INIT (&context); - - major_status = iov_allocate(minor_status, iov, iov_count); - if (major_status != GSS_S_COMPLETE) - return major_status; - - data = calloc(iov_count, sizeof(data[0])); - if (data == NULL) { - gss_release_iov_buffer(&junk, iov, iov_count); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - major_status = iov_map(minor_status, iov, iov_count, data); - if (major_status != GSS_S_COMPLETE) { - gss_release_iov_buffer(&junk, iov, iov_count); - free(data); - return major_status; - } + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; + krb5_context context; - if (ctx->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; - } else { - usage = KRB5_KU_USAGE_INITIATOR_SIGN; - } + GSSAPI_KRB5_INIT (&context); - ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, - data, iov_count, NULL); - free(data); - if (ret) { - gss_release_iov_buffer(&junk, iov, iov_count); - *minor_status = ret; - return GSS_S_FAILURE; - } + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_cfx_iov(minor_status, ctx, context, + conf_req_flag, conf_state, + iov, iov_count); - *minor_status = 0; - return GSS_S_COMPLETE; + return GSS_S_FAILURE; } OM_uint32 GSSAPI_LIB_FUNCTION @@ -158,50 +65,16 @@ _gk_unwrap_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count) { - gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_context context; - krb5_error_code ret; - OM_uint32 major_status, junk; - krb5_crypto_iov *data; - unsigned usage; GSSAPI_KRB5_INIT (&context); - - major_status = iov_allocate(minor_status, iov, iov_count); - if (major_status != GSS_S_COMPLETE) - return major_status; - - data = calloc(iov_count, sizeof(data[0])); - if (data == NULL) { - gss_release_iov_buffer(&junk, iov, iov_count); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - major_status = iov_map(minor_status, iov, iov_count, data); - if (major_status != GSS_S_COMPLETE) { - gss_release_iov_buffer(&junk, iov, iov_count); - free(data); - return major_status; - } - - if (ctx->more_flags & LOCAL) { - usage = KRB5_KU_USAGE_INITIATOR_SIGN; - } else { - usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; - } - - ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, - data, iov_count, NULL); - free(data); - if (ret) { - *minor_status = ret; - gss_release_iov_buffer(&junk, iov, iov_count); - return GSS_S_FAILURE; - } - - *minor_status = 0; - return GSS_S_COMPLETE; + + if (ctx->more_flags & IS_CFX) + return _gssapi_unwrap_cfx_iov(minor_status, ctx, context, + conf_state, qop_state, iov, iov_count); + + return GSS_S_FAILURE; } OM_uint32 GSSAPI_LIB_FUNCTION @@ -213,59 +86,15 @@ _gk_wrap_iov_length(OM_uint32 * minor_status, gss_iov_buffer_desc *iov, int iov_count) { - gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle; + const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; krb5_context context; - unsigned int i; - size_t size; - size_t *padding = NULL; - + GSSAPI_KRB5_INIT (&context); - *minor_status = 0; - - for (size = 0, i = 0; i < iov_count; i++) { - switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { - case GSS_IOV_BUFFER_TYPE_EMPTY: - break; - case GSS_IOV_BUFFER_TYPE_DATA: - size += iov[i].buffer.length; - break; - case GSS_IOV_BUFFER_TYPE_HEADER: - iov[i].buffer.length = - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER); - size += iov[i].buffer.length; - break; - case GSS_IOV_BUFFER_TYPE_TRAILER: - iov[i].buffer.length = - krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER); - size += iov[i].buffer.length; - break; - case GSS_IOV_BUFFER_TYPE_PADDING: - if (padding != NULL) { - *minor_status = 0; - return GSS_S_FAILURE; - } - padding = &iov[i].buffer.length; - break; - case GSS_IOV_BUFFER_TYPE_STREAM: - size += iov[i].buffer.length; - break; - case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: - break; - default: - *minor_status = EINVAL; - return GSS_S_FAILURE; - } - } - if (padding) { - size_t pad = krb5_crypto_length(context, ctx->crypto, - KRB5_CRYPTO_TYPE_PADDING); - if (pad > 1) { - *padding = pad - (size % pad); - if (*padding == pad) - *padding = 0; - } else - *padding = 0; - } - - return GSS_S_COMPLETE; + + if (ctx->more_flags & IS_CFX) + return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context, + conf_req_flag, qop_req, conf_state, + iov, iov_count); + + return GSS_S_FAILURE; } diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c index b48cfebcf1..e7331b0119 100644 --- a/source4/heimdal/lib/gssapi/krb5/arcfour.c +++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt * diff --git a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c index 3a206b1be1..7e0c3fe727 100644 --- a/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c +++ b/source4/heimdal/lib/gssapi/krb5/canonicalize_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_canonicalize_name ( OM_uint32 * minor_status, const gss_name_t input_name, diff --git a/source4/heimdal/lib/gssapi/krb5/cfx.c b/source4/heimdal/lib/gssapi/krb5/cfx.c index 7ae26e2e7a..35e5a9e45a 100755 --- a/source4/heimdal/lib/gssapi/krb5/cfx.c +++ b/source4/heimdal/lib/gssapi/krb5/cfx.c @@ -32,10 +32,8 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* - * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt + * Implementation of RFC 4121 */ #define CFXSentByAcceptor (1 << 0) @@ -101,13 +99,14 @@ _gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle, return 0; } -OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status, - const gsskrb5_ctx ctx, - krb5_context context, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size) +OM_uint32 +_gssapi_wrap_size_cfx(OM_uint32 *minor_status, + const gsskrb5_ctx ctx, + krb5_context context, + int conf_req_flag, + gss_qop_t qop_req, + OM_uint32 req_output_size, + OM_uint32 *max_input_size) { krb5_error_code ret; @@ -203,11 +202,763 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate) return 0; } +gss_iov_buffer_desc * +_gk_find_buffer(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type) +{ + int i; + + for (i = 0; i < iov_count; i++) + if (type == GSS_IOV_BUFFER_TYPE(iov[i].type)) + return &iov[i]; + return NULL; +} + +static OM_uint32 +allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size) +{ + if (buffer->type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) { + if (buffer->buffer.length == size) + return GSS_S_COMPLETE; + free(buffer->buffer.value); + } + + buffer->buffer.value = malloc(size); + buffer->buffer.length = size; + if (buffer->buffer.value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + buffer->type |= GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; + + return GSS_S_COMPLETE; +} + + + +OM_uint32 +_gssapi_wrap_cfx_iov(OM_uint32 *minor_status, + gsskrb5_ctx ctx, + krb5_context context, + int conf_req_flag, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + OM_uint32 major_status, junk; + gss_iov_buffer_desc *header, *trailer, *padding; + size_t gsshsize, k5hsize; + size_t gsstsize, k5tsize; + size_t i, padlength, rrc = 0, ec = 0; + gss_cfx_wrap_token token; + krb5_error_code ret; + int32_t seq_number; + unsigned usage; + krb5_crypto_iov *data = NULL; + int paddingoffset = 0; + + header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); + if (header == NULL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_PADDING, &padlength); + + padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING); + if (padlength != 0 && padding == NULL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); + + if (conf_req_flag) { + ec = padlength; + + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &k5tsize); + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &k5hsize); + + gsshsize = k5hsize + sizeof(*token); + gsstsize = k5tsize + sizeof(*token); /* encrypted token stored in trailer */ + + } else { + + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_CHECKSUM, &k5tsize); + + gsshsize = sizeof(*token); + gsstsize = k5tsize; + } + + /* + * + */ + + if (trailer == NULL) { + /* conf_req_flag=0 doesn't support DCE_STYLE */ + if (conf_req_flag == 0) { + *minor_status = EINVAL; + major_status = GSS_S_FAILURE; + goto failure; + } + rrc = gsstsize; + if (IS_DCE_STYLE(ctx)) + rrc -= ec; + gsshsize += gsstsize; + gsstsize = 0; + } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { + major_status = allocate_buffer(minor_status, trailer, gsstsize); + if (major_status) + goto failure; + } else if (trailer->buffer.length < gsstsize) { + *minor_status = KRB5_BAD_MSIZE; + major_status = GSS_S_FAILURE; + goto failure; + } else + trailer->buffer.length = gsstsize; + + /* + * + */ + + if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { + major_status = allocate_buffer(minor_status, header, gsshsize); + if (major_status != GSS_S_COMPLETE) + goto failure; + } else if (header->buffer.length < gsshsize) { + *minor_status = KRB5_BAD_MSIZE; + major_status = GSS_S_FAILURE; + goto failure; + } else + header->buffer.length = gsshsize; + + token = (gss_cfx_wrap_token)header->buffer.value; + + token->TOK_ID[0] = 0x05; + token->TOK_ID[1] = 0x04; + token->Flags = 0; + token->Filler = 0xFF; + + if (ctx->more_flags & ACCEPTOR_SUBKEY) + token->Flags |= CFXAcceptorSubkey; + + if (ctx->more_flags & LOCAL) + usage = KRB5_KU_USAGE_INITIATOR_SEAL; + else + usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; + + if (conf_req_flag) { + /* + * In Wrap tokens with confidentiality, the EC field is + * used to encode the size (in bytes) of the random filler. + */ + token->Flags |= CFXSealed; + token->EC[0] = (padlength >> 8) & 0xFF; + token->EC[1] = (padlength >> 0) & 0xFF; + + } else { + /* + * In Wrap tokens without confidentiality, the EC field is + * used to encode the size (in bytes) of the trailing + * checksum. + * + * This is not used in the checksum calcuation itself, + * because the checksum length could potentially vary + * depending on the data length. + */ + token->EC[0] = 0; + token->EC[1] = 0; + } + + /* + * In Wrap tokens that provide for confidentiality, the RRC + * field in the header contains the hex value 00 00 before + * encryption. + * + * In Wrap tokens that do not provide for confidentiality, + * both the EC and RRC fields in the appended checksum + * contain the hex value 00 00 for the purpose of calculating + * the checksum. + */ + token->RRC[0] = 0; + token->RRC[1] = 0; + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + krb5_auth_con_getlocalseqnumber(context, + ctx->auth_context, + &seq_number); + _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); + _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); + krb5_auth_con_setlocalseqnumber(context, + ctx->auth_context, + ++seq_number); + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + data = calloc(iov_count + 3, sizeof(data[0])); + if (data == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto failure; + } + + if (conf_req_flag) { + /* + plain packet: + + {"header" | encrypt(plaintext-data | padding | E"header")} + + Expanded, this is with with RRC = 0: + + {"header" | krb5-header | plaintext-data | padding | E"header" | krb5-trailer } + + In DCE-RPC mode == no trailer: RRC = gss "trailer" == length(padding | E"header" | krb5-trailer) + + {"header" | padding | E"header" | krb5-trailer | krb5-header | plaintext-data } + */ + + i = 0; + data[i].flags = KRB5_CRYPTO_TYPE_HEADER; + data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize; + data[i].data.length = k5hsize; + + for (i = 1; i < iov_count + 1; i++) { + switch (GSS_IOV_BUFFER_TYPE(iov[i - 1].type)) { + case GSS_IOV_BUFFER_TYPE_DATA: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_PADDING; + paddingoffset = i; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + default: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + } + data[i].data.length = iov[i - 1].buffer.length; + data[i].data.data = iov[i - 1].buffer.value; + } + + /* + * Any necessary padding is added here to ensure that the + * encrypted token header is always at the end of the + * ciphertext. + */ + + /* XXX KRB5_CRYPTO_TYPE_PADDING */ + + /* encrypted CFX header in trailer (or after the header if in + DCE mode). Copy in header into E"header" + */ + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + if (trailer) + data[i].data.data = trailer->buffer.value; + else + data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize - k5tsize - sizeof(*token); + + data[i].data.length = sizeof(*token); + memcpy(data[i].data.data, token, sizeof(*token)); + i++; + + /* Kerberos trailer comes after the gss trailer */ + data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; + data[i].data.data = ((uint8_t *)data[i-1].data.data) + sizeof(*token); + data[i].data.length = k5tsize; + i++; + + ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL); + if (ret != 0) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto failure; + } + + if (rrc) { + token->RRC[0] = (rrc >> 8) & 0xFF; + token->RRC[1] = (rrc >> 0) & 0xFF; + } + + if (paddingoffset) + padding->buffer.length = data[paddingoffset].data.length; + + } else { + /* + plain packet: + + {data | "header" | gss-trailer (krb5 checksum) + + don't do RRC != 0 + + */ + + for (i = 0; i < iov_count; i++) { + switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_DATA: + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + default: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + } + data[i].data.length = iov[i].buffer.length; + data[i].data.data = iov[i].buffer.value; + } + + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + data[i].data.data = header->buffer.value; + data[i].data.length = header->buffer.length; + i++; + + data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; + data[i].data.data = trailer->buffer.value; + data[i].data.length = trailer->buffer.length; + i++; + + ret = krb5_create_checksum_iov(context, ctx->crypto, usage, data, i, NULL); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto failure; + } + + token->EC[0] = (trailer->buffer.length >> 8) & 0xFF; + token->EC[1] = (trailer->buffer.length >> 0) & 0xFF; + } + + if (conf_state != NULL) + *conf_state = conf_req_flag; + + free(data); + + *minor_status = 0; + return GSS_S_COMPLETE; + + failure: + if (data) + free(data); + + gss_release_iov_buffer(&junk, iov, iov_count); + + return major_status; +} + +/* This is slowpath */ +static OM_uint32 +unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int iov_count) +{ + uint8_t *p, *q; + size_t len = 0, skip; + int i; + + for (i = 0; i < iov_count; i++) + if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) + len += iov[i].buffer.length; + + p = malloc(len); + if (p == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + q = p; + + /* copy up */ + + for (i = 0; i < iov_count; i++) { + if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) + { + memcpy(q, iov[i].buffer.value, iov[i].buffer.length); + q += iov[i].buffer.length; + } + } + assert((q - p) == len); + + /* unrotate first part */ + q = p + rrc; + skip = rrc; + for (i = 0; i < iov_count; i++) { + if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) + { + if (iov[i].buffer.length <= skip) { + skip -= iov[i].buffer.length; + } else { + memcpy(((uint8_t *)iov[i].buffer.value) + skip, q, iov[i].buffer.length - skip); + q += iov[i].buffer.length - skip; + skip = 0; + } + } + } + /* copy trailer */ + q = p; + skip = rrc; + for (i = 0; i < iov_count; i++) { + if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING || + GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER) + { + memcpy(q, iov[i].buffer.value, MIN(iov[i].buffer.length, skip)); + if (iov[i].buffer.length > skip) + break; + skip -= iov[i].buffer.length; + q += iov[i].buffer.length; + } + } + return GSS_S_COMPLETE; +} + + +OM_uint32 +_gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, + gsskrb5_ctx ctx, + krb5_context context, + int *conf_state, + gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + OM_uint32 seq_number_lo, seq_number_hi, major_status, junk; + gss_iov_buffer_desc *header, *trailer; + gss_cfx_wrap_token token, ttoken; + u_char token_flags; + krb5_error_code ret; + unsigned usage; + uint16_t ec, rrc; + krb5_crypto_iov *data = NULL; + int i, j; + + *minor_status = 0; + + header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); + if (header == NULL) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + + if (header->buffer.length < sizeof(*token)) /* we check exact below */ + return GSS_S_DEFECTIVE_TOKEN; + + trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); + + token = (gss_cfx_wrap_token)header->buffer.value; + + if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) + return GSS_S_DEFECTIVE_TOKEN; + + /* Ignore unknown flags */ + token_flags = token->Flags & + (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey); + + if (token_flags & CFXSentByAcceptor) { + if ((ctx->more_flags & LOCAL) == 0) + return GSS_S_DEFECTIVE_TOKEN; + } + + if (ctx->more_flags & ACCEPTOR_SUBKEY) { + if ((token_flags & CFXAcceptorSubkey) == 0) + return GSS_S_DEFECTIVE_TOKEN; + } else { + if (token_flags & CFXAcceptorSubkey) + return GSS_S_DEFECTIVE_TOKEN; + } + + if (token->Filler != 0xFF) + return GSS_S_DEFECTIVE_TOKEN; + + if (conf_state != NULL) + *conf_state = (token_flags & CFXSealed) ? 1 : 0; + + ec = (token->EC[0] << 8) | token->EC[1]; + rrc = (token->RRC[0] << 8) | token->RRC[1]; + + /* + * Check sequence number + */ + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi); + _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo); + if (seq_number_hi) { + /* no support for 64-bit sequence numbers */ + *minor_status = ERANGE; + return GSS_S_UNSEQ_TOKEN; + } + + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); + ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); + if (ret != 0) { + *minor_status = 0; + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + return ret; + } + HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + + /* + * Decrypt and/or verify checksum + */ + + if (ctx->more_flags & LOCAL) { + usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; + } else { + usage = KRB5_KU_USAGE_INITIATOR_SEAL; + } + + data = calloc(iov_count + 3, sizeof(data[0])); + if (data == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto failure; + } + + if (token_flags & CFXSealed) { + size_t k5tsize, k5hsize; + + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &k5hsize); + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &k5tsize); + + /* Rotate by RRC; bogus to do this in-place XXX */ + /* Check RRC */ + + if (trailer == NULL) { + size_t gsstsize = k5tsize + sizeof(*token); + size_t gsshsize = k5hsize + sizeof(*token); + + if (IS_DCE_STYLE(ctx)) + gsstsize += ec; + gsshsize += gsstsize; + + if (rrc != gsstsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto failure; + } + if (header->buffer.length != gsshsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto failure; + } + } else if (trailer->buffer.length != sizeof(*token) + k5tsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto failure; + } else if (header->buffer.length != sizeof(*token) + k5hsize) { + major_status = GSS_S_DEFECTIVE_TOKEN; + goto failure; + } else if (rrc != 0) { + /* go though slowpath */ + major_status = unrotate_iov(minor_status, rrc, iov, iov_count); + if (major_status) + goto failure; + } + + i = 0; + data[i].flags = KRB5_CRYPTO_TYPE_HEADER; + data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize; + data[i].data.length = k5hsize; + i++; + + for (j = 0; j < iov_count; i++, j++) { + switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) { + case GSS_IOV_BUFFER_TYPE_DATA: + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + default: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + } + data[i].data.length = iov[j].buffer.length; + data[i].data.data = iov[j].buffer.value; + } + + /* encrypted CFX header in trailer (or after the header if in + DCE mode). Copy in header into E"header" + */ + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + if (trailer) + data[i].data.data = trailer->buffer.value; + else + data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize - k5tsize - sizeof(*token); + data[i].data.length = sizeof(*token); + ttoken = (gss_cfx_wrap_token)data[i].data.data; + i++; + + /* Kerberos trailer comes after the gss trailer */ + data[i].flags = KRB5_CRYPTO_TYPE_TRAILER; + data[i].data.data = ((uint8_t *)data[i-1].data.data) + sizeof(*token); + data[i].data.length = k5tsize; + i++; + + ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL); + if (ret != 0) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto failure; + } + + ttoken->RRC[0] = token->RRC[0]; + ttoken->RRC[1] = token->RRC[1]; + + /* Check the integrity of the header */ + if (memcmp(ttoken, token, sizeof(*token)) != 0) { + major_status = GSS_S_BAD_MIC; + goto failure; + } + } else { + /* Check RRC */ + if (rrc != 0) { + *minor_status = EINVAL; + major_status = GSS_S_FAILURE; + goto failure; + } + + if (trailer == NULL) { + *minor_status = EINVAL; + major_status = GSS_S_FAILURE; + goto failure; + } + + if (trailer->buffer.length != ec) { + *minor_status = EINVAL; + major_status = GSS_S_FAILURE; + goto failure; + } + + for (i = 0; i < iov_count; i++) { + switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_DATA: + case GSS_IOV_BUFFER_TYPE_PADDING: + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY; + break; + default: + data[i].flags = KRB5_CRYPTO_TYPE_EMPTY; + break; + } + data[i].data.length = iov[i].buffer.length; + data[i].data.data = iov[i].buffer.value; + } + + data[i].flags = KRB5_CRYPTO_TYPE_DATA; + data[i].data.data = header->buffer.value; + data[i].data.length = header->buffer.length; + i++; + + data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; + data[i].data.data = trailer->buffer.value; + data[i].data.length = trailer->buffer.length; + i++; + + token = (gss_cfx_wrap_token)header->buffer.value; + token->EC[0] = 0; + token->EC[1] = 0; + token->RRC[0] = 0; + token->RRC[1] = 0; + + ret = krb5_verify_checksum_iov(context, ctx->crypto, usage, data, i, NULL); + if (ret) { + *minor_status = ret; + major_status = GSS_S_FAILURE; + goto failure; + } + } + + if (qop_state != NULL) { + *qop_state = GSS_C_QOP_DEFAULT; + } + + free(data); + + *minor_status = 0; + return GSS_S_COMPLETE; + + failure: + if (data) + free(data); + + gss_release_iov_buffer(&junk, iov, iov_count); + + return major_status; +} + +OM_uint32 +_gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status, + gsskrb5_ctx ctx, + krb5_context context, + int conf_req_flag, + gss_qop_t qop_req, + int *conf_state, + gss_iov_buffer_desc *iov, + int iov_count) +{ + size_t size; + int i; + size_t *padding = NULL; + + GSSAPI_KRB5_INIT (&context); + *minor_status = 0; + + for (size = 0, i = 0; i < iov_count; i++) { + switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) { + case GSS_IOV_BUFFER_TYPE_EMPTY: + break; + case GSS_IOV_BUFFER_TYPE_DATA: + size += iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_HEADER: + *minor_status = krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &iov[i].buffer.length); + if (*minor_status) + return GSS_S_FAILURE; + break; + case GSS_IOV_BUFFER_TYPE_TRAILER: + *minor_status = krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &iov[i].buffer.length); + if (*minor_status) + return GSS_S_FAILURE; + break; + case GSS_IOV_BUFFER_TYPE_PADDING: + if (padding != NULL) { + *minor_status = 0; + return GSS_S_FAILURE; + } + padding = &iov[i].buffer.length; + break; + case GSS_IOV_BUFFER_TYPE_SIGN_ONLY: + break; + default: + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + } + if (padding) { + size_t pad; + krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_PADDING, &pad); + if (pad > 1) { + *padding = pad - (size % pad); + if (*padding == pad) + *padding = 0; + } else + *padding = 0; + } + + return GSS_S_COMPLETE; +} + + + + OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, const gsskrb5_ctx ctx, krb5_context context, int conf_req_flag, - gss_qop_t qop_req, const gss_buffer_t input_message_buffer, int *conf_state, gss_buffer_t output_message_buffer) diff --git a/source4/heimdal/lib/gssapi/krb5/compare_name.c b/source4/heimdal/lib/gssapi/krb5/compare_name.c index fbb0f0218e..f45e4df3e2 100644 --- a/source4/heimdal/lib/gssapi/krb5/compare_name.c +++ b/source4/heimdal/lib/gssapi/krb5/compare_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_compare_name (OM_uint32 * minor_status, const gss_name_t name1, diff --git a/source4/heimdal/lib/gssapi/krb5/compat.c b/source4/heimdal/lib/gssapi/krb5/compat.c index 012602c074..221d219c69 100644 --- a/source4/heimdal/lib/gssapi/krb5/compat.c +++ b/source4/heimdal/lib/gssapi/krb5/compat.c @@ -33,9 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - - static krb5_error_code check_compat(OM_uint32 *minor_status, krb5_context context, krb5_const_principal name, diff --git a/source4/heimdal/lib/gssapi/krb5/context_time.c b/source4/heimdal/lib/gssapi/krb5/context_time.c index 3230389938..987ceea4aa 100644 --- a/source4/heimdal/lib/gssapi/krb5/context_time.c +++ b/source4/heimdal/lib/gssapi/krb5/context_time.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_lifetime_left(OM_uint32 *minor_status, krb5_context context, diff --git a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c index 40a8fab1b7..a4b28f91ed 100644 --- a/source4/heimdal/lib/gssapi/krb5/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/krb5/copy_ccache.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - #if 0 OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c index a2a5de9fe7..7ccf0b0f79 100644 --- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* * return the length of the mechanism in token or -1 * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c index ea0831815a..b3d436ea01 100644 --- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/display_name.c b/source4/heimdal/lib/gssapi/krb5/display_name.c index 0b37731510..6487d84880 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_name.c +++ b/source4/heimdal/lib/gssapi/krb5/display_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_display_name (OM_uint32 * minor_status, const gss_name_t input_name, diff --git a/source4/heimdal/lib/gssapi/krb5/display_status.c b/source4/heimdal/lib/gssapi/krb5/display_status.c index 4136c25e53..f9d84fc762 100644 --- a/source4/heimdal/lib/gssapi/krb5/display_status.c +++ b/source4/heimdal/lib/gssapi/krb5/display_status.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static const char * calling_error(OM_uint32 v) { diff --git a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c index 2b5e5c0ef4..b0188acd51 100644 --- a/source4/heimdal/lib/gssapi/krb5/duplicate_name.c +++ b/source4/heimdal/lib/gssapi/krb5/duplicate_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_duplicate_name ( OM_uint32 * minor_status, const gss_name_t src_name, diff --git a/source4/heimdal/lib/gssapi/krb5/encapsulate.c b/source4/heimdal/lib/gssapi/krb5/encapsulate.c index 838a34d7db..79cd9232e1 100644 --- a/source4/heimdal/lib/gssapi/krb5/encapsulate.c +++ b/source4/heimdal/lib/gssapi/krb5/encapsulate.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - void _gssapi_encap_length (size_t data_len, size_t *len, diff --git a/source4/heimdal/lib/gssapi/krb5/export_name.c b/source4/heimdal/lib/gssapi/krb5/export_name.c index bad73611dc..705bb70d91 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_name.c +++ b/source4/heimdal/lib/gssapi/krb5/export_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_export_name (OM_uint32 * minor_status, const gss_name_t input_name, diff --git a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c index 305d5c334e..3d3870a6b4 100644 --- a/source4/heimdal/lib/gssapi/krb5/export_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/export_sec_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_export_sec_context ( OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c index 1c28f7c141..df23776a63 100644 --- a/source4/heimdal/lib/gssapi/krb5/external.c +++ b/source4/heimdal/lib/gssapi/krb5/external.c @@ -34,8 +34,6 @@ #include "gsskrb5_locl.h" #include <gssapi_mech.h> -RCSID("$Id$"); - /* * The implementation must reserve static storage for a * gss_OID_desc object containing the value diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c index 66aaba44d6..ad3009c73e 100644 --- a/source4/heimdal/lib/gssapi/krb5/get_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static OM_uint32 mic_des (OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/import_name.c b/source4/heimdal/lib/gssapi/krb5/import_name.c index 8f5387fe2b..d488ce754b 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_name.c +++ b/source4/heimdal/lib/gssapi/krb5/import_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static OM_uint32 parse_krb5_name (OM_uint32 *minor_status, krb5_context context, diff --git a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c index ba1a977d2d..2af942338f 100644 --- a/source4/heimdal/lib/gssapi/krb5/import_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/import_sec_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_import_sec_context ( OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c index 3702106e79..b1d18bd244 100644 --- a/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c +++ b/source4/heimdal/lib/gssapi/krb5/indicate_mechs.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_indicate_mechs (OM_uint32 * minor_status, gss_OID_set * mech_set diff --git a/source4/heimdal/lib/gssapi/krb5/init.c b/source4/heimdal/lib/gssapi/krb5/init.c index b28e6a4c12..3a22c33ed6 100644 --- a/source4/heimdal/lib/gssapi/krb5/init.c +++ b/source4/heimdal/lib/gssapi/krb5/init.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER; static int created_key; static HEIMDAL_thread_key context_key; diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c index 4b632bd95a..35ab9dd88d 100644 --- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* * copy the addresses from `input_chan_bindings' (if any) to * the auth context `ac' @@ -697,7 +695,7 @@ repl_mutual if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; - if (ctx->flags & GSS_C_DCE_STYLE) { + if (IS_DCE_STYLE(ctx)) { /* There is no OID wrapping. */ indata.length = input_token->length; indata.data = input_token->value; diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_context.c b/source4/heimdal/lib/gssapi/krb5/inquire_context.c index 188a6135a4..381ffc9e6f 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_context.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_context.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_inquire_context ( OM_uint32 * minor_status, const gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c index 27e3014923..518736d78e 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_inquire_cred (OM_uint32 * minor_status, const gss_cred_id_t cred_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c index 1fd9733940..9da1ac43f1 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_inquire_cred_by_mech ( OM_uint32 * minor_status, const gss_cred_id_t cred_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c index 5a35202a6a..f32342f1d8 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c @@ -32,8 +32,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_inquire_cred_by_oid (OM_uint32 * minor_status, const gss_cred_id_t cred_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c index 5d54bd6508..5fa3c302a2 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_inquire_mechs_for_name ( OM_uint32 * minor_status, const gss_name_t input_name, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c index 9eba7b7f4d..591343307e 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c @@ -33,9 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - - static gss_OID *name_list[] = { &GSS_C_NT_HOSTBASED_SERVICE, &GSS_C_NT_USER_NAME, diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c index f8ef2a3aa4..ce01e666fa 100644 --- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c +++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c @@ -32,8 +32,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static int oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix) { diff --git a/source4/heimdal/lib/gssapi/krb5/prf.c b/source4/heimdal/lib/gssapi/krb5/prf.c index 9fd13f51bd..76ae3b78ed 100644 --- a/source4/heimdal/lib/gssapi/krb5/prf.c +++ b/source4/heimdal/lib/gssapi/krb5/prf.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/process_context_token.c b/source4/heimdal/lib/gssapi/krb5/process_context_token.c index 3229b36292..1c9d44588f 100644 --- a/source4/heimdal/lib/gssapi/krb5/process_context_token.c +++ b/source4/heimdal/lib/gssapi/krb5/process_context_token.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_process_context_token ( OM_uint32 *minor_status, const gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/krb5/release_buffer.c b/source4/heimdal/lib/gssapi/krb5/release_buffer.c index 18e0279939..b704e001eb 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_buffer.c +++ b/source4/heimdal/lib/gssapi/krb5/release_buffer.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_release_buffer (OM_uint32 * minor_status, gss_buffer_t buffer diff --git a/source4/heimdal/lib/gssapi/krb5/release_cred.c b/source4/heimdal/lib/gssapi/krb5/release_cred.c index 62674a1d53..5eec3c48cb 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_cred.c +++ b/source4/heimdal/lib/gssapi/krb5/release_cred.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle diff --git a/source4/heimdal/lib/gssapi/krb5/release_name.c b/source4/heimdal/lib/gssapi/krb5/release_name.c index 5491052c59..0fafc275d0 100644 --- a/source4/heimdal/lib/gssapi/krb5/release_name.c +++ b/source4/heimdal/lib/gssapi/krb5/release_name.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - OM_uint32 _gsskrb5_release_name (OM_uint32 * minor_status, gss_name_t * input_name diff --git a/source4/heimdal/lib/gssapi/krb5/sequence.c b/source4/heimdal/lib/gssapi/krb5/sequence.c index 6391d44429..fbbc5b6c70 100644 --- a/source4/heimdal/lib/gssapi/krb5/sequence.c +++ b/source4/heimdal/lib/gssapi/krb5/sequence.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - #define DEFAULT_JITTER_WINDOW 20 struct gss_msg_order { diff --git a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c index 2a2390f8d1..15d7632e4c 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_cred_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_cred_option.c @@ -32,8 +32,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* 1.2.752.43.13.17 */ static gss_OID_desc gss_krb5_cred_no_ci_flags_x_oid_desc = {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11")}; diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c index 460cfe942a..096e835045 100644 --- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c +++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c @@ -36,8 +36,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static OM_uint32 get_bool(OM_uint32 *minor_status, const gss_buffer_t value, diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c index 0e87cb88b7..20cf952b4e 100644 --- a/source4/heimdal/lib/gssapi/krb5/unwrap.c +++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static OM_uint32 unwrap_des (OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c index 6eb7ae4b08..c7e16e81f7 100644 --- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - static OM_uint32 verify_mic_des (OM_uint32 * minor_status, diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c index b9f4c237c7..3de13f908f 100644 --- a/source4/heimdal/lib/gssapi/krb5/wrap.c +++ b/source4/heimdal/lib/gssapi/krb5/wrap.c @@ -33,8 +33,6 @@ #include "gsskrb5_locl.h" -RCSID("$Id$"); - /* * Return initiator subkey, or if that doesn't exists, the subkey. */ @@ -540,7 +538,7 @@ OM_uint32 _gsskrb5_wrap if (ctx->more_flags & IS_CFX) return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, - qop_req, input_message_buffer, conf_state, + input_message_buffer, conf_state, output_message_buffer); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c index a8ebe644ab..b1bc7dd981 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c +++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c @@ -50,7 +50,7 @@ gss_acquire_cred(OM_uint32 *minor_status, int i; *minor_status = 0; - if (output_cred_handle) + if (output_cred_handle == NULL) return GSS_S_CALL_INACCESSIBLE_READ; if (actual_mechs) *actual_mechs = GSS_C_NO_OID_SET; diff --git a/source4/heimdal/lib/gssapi/mech/gss_aeap.c b/source4/heimdal/lib/gssapi/mech/gss_aeap.c index cbe0cd1460..9c784f42de 100644 --- a/source4/heimdal/lib/gssapi/mech/gss_aeap.c +++ b/source4/heimdal/lib/gssapi/mech/gss_aeap.c @@ -3,27 +3,39 @@ */ #include "mech_locl.h" -RCSID("$Id$"); /** * Encrypts or sign the data. * + * This is a more complicated version of gss_wrap(), it allows the + * caller to use AEAD data (signed header/trailer) and allow greater + * controll over where the encrypted data is placed. + * * The maximum packet size is gss_context_stream_sizes.max_msg_size. * - * The caller needs provide the folloing buffers: + * The caller needs provide the folloing buffers when using in conf_req_flag=1 mode: * * - HEADER (of size gss_context_stream_sizes.header) - * SIGN_ONLY (optional, zero or more) - * DATA - * SIGN_ONLY (optional, zero or more) - * PADDING (of size gss_context_stream_sizes.blocksize) + * { DATA or SIGN_ONLY } (optional, zero or more) + * PADDING (of size gss_context_stream_sizes.blocksize, if zero padding is zero, can be omitted) * TRAILER (of size gss_context_stream_sizes.trailer) * * - on DCE-RPC mode, the caller can skip PADDING and TRAILER if the - * DATA elements is padded to a block bountry. + * DATA elements is padded to a block bountry and header is of at + * least size gss_context_stream_sizes.header + gss_context_stream_sizes.trailer. + * + * HEADER, PADDING, TRAILER will be shrunken to the size required to transmit any of them too large. * * To generate gss_wrap() compatible packets, use: HEADER | DATA | PADDING | TRAILER * + * When used in conf_req_flag=0, + * + * - HEADER (of size gss_context_stream_sizes.header) + * { DATA or SIGN_ONLY } (optional, zero or more) + * PADDING (of size gss_context_stream_sizes.blocksize, if zero padding is zero, can be omitted) + * TRAILER (of size gss_context_stream_sizes.trailer) + * + * * The input sizes of HEADER, PADDING and TRAILER can be fetched using gss_wrap_iov_length() or * gss_context_query_attributes(). * @@ -65,6 +77,13 @@ gss_wrap_iov(OM_uint32 * minor_status, iov, iov_count); } +/** + * Decrypt or verifies the signature on the data. + * + * + * @ingroup gssapi + */ + OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, @@ -99,7 +118,18 @@ gss_unwrap_iov(OM_uint32 *minor_status, iov, iov_count); } -OM_uint32 GSSAPI_LIB_FUNCTION +/** + * Update the length fields in iov buffer for the types: + * - GSS_IOV_BUFFER_TYPE_HEADER + * - GSS_IOV_BUFFER_TYPE_PADDING + * - GSS_IOV_BUFFER_TYPE_TRAILER + * + * Consider using gss_context_query_attributes() to fetch the data instead. + * + * @ingroup gssapi + */ + +OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_iov_length(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag, @@ -132,6 +162,13 @@ gss_wrap_iov_length(OM_uint32 * minor_status, iov, iov_count); } +/** + * Free all buffer allocated by gss_wrap_iov() or gss_unwrap_iov() by + * looking at the GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED flag. + * + * @ingroup gssapi + */ + OM_uint32 GSSAPI_LIB_FUNCTION gss_release_iov_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, @@ -146,9 +183,10 @@ gss_release_iov_buffer(OM_uint32 *minor_status, return GSS_S_CALL_INACCESSIBLE_READ; for (i = 0; i < iov_count; i++) { - if (iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) + if ((iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) == 0) continue; gss_release_buffer(&junk, &iov[i].buffer); + iov[i].type &= ~GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; } return GSS_S_COMPLETE; } @@ -159,6 +197,8 @@ gss_release_iov_buffer(OM_uint32 *minor_status, * SSPI equivalent if this function is QueryContextAttributes. * * - GSS_C_ATTR_STREAM_SIZES data is a gss_context_stream_sizes. + * + * @ingroup gssapi */ static gss_OID_desc gss_c_attr_stream_sizes_desc = diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c index 158126d99f..2bdfc28ebf 100644 --- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -92,12 +92,6 @@ send_supported_mechs (OM_uint32 *minor_status, gss_buffer_t output_token) { NegotiationTokenWin nt; - char hostname[MAXHOSTNAMELEN + 1], *p; - gss_buffer_desc name_buf; - gss_OID name_type; - gss_name_t target_princ; - gss_name_t canon_princ; - OM_uint32 minor; size_t buf_len; gss_buffer_desc data; OM_uint32 ret; @@ -116,62 +110,9 @@ send_supported_mechs (OM_uint32 *minor_status, return ret; } - memset(&target_princ, 0, sizeof(target_princ)); - if (gethostname(hostname, sizeof(hostname) - 2) != 0) { - *minor_status = errno; - free_NegotiationTokenWin(&nt); - return GSS_S_FAILURE; - } - hostname[sizeof(hostname) - 1] = '\0'; - - /* Send the constructed SAM name for this host */ - for (p = hostname; *p != '\0' && *p != '.'; p++) { - *p = toupper((unsigned char)*p); - } - *p++ = '$'; - *p = '\0'; - - name_buf.length = strlen(hostname); - name_buf.value = hostname; - - ret = gss_import_name(minor_status, &name_buf, - GSS_C_NO_OID, - &target_princ); - if (ret != GSS_S_COMPLETE) { - free_NegotiationTokenWin(&nt); - return ret; - } - - name_buf.length = 0; - name_buf.value = NULL; - - /* Canonicalize the name using the preferred mechanism */ - ret = gss_canonicalize_name(minor_status, - target_princ, - GSS_C_NO_OID, - &canon_princ); - if (ret != GSS_S_COMPLETE) { - free_NegotiationTokenWin(&nt); - gss_release_name(&minor, &target_princ); - return ret; - } - - ret = gss_display_name(minor_status, canon_princ, - &name_buf, &name_type); - if (ret != GSS_S_COMPLETE) { - free_NegotiationTokenWin(&nt); - gss_release_name(&minor, &canon_princ); - gss_release_name(&minor, &target_princ); - return ret; - } - - gss_release_name(&minor, &canon_princ); - gss_release_name(&minor, &target_princ); - ALLOC(nt.u.negTokenInit.negHints, 1); if (nt.u.negTokenInit.negHints == NULL) { *minor_status = ENOMEM; - gss_release_buffer(&minor, &name_buf); free_NegotiationTokenWin(&nt); return GSS_S_FAILURE; } @@ -179,20 +120,19 @@ send_supported_mechs (OM_uint32 *minor_status, ALLOC(nt.u.negTokenInit.negHints->hintName, 1); if (nt.u.negTokenInit.negHints->hintName == NULL) { *minor_status = ENOMEM; - gss_release_buffer(&minor, &name_buf); free_NegotiationTokenWin(&nt); return GSS_S_FAILURE; } - *(nt.u.negTokenInit.negHints->hintName) = name_buf.value; - name_buf.value = NULL; + *nt.u.negTokenInit.negHints->hintName = strdup("not_defined_in_RFC4178@please_ignore"); nt.u.negTokenInit.negHints->hintAddress = NULL; ASN1_MALLOC_ENCODE(NegotiationTokenWin, data.value, data.length, &nt, &buf_len, ret); free_NegotiationTokenWin(&nt); if (ret) { - return ret; + *minor_status = ret; + return GSS_S_FAILURE; } if (data.length != buf_len) abort(); diff --git a/source4/heimdal/lib/hcrypto/des.h b/source4/heimdal/lib/hcrypto/des.h index 14402d4b1c..99eb76c818 100644 --- a/source4/heimdal/lib/hcrypto/des.h +++ b/source4/heimdal/lib/hcrypto/des.h @@ -84,12 +84,14 @@ typedef struct DES_key_schedule * */ -#if !defined(__GNUC__) && !defined(__attribute__) -#define __attribute__(x) -#endif - #ifndef HC_DEPRECATED +#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define HC_DEPRECATED __attribute__((deprecated)) +#elif defined(_MSC_VER) && (_MSC_VER>1200) +#define HC_DEPRECATED __declspec(deprecated) +#else +#define HC_DEPRECATED +#endif #endif #ifdef __cplusplus diff --git a/source4/heimdal/lib/hcrypto/evp.h b/source4/heimdal/lib/hcrypto/evp.h index a7c8fac900..0086a06960 100644 --- a/source4/heimdal/lib/hcrypto/evp.h +++ b/source4/heimdal/lib/hcrypto/evp.h @@ -190,10 +190,17 @@ struct hc_evp_md { #endif #ifndef HC_DEPRECATED +#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define HC_DEPRECATED __attribute__((deprecated)) +#elif defined(_MSC_VER) && (_MSC_VER>1200) +#define HC_DEPRECATED __declspec(deprecated) +#else +#define HC_DEPRECATED #endif +#endif + #ifndef HC_DEPRECATED_CRYPTO -#define HC_DEPRECATED_CRYPTO __attribute__((deprecated)) +#define HC_DEPRECATED_CRYPTO HC_DEPRECATED #endif diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c index 556833d1c4..9de0a04a1f 100644 --- a/source4/heimdal/lib/hdb/db.c +++ b/source4/heimdal/lib/hdb/db.c @@ -33,8 +33,6 @@ #include "hdb_locl.h" -RCSID("$Id$"); - #if HAVE_DB1 #if defined(HAVE_DB_185_H) @@ -317,6 +315,7 @@ hdb_db_create(krb5_context context, HDB **db, } (*db)->hdb_master_key_set = 0; (*db)->hdb_openp = 0; + (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL; (*db)->hdb_open = DB_open; (*db)->hdb_close = DB_close; (*db)->hdb_fetch = _hdb_fetch; diff --git a/source4/heimdal/lib/hdb/dbinfo.c b/source4/heimdal/lib/hdb/dbinfo.c index 7e2961c614..a399ab0a5c 100644 --- a/source4/heimdal/lib/hdb/dbinfo.c +++ b/source4/heimdal/lib/hdb/dbinfo.c @@ -33,8 +33,6 @@ #include "hdb_locl.h" -RCSID("$Id$"); - struct hdb_dbinfo { char *label; char *realm; diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c index 9053fd6633..faf0b6bdf2 100644 --- a/source4/heimdal/lib/hdb/ext.c +++ b/source4/heimdal/lib/hdb/ext.c @@ -34,8 +34,6 @@ #include "hdb_locl.h" #include <der.h> -RCSID("$Id$"); - krb5_error_code hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) { diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1 index c2abd4af73..a72851c9f2 100644 --- a/source4/heimdal/lib/hdb/hdb.asn1 +++ b/source4/heimdal/lib/hdb/hdb.asn1 @@ -45,7 +45,9 @@ HDBFlags ::= BIT STRING { immutable(13), -- may not be deleted trusted-for-delegation(14), -- Trusted to print forwardabled tickets allow-kerberos4(15), -- Allow Kerberos 4 requests - allow-digest(16) -- Allow digest requests + allow-digest(16), -- Allow digest requests + locked-out(17) -- Account is locked out, + -- authentication will be denied } GENERATION ::= SEQUENCE { diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index e55b0bed03..9795f8b255 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -33,7 +33,6 @@ #include "krb5_locl.h" #include "hdb_locl.h" -RCSID("$Id$"); #ifdef HAVE_DLFCN_H #include <dlfcn.h> diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index a5e6514e6c..f490dbf2f0 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -54,7 +54,15 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; #define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ #define HDB_F_CANON 32 /* want canonicalition */ +/* hdb_capability_flags */ #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 +#define HDB_CAP_F_HANDLE_PASSWORDS 2 +#define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4 + +/* auth status values */ +#define HDB_AUTH_SUCCESS 0 +#define HDB_AUTH_WRONG_PASSWORD 1 +#define HDB_AUTH_INVALID_SIGNATURE 2 /* key usage for master key */ #define HDB_KU_MKEY 0x484442 @@ -184,6 +192,34 @@ typedef struct HDB{ * point for the module. */ krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); + /** + * Change password. + * + * Will update keys for the entry when given password. The new + * keys must be written into the entry and and will then later be + * ->hdb_store() into the database. The backend will still perform + * all other operations, increasing the kvno, and update + * modification timestamp. + * + * The backen need to call _kadm5_set_keys() and perform password + * quality checks. + */ + krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); + + /** + * Auth feedback + * + * This is a feedback call that allows backends that provides + * lockout functionality to register failure and/or successes. + * + * In case the entry is locked out, the backend should set the + * hdb_entry.flags.locked-out flag. + */ + krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int); + /** + * Check is delegation is allowed. + */ + krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); }HDB; #define HDB_INTERFACE_VERSION 5 diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c index 50fe7d7fda..63f254d002 100644 --- a/source4/heimdal/lib/hdb/keys.c +++ b/source4/heimdal/lib/hdb/keys.c @@ -34,8 +34,6 @@ #include "hdb_locl.h" -RCSID("$Id$"); - /* * free all the memory used by (len, keys) */ diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c index 97989a9764..9b36a268cf 100644 --- a/source4/heimdal/lib/hdb/keytab.c +++ b/source4/heimdal/lib/hdb/keytab.c @@ -35,8 +35,6 @@ /* keytab backend for HDB databases */ -RCSID("$Id$"); - struct hdb_data { char *dbname; char *mkey; @@ -123,61 +121,43 @@ hdb_get_name(krb5_context context, return 0; } -static void -set_config (krb5_context context, - const krb5_config_binding *binding, - const char **dbname, - const char **mkey) -{ - *dbname = krb5_config_get_string(context, binding, "dbname", NULL); - *mkey = krb5_config_get_string(context, binding, "mkey_file", NULL); -} - /* * try to figure out the database (`dbname') and master-key (`mkey') * that should be used for `principal'. */ -static void +static krb5_error_code find_db (krb5_context context, - const char **dbname, - const char **mkey, + char **dbname, + char **mkey, krb5_const_principal principal) { - const krb5_config_binding *top_bind = NULL; - const krb5_config_binding *default_binding = NULL; - const krb5_config_binding *db; krb5_const_realm realm = krb5_principal_get_realm(context, principal); + krb5_error_code ret; + struct hdb_dbinfo *head, *dbinfo = NULL; *dbname = *mkey = NULL; - while ((db = - krb5_config_get_next(context, - NULL, - &top_bind, - krb5_config_list, - "kdc", - "database", - NULL)) != NULL) { - const char *p; - - p = krb5_config_get_string (context, db, "realm", NULL); - if (p == NULL) { - if(default_binding) { - krb5_warnx(context, "WARNING: more than one realm-less " - "database specification"); - krb5_warnx(context, "WARNING: using the first encountered"); - } else - default_binding = db; - } else if (strcmp (realm, p) == 0) { - set_config (context, db, dbname, mkey); + ret = hdb_get_dbinfo(context, &head); + if (ret) + return ret; + + while ((dbinfo = hdb_dbinfo_get_next(head, dbinfo)) != NULL) { + const char *p = hdb_dbinfo_get_realm(context, dbinfo); + if (p && strcmp (realm, p) == 0) { + p = hdb_dbinfo_get_dbname(context, dbinfo); + if (p) + *dbname = strdup(p); + p = hdb_dbinfo_get_mkey_file(context, dbinfo); + if (p) + *mkey = strdup(p); break; } } - if (*dbname == NULL && default_binding != NULL) - set_config (context, default_binding, dbname, mkey); + hdb_free_dbinfo(context, &head); if (*dbname == NULL) - *dbname = HDB_DEFAULT_DB; + *dbname = strdup(HDB_DEFAULT_DB); + return 0; } /* @@ -196,29 +176,35 @@ hdb_get_entry(krb5_context context, hdb_entry_ex ent; krb5_error_code ret; struct hdb_data *d = id->data; - int i; - HDB *db; const char *dbname = d->dbname; const char *mkey = d->mkey; + char *fdbname = NULL, *fmkey = NULL; + HDB *db; + int i; memset(&ent, 0, sizeof(ent)); - if (dbname == NULL) - find_db (context, &dbname, &mkey, principal); + if (dbname == NULL) { + ret = find_db(context, &fdbname, &fmkey, principal); + if (ret) + return ret; + dbname = fdbname; + mkey = fmkey; + } ret = hdb_create (context, &db, dbname); if (ret) - return ret; + goto out2; ret = hdb_set_master_keyfile (context, db, mkey); if (ret) { (*db->hdb_destroy)(context, db); - return ret; + goto out2; } ret = (*db->hdb_open)(context, db, O_RDONLY, 0); if (ret) { (*db->hdb_destroy)(context, db); - return ret; + goto out2; } ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT| @@ -252,9 +238,12 @@ hdb_get_entry(krb5_context context, } } hdb_free_entry(context, &ent); -out: + out: (*db->hdb_close)(context, db); (*db->hdb_destroy)(context, db); + out2: + free(fdbname); + free(fmkey); return ret; } diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c index 1520c4f7e9..35323cf100 100644 --- a/source4/heimdal/lib/hdb/mkey.c +++ b/source4/heimdal/lib/hdb/mkey.c @@ -36,8 +36,6 @@ #define O_BINARY 0 #endif -RCSID("$Id$"); - struct hdb_master_key_data { krb5_keytab_entry keytab; krb5_crypto crypto; diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c index 1e9df81652..d97a98ed6b 100644 --- a/source4/heimdal/lib/hdb/ndbm.c +++ b/source4/heimdal/lib/hdb/ndbm.c @@ -33,8 +33,6 @@ #include "hdb_locl.h" -RCSID("$Id$"); - #if HAVE_NDBM #if defined(HAVE_GDBM_NDBM_H) @@ -348,6 +346,7 @@ hdb_ndbm_create(krb5_context context, HDB **db, } (*db)->hdb_master_key_set = 0; (*db)->hdb_openp = 0; + (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL; (*db)->hdb_open = NDBM_open; (*db)->hdb_close = NDBM_close; (*db)->hdb_fetch = _hdb_fetch; diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index 8063100717..f4667c6e31 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c @@ -37,10 +37,6 @@ struct hx509_crypto; struct signature_alg; -enum crypto_op_type { - COT_SIGN -}; - struct hx509_generate_private_context { const heim_oid *key_oid; int isCA; diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index 9fd2117345..a30780d1ed 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -3182,7 +3182,7 @@ krb5_encrypt_iov_ivec(krb5_context context, krb5_error_code ret; struct key_data *dkey; const struct encryption_type *et = crypto->et; - krb5_crypto_iov *tiv, *piv, *hiv, *div; + krb5_crypto_iov *tiv, *piv, *hiv; if (num_data < 0) { krb5_clear_error_message(context); @@ -3197,11 +3197,11 @@ krb5_encrypt_iov_ivec(krb5_context context, headersz = et->confoundersize; trailersz = CHECKSUMSIZE(et->keyed_checksum); - div = find_iv(data, num_data, KRB5_CRYPTO_TYPE_DATA); - if (div == NULL) - return KRB5_CRYPTO_INTERNAL; - - len = div->data.length; + for (len = 0, i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) + continue; + len += data[i].data.length; + } sz = headersz + len; block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ @@ -3217,7 +3217,6 @@ krb5_encrypt_iov_ivec(krb5_context context, krb5_generate_random_block(hiv->data.data, hiv->data.length); /* padding */ - piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING); /* its ok to have no TYPE_PADDING if there is no padding */ if (piv == NULL && pad_sz != 0) @@ -3226,26 +3225,26 @@ krb5_encrypt_iov_ivec(krb5_context context, if (piv->data.length < pad_sz) return KRB5_BAD_MSIZE; piv->data.length = pad_sz; + if (pad_sz) + memset(piv->data.data, pad_sz, pad_sz); + else + piv = NULL; } - /* trailer */ - tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); if (tiv == NULL || tiv->data.length != trailersz) return KRB5_BAD_MSIZE; - /* * XXX replace with EVP_Sign? at least make create_checksum an iov * function. * XXX CTS EVP is broken, can't handle multi buffers :( */ - len = hiv->data.length; + len = block_sz; for (i = 0; i < num_data; i++) { - if (data[i].flags != KRB5_CRYPTO_TYPE_DATA && - data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) continue; len += data[i].data.length; } @@ -3261,6 +3260,10 @@ krb5_encrypt_iov_ivec(krb5_context context, memcpy(q, data[i].data.data, data[i].data.length); q += data[i].data.length; } + if (piv) { + memset(q, 0, piv->data.length); + q += piv->data.length; + } ret = create_checksum(context, et->keyed_checksum, @@ -3282,30 +3285,24 @@ krb5_encrypt_iov_ivec(krb5_context context, memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length); free_Checksum (&cksum); - /* now encrypt data */ - - ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); - if(ret) - return ret; - ret = _key_schedule(context, dkey); - if(ret) - return ret; - /* XXX replace with EVP_Cipher */ - - len = hiv->data.length + div->data.length; - if (piv) - len += piv->data.length; - - p = q = malloc(len); + p = q = malloc(block_sz); if(p == NULL) return ENOMEM; memcpy(q, hiv->data.data, hiv->data.length); q += hiv->data.length; - memcpy(q, div->data.data, div->data.length); - q += div->data.length; - memset(q, 0, pad_sz); + + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) + continue; + memcpy(q, data[i].data.data, data[i].data.length); + q += data[i].data.length; + } + if (piv) { + memset(q, 0, piv->data.length); + q += piv->data.length; + } ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) { @@ -3318,7 +3315,7 @@ krb5_encrypt_iov_ivec(krb5_context context, return ret; } - ret = (*et->encrypt)(context, dkey, p, len, 1, usage, ivec); + ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec); if (ret) { free(p); return ret; @@ -3330,11 +3327,17 @@ krb5_encrypt_iov_ivec(krb5_context context, memcpy(hiv->data.data, q, hiv->data.length); q += hiv->data.length; - memcpy(div->data.data, q, div->data.length); - q += div->data.length; - - if (piv) + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) + continue; + memcpy(data[i].data.data, q, data[i].data.length); + q += data[i].data.length; + } + if (piv) { memcpy(piv->data.data, q, pad_sz); + q += pad_sz; + } + free(p); return ret; @@ -3371,13 +3374,12 @@ krb5_decrypt_iov_ivec(krb5_context context, { unsigned int i; size_t headersz, trailersz, len; - size_t sz, block_sz, pad_sz; Checksum cksum; unsigned char *p, *q; krb5_error_code ret; struct key_data *dkey; struct encryption_type *et = crypto->et; - krb5_crypto_iov *tiv, *hiv, *div; + krb5_crypto_iov *tiv, *hiv; if (num_data < 0) { krb5_clear_error_message(context); @@ -3390,56 +3392,47 @@ krb5_decrypt_iov_ivec(krb5_context context, } headersz = et->confoundersize; - trailersz = CHECKSUMSIZE(et->keyed_checksum); - - for (len = 0, i = 0; i < num_data; i++) { - if (data[i].flags == KRB5_CRYPTO_TYPE_DATA) { - if (len != 0) - return KRB5_CRYPTO_INTERNAL; - len += data[i].data.length; - } - } - - sz = headersz + len; - block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ - - pad_sz = block_sz - sz; - trailersz += pad_sz; - - /* header */ hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER); - if (hiv == NULL || hiv->data.length < headersz) + if (hiv == NULL || hiv->data.length != headersz) return KRB5_BAD_MSIZE; - hiv->data.length = headersz; /* trailer */ + trailersz = CHECKSUMSIZE(et->keyed_checksum); tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); - if (tiv == NULL || tiv->data.length < trailersz) + if (tiv->data.length != trailersz) return KRB5_BAD_MSIZE; - tiv->data.length = trailersz; - - div = find_iv(data, num_data, KRB5_CRYPTO_TYPE_DATA); - if (div == NULL) - return KRB5_CRYPTO_INTERNAL; - /* XXX replace with EVP_Cipher */ + /* Find length of data we will decrypt */ - for (len = 0, i = 0; i < num_data; i++) { - if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER && - data[i].flags != KRB5_CRYPTO_TYPE_DATA) + len = headersz; + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) continue; len += data[i].data.length; } + if ((len % et->padsize) != 0) { + krb5_clear_error_message(context); + return KRB5_BAD_MSIZE; + } + + /* XXX replace with EVP_Cipher */ + p = q = malloc(len); if (p == NULL) return ENOMEM; memcpy(q, hiv->data.data, hiv->data.length); q += hiv->data.length; - memcpy(q, div->data.data, div->data.length); + + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) + continue; + memcpy(q, data[i].data.data, data[i].data.length); + q += data[i].data.length; + } ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) { @@ -3460,20 +3453,26 @@ krb5_decrypt_iov_ivec(krb5_context context, /* copy data back to buffers */ memcpy(hiv->data.data, p, hiv->data.length); - memcpy(div->data.data, p + hiv->data.length, len - hiv->data.length); + q = p + hiv->data.length; + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA) + continue; + memcpy(data[i].data.data, q, data[i].data.length); + q += data[i].data.length; + } + free(p); /* check signature */ - - len = hiv->data.length; for (i = 0; i < num_data; i++) { - if (data[i].flags != KRB5_CRYPTO_TYPE_DATA && - data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) continue; len += data[i].data.length; } p = q = malloc(len); + if (p == NULL) + return ENOMEM; memcpy(q, hiv->data.data, hiv->data.length); q += hiv->data.length; @@ -3582,33 +3581,145 @@ krb5_create_checksum_iov(krb5_context context, return 0; } +/** + * Verify a Kerberos message checksum. + * + * @param context Kerberos context + * @param crypto Kerberos crypto context + * @param usage Key usage for this buffer + * @param data array of buffers to process + * @param num_data length of array + * + * @return Return an error code or 0. + * @ingroup krb5_crypto + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_verify_checksum_iov(krb5_context context, + krb5_crypto crypto, + unsigned usage, + krb5_crypto_iov *data, + unsigned int num_data, + krb5_cksumtype *type) +{ + struct encryption_type *et = crypto->et; + Checksum cksum; + krb5_crypto_iov *civ; + krb5_error_code ret; + int i; + size_t len; + char *p, *q; + + if (num_data < 0) { + krb5_clear_error_message(context); + return KRB5_CRYPTO_INTERNAL; + } + + if(!derived_crypto(context, crypto)) { + krb5_clear_error_message(context); + return KRB5_CRYPTO_INTERNAL; + } + + civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM); + if (civ == NULL) + return KRB5_BAD_MSIZE; + + len = 0; + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA && + data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + continue; + len += data[i].data.length; + } + + p = q = malloc(len); + + for (i = 0; i < num_data; i++) { + if (data[i].flags != KRB5_CRYPTO_TYPE_DATA && + data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY) + continue; + memcpy(q, data[i].data.data, data[i].data.length); + q += data[i].data.length; + } + + cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum); + cksum.checksum.length = civ->data.length; + cksum.checksum.data = civ->data.data; + + ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum); + free(p); + + if (ret == 0 && type) + *type = cksum.cksumtype; + + return ret; +} + -size_t KRB5_LIB_FUNCTION +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_length(krb5_context context, krb5_crypto crypto, - int type) + int type, + size_t *len) { - if (!derived_crypto(context, crypto)) - return (size_t)-1; + if (!derived_crypto(context, crypto)) { + krb5_set_error_message(context, EINVAL, "not a derived crypto"); + return EINVAL; + } + switch(type) { case KRB5_CRYPTO_TYPE_EMPTY: + *len = 0; return 0; case KRB5_CRYPTO_TYPE_HEADER: - return crypto->et->blocksize; + *len = crypto->et->blocksize; + return 0; + case KRB5_CRYPTO_TYPE_DATA: + case KRB5_CRYPTO_TYPE_SIGN_ONLY: + /* len must already been filled in */ + return 0; case KRB5_CRYPTO_TYPE_PADDING: if (crypto->et->padsize > 1) - return crypto->et->padsize; + *len = crypto->et->padsize; + else + *len = 0; return 0; case KRB5_CRYPTO_TYPE_TRAILER: - return CHECKSUMSIZE(crypto->et->keyed_checksum); + *len = CHECKSUMSIZE(crypto->et->keyed_checksum); + return 0; case KRB5_CRYPTO_TYPE_CHECKSUM: if (crypto->et->keyed_checksum) - return CHECKSUMSIZE(crypto->et->keyed_checksum); - return CHECKSUMSIZE(crypto->et->checksum); + *len = CHECKSUMSIZE(crypto->et->keyed_checksum); + else + *len = CHECKSUMSIZE(crypto->et->checksum); + return 0; + } + krb5_set_error_message(context, EINVAL, + "%d not a supported type", type); + return EINVAL; +} + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_length_iov(krb5_context context, + krb5_crypto crypto, + krb5_crypto_iov *data, + unsigned int num_data) +{ + krb5_error_code ret; + int i; + + for (i = 0; i < num_data; i++) { + ret = krb5_crypto_length(context, crypto, + data[i].flags, + &data[i].data.length); + if (ret) + return ret; } - return (size_t)-1; + return 0; } + krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto, diff --git a/source4/heimdal/lib/krb5/get_addrs.c b/source4/heimdal/lib/krb5/get_addrs.c index 96571af531..8f366fa148 100644 --- a/source4/heimdal/lib/krb5/get_addrs.c +++ b/source4/heimdal/lib/krb5/get_addrs.c @@ -41,9 +41,7 @@ struct mbuf; #ifdef HAVE_NET_IF_H #include <net/if.h> #endif -#ifdef HAVE_IFADDR_H #include <ifaddrs.h> -#endif static krb5_error_code gethostname_fallback (krb5_context context, krb5_addresses *res) diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 0435ab5d3b..ff89a90d55 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -1601,7 +1601,7 @@ krb5_init_creds_step(krb5_context context, ret = 0; } else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) { /* client referal to a new realm */ - if (ctx->error.crealm) { + if (ctx->error.crealm == NULL) { krb5_set_error_message(context, ret, N_("Got a client referral, not but no realm", "")); goto out; diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 13dafacf21..1f2e769728 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -52,7 +52,13 @@ #endif #ifndef KRB5_DEPRECATED +#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) #define KRB5_DEPRECATED __attribute__((deprecated)) +#elif defined(_MSC_VER) && (_MSC_VER>1200) +#define KRB5_DEPRECATED __declspec(deprecated) +#else +#define KRB5_DEPRECATED +#endif #endif /* simple constants */ diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c index 31d267320f..ee5c1159b1 100644 --- a/source4/heimdal/lib/krb5/log.c +++ b/source4/heimdal/lib/krb5/log.c @@ -32,6 +32,7 @@ */ #include "krb5_locl.h" +#include <vis.h> struct facility { int min; @@ -218,11 +219,21 @@ log_file(const char *timestr, void *data) { struct file_data *f = data; + char *msgclean; + size_t len = strlen(msg) + 1; if(f->keep_open == 0) f->fd = fopen(f->filename, f->mode); if(f->fd == NULL) return; - fprintf(f->fd, "%s %s\n", timestr, msg); + /* make sure the log doesn't contain special chars */ + len *= 4; + msgclean = malloc(len); + if (msgclean == NULL) + goto out; + strvisx(rk_UNCONST(msg), msgclean, len, VIS_OCTAL); + fprintf(f->fd, "%s %s\n", timestr, msgclean); + free(msgclean); + out: if(f->keep_open == 0) { fclose(f->fd); f->fd = NULL; diff --git a/source4/heimdal/lib/krb5/store_emem.c b/source4/heimdal/lib/krb5/store_emem.c index 4be89b6564..acf984280e 100644 --- a/source4/heimdal/lib/krb5/store_emem.c +++ b/source4/heimdal/lib/krb5/store_emem.c @@ -110,7 +110,12 @@ emem_trunc(krb5_storage *sp, off_t offset) * If offset is larget then current size, or current size is * shrunk more then half of the current size, adjust buffer. */ - if (offset > s->size || (s->size / 2) > offset) { + if (offset == 0) { + free(s->base); + s->size = 0; + s->base = NULL; + s->ptr = NULL; + } else if (offset > s->size || (s->size / 2) > offset) { void *base; size_t off; off = s->ptr - s->base; diff --git a/source4/heimdal_build/ifaddrs.hin b/source4/heimdal_build/ifaddrs.hin new file mode 100644 index 0000000000..a50b03335b --- /dev/null +++ b/source4/heimdal_build/ifaddrs.hin @@ -0,0 +1 @@ +#include "system/network.h" diff --git a/source4/heimdal_build/internal.m4 b/source4/heimdal_build/internal.m4 index 5c8d78e56d..e7e7ae1842 100644 --- a/source4/heimdal_build/internal.m4 +++ b/source4/heimdal_build/internal.m4 @@ -46,6 +46,15 @@ dnl declarations will be correct). Phew! AC_CHECK_HEADERS([err.h], [], [ cp heimdal/lib/roken/err.hin heimdal_build/err.h ]) +dnl Not all systems have ifaddrs.h, so we provide a replacement. Heimdal +dnl unconditionally #includes <ifaddrs.h>, so we need to create an ifaddrs.h, +dnl but we can't just have a static one because we don't want to use +dnl it on systems that have a real ifaddrs.h. If the system has a real +dnl ifaddrs.h. We don't use heimdal's lib/roken/ifaddrs.hin because +dnl our libreplace would conflict with it. +AC_CHECK_HEADERS([ifaddrs.h], [], + [ cp heimdal_build/ifaddrs.hin heimdal_build/ifaddrs.h ]) + AC_CHECK_HEADERS([ \ crypt.h \ curses.h \ diff --git a/source4/heimdal_build/replace.c b/source4/heimdal_build/replace.c index ba43dd9495..8c3def7dca 100644 --- a/source4/heimdal_build/replace.c +++ b/source4/heimdal_build/replace.c @@ -21,11 +21,9 @@ */ #include "config.h" -#include <stdio.h> -#include <unistd.h> -#include <fcntl.h> #include "err.h" #include "roken.h" +#include "system/filesys.h" #ifndef HAVE_ERR void err(int eval, const char *format, ...) @@ -63,6 +61,7 @@ #ifndef HAVE_FLOCK int flock(int fd, int op) { +#undef flock struct flock lock; lock.l_whence = 0; lock.l_start = 0; diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h index 4eabbe2af4..87060cff17 100644 --- a/source4/heimdal_build/roken.h +++ b/source4/heimdal_build/roken.h @@ -37,6 +37,10 @@ #define HAVE_SETEUID 1 #endif +#ifndef HAVE_STRNLEN +#define HAVE_STRNLEN +#endif + #ifndef HAVE_STRNDUP #define HAVE_STRNDUP #endif @@ -53,6 +57,14 @@ #define HAVE_STRCASECMP #endif +#ifndef HAVE_ASPRINTF +#define HAVE_ASPRINTF +#endif + +#ifndef HAVE_VASPRINTF +#define HAVE_VASPRINTF +#endif + #ifndef HAVE_MKSTEMP #define HAVE_MKSTEMP #endif @@ -85,6 +97,10 @@ #define HAVE_INNETGR #endif +#ifndef HAVE_INET_ATON +#define HAVE_INET_ATON +#endif + /* we lie about having pidfile() so that NetBSD5 can compile. Nothing in the parts of heimdal we use actually uses pidfile(), and we don't use it in Samba, so this works, although its ugly */ diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 7d731ab13d..cadbe33af6 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -34,7 +34,7 @@ #include "includes.h" #include "system/time.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "librpc/gen_ndr/netlogon.h" @@ -154,7 +154,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h flags.invalid = 1; } -/* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in LDB_message2entry() */ +/* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in hdb_samba4_message2entry() */ /* if (userAccountControl & UF_MNS_LOGON_ACCOUNT) { @@ -193,7 +193,7 @@ static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex) talloc_free(entry_ex->ctx); } -static krb5_error_code LDB_message2entry_keys(krb5_context context, +static krb5_error_code hdb_samba4_message2entry_keys(krb5_context context, struct smb_iconv_convenience *iconv_convenience, TALLOC_CTX *mem_ctx, struct ldb_message *msg, @@ -283,22 +283,22 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context, (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { ret = EINVAL; - krb5_set_error_message(context, ret, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob"); - krb5_warnx(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob"); + krb5_set_error_message(context, ret, "hdb_samba4_message2entry_keys: could not parse package_PrimaryKerberosBlob"); + krb5_warnx(context, "hdb_samba4_message2entry_keys: could not parse package_PrimaryKerberosBlob"); goto out; } if (newer_keys && _pkb.version != 4) { ret = EINVAL; - krb5_set_error_message(context, ret, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4"); - krb5_warnx(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4"); + krb5_set_error_message(context, ret, "hdb_samba4_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4"); + krb5_warnx(context, "hdb_samba4_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4"); goto out; } if (!newer_keys && _pkb.version != 3) { ret = EINVAL; - krb5_set_error_message(context, ret, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3"); - krb5_warnx(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3"); + krb5_set_error_message(context, ret, "hdb_samba4_message2entry_keys: could not parse Primary:Kerberos not version 3"); + krb5_warnx(context, "hdb_samba4_message2entry_keys: could not parse Primary:Kerberos not version 3"); goto out; } @@ -484,7 +484,7 @@ out: /* * Construct an hdb_entry from a directory entry. */ -static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, enum hdb_ldb_ent_type ent_type, @@ -511,7 +511,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, if (!samAccountName) { ret = ENOENT; - krb5_set_error_message(context, ret, "LDB_message2entry: no samAccountName present"); + krb5_set_error_message(context, ret, "hdb_samba4_message2entry: no samAccountName present"); goto out; } @@ -690,7 +690,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.generation = NULL; /* Get keys from the db */ - ret = LDB_message2entry_keys(context, p->iconv_convenience, p, msg, userAccountControl, entry_ex); + ret = hdb_samba4_message2entry_keys(context, p->iconv_convenience, p, msg, userAccountControl, entry_ex); if (ret) { /* Could be bougus data in the entry, or out of memory */ goto out; @@ -731,7 +731,7 @@ out: /* * Construct an hdb_entry from a directory entry. */ -static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, enum trust_direction direction, @@ -909,7 +909,7 @@ out: } -static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx, +static krb5_error_code hdb_samba4_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx, TALLOC_CTX *mem_ctx, const char *realm, struct ldb_dn *realm_dn, @@ -946,39 +946,39 @@ static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context return 0; } -static krb5_error_code LDB_open(krb5_context context, HDB *db, int flags, mode_t mode) +static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode) { if (db->hdb_master_key_set) { krb5_error_code ret = HDB_ERR_NOENTRY; - krb5_warnx(context, "LDB_open: use of a master key incompatible with LDB\n"); - krb5_set_error_message(context, ret, "LDB_open: use of a master key incompatible with LDB\n"); + krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n"); + krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n"); return ret; } return 0; } -static krb5_error_code LDB_close(krb5_context context, HDB *db) +static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db) { return 0; } -static krb5_error_code LDB_lock(krb5_context context, HDB *db, int operation) +static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation) { return 0; } -static krb5_error_code LDB_unlock(krb5_context context, HDB *db) +static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db) { return 0; } -static krb5_error_code LDB_rename(krb5_context context, HDB *db, const char *new_name) +static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name) { return HDB_ERR_DB_INUSE; } -static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, @@ -1008,13 +1008,13 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, return EINVAL; } - ret = LDB_message2entry(context, db, lp_ctx, mem_ctx, + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_CLIENT, realm_dn, msg, entry_ex); return ret; } -static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, @@ -1044,19 +1044,18 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, int lret; char *realm_fixed; - const char * const *princ_attrs = user_attrs; lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, realm_dn, LDB_SCOPE_SUBTREE, - &msg, princ_attrs, + &msg, krbtgt_attrs, "(&(objectClass=user)(samAccountName=krbtgt))"); if (lret == LDB_ERR_NO_SUCH_OBJECT) { - krb5_warnx(context, "LDB_fetch: could not find own KRBTGT in DB!"); - krb5_set_error_message(context, HDB_ERR_NOENTRY, "LDB_fetch: could not find own KRBTGT in DB!"); + krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!"); + krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB!"); return HDB_ERR_NOENTRY; } else if (lret != LDB_SUCCESS) { - krb5_warnx(context, "LDB_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db)); - krb5_set_error_message(context, HDB_ERR_NOENTRY, "LDB_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db)); + krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db)); + krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db)); return HDB_ERR_NOENTRY; } @@ -1077,16 +1076,16 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, talloc_free(realm_fixed); if (!alloc_principal->name.name_string.val[1]) { ret = ENOMEM; - krb5_set_error_message(context, ret, "LDB_fetch: strdup() failed!"); + krb5_set_error_message(context, ret, "hdb_samba4_fetch: strdup() failed!"); return ret; } principal = alloc_principal; - ret = LDB_message2entry(context, db, lp_ctx, mem_ctx, + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "LDB_fetch: self krbtgt message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: self krbtgt message2entry failed"); } return ret; @@ -1109,21 +1108,21 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, /* Trusted domains are under CN=system */ - ret = LDB_lookup_trust(context, (struct ldb_context *)db->hdb_db, + ret = hdb_samba4_lookup_trust(context, (struct ldb_context *)db->hdb_db, mem_ctx, realm, realm_dn, &msg); if (ret != 0) { - krb5_warnx(context, "LDB_fetch: could not find principal in DB"); - krb5_set_error_message(context, ret, "LDB_fetch: could not find principal in DB"); + krb5_warnx(context, "hdb_samba4_fetch: could not find principal in DB"); + krb5_set_error_message(context, ret, "hdb_samba4_fetch: could not find principal in DB"); return ret; } - ret = LDB_trust_message2entry(context, db, lp_ctx, mem_ctx, + ret = hdb_samba4_trust_message2entry(context, db, lp_ctx, mem_ctx, principal, direction, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "LDB_fetch: trust_message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: trust_message2entry failed"); } return ret; @@ -1134,17 +1133,16 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, } -static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, - struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, - krb5_const_principal principal, - unsigned flags, - hdb_entry_ex *entry_ex) +static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + const char **attrs, + struct ldb_dn **realm_dn, + struct ldb_message **msg) { krb5_error_code ret; const char *realm; - struct ldb_message *msg = NULL; - struct ldb_dn *realm_dn; if (principal->name.name_string.len >= 2) { /* 'normal server' case */ int ldb_ret; @@ -1164,7 +1162,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, * referral instead */ nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, mem_ctx, principal_string, - &user_dn, &realm_dn); + &user_dn, realm_dn); free(principal_string); if (!NT_STATUS_IS_OK(nt_status)) { @@ -1174,7 +1172,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db, mem_ctx, user_dn, LDB_SCOPE_BASE, - &msg, user_attrs, + msg, attrs, "(objectClass=*)"); if (ldb_ret != LDB_SUCCESS) { return HDB_ERR_NOENTRY; @@ -1183,10 +1181,9 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, } else { int lret; char *filter = NULL; - const char * const *princ_attrs = user_attrs; char *short_princ; /* server as client principal case, but we must not lookup userPrincipalNames */ - realm_dn = ldb_get_default_basedn(db->hdb_db); + *realm_dn = ldb_get_default_basedn(db->hdb_db); realm = krb5_principal_get_realm(context, principal); /* TODO: Check if it is our realm, otherwise give referall */ @@ -1194,14 +1191,14 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ); if (ret != 0) { - krb5_set_error_message(context, ret, "LDB_lookup_principal: could not parse principal"); - krb5_warnx(context, "LDB_lookup_principal: could not parse principal"); + krb5_set_error_message(context, ret, "hdb_samba4_lookup_principal: could not parse principal"); + krb5_warnx(context, "hdb_samba4_lookup_principal: could not parse principal"); return ret; } lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, - realm_dn, LDB_SCOPE_SUBTREE, - &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))", + *realm_dn, LDB_SCOPE_SUBTREE, + msg, attrs, "(&(objectClass=user)(samAccountName=%s))", ldb_binary_encode_string(mem_ctx, short_princ)); free(short_princ); if (lret == LDB_ERR_NO_SUCH_OBJECT) { @@ -1215,46 +1212,66 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, } } - ret = LDB_message2entry(context, db, lp_ctx, mem_ctx, + return 0; +} + +static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) +{ + krb5_error_code ret; + struct ldb_dn *realm_dn; + struct ldb_message *msg; + + ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal, + server_attrs, &realm_dn, &msg); + if (ret != 0) { + return ret; + } + + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "LDB_fetch: message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: message2entry failed"); } return ret; } -static krb5_error_code LDB_fetch(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_fetch(krb5_context context, HDB *db, krb5_const_principal principal, unsigned flags, hdb_entry_ex *entry_ex) { krb5_error_code ret = HDB_ERR_NOENTRY; - TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context"); + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_fetch context"); struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context); if (!mem_ctx) { ret = ENOMEM; - krb5_set_error_message(context, ret, "LDB_fetch: talloc_named() failed!"); + krb5_set_error_message(context, ret, "hdb_samba4_fetch: talloc_named() failed!"); return ret; } if (flags & HDB_F_GET_CLIENT) { - ret = LDB_fetch_client(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); + ret = hdb_samba4_fetch_client(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_SERVER) { /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */ - ret = LDB_fetch_krbtgt(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); + ret = hdb_samba4_fetch_krbtgt(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */ - ret = LDB_fetch_server(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); + ret = hdb_samba4_fetch_server(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_KRBTGT) { - ret = LDB_fetch_krbtgt(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); + ret = hdb_samba4_fetch_krbtgt(context, db, lp_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } @@ -1263,12 +1280,12 @@ done: return ret; } -static krb5_error_code LDB_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { return HDB_ERR_DB_INUSE; } -static krb5_error_code LDB_remove(krb5_context context, HDB *db, krb5_const_principal principal) +static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal) { return HDB_ERR_DB_INUSE; } @@ -1282,7 +1299,7 @@ struct hdb_ldb_seq { struct ldb_dn *realm_dn; }; -static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +static krb5_error_code hdb_samba4_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { krb5_error_code ret; struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc; @@ -1294,16 +1311,16 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd return HDB_ERR_NOENTRY; } - mem_ctx = talloc_named(priv, 0, "LDB_seq context"); + mem_ctx = talloc_named(priv, 0, "hdb_samba4_seq context"); if (!mem_ctx) { ret = ENOMEM; - krb5_set_error_message(context, ret, "LDB_seq: talloc_named() failed!"); + krb5_set_error_message(context, ret, "hdb_samba4_seq: talloc_named() failed!"); return ret; } if (priv->index < priv->count) { - ret = LDB_message2entry(context, db, priv->lp_ctx, + ret = hdb_samba4_message2entry(context, db, priv->lp_ctx, mem_ctx, NULL, HDB_SAMBA4_ENT_TYPE_ANY, priv->realm_dn, priv->msgs[priv->index++], entry); @@ -1321,7 +1338,7 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd return ret; } -static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flags, +static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; @@ -1353,11 +1370,11 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag priv->realm_dn = ldb_get_default_basedn(ldb_ctx); priv->count = 0; - mem_ctx = talloc_named(priv, 0, "LDB_firstkey context"); + mem_ctx = talloc_named(priv, 0, "hdb_samba4_firstkey context"); if (!mem_ctx) { ret = ENOMEM; - krb5_set_error_message(context, ret, "LDB_firstkey: talloc_named() failed!"); + krb5_set_error_message(context, ret, "hdb_samba4_firstkey: talloc_named() failed!"); return ret; } @@ -1382,7 +1399,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag db->hdb_dbc = priv; - ret = LDB_seq(context, db, flags, entry); + ret = hdb_samba4_seq(context, db, flags, entry); if (ret != 0) { talloc_free(priv); @@ -1393,18 +1410,87 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag return ret; } -static krb5_error_code LDB_nextkey(krb5_context context, HDB *db, unsigned flags, +static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { - return LDB_seq(context, db, flags, entry); + return hdb_samba4_seq(context, db, flags, entry); } -static krb5_error_code LDB_destroy(krb5_context context, HDB *db) +static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) { talloc_free(db); return 0; } +krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, + hdb_entry_ex *entry, + krb5_const_principal target_principal) +{ + struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), + struct loadparm_context); + krb5_error_code ret; + krb5_principal enterprise_prinicpal = NULL; + struct ldb_dn *realm_dn; + struct ldb_message *msg; + struct dom_sid *orig_sid; + struct dom_sid *target_sid; + struct hdb_ldb_private *p = talloc_get_type(entry->ctx, struct hdb_ldb_private); + const char *delegation_check_attrs[] = { + "objectSid", NULL + }; + + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation"); + + if (!mem_ctx) { + ret = ENOMEM; + krb5_set_error_message(context, ret, "hdb_samba4_fetch: talloc_named() failed!"); + return ret; + } + + if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { + /* Need to reparse the enterprise principal to find the real target */ + if (target_principal->name.name_string.len != 1) { + ret = KRB5_PARSE_MALFORMED; + krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components", + target_principal->name.name_string.len); + talloc_free(mem_ctx); + return ret; + } + ret = krb5_parse_name(context, target_principal->name.name_string.val[0], + &enterprise_prinicpal); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + target_principal = enterprise_prinicpal; + } + + ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal, + delegation_check_attrs, &realm_dn, &msg); + + krb5_free_principal(context, enterprise_prinicpal); + + if (ret != 0) { + talloc_free(mem_ctx); + return ret; + } + + orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid"); + target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid"); + + /* Allow delegation to the same principal, even if by a different + * name. The easy and safe way to prove this is by SID + * comparison */ + if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) { + talloc_free(mem_ctx); + return KRB5KDC_ERR_BADOPTION; + } + + talloc_free(mem_ctx); + return ret; +} + /* This interface is to be called by the KDC, which is expecting Samba * calling conventions. It is also called by a wrapper * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb @@ -1451,22 +1537,25 @@ NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx, } (*db)->hdb_dbc = NULL; - (*db)->hdb_open = LDB_open; - (*db)->hdb_close = LDB_close; - (*db)->hdb_fetch = LDB_fetch; - (*db)->hdb_store = LDB_store; - (*db)->hdb_remove = LDB_remove; - (*db)->hdb_firstkey = LDB_firstkey; - (*db)->hdb_nextkey = LDB_nextkey; - (*db)->hdb_lock = LDB_lock; - (*db)->hdb_unlock = LDB_unlock; - (*db)->hdb_rename = LDB_rename; + (*db)->hdb_open = hdb_samba4_open; + (*db)->hdb_close = hdb_samba4_close; + (*db)->hdb_fetch = hdb_samba4_fetch; + (*db)->hdb_store = hdb_samba4_store; + (*db)->hdb_remove = hdb_samba4_remove; + (*db)->hdb_firstkey = hdb_samba4_firstkey; + (*db)->hdb_nextkey = hdb_samba4_nextkey; + (*db)->hdb_lock = hdb_samba4_lock; + (*db)->hdb_unlock = hdb_samba4_unlock; + (*db)->hdb_rename = hdb_samba4_rename; /* we don't implement these, as we are not a lockable database */ (*db)->hdb__get = NULL; (*db)->hdb__put = NULL; /* kadmin should not be used for deletes - use other tools instead */ (*db)->hdb__del = NULL; - (*db)->hdb_destroy = LDB_destroy; + (*db)->hdb_destroy = hdb_samba4_destroy; + + (*db)->hdb_auth_status = NULL; + (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; return NT_STATUS_OK; } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 5bd4cb10c7..21ae7091a6 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -21,7 +21,7 @@ */ #include "includes.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "lib/ldb/include/ldb.h" #include "librpc/gen_ndr/ndr_krb5pac.h" #include "librpc/gen_ndr/krb5pac.h" diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c index 64ad6832db..164e5a95a0 100644 --- a/source4/lib/ldb/common/ldb.c +++ b/source4/lib/ldb/common/ldb.c @@ -240,7 +240,7 @@ int ldb_connect(struct ldb_context *ldb, const char *url, if (ldb_load_modules(ldb, options) != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_FATAL, - "Unable to load modules for %s: %s\n", + "Unable to load modules for %s: %s", url, ldb_errstring(ldb)); return LDB_ERR_OTHER; } diff --git a/source4/lib/ldb/common/ldb_debug.c b/source4/lib/ldb/common/ldb_debug.c index f8009eb8a3..7680862c2c 100644 --- a/source4/lib/ldb/common/ldb_debug.c +++ b/source4/lib/ldb/common/ldb_debug.c @@ -56,6 +56,7 @@ static void ldb_debug_stderr(void *context, enum ldb_debug_level level, { if (level <= LDB_DEBUG_WARNING) { vfprintf(stderr, fmt, ap); + fprintf(stderr, "\n"); } } diff --git a/source4/lib/ldb/common/ldb_ldif.c b/source4/lib/ldb/common/ldb_ldif.c index d64a9f1c3a..d890ff8300 100644 --- a/source4/lib/ldb/common/ldb_ldif.c +++ b/source4/lib/ldb/common/ldb_ldif.c @@ -296,7 +296,7 @@ int ldb_ldif_write(struct ldb_context *ldb, } } if (!ldb_changetypes[i].name) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Invalid ldif changetype %d\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Invalid ldif changetype %d", ldif->changetype); talloc_free(mem_ctx); return -1; @@ -561,7 +561,7 @@ struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, /* first line must be a dn */ if (ldb_attr_cmp(attr, "dn") != 0) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: First line of ldif must be a dn not '%s'\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: First line of ldif must be a dn not '%s'", attr); goto failed; } @@ -569,7 +569,7 @@ struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, msg->dn = ldb_dn_from_ldb_val(msg, ldb, &value); if ( ! ldb_dn_validate(msg->dn)) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Unable to parse dn '%s'\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Unable to parse dn '%s'", (char *)value.data); goto failed; } @@ -588,8 +588,8 @@ struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, } } if (!ldb_changetypes[i].name) { - ldb_debug(ldb, LDB_DEBUG_ERROR, - "Error: Bad ldif changetype '%s'\n",(char *)value.data); + ldb_debug(ldb, LDB_DEBUG_ERROR, + "Error: Bad ldif changetype '%s'",(char *)value.data); } flags = 0; continue; @@ -638,7 +638,7 @@ struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, } if (value.length == 0) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Error: Attribute value cannot be empty for attribute '%s'\n", el->name); + "Error: Attribute value cannot be empty for attribute '%s'", el->name); goto failed; } if (value.data != el->values[el->num_values].data) { diff --git a/source4/lib/ldb/common/ldb_match.c b/source4/lib/ldb/common/ldb_match.c index c622701d30..e6ee0de027 100644 --- a/source4/lib/ldb/common/ldb_match.c +++ b/source4/lib/ldb/common/ldb_match.c @@ -335,7 +335,7 @@ static int ldb_match_extended(struct ldb_context *ldb, } } if (comp == NULL) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: unknown extended rule_id %s\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: unknown extended rule_id %s", tree->u.extended.rule_id); return -1; } diff --git a/source4/lib/ldb/common/ldb_modules.c b/source4/lib/ldb/common/ldb_modules.c index ae97ef4cce..05dffd005a 100644 --- a/source4/lib/ldb/common/ldb_modules.c +++ b/source4/lib/ldb/common/ldb_modules.c @@ -84,13 +84,13 @@ const char **ldb_modules_list_from_string(struct ldb_context *ldb, TALLOC_CTX *m /* spaces not admitted */ modstr = ldb_modules_strdup_no_spaces(mem_ctx, string); if ( ! modstr) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_strdup_no_spaces()\n"); + ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_strdup_no_spaces()"); return NULL; } modules = talloc_realloc(mem_ctx, modules, char *, 2); if ( ! modules ) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()\n"); + ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()"); talloc_free(modstr); return NULL; } @@ -106,7 +106,7 @@ const char **ldb_modules_list_from_string(struct ldb_context *ldb, TALLOC_CTX *m i++; modules = talloc_realloc(mem_ctx, modules, char *, i + 2); if ( ! modules ) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()\n"); + ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()"); return NULL; } @@ -239,7 +239,7 @@ int ldb_connect_backend(struct ldb_context *ldb, if (fn == NULL) { ldb_debug(ldb, LDB_DEBUG_FATAL, - "Unable to find backend for '%s'\n", url); + "Unable to find backend for '%s'", url); return LDB_ERR_OTHER; } @@ -247,7 +247,7 @@ int ldb_connect_backend(struct ldb_context *ldb, if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Failed to connect to '%s'\n", url); + "Failed to connect to '%s'", url); return ret; } return ret; @@ -304,18 +304,18 @@ static void *ldb_dso_load_symbol(struct ldb_context *ldb, const char *name, path = talloc_asprintf(ldb, "%s/%s.%s", ldb->modules_dir, name, SHLIBEXT); - ldb_debug(ldb, LDB_DEBUG_TRACE, "trying to load %s from %s\n", name, path); + ldb_debug(ldb, LDB_DEBUG_TRACE, "trying to load %s from %s", name, path); handle = dlopen(path, RTLD_NOW); if (handle == NULL) { - ldb_debug(ldb, LDB_DEBUG_WARNING, "unable to load %s from %s: %s\n", name, path, dlerror()); + ldb_debug(ldb, LDB_DEBUG_WARNING, "unable to load %s from %s: %s", name, path, dlerror()); return NULL; } sym = (int (*)(void))dlsym(handle, symbol); if (sym == NULL) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "no symbol `%s' found in %s: %s\n", symbol, path, dlerror()); + ldb_debug(ldb, LDB_DEBUG_ERROR, "no symbol `%s' found in %s: %s", symbol, path, dlerror()); return NULL; } @@ -351,7 +351,7 @@ int ldb_load_modules_list(struct ldb_context *ldb, const char **module_list, str } if (ops == NULL) { - ldb_debug(ldb, LDB_DEBUG_WARNING, "WARNING: Module [%s] not found\n", + ldb_debug(ldb, LDB_DEBUG_WARNING, "WARNING: Module [%s] not found", module_list[i]); continue; } @@ -382,7 +382,7 @@ int ldb_init_module_chain(struct ldb_context *ldb, struct ldb_module *module) if (module) { int ret = module->ops->init_context(module); if (ret != LDB_SUCCESS) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "module %s initialization failed\n", module->ops->name); + ldb_debug(ldb, LDB_DEBUG_FATAL, "module %s initialization failed", module->ops->name); return ret; } } @@ -428,7 +428,7 @@ int ldb_load_modules(struct ldb_context *ldb, const char *options[]) if (ret == LDB_ERR_NO_SUCH_OBJECT) { ldb_debug(ldb, LDB_DEBUG_TRACE, "no modules required by the db"); } else if (ret != LDB_SUCCESS) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "ldb error (%s) occurred searching for modules, bailing out\n", ldb_errstring(ldb)); + ldb_debug(ldb, LDB_DEBUG_FATAL, "ldb error (%s) occurred searching for modules, bailing out", ldb_errstring(ldb)); talloc_free(mem_ctx); return ret; } else { @@ -436,7 +436,7 @@ int ldb_load_modules(struct ldb_context *ldb, const char *options[]) if (res->count == 0) { ldb_debug(ldb, LDB_DEBUG_TRACE, "no modules required by the db"); } else if (res->count > 1) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "Too many records found (%d), bailing out\n", res->count); + ldb_debug(ldb, LDB_DEBUG_FATAL, "Too many records found (%d), bailing out", res->count); talloc_free(mem_ctx); return -1; } else { diff --git a/source4/lib/ldb/ldb.mk b/source4/lib/ldb/ldb.mk index a9a6dad46d..4234fcc311 100644 --- a/source4/lib/ldb/ldb.mk +++ b/source4/lib/ldb/ldb.mk @@ -67,11 +67,8 @@ build-python:: ldb.$(SHLIBEXT) pyldb.o: $(ldbdir)/pyldb.c $(CC) $(PICFLAG) -c $(ldbdir)/pyldb.c $(CFLAGS) `$(PYTHON_CONFIG) --cflags` -pyldb_util.o: $(ldbdir)/pyldb_util.c - $(CC) $(PICFLAG) -c $(ldbdir)/pyldb_util.c $(CFLAGS) `$(PYTHON_CONFIG) --cflags` - -ldb.$(SHLIBEXT): pyldb.o pyldb_util.o - $(SHLD) $(SHLD_FLAGS) -o ldb.$(SHLIBEXT) pyldb.o pyldb_util.o $(LIB_FLAGS) `$(PYTHON_CONFIG) --ldflags` +ldb.$(SHLIBEXT): pyldb.o + $(SHLD) $(SHLD_FLAGS) -o ldb.$(SHLIBEXT) pyldb.o $(LIB_FLAGS) `$(PYTHON_CONFIG) --ldflags` install-python:: build-python mkdir -p $(DESTDIR)`$(PYTHON) -c "import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1, prefix='$(prefix)')"` diff --git a/source4/lib/ldb/ldb.pc.in b/source4/lib/ldb/ldb.pc.in index b7e4c85844..01482f6bfb 100644 --- a/source4/lib/ldb/ldb.pc.in +++ b/source4/lib/ldb/ldb.pc.in @@ -2,7 +2,7 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ -modulesdir=@modulesdir@ +modulesdir=@LDB_MODULESDIR@ Name: ldb Description: An LDAP-like embedded database diff --git a/source4/lib/ldb/ldb_ildap/ldb_ildap.c b/source4/lib/ldb/ldb_ildap/ldb_ildap.c index 4447d0e09a..ffde048223 100644 --- a/source4/lib/ldb/ldb_ildap/ldb_ildap.c +++ b/source4/lib/ldb/ldb_ildap/ldb_ildap.c @@ -790,7 +790,7 @@ static int ildb_connect(struct ldb_context *ldb, const char *url, status = ldap_connect(ildb->ldap, url); if (!NT_STATUS_IS_OK(status)) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s", url, ldap_errstr(ildb->ldap, module, status)); goto failed; } @@ -810,14 +810,14 @@ static int ildb_connect(struct ldb_context *ldb, const char *url, const char *password = cli_credentials_get_password(creds); status = ldap_bind_simple(ildb->ldap, bind_dn, password); if (!NT_STATUS_IS_OK(status)) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s", ldap_errstr(ildb->ldap, module, status)); goto failed; } } else { status = ldap_bind_sasl(ildb->ldap, creds, lp_ctx); if (!NT_STATUS_IS_OK(status)) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s", ldap_errstr(ildb->ldap, module, status)); goto failed; } diff --git a/source4/lib/ldb/ldb_ldap/ldb_ldap.c b/source4/lib/ldb/ldb_ldap/ldb_ldap.c index 43a01f75a7..52c16101bb 100644 --- a/source4/lib/ldb/ldb_ldap/ldb_ldap.c +++ b/source4/lib/ldb/ldb_ldap/ldb_ldap.c @@ -219,7 +219,7 @@ static int lldb_search(struct lldb_context *lldb_ac) } if (req->controls != NULL) { - ldb_debug(ldb, LDB_DEBUG_WARNING, "Controls are not yet supported by ldb_ldap backend!\n"); + ldb_debug(ldb, LDB_DEBUG_WARNING, "Controls are not yet supported by ldb_ldap backend!"); } ldb_request_set_state(req, LDB_ASYNC_PENDING); @@ -871,7 +871,7 @@ static int lldb_connect(struct ldb_context *ldb, ret = ldap_initialize(&lldb->ldap, url); if (ret != LDAP_SUCCESS) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_initialize failed for URL '%s' - %s\n", + ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_initialize failed for URL '%s' - %s", url, ldap_err2string(ret)); goto failed; } @@ -880,7 +880,7 @@ static int lldb_connect(struct ldb_context *ldb, ret = ldap_set_option(lldb->ldap, LDAP_OPT_PROTOCOL_VERSION, &version); if (ret != LDAP_SUCCESS) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_set_option failed - %s\n", + ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_set_option failed - %s", ldap_err2string(ret)); goto failed; } diff --git a/source4/lib/ldb/ldb_map/ldb_map.c b/source4/lib/ldb/ldb_map/ldb_map.c index 5b4ea7910a..68e9d3f392 100644 --- a/source4/lib/ldb/ldb_map/ldb_map.c +++ b/source4/lib/ldb/ldb_map/ldb_map.c @@ -242,7 +242,7 @@ int ldb_next_remote_request(struct ldb_module *module, struct ldb_request *reque default: ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " - "Invalid remote request!\n"); + "Invalid remote request!"); return LDB_ERR_OPERATIONS_ERROR; } @@ -503,14 +503,14 @@ struct ldb_dn *ldb_dn_map_local(struct ldb_module *module, void *mem_ctx, struct case MAP_GENERATE: ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "MAP_IGNORE/MAP_GENERATE attribute '%s' " - "used in DN!\n", ldb_dn_get_component_name(dn, i)); + "used in DN!", ldb_dn_get_component_name(dn, i)); goto failed; case MAP_CONVERT: if (map->u.convert.convert_local == NULL) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "'convert_local' not set for attribute '%s' " - "used in DN!\n", ldb_dn_get_component_name(dn, i)); + "used in DN!", ldb_dn_get_component_name(dn, i)); goto failed; } /* fall through */ @@ -578,14 +578,14 @@ struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, struc case MAP_GENERATE: ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "MAP_IGNORE/MAP_GENERATE attribute '%s' " - "used in DN!\n", ldb_dn_get_component_name(dn, i)); + "used in DN!", ldb_dn_get_component_name(dn, i)); goto failed; case MAP_CONVERT: if (map->u.convert.convert_remote == NULL) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "'convert_remote' not set for attribute '%s' " - "used in DN!\n", ldb_dn_get_component_name(dn, i)); + "used in DN!", ldb_dn_get_component_name(dn, i)); goto failed; } /* fall through */ @@ -1007,7 +1007,7 @@ static int map_init_dns(struct ldb_module *module, struct ldb_map_context *data, dn = ldb_dn_new_fmt(data, ldb, "%s=%s", MAP_DN_NAME, name); if ( ! ldb_dn_validate(dn)) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " - "Failed to construct '%s' DN!\n", MAP_DN_NAME); + "Failed to construct '%s' DN!", MAP_DN_NAME); return LDB_ERR_OPERATIONS_ERROR; } @@ -1018,13 +1018,13 @@ static int map_init_dns(struct ldb_module *module, struct ldb_map_context *data, } if (res->count == 0) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " - "No results for '%s=%s'!\n", MAP_DN_NAME, name); + "No results for '%s=%s'!", MAP_DN_NAME, name); talloc_free(res); return LDB_ERR_CONSTRAINT_VIOLATION; } if (res->count > 1) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " - "Too many results for '%s=%s'!\n", MAP_DN_NAME, name); + "Too many results for '%s=%s'!", MAP_DN_NAME, name); talloc_free(res); return LDB_ERR_CONSTRAINT_VIOLATION; } diff --git a/source4/lib/ldb/ldb_map/ldb_map_inbound.c b/source4/lib/ldb/ldb_map/ldb_map_inbound.c index 455740ce59..89037419fb 100644 --- a/source4/lib/ldb/ldb_map/ldb_map_inbound.c +++ b/source4/lib/ldb/ldb_map/ldb_map_inbound.c @@ -73,7 +73,7 @@ static int ldb_msg_el_partition(struct ldb_module *module, struct ldb_message *l /* Unknown attribute: ignore */ if (map == NULL) { ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb_map: " - "Not mapping attribute '%s': no mapping found\n", + "Not mapping attribute '%s': no mapping found", old->name); goto local; } @@ -86,7 +86,7 @@ static int ldb_msg_el_partition(struct ldb_module *module, struct ldb_message *l if (map->u.convert.convert_local == NULL) { ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb_map: " "Not mapping attribute '%s': " - "'convert_local' not set\n", + "'convert_local' not set", map->local_name); goto local; } @@ -100,7 +100,7 @@ static int ldb_msg_el_partition(struct ldb_module *module, struct ldb_message *l if (map->u.generate.generate_remote == NULL) { ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb_map: " "Not mapping attribute '%s': " - "'generate_remote' not set\n", + "'generate_remote' not set", map->local_name); goto local; } @@ -167,7 +167,7 @@ static int ldb_msg_partition(struct ldb_module *module, struct ldb_message *loca /* Skip 'IS_MAPPED' */ if (ldb_attr_cmp(msg->elements[i].name, IS_MAPPED) == 0) { ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb_map: " - "Skipping attribute '%s'\n", + "Skipping attribute '%s'", msg->elements[i].name); continue; } diff --git a/source4/lib/ldb/ldb_map/ldb_map_outbound.c b/source4/lib/ldb/ldb_map/ldb_map_outbound.c index ffcefad6be..4487d7e763 100644 --- a/source4/lib/ldb/ldb_map/ldb_map_outbound.c +++ b/source4/lib/ldb/ldb_map/ldb_map_outbound.c @@ -304,7 +304,7 @@ static int ldb_msg_el_merge(struct ldb_module *module, struct ldb_message *local if (map->u.convert.convert_remote == NULL) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "Skipping attribute '%s': " - "'convert_remote' not set\n", + "'convert_remote' not set", attr_name); return LDB_SUCCESS; } @@ -323,7 +323,7 @@ static int ldb_msg_el_merge(struct ldb_module *module, struct ldb_message *local if (map->u.generate.generate_local == NULL) { ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_map: " "Skipping attribute '%s': " - "'generate_local' not set\n", + "'generate_local' not set", attr_name); return LDB_SUCCESS; } @@ -900,7 +900,7 @@ static int map_subtree_collect_remote(struct ldb_module *module, void *mem_ctx, if (map->type == MAP_GENERATE) { ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb_map: " "Skipping attribute '%s': " - "'convert_operator' not set\n", + "'convert_operator' not set", tree->u.equality.attr); *new = NULL; return 0; @@ -1062,7 +1062,7 @@ int map_return_entry(struct map_context *ac, struct ldb_reply *ares) ac->req->op.search.scope)) { ldb_debug(ldb, LDB_DEBUG_TRACE, "ldb_map: " "Skipping record '%s': " - "doesn't match original search\n", + "doesn't match original search", ldb_dn_get_linearized(ares->message->dn)); return LDB_SUCCESS; } diff --git a/source4/lib/ldb/ldb_tdb/ldb_cache.c b/source4/lib/ldb/ldb_tdb/ldb_cache.c index 042c1c9282..2c399686ea 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_cache.c +++ b/source4/lib/ldb/ldb_tdb/ldb_cache.c @@ -141,7 +141,7 @@ static int ltdb_attributes_load(struct ldb_module *module) const struct ldb_schema_syntax *s; if (ltdb_attributes_flags(&msg->elements[i], &flags) != 0) { - ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid @ATTRIBUTES element for '%s'\n", msg->elements[i].name); + ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid @ATTRIBUTES element for '%s'", msg->elements[i].name); goto failed; } switch (flags & ~LTDB_FLAG_HIDDEN) { @@ -156,7 +156,7 @@ static int ltdb_attributes_load(struct ldb_module *module) break; default: ldb_debug(ldb, LDB_DEBUG_ERROR, - "Invalid flag combination 0x%x for '%s' in @ATTRIBUTES\n", + "Invalid flag combination 0x%x for '%s' in @ATTRIBUTES", flags, msg->elements[i].name); goto failed; } @@ -164,7 +164,7 @@ static int ltdb_attributes_load(struct ldb_module *module) s = ldb_standard_syntax_by_name(ldb, syntax); if (s == NULL) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Invalid attribute syntax '%s' for '%s' in @ATTRIBUTES\n", + "Invalid attribute syntax '%s' for '%s' in @ATTRIBUTES", syntax, msg->elements[i].name); goto failed; } diff --git a/source4/lib/ldb/ldb_tdb/ldb_index.c b/source4/lib/ldb/ldb_tdb/ldb_index.c index fab60cb125..1daa4500f8 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_index.c +++ b/source4/lib/ldb/ldb_tdb/ldb_index.c @@ -1409,7 +1409,7 @@ int ltdb_index_del_value(struct ldb_module *module, const char *dn, struct ldb_ldif ldif; ldb_debug(ldb, LDB_DEBUG_ERROR, - "ERROR: dn %s not found in %s\n", dn, + "ERROR: dn %s not found in %s", dn, ldb_dn_get_linearized(dn_key)); ldif.changetype = LDB_CHANGETYPE_NONE; ldif.msg = msg; @@ -1587,7 +1587,7 @@ static int re_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void * key2 = ltdb_key(module, msg->dn); if (key2.dptr == NULL) { /* probably a corrupt record ... darn */ - ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid DN in re_index: %s\n", + ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid DN in re_index: %s", ldb_dn_get_linearized(msg->dn)); talloc_free(msg); return 0; @@ -1609,7 +1609,7 @@ static int re_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void * ret = ltdb_index_add0(module, dn, msg->elements, msg->num_elements); } else { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Adding special ONE LEVEL index failed (%s)!\n", + "Adding special ONE LEVEL index failed (%s)!", ldb_dn_get_linearized(msg->dn)); } diff --git a/source4/lib/ldb/ldb_tdb/ldb_pack.c b/source4/lib/ldb/ldb_tdb/ldb_pack.c index 1995606f88..5640e7053c 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_pack.c +++ b/source4/lib/ldb/ldb_tdb/ldb_pack.c @@ -280,7 +280,7 @@ int ltdb_unpack_data(struct ldb_module *module, if (remaining != 0) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Error: %d bytes unread in ltdb_unpack_data\n", remaining); + "Error: %d bytes unread in ltdb_unpack_data", remaining); } return 0; diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.c b/source4/lib/ldb/ldb_tdb/ldb_tdb.c index 4a452761b8..d4f7b452cb 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.c +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.c @@ -1276,7 +1276,7 @@ static int ltdb_connect(struct ldb_context *ldb, const char *url, ldb_get_create_perms(ldb), ldb); if (!ltdb->tdb) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "Unable to open tdb '%s'\n", path); + "Unable to open tdb '%s'", path); talloc_free(ltdb); return -1; } diff --git a/source4/lib/ldb/modules/asq.c b/source4/lib/ldb/modules/asq.c index dd5afd868c..271cf52625 100644 --- a/source4/lib/ldb/modules/asq.c +++ b/source4/lib/ldb/modules/asq.c @@ -393,7 +393,7 @@ static int asq_init(struct ldb_module *module) ret = ldb_mod_register_control(module, LDB_CONTROL_ASQ_OID); if (ret != LDB_SUCCESS) { - ldb_debug(ldb, LDB_DEBUG_WARNING, "asq: Unable to register control with rootdse!\n"); + ldb_debug(ldb, LDB_DEBUG_WARNING, "asq: Unable to register control with rootdse!"); } return ldb_next_init(module); diff --git a/source4/lib/ldb/modules/operational.c b/source4/lib/ldb/modules/operational.c index 43b223b52e..77b0014afa 100644 --- a/source4/lib/ldb/modules/operational.c +++ b/source4/lib/ldb/modules/operational.c @@ -169,8 +169,8 @@ static int operational_search_post_process(struct ldb_module *module, return 0; failed: - ldb_debug_set(ldb, LDB_DEBUG_WARNING, - "operational_search_post_process failed for attribute '%s'\n", + ldb_debug_set(ldb, LDB_DEBUG_WARNING, + "operational_search_post_process failed for attribute '%s'", attrs[a]); return -1; } diff --git a/source4/lib/ldb/modules/paged_results.c b/source4/lib/ldb/modules/paged_results.c index f2692305d5..b712f84872 100644 --- a/source4/lib/ldb/modules/paged_results.c +++ b/source4/lib/ldb/modules/paged_results.c @@ -409,7 +409,7 @@ static int paged_request_init(struct ldb_module *module) if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_WARNING, "paged_results:" - "Unable to register control with rootdse!\n"); + "Unable to register control with rootdse!"); } return ldb_next_init(module); diff --git a/source4/lib/ldb/modules/rdn_name.c b/source4/lib/ldb/modules/rdn_name.c index 880678d89d..e9f873f073 100644 --- a/source4/lib/ldb/modules/rdn_name.c +++ b/source4/lib/ldb/modules/rdn_name.c @@ -98,7 +98,7 @@ static int rdn_name_add(struct ldb_module *module, struct ldb_request *req) int i, ret; ldb = ldb_module_get_ctx(module); - ldb_debug(ldb, LDB_DEBUG_TRACE, "rdn_name_add_record\n"); + ldb_debug(ldb, LDB_DEBUG_TRACE, "rdn_name_add_record"); /* do not manipulate our control entries */ if (ldb_dn_is_special(req->op.add.message->dn)) { @@ -288,7 +288,7 @@ static int rdn_name_rename(struct ldb_module *module, struct ldb_request *req) int ret; ldb = ldb_module_get_ctx(module); - ldb_debug(ldb, LDB_DEBUG_TRACE, "rdn_name_rename\n"); + ldb_debug(ldb, LDB_DEBUG_TRACE, "rdn_name_rename"); /* do not manipulate our control entries */ if (ldb_dn_is_special(req->op.rename.newdn)) { diff --git a/source4/lib/ldb/modules/sort.c b/source4/lib/ldb/modules/sort.c index a95a86140c..b4ea017b32 100644 --- a/source4/lib/ldb/modules/sort.c +++ b/source4/lib/ldb/modules/sort.c @@ -339,7 +339,7 @@ static int server_sort_init(struct ldb_module *module) if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_WARNING, "server_sort:" - "Unable to register control with rootdse!\n"); + "Unable to register control with rootdse!"); } return ldb_next_init(module); diff --git a/source4/lib/ldb/pyldb.c b/source4/lib/ldb/pyldb.c index 2e0f4fdf36..bcca70eb82 100644 --- a/source4/lib/ldb/pyldb.c +++ b/source4/lib/ldb/pyldb.c @@ -41,6 +41,16 @@ typedef intargfunc ssizeargfunc; #define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None #endif +static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_ctx) +{ + if (ret == LDB_ERR_PYTHON_EXCEPTION) + return; /* Python exception should already be set, just keep that */ + + PyErr_SetObject(error, + Py_BuildValue(discard_const_p(char, "(i,s)"), ret, + ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx))); +} + static PyObject *PyExc_LdbError; PyAPI_DATA(PyTypeObject) PyLdbMessage; diff --git a/source4/lib/ldb/pyldb.h b/source4/lib/ldb/pyldb.h index e0e0d2af69..a0954158bd 100644 --- a/source4/lib/ldb/pyldb.h +++ b/source4/lib/ldb/pyldb.h @@ -85,7 +85,6 @@ typedef struct { PyObject *PyLdbTree_FromTree(struct ldb_parse_tree *); #define PyLdbTree_AsTree(pyobj) ((PyLdbTreeObject *)pyobj)->tree -void PyErr_SetLdbError(PyObject *exctype, int ret, struct ldb_context *ldb_ctx); #define PyErr_LDB_ERROR_IS_ERR_RAISE(err,ret,ldb) \ if (ret != LDB_SUCCESS) { \ PyErr_SetLdbError(err, ret, ldb); \ diff --git a/source4/lib/ldb/pyldb_util.c b/source4/lib/ldb/pyldb_util.c deleted file mode 100644 index 84183e89de..0000000000 --- a/source4/lib/ldb/pyldb_util.c +++ /dev/null @@ -1,39 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - interface to ldb. - - Copyright (C) 2009 Jelmer Vernooij <jelmer@samba.org> - - ** NOTE! The following LGPL license applies to the ldb - ** library. This does NOT imply that all of Samba is released - ** under the LGPL - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see <http://www.gnu.org/licenses/>. -*/ - -#include "replace.h" -#include <Python.h> -#include "pyldb.h" -#include <ldb.h> - -void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_ctx) -{ - if (ret == LDB_ERR_PYTHON_EXCEPTION) - return; /* Python exception should already be set, just keep that */ - - PyErr_SetObject(error, - Py_BuildValue(discard_const_p(char, "(i,s)"), ret, - ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx))); -} diff --git a/source4/lib/ldb/python.mk b/source4/lib/ldb/python.mk index e08c150aaf..dbc2eb27eb 100644 --- a/source4/lib/ldb/python.mk +++ b/source4/lib/ldb/python.mk @@ -1,14 +1,6 @@ [PYTHON::pyldb] LIBRARY_REALNAME = ldb.$(SHLIBEXT) PUBLIC_DEPENDENCIES = LIBLDB PYTALLOC -PRIVATE_DEPENDENCIES = pyldb_util pyldb_OBJ_FILES = $(ldbsrcdir)/pyldb.o $(pyldb_OBJ_FILES): CFLAGS+=-I$(ldbsrcdir)/include - -[SUBSYSTEM::pyldb_util] -PUBLIC_DEPENDENCIES = LIBPYTHON -PRIVATE_DEPENDENCIES = LIBLDB - -pyldb_util_OBJ_FILES = $(ldbsrcdir)/pyldb_util.o -$(pyldb_OBJ_FILES): CFLAGS+=-I$(ldbsrcdir)/include diff --git a/source4/lib/ldb/rules.mk b/source4/lib/ldb/rules.mk index 639271b76d..0598f8039b 100644 --- a/source4/lib/ldb/rules.mk +++ b/source4/lib/ldb/rules.mk @@ -19,6 +19,7 @@ ctags: showflags:: @echo 'ldb will be compiled with flags:' @echo ' CFLAGS = $(CFLAGS)' + @echo ' SHLD_FLAGS = $(SHLD_FLAGS)' @echo ' LIBS = $(LIBS)' distclean:: diff --git a/source4/lib/registry/patchfile.c b/source4/lib/registry/patchfile.c index 925806985e..24d86abf48 100644 --- a/source4/lib/registry/patchfile.c +++ b/source4/lib/registry/patchfile.c @@ -316,6 +316,7 @@ _PUBLIC_ WERROR reg_diff_load(const char *filename, if (read(fd, &hdr, 4) != 4) { DEBUG(0, ("Error reading registry patch file `%s'\n", filename)); + close(fd); return WERR_GENERAL_FAILURE; } diff --git a/source4/lib/samba3/README b/source4/lib/samba3/README index 83520f673d..3f6553f7e8 100644 --- a/source4/lib/samba3/README +++ b/source4/lib/samba3/README @@ -3,6 +3,3 @@ Samba3 import, migration and compatibility. For example, the first file in this directory (smbpasswd.c) handles portions of the smbpasswd file format. - -The other files in this directory support reading the various -TDB databases from Samba3. diff --git a/source4/lib/samba3/STATUS b/source4/lib/samba3/STATUS deleted file mode 100644 index e4644526df..0000000000 --- a/source4/lib/samba3/STATUS +++ /dev/null @@ -1,68 +0,0 @@ ---- Samba3 -> Samba4 Upgrade --- -(C) 2005 Jelmer Vernooij <jelmer@samba.org> -Published under the GNU GPL - -Sponsored by the Google Summer of Code program (http://code.google.com/summerofcode.html) -Mentored by Andrew Bartlett <abartlet@samba.org> -Thanks! - -Done: - - Reading wins.dat - - Reading registry.tdb - - Reading passdb.tdb - - Reading account_policy.tdb - - Reading group_mappings.tdb - - Reading winbindd_idmap.tdb - - Reading share_info.tdb - - Reading secrets.tdb - - Reading smbpasswd - - Reading + writing (generic) smb.conf files - - Testsuite for read support mentioned above - - Console utility for dumping Samba information - - Import user accounts in Samba4 - - Import groups in Samba4 - - Import secrets in Samba4 - - Import WINS data in Samba4 - - Dump idmap data to LDB - - Import registry keys/values in Samba4 - - Import account policies in Samba4 - - Testsuite for upgrade - - Console utility from upgrading from Samba3 -> Samba4 - - SWAT (Web interface) support for upgrading from Samba3 -> Samba4 - - LDB generic mapping module - - (Experimental) Samba4 LDB <-> Samba3 LDAP mapping module based on LDB generic mapping module - - Testsuite for Samba4 LDB <-> Samba3 LDAP mapping module - -Source files: -source/lib/ldb/modules/ldb_map.c -source/lib/ldb/modules/ldb_map.h -source/lib/samba3/group.c -source/lib/samba3/idmap.c -source/lib/samba3/policy.c -source/lib/samba3/registry.c -source/lib/samba3/samba3.c -source/lib/samba3/secrets.c -source/lib/samba3/share_info.c -source/lib/samba3/smbpasswd.c -source/lib/samba3/tdbsam.c -source/lib/samba3/winsdb.c -source/lib/samba3/samba3.h -source/scripting/libjs/upgrade.js -source/scripting/ejs/smbcalls_param.c -source/scripting/ejs/smbcalls_samba3.c -source/param/generic.c -source/param/generic.h -testdata/samba3/verify -testprogs/ejs/samba3sam -source/setup/upgrade -source/scripting/bin/samba3dump -source/dsdb/samdb/ldb_modules/samba3sam.c -source/script/tests/test_s3upgrade.sh -swat/install/samba3.esp - -Known remaining issues: - - [upgrade] Conversion from the smbpasswd/TDB passwords to ntPwdHash / lmPwdHash is broken. Couldn't find out why. - - [ldb_map] Conversion of attribute names in DN's is still a bit dodgy - - [ldb_map] mapped objectClass names may be mentioned multiple times in returned records - - [ldb_map] add/modify support not tested very well with LDAP yet (only LDB+TDB) - - [ldb_map] group membership is not yet mapped (only primaryGroupID / sambaPrimaryGroupSID) diff --git a/source4/lib/samba3/samba3.h b/source4/lib/samba3/samba3.h index 1a0ce04143..87de13f8f8 100644 --- a/source4/lib/samba3/samba3.h +++ b/source4/lib/samba3/samba3.h @@ -22,7 +22,6 @@ #include "librpc/gen_ndr/security.h" #include "librpc/gen_ndr/samr.h" -#include "param/param.h" struct samr_Password *smbpasswd_gethexpwd(TALLOC_CTX *mem_ctx, const char *p); char *smbpasswd_sethexpwd(TALLOC_CTX *mem_ctx, struct samr_Password *pwd, uint16_t acb_info); diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index e1349e06f8..0764dfeb8f 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. - security descriptror utility functions + security descriptor utility functions Copyright (C) Andrew Tridgell 2004 Copyright (C) Stefan Metzmacher 2005 diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c index f3684ed280..5d09a5083a 100644 --- a/source4/libcli/smb2/request.c +++ b/source4/libcli/smb2/request.c @@ -78,9 +78,11 @@ struct smb2_request *smb2_request_init(struct smb2_transport *transport, uint16_ req = talloc(transport, struct smb2_request); if (req == NULL) return NULL; - seqnum = transport->seqnum++; - if (seqnum == UINT64_MAX) { - seqnum = transport->seqnum++; + seqnum = transport->seqnum; + if (transport->credits.charge > 0) { + transport->seqnum += transport->credits.charge; + } else { + transport->seqnum += 1; } req->state = SMB2_REQUEST_INIT; @@ -131,7 +133,7 @@ struct smb2_request *smb2_request_init(struct smb2_transport *transport, uint16_ SIVAL(req->out.hdr, 0, SMB2_MAGIC); SSVAL(req->out.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY); - SSVAL(req->out.hdr, SMB2_HDR_EPOCH, 0); + SSVAL(req->out.hdr, SMB2_HDR_EPOCH, transport->credits.charge); SIVAL(req->out.hdr, SMB2_HDR_STATUS, 0); SSVAL(req->out.hdr, SMB2_HDR_OPCODE, opcode); SSVAL(req->out.hdr, SMB2_HDR_CREDIT, transport->credits.ask_num); diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h index eb231984df..6372cd805b 100644 --- a/source4/libcli/smb2/smb2.h +++ b/source4/libcli/smb2/smb2.h @@ -87,6 +87,7 @@ struct smb2_transport { } compound; struct { + uint16_t charge; uint16_t ask_num; } credits; diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c index 60522370b7..dffd1acd2b 100644 --- a/source4/libcli/smb2/transport.c +++ b/source4/libcli/smb2/transport.c @@ -84,6 +84,7 @@ struct smb2_transport *smb2_transport_init(struct smbcli_socket *sock, transport->socket = talloc_steal(transport, sock); transport->options = *options; + transport->credits.charge = 0; transport->credits.ask_num = 1; /* setup the stream -> packet parser */ @@ -552,6 +553,12 @@ void smb2_transport_credits_ask_num(struct smb2_transport *transport, transport->credits.ask_num = ask_num; } +void smb2_transport_credits_set_charge(struct smb2_transport *transport, + uint16_t charge) +{ + transport->credits.charge = charge; +} + static void idle_handler(struct tevent_context *ev, struct tevent_timer *te, struct timeval t, void *private_data) { diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index dbbabd6a6d..b89e238a1c 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -25,7 +25,7 @@ #include "lib/ldb/include/ldb_errors.h" #include "lib/ldb_wrap.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "librpc/gen_ndr/ndr_drsuapi_c.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_misc.h" diff --git a/source4/libnet/libnet_group.c b/source4/libnet/libnet_group.c index b0669640f3..9e7abe81b1 100644 --- a/source4/libnet/libnet_group.c +++ b/source4/libnet/libnet_group.c @@ -484,7 +484,7 @@ struct composite_context *libnet_GroupList_send(struct libnet_context *ctx, /* store the arguments in the state structure */ s->ctx = ctx; s->page_size = io->in.page_size; - s->resume_index = (uint32_t)io->in.resume_index; + s->resume_index = io->in.resume_index; s->domain_name = talloc_strdup(c, io->in.domain_name); s->monitor_fn = monitor; diff --git a/source4/libnet/libnet_group.h b/source4/libnet/libnet_group.h index b80d3449c8..8ac47437fd 100644 --- a/source4/libnet/libnet_group.h +++ b/source4/libnet/libnet_group.h @@ -58,11 +58,11 @@ struct libnet_GroupList { struct { const char *domain_name; int page_size; - uint resume_index; + uint32_t resume_index; } in; struct { int count; - uint resume_index; + uint32_t resume_index; struct grouplist { const char *sid; diff --git a/source4/libnet/libnet_samdump.c b/source4/libnet/libnet_samdump.c index 08a2295169..8092260515 100644 --- a/source4/libnet/libnet_samdump.c +++ b/source4/libnet/libnet_samdump.c @@ -25,6 +25,7 @@ #include "../lib/util/dlinklist.h" #include "samba3/samba3.h" #include "libcli/security/security.h" +#include "param/param.h" struct samdump_secret { diff --git a/source4/libnet/libnet_unbecome_dc.c b/source4/libnet/libnet_unbecome_dc.c index e0e5e42115..3bd7a4e287 100644 --- a/source4/libnet/libnet_unbecome_dc.c +++ b/source4/libnet/libnet_unbecome_dc.c @@ -25,7 +25,7 @@ #include "lib/ldb/include/ldb_errors.h" #include "lib/ldb_wrap.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "librpc/gen_ndr/ndr_drsuapi_c.h" #include "param/param.h" diff --git a/source4/libnet/libnet_user.c b/source4/libnet/libnet_user.c index 8606d0856e..dd4d501c17 100644 --- a/source4/libnet/libnet_user.c +++ b/source4/libnet/libnet_user.c @@ -945,7 +945,7 @@ struct composite_context* libnet_UserList_send(struct libnet_context *ctx, /* store the arguments in the state structure */ s->ctx = ctx; s->page_size = r->in.page_size; - s->resume_index = (uint32_t)r->in.resume_index; + s->resume_index = r->in.resume_index; s->domain_name = talloc_strdup(c, r->in.domain_name); s->monitor_fn = monitor; diff --git a/source4/libnet/libnet_user.h b/source4/libnet/libnet_user.h index 4aad654b3b..8203d14c33 100644 --- a/source4/libnet/libnet_user.h +++ b/source4/libnet/libnet_user.h @@ -140,11 +140,11 @@ struct libnet_UserList { struct { const char *domain_name; int page_size; - uint resume_index; + uint32_t resume_index; } in; struct { int count; - uint resume_index; + uint32_t resume_index; struct userlist { const char *sid; diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index 52c7f3e2d1..9cb2d7faf6 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -79,11 +79,6 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_WINSTATION_OBJ_FILES = $(gen_ndrsrcdir)/ndr_winstation.o -[SUBSYSTEM::NDR_ECHO] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_ECHO_OBJ_FILES = ../librpc/gen_ndr/ndr_echo.o - [SUBSYSTEM::NDR_IRPC] PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY NDR_NBT @@ -114,30 +109,23 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC NDR_ROT_OBJ_FILES = ../librpc/gen_ndr/ndr_rot.o -[SUBSYSTEM::NDR_LSA] -PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY - -NDR_LSA_OBJ_FILES = ../librpc/gen_ndr/ndr_lsa.o - -PUBLIC_HEADERS += ../librpc/gen_ndr/lsa.h - -[SUBSYSTEM::NDR_DFS] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_DFS_OBJ_FILES = ../librpc/gen_ndr/ndr_dfs.o - [SUBSYSTEM::NDR_FRSRPC] PUBLIC_DEPENDENCIES = LIBNDR -NDR_FRSRPC_OBJ_FILES = ../librpc/gen_ndr/ndr_frsrpc.o +NDR_FRSRPC_OBJ_FILES = ../librpc/gen_ndr/ndr_frsrpc.o ../librpc/ndr/ndr_frsrpc.o [SUBSYSTEM::NDR_FRSAPI] PUBLIC_DEPENDENCIES = LIBNDR NDR_FRSAPI_OBJ_FILES = ../librpc/gen_ndr/ndr_frsapi.o +[SUBSYSTEM::NDR_FRSTRANS] +PUBLIC_DEPENDENCIES = LIBNDR + +NDR_FRSTRANS_OBJ_FILES = ../librpc/gen_ndr/ndr_frstrans.o + [SUBSYSTEM::NDR_DRSUAPI] -PUBLIC_DEPENDENCIES = LIBNDR NDR_COMPRESSION NDR_SECURITY NDR_SAMR ASN1_UTIL +PUBLIC_DEPENDENCIES = LIBNDR NDR_COMPRESSION NDR_SECURITY NDR_STANDARD ASN1_UTIL NDR_DRSUAPI_OBJ_FILES = ../librpc/gen_ndr/ndr_drsuapi.o ../librpc/ndr/ndr_drsuapi.o @@ -161,13 +149,6 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY NDR_UNIXINFO_OBJ_FILES = ../librpc/gen_ndr/ndr_unixinfo.o -[SUBSYSTEM::NDR_SAMR] -PUBLIC_DEPENDENCIES = LIBNDR NDR_LSA NDR_SECURITY - -NDR_SAMR_OBJ_FILES = ../librpc/gen_ndr/ndr_samr.o - -PUBLIC_HEADERS += $(addprefix ../librpc/gen_ndr/, samr.h ndr_samr.h ndr_samr_c.h) - [SUBSYSTEM::NDR_NFS4ACL] PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY @@ -182,35 +163,6 @@ NDR_SPOOLSS_OBJ_FILES = ../librpc/gen_ndr/ndr_spoolss.o NDR_SPOOLSS_BUF_OBJ_FILES = ../librpc/ndr/ndr_spoolss_buf.o -[SUBSYSTEM::NDR_WKSSVC] -PUBLIC_DEPENDENCIES = LIBNDR NDR_SRVSVC NDR_SECURITY - -NDR_WKSSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_wkssvc.o - -[SUBSYSTEM::NDR_SRVSVC] -PUBLIC_DEPENDENCIES = LIBNDR NDR_SVCCTL NDR_SECURITY - -NDR_SRVSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_srvsvc.o - -[SUBSYSTEM::NDR_SVCCTL] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_SVCCTL_OBJ_FILES = ../librpc/gen_ndr/ndr_svcctl.o ../librpc/ndr/ndr_svcctl.o - -PUBLIC_HEADERS += $(addprefix ../librpc/gen_ndr/, ndr_svcctl.h svcctl.h) - -[SUBSYSTEM::NDR_ATSVC] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_ATSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_atsvc.o - -PUBLIC_HEADERS += $(addprefix ../librpc/gen_ndr/, atsvc.h ndr_atsvc.h) - -[SUBSYSTEM::NDR_EVENTLOG] -PUBLIC_DEPENDENCIES = LIBNDR NDR_LSA - -NDR_EVENTLOG_OBJ_FILES = ../librpc/gen_ndr/ndr_eventlog.o - [SUBSYSTEM::NDR_EPMAPPER] PUBLIC_DEPENDENCIES = LIBNDR @@ -236,16 +188,6 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_WINS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_wins.o -[SUBSYSTEM::NDR_WINREG] -PUBLIC_DEPENDENCIES = LIBNDR NDR_INITSHUTDOWN NDR_SECURITY - -NDR_WINREG_OBJ_FILES = ../librpc/gen_ndr/ndr_winreg.o - -[SUBSYSTEM::NDR_INITSHUTDOWN] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_INITSHUTDOWN_OBJ_FILES = ../librpc/gen_ndr/ndr_initshutdown.o - [SUBSYSTEM::NDR_MGMT] PUBLIC_DEPENDENCIES = LIBNDR @@ -291,18 +233,6 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_SCERPC_OBJ_FILES = ../librpc/gen_ndr/ndr_scerpc.o -[SUBSYSTEM::NDR_NTSVCS] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_NTSVCS_OBJ_FILES = ../librpc/gen_ndr/ndr_ntsvcs.o - -[SUBSYSTEM::NDR_NETLOGON] -PUBLIC_DEPENDENCIES = LIBNDR NDR_SAMR NDR_LSA NDR_SECURITY - -NDR_NETLOGON_OBJ_FILES = ../librpc/gen_ndr/ndr_netlogon.o ../librpc/ndr/ndr_netlogon.o - -PUBLIC_HEADERS += ../librpc/gen_ndr/netlogon.h - [SUBSYSTEM::NDR_TRKWKS] PUBLIC_DEPENDENCIES = LIBNDR @@ -314,7 +244,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_KEYSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_keysvc.o [SUBSYSTEM::NDR_KRB5PAC] -PUBLIC_DEPENDENCIES = LIBNDR NDR_NETLOGON NDR_SECURITY +PUBLIC_DEPENDENCIES = LIBNDR NDR_STANDARD NDR_SECURITY NDR_KRB5PAC_OBJ_FILES = ../librpc/gen_ndr/ndr_krb5pac.o ../librpc/ndr/ndr_krb5pac.o @@ -339,7 +269,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT NDR_SCHANNEL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_schannel.o [SUBSYSTEM::NDR_NBT] -PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT_BUF NDR_SVCCTL NDR_SECURITY NDR_SAMR LIBCLI_NDR_NETLOGON +PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT_BUF NDR_SECURITY NDR_STANDARD LIBCLI_NDR_NETLOGON NDR_NBT_OBJ_FILES = ../librpc/gen_ndr/ndr_nbt.o @@ -356,7 +286,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT NDR_WINSREPL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_winsrepl.o [SUBSYSTEM::NDR_WINBIND] -PUBLIC_DEPENDENCIES = LIBNDR NDR_NETLOGON +PUBLIC_DEPENDENCIES = LIBNDR NDR_STANDARD NDR_WINBIND_OBJ_FILES = $(gen_ndrsrcdir)/ndr_winbind.o #PUBLIC_HEADERS += $(gen_ndrsrcdir)/winbind.h @@ -374,18 +304,48 @@ $(gen_ndrsrcdir)/tables.c: $(IDL_NDR_PARSE_H_FILES) @$(PERL) ../librpc/tables.pl --output=$@ $^ > $(gen_ndrsrcdir)/tables.x @mv $(gen_ndrsrcdir)/tables.x $@ +[LIBRARY::NDR_STANDARD] +PUBLIC_DEPENDENCIES = LIBNDR +PRIVATE_DEPENDENCIES = NDR_SECURITY + +NDR_STANDARD_OBJ_FILES = ../librpc/gen_ndr/ndr_echo.o \ + ../librpc/gen_ndr/ndr_lsa.o \ + ../librpc/gen_ndr/ndr_samr.o \ + ../librpc/gen_ndr/ndr_netlogon.o \ + ../librpc/ndr/ndr_netlogon.o \ + ../librpc/gen_ndr/ndr_dfs.o \ + ../librpc/gen_ndr/ndr_atsvc.o \ + ../librpc/gen_ndr/ndr_wkssvc.o \ + ../librpc/gen_ndr/ndr_srvsvc.o \ + ../librpc/gen_ndr/ndr_svcctl.o \ + ../librpc/ndr/ndr_svcctl.o \ + ../librpc/gen_ndr/ndr_winreg.o \ + ../librpc/gen_ndr/ndr_initshutdown.o \ + ../librpc/gen_ndr/ndr_eventlog.o \ + ../librpc/gen_ndr/ndr_ntsvcs.o + +PC_FILES += $(librpcsrcdir)/ndr_standard.pc + +PUBLIC_HEADERS += $(addprefix ../librpc/gen_ndr/, samr.h ndr_samr.h lsa.h netlogon.h atsvc.h ndr_atsvc.h ndr_svcctl.h svcctl.h) + +NDR_STANDARD_VERSION = 0.0.1 +NDR_STANDARD_SOVERSION = 0 + [SUBSYSTEM::NDR_TABLE] PUBLIC_DEPENDENCIES = \ - NDR_AUDIOSRV NDR_ECHO NDR_DCERPC \ - NDR_DSBACKUP NDR_EFS NDR_LSA NDR_DFS NDR_DRSUAPI \ - NDR_POLICYAGENT NDR_UNIXINFO NDR_SAMR NDR_SPOOLSS NDR_WKSSVC NDR_SRVSVC NDR_ATSVC \ - NDR_EVENTLOG NDR_EPMAPPER NDR_DBGIDL NDR_DSSETUP NDR_MSGSVC NDR_WINS \ - NDR_WINREG NDR_MGMT NDR_PROTECTED_STORAGE NDR_OXIDRESOLVER \ - NDR_REMACT NDR_WZCSVC NDR_BROWSER NDR_W32TIME NDR_SCERPC NDR_NTSVCS \ - NDR_NETLOGON NDR_TRKWKS NDR_KEYSVC NDR_KRB5PAC NDR_XATTR NDR_SCHANNEL \ - NDR_ROT NDR_DRSBLOBS NDR_SVCCTL NDR_NBT NDR_WINSREPL NDR_SECURITY \ - NDR_INITSHUTDOWN NDR_DNSSERVER NDR_WINSTATION NDR_IRPC NDR_OPENDB \ - NDR_SASL_HELPERS NDR_NOTIFY NDR_WINBIND NDR_FRSRPC NDR_FRSAPI NDR_NFS4ACL NDR_NTP_SIGND \ + NDR_STANDARD \ + NDR_AUDIOSRV \ + NDR_DSBACKUP NDR_EFS NDR_DRSUAPI \ + NDR_POLICYAGENT NDR_UNIXINFO NDR_SPOOLSS \ + NDR_EPMAPPER NDR_DBGIDL NDR_DSSETUP NDR_MSGSVC NDR_WINS \ + NDR_MGMT NDR_PROTECTED_STORAGE NDR_OXIDRESOLVER \ + NDR_REMACT NDR_WZCSVC NDR_BROWSER NDR_W32TIME NDR_SCERPC \ + NDR_TRKWKS NDR_KEYSVC NDR_KRB5PAC NDR_XATTR NDR_SCHANNEL \ + NDR_ROT NDR_DRSBLOBS NDR_NBT NDR_WINSREPL NDR_SECURITY \ + NDR_DNSSERVER NDR_WINSTATION NDR_IRPC NDR_OPENDB \ + NDR_SASL_HELPERS NDR_NOTIFY NDR_WINBIND \ + NDR_FRSRPC NDR_FRSAPI NDR_FRSTRANS \ + NDR_NFS4ACL NDR_NTP_SIGND \ NDR_DCOM NDR_WMI NDR_NAMED_PIPE_AUTH NDR_TABLE_OBJ_FILES = ../librpc/ndr/ndr_table.o $(gen_ndrsrcdir)/tables.o @@ -401,7 +361,7 @@ PUBLIC_DEPENDENCIES = NDR_AUDIOSRV dcerpc RPC_NDR_AUDIOSRV_OBJ_FILES = ../librpc/gen_ndr/ndr_audiosrv_c.o [SUBSYSTEM::RPC_NDR_ECHO] -PUBLIC_DEPENDENCIES = dcerpc NDR_ECHO +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_ECHO_OBJ_FILES = ../librpc/gen_ndr/ndr_echo_c.o @@ -416,12 +376,12 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_EFS RPC_NDR_EFS_OBJ_FILES = ../librpc/gen_ndr/ndr_efs_c.o [SUBSYSTEM::RPC_NDR_LSA] -PUBLIC_DEPENDENCIES = dcerpc NDR_LSA +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_LSA_OBJ_FILES = ../librpc/gen_ndr/ndr_lsa_c.o [SUBSYSTEM::RPC_NDR_DFS] -PUBLIC_DEPENDENCIES = dcerpc NDR_DFS +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_DFS_OBJ_FILES = ../librpc/gen_ndr/ndr_dfs_c.o @@ -456,7 +416,7 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_IRPC RPC_NDR_IRPC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_irpc_c.o [LIBRARY::dcerpc_samr] -PUBLIC_DEPENDENCIES = dcerpc NDR_SAMR +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD PC_FILES += $(librpcsrcdir)/dcerpc_samr.pc @@ -464,13 +424,15 @@ dcerpc_samr_VERSION = 0.0.1 dcerpc_samr_SOVERSION = 0 dcerpc_samr_OBJ_FILES = ../librpc/gen_ndr/ndr_samr_c.o +PUBLIC_HEADERS += ../librpc/gen_ndr/ndr_samr_c.h + [SUBSYSTEM::RPC_NDR_SPOOLSS] PUBLIC_DEPENDENCIES = dcerpc NDR_SPOOLSS RPC_NDR_SPOOLSS_OBJ_FILES = ../librpc/gen_ndr/ndr_spoolss_c.o [SUBSYSTEM::RPC_NDR_WKSSVC] -PUBLIC_DEPENDENCIES = dcerpc NDR_WKSSVC +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_WKSSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_wkssvc_c.o @@ -480,14 +442,14 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_SRVSVC RPC_NDR_SRVSVC_OBJ_FILES = ../librpc/gen_ndr/ndr_srvsvc_c.o [SUBSYSTEM::RPC_NDR_SVCCTL] -PUBLIC_DEPENDENCIES = dcerpc NDR_SVCCTL +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_SVCCTL_OBJ_FILES = ../librpc/gen_ndr/ndr_svcctl_c.o PUBLIC_HEADERS += ../librpc/gen_ndr/ndr_svcctl_c.h [LIBRARY::dcerpc_atsvc] -PUBLIC_DEPENDENCIES = dcerpc NDR_ATSVC +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD dcerpc_atsvc_VERSION = 0.0.1 dcerpc_atsvc_SOVERSION = 0 @@ -498,7 +460,7 @@ PC_FILES += $(librpcsrcdir)/dcerpc_atsvc.pc PUBLIC_HEADERS += ../librpc/gen_ndr/ndr_atsvc_c.h [SUBSYSTEM::RPC_NDR_EVENTLOG] -PUBLIC_DEPENDENCIES = dcerpc NDR_EVENTLOG +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_EVENTLOG_OBJ_FILES = ../librpc/gen_ndr/ndr_eventlog_c.o @@ -528,12 +490,12 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_WINS RPC_NDR_WINS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_wins_c.o [SUBSYSTEM::RPC_NDR_WINREG] -PUBLIC_DEPENDENCIES = dcerpc NDR_WINREG +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_WINREG_OBJ_FILES = ../librpc/gen_ndr/ndr_winreg_c.o [SUBSYSTEM::RPC_NDR_INITSHUTDOWN] -PUBLIC_DEPENDENCIES = dcerpc NDR_INITSHUTDOWN +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_INITSHUTDOWN_OBJ_FILES = ../librpc/gen_ndr/ndr_initshutdown_c.o @@ -573,12 +535,12 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_SCERPC RPC_NDR_SCERPC_OBJ_FILES = ../librpc/gen_ndr/ndr_scerpc_c.o [SUBSYSTEM::RPC_NDR_NTSVCS] -PUBLIC_DEPENDENCIES = dcerpc NDR_NTSVCS +PUBLIC_DEPENDENCIES = dcerpc NDR_STANDARD RPC_NDR_NTSVCS_OBJ_FILES = ../librpc/gen_ndr/ndr_ntsvcs_c.o [SUBSYSTEM::RPC_NDR_NETLOGON] -PUBLIC_DEPENDENCIES = NDR_NETLOGON +PUBLIC_DEPENDENCIES = NDR_STANDARD RPC_NDR_NETLOGON_OBJ_FILES = ../librpc/gen_ndr/ndr_netlogon_c.o diff --git a/source4/ntptr/simple_ldb/ntptr_simple_ldb.c b/source4/ntptr/simple_ldb/ntptr_simple_ldb.c index 4ebbaaeffc..601f7902df 100644 --- a/source4/ntptr/simple_ldb/ntptr_simple_ldb.c +++ b/source4/ntptr/simple_ldb/ntptr_simple_ldb.c @@ -192,9 +192,12 @@ static WERROR sptr_GetPrintServerData(struct ntptr_GenericHandle *server, TALLOC os_ex.major = server_info->version_major; os_ex.minor = server_info->version_minor; os_ex.build = server_info->version_build; - os_ex.extra_string = ""; - os_ex.unknown2 = 0; - os_ex.unknown3 = 0; + os_ex.extra_string = ""; + os_ex.service_pack_major= 0; + os_ex.service_pack_minor= 0; + os_ex.suite_mask = 0; + os_ex.product_type = 0; + os_ex.reserved = 0; ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(server->ntptr->lp_ctx), &os_ex, (ndr_push_flags_fn_t)ndr_push_spoolss_OSVersionEx); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { diff --git a/source4/ntvfs/ipc/vfs_ipc.c b/source4/ntvfs/ipc/vfs_ipc.c index 20b00f24e3..95ad1c51fb 100644 --- a/source4/ntvfs/ipc/vfs_ipc.c +++ b/source4/ntvfs/ipc/vfs_ipc.c @@ -258,7 +258,8 @@ static NTSTATUS ipc_open_generic(struct ntvfs_module_context *ntvfs, one of the interfaces attached to this pipe endpoint. */ ep_description->transport = NCACN_NP; - ep_description->endpoint = talloc_reference(ep_description, p->pipe_name); + ep_description->endpoint = talloc_strdup(ep_description, p->pipe_name); + NT_STATUS_HAVE_NO_MEMORY(ep_description->endpoint); /* The session info is refcount-increased in the * dcesrv_endpoint_search_connect() function diff --git a/source4/ntvfs/posix/pvfs_resolve.c b/source4/ntvfs/posix/pvfs_resolve.c index c33323350e..8e8da72e1f 100644 --- a/source4/ntvfs/posix/pvfs_resolve.c +++ b/source4/ntvfs/posix/pvfs_resolve.c @@ -796,7 +796,10 @@ NTSTATUS pvfs_resolve_parent(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx, (*name)->has_wildcard = false; /* we can't get the correct 'original_name', but for the purposes of this call this is close enough */ - (*name)->original_name = talloc_reference(*name, child->original_name); + (*name)->original_name = talloc_strdup(*name, child->original_name); + if ((*name)->original_name == NULL) { + return NT_STATUS_NO_MEMORY; + } (*name)->stream_name = NULL; (*name)->stream_id = 0; diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c index 3ef341d61a..97c306f7c3 100644 --- a/source4/ntvfs/unixuid/vfs_unixuid.c +++ b/source4/ntvfs/unixuid/vfs_unixuid.c @@ -310,9 +310,9 @@ static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs, return NT_STATUS_INTERNAL_ERROR; } - ntvfs->private_data = priv; priv->last_sec_ctx = NULL; priv->last_token = NULL; + ntvfs->private_data = priv; tevent_loop_set_nesting_hook(ntvfs->ctx->event_ctx, unixuid_event_nesting_hook, diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk index f3dc074125..32669db37a 100644 --- a/source4/rpc_server/config.mk +++ b/source4/rpc_server/config.mk @@ -19,7 +19,7 @@ PUBLIC_HEADERS += $(rpc_serversrcdir)/common/common.h [MODULE::dcerpc_rpcecho] INIT_FUNCTION = dcerpc_server_rpcecho_init SUBSYSTEM = dcerpc_server -PRIVATE_DEPENDENCIES = NDR_ECHO LIBEVENTS +PRIVATE_DEPENDENCIES = NDR_STANDARD LIBEVENTS # End MODULE dcerpc_rpcecho ################################################ @@ -69,7 +69,7 @@ $(eval $(call proto_header_template,$(rpc_serversrcdir)/srvsvc/proto.h,$(dcerpc_ INIT_FUNCTION = dcerpc_server_wkssvc_init SUBSYSTEM = dcerpc_server PRIVATE_DEPENDENCIES = \ - DCERPC_COMMON NDR_WKSSVC + DCERPC_COMMON NDR_STANDARD # End MODULE dcerpc_wkssvc ################################################ @@ -99,7 +99,7 @@ SUBSYSTEM = dcerpc_server PRIVATE_DEPENDENCIES = \ SAMDB \ DCERPC_COMMON \ - NDR_SAMR + NDR_STANDARD # End MODULE dcesrv_samr ################################################ @@ -114,7 +114,7 @@ INIT_FUNCTION = dcerpc_server_winreg_init SUBSYSTEM = dcerpc_server OUTPUT_TYPE = MERGED_OBJ PRIVATE_DEPENDENCIES = \ - registry NDR_WINREG + registry NDR_STANDARD # End MODULE dcerpc_winreg ################################################ @@ -128,7 +128,7 @@ SUBSYSTEM = dcerpc_server PRIVATE_DEPENDENCIES = \ DCERPC_COMMON \ SCHANNELDB \ - NDR_NETLOGON \ + NDR_STANDARD \ auth_sam \ LIBSAMBA-HOSTCONFIG # End MODULE dcerpc_netlogon @@ -144,7 +144,7 @@ SUBSYSTEM = dcerpc_server PRIVATE_DEPENDENCIES = \ SAMDB \ DCERPC_COMMON \ - NDR_LSA \ + NDR_STANDARD \ LIBCLI_AUTH \ NDR_DSSETUP # End MODULE dcerpc_lsa diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index cbadf654fb..2b4a891556 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -1378,7 +1378,7 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_ = samdb_result_uint(msg, "posixOffset", 0); return fill_trust_domain_ex(mem_ctx, msg, &info->full_info2_internal.info.info_ex); - case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES: + case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES: info->enc_types.enc_types = samdb_result_uint(msg, "msDs-supportedEncryptionTypes", KERB_ENCTYPE_RC4_HMAC_MD5); break; diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c index dc47d3783a..005c7d4f06 100644 --- a/source4/rpc_server/lsa/lsa_lookup.c +++ b/source4/rpc_server/lsa/lsa_lookup.c @@ -394,7 +394,7 @@ static NTSTATUS dcesrv_lsa_lookup_name(struct tevent_context *ev_ctx, atype = samdb_result_uint(res[i], "sAMAccountType", 0); - *rtype = samdb_atype_map(atype); + *rtype = ds_atype_map(atype); if (*rtype == SID_NAME_UNKNOWN) { return STATUS_SOME_UNMAPPED; } @@ -503,7 +503,7 @@ static NTSTATUS dcesrv_lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX atype = samdb_result_uint(res[0], "sAMAccountType", 0); - *rtype = samdb_atype_map(atype); + *rtype = ds_atype_map(atype); return NT_STATUS_OK; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dc2d078d6b..2095bf6fa5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -27,7 +27,7 @@ #include "auth/auth.h" #include "auth/auth_sam_reply.h" #include "dsdb/samdb/samdb.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "rpc_server/samr/proto.h" #include "../lib/util/util_ldb.h" #include "libcli/auth/libcli_auth.h" @@ -151,8 +151,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca } /* pull the user attributes */ - num_records = gendb_search((struct ldb_context *)sam_ctx, - mem_ctx, NULL, &msgs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, trust_dom_attrs, "(&(trustPartner=%s)(objectclass=trustedDomain))", encoded_account); @@ -184,8 +183,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca } /* pull the user attributes */ - num_records = gendb_search((struct ldb_context *)sam_ctx, mem_ctx, - NULL, &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", ldb_binary_encode_string(mem_ctx, account_name)); @@ -852,7 +850,7 @@ static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_C struct netr_GetDcName *r) { const char * const attrs[] = { NULL }; - void *sam_ctx; + struct ldb_context *sam_ctx; struct ldb_message **res; struct ldb_dn *domain_dn; int ret; @@ -865,13 +863,13 @@ static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_C return WERR_DS_SERVICE_UNAVAILABLE; } - domain_dn = samdb_domain_to_dn((struct ldb_context *)sam_ctx, mem_ctx, + domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx, r->in.domainname); if (domain_dn == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } - ret = gendb_search_dn((struct ldb_context *)sam_ctx, mem_ctx, + ret = gendb_search_dn(sam_ctx, mem_ctx, domain_dn, &res, attrs); if (ret != 1) { return WERR_NO_SUCH_DOMAIN; @@ -1401,7 +1399,7 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce struct netr_DsrEnumerateDomainTrusts *r) { struct netr_DomainTrustList *trusts; - void *sam_ctx; + struct ldb_context *sam_ctx; int ret; struct ldb_message **dom_res; const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL }; @@ -1413,7 +1411,7 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce return WERR_GENERAL_FAILURE; } - ret = gendb_search_dn((struct ldb_context *)sam_ctx, mem_ctx, NULL, + ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs); if (ret == -1) { return WERR_GENERAL_FAILURE; diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 03acf97cab..c755601230 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -29,7 +29,7 @@ #include "system/time.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "dsdb/samdb/samdb.h" #include "libcli/ldap/ldap_ndr.h" #include "libcli/security/security.h" @@ -1360,7 +1360,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)); - user_account_control |= samdb_acb2uf(r->in.acct_flags); + user_account_control |= ds_acb2uf(r->in.acct_flags); talloc_free(msg); msg = ldb_msg_new(mem_ctx); @@ -1876,7 +1876,7 @@ static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALL continue; } - rtype = samdb_atype_map(atype); + rtype = ds_atype_map(atype); if (rtype == SID_NAME_UNKNOWN) { status = STATUS_SOME_UNMAPPED; @@ -1962,7 +1962,7 @@ static NTSTATUS dcesrv_samr_LookupRids(struct dcesrv_call_state *dce_call, TALLO continue; } - ids[i] = samdb_atype_map(atype); + ids[i] = ds_atype_map(atype); if (ids[i] == SID_NAME_UNKNOWN) { status = STATUS_SOME_UNMAPPED; diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index ec83cbfdc9..6f12d2f119 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -26,7 +26,7 @@ #include "rpc_server/samr/dcesrv_samr.h" #include "system/time.h" #include "../lib/crypto/crypto.h" -#include "dsdb/common/flags.h" +#include "../libds/common/flags.h" #include "libcli/ldap/ldap.h" #include "dsdb/samdb/samdb.h" #include "auth/auth.h" diff --git a/source4/script/installmisc.sh b/source4/script/installmisc.sh index 2bd34b119f..0666ae1ade 100755 --- a/source4/script/installmisc.sh +++ b/source4/script/installmisc.sh @@ -8,11 +8,15 @@ cd $SRCDIR || exit 1 echo "Installing setup templates" mkdir -p $SETUPDIR || exit 1 +mkdir -p $SETUPDIR/ad-schema || exit 1 +cp setup/ad-schema/*.txt $SETUPDIR/ad-schema || exit 1 +for p in enableaccount newuser provision provision-backend setexpiry setpassword +do + chmod 0555 setup/$p + cp setup/$p $SETUPDIR || exit 1 +done cp setup/schema-map-* $SETUPDIR || exit 1 cp setup/DB_CONFIG $SETUPDIR || exit 1 -cp setup/provision-backend $SETUPDIR || exit 1 -cp setup/provision $SETUPDIR || exit 1 -cp setup/newuser $SETUPDIR || exit 1 cp setup/*.inf $SETUPDIR || exit 1 cp setup/*.ldif $SETUPDIR || exit 1 cp setup/*.reg $SETUPDIR || exit 1 diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c index 5816d9637d..0869d2feac 100644 --- a/source4/scripting/python/pyglue.c +++ b/source4/scripting/python/pyglue.c @@ -46,6 +46,15 @@ } */\ ldb = PyLdb_AsLdbContext(py_ldb); +static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_ctx) +{ + if (ret == LDB_ERR_PYTHON_EXCEPTION) + return; /* Python exception should already be set, just keep that */ + + PyErr_SetObject(error, + Py_BuildValue(discard_const_p(char, "(i,s)"), ret, + ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx))); +} static PyObject *py_ldb_get_exception(void) { @@ -204,6 +213,63 @@ static PyObject *py_dsdb_set_ntds_invocation_id(PyObject *self, PyObject *args) Py_RETURN_NONE; } +static PyObject *py_dsdb_set_opaque_integer(PyObject *self, PyObject *args) +{ + PyObject *py_ldb; + int value; + int *old_val, *new_val; + char *py_opaque_name, *opaque_name_talloc; + struct ldb_context *ldb; + TALLOC_CTX *tmp_ctx; + + if (!PyArg_ParseTuple(args, "Osi", &py_ldb, &py_opaque_name, &value)) + return NULL; + + PyErr_LDB_OR_RAISE(py_ldb, ldb); + + /* see if we have a cached copy */ + old_val = (int *)ldb_get_opaque(ldb, + py_opaque_name); + + if (old_val) { + *old_val = value; + Py_RETURN_NONE; + } + + tmp_ctx = talloc_new(ldb); + if (tmp_ctx == NULL) { + goto failed; + } + + new_val = talloc(tmp_ctx, int); + if (!new_val) { + goto failed; + } + + opaque_name_talloc = talloc_strdup(tmp_ctx, py_opaque_name); + if (!opaque_name_talloc) { + goto failed; + } + + *new_val = value; + + /* cache the domain_sid in the ldb */ + if (ldb_set_opaque(ldb, opaque_name_talloc, new_val) != LDB_SUCCESS) { + goto failed; + } + + talloc_steal(ldb, new_val); + talloc_steal(ldb, opaque_name_talloc); + talloc_free(tmp_ctx); + + Py_RETURN_NONE; + +failed: + talloc_free(tmp_ctx); + PyErr_SetString(PyExc_RuntimeError, "Failed to set opaque integer into the ldb!\n"); + return NULL; +} + static PyObject *py_dsdb_set_global_schema(PyObject *self, PyObject *args) { PyObject *py_ldb; @@ -284,6 +350,8 @@ static PyMethodDef py_misc_methods[] = { "Register Samba-specific LDB modules and schemas." }, { "dsdb_set_ntds_invocation_id", (PyCFunction)py_dsdb_set_ntds_invocation_id, METH_VARARGS, NULL }, + { "dsdb_set_opaque_integer", (PyCFunction)py_dsdb_set_opaque_integer, METH_VARARGS, + NULL }, { "dsdb_set_global_schema", (PyCFunction)py_dsdb_set_global_schema, METH_VARARGS, NULL }, { "dsdb_attach_schema_from_ldif", (PyCFunction)py_dsdb_attach_schema_from_ldif, METH_VARARGS, @@ -303,5 +371,11 @@ void initglue(void) return; PyModule_AddObject(m, "version", PyString_FromString(SAMBA_VERSION_STRING)); + + PyModule_AddObject(m, "DS_BEHAVIOR_WIN2000", PyInt_FromLong(DS_BEHAVIOR_WIN2000)); + PyModule_AddObject(m, "DS_BEHAVIOR_WIN2003_INTERIM", PyInt_FromLong(DS_BEHAVIOR_WIN2003_INTERIM)); + PyModule_AddObject(m, "DS_BEHAVIOR_WIN2003", PyInt_FromLong(DS_BEHAVIOR_WIN2003)); + PyModule_AddObject(m, "DS_BEHAVIOR_WIN2008", PyInt_FromLong(DS_BEHAVIOR_WIN2008)); + } diff --git a/source4/scripting/python/samba/__init__.py b/source4/scripting/python/samba/__init__.py index 60a7919136..164803bb65 100644 --- a/source4/scripting/python/samba/__init__.py +++ b/source4/scripting/python/samba/__init__.py @@ -42,7 +42,6 @@ else: import ldb -import credentials import glue class Ldb(ldb.Ldb): @@ -73,6 +72,8 @@ class Ldb(ldb.Ldb): self.set_modules_dir(modules_dir) elif default_ldb_modules_dir is not None: self.set_modules_dir(default_ldb_modules_dir) + elif lp is not None: + self.set_modules_dir(os.path.join(lp.get("modules dir"), "ldb")) if credentials is not None: self.set_credentials(credentials) @@ -242,3 +243,8 @@ def valid_netbios_name(name): return True version = glue.version + +DS_BEHAVIOR_WIN2000 = glue.DS_BEHAVIOR_WIN2000 +DS_BEHAVIOR_WIN2003_INTERIM = glue.DS_BEHAVIOR_WIN2003_INTERIM +DS_BEHAVIOR_WIN2003 = glue.DS_BEHAVIOR_WIN2003 +DS_BEHAVIOR_WIN2008 = glue.DS_BEHAVIOR_WIN2008 diff --git a/source4/scripting/python/samba/getopt.py b/source4/scripting/python/samba/getopt.py index c12245f6c5..8b756b2d6f 100644 --- a/source4/scripting/python/samba/getopt.py +++ b/source4/scripting/python/samba/getopt.py @@ -20,7 +20,7 @@ """Support for parsing Samba-related command-line options.""" import optparse -from credentials import Credentials, AUTO_USE_KERBEROS, DONT_USE_KERBEROS, MUST_USE_KERBEROS +from credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS from hostconfig import Hostconfig __docformat__ = "restructuredText" diff --git a/source4/scripting/python/samba/idmap.py b/source4/scripting/python/samba/idmap.py index f8eeb18925..ee79be1af9 100644 --- a/source4/scripting/python/samba/idmap.py +++ b/source4/scripting/python/samba/idmap.py @@ -23,8 +23,6 @@ __docformat__ = "restructuredText" import samba -import glue -import ldb class IDmapDB(samba.Ldb): """The IDmap database.""" diff --git a/source4/scripting/python/samba/ms_schema.py b/source4/scripting/python/samba/ms_schema.py index 2e8050e503..a0abc337ce 100644 --- a/source4/scripting/python/samba/ms_schema.py +++ b/source4/scripting/python/samba/ms_schema.py @@ -226,6 +226,7 @@ def __transform_entry(entry, objectClass): assert(cn) entry.insert(0, ["dn", "CN=%s,${SCHEMADN}" % cn]) entry.insert(1, ["objectClass", ["top", objectClass]]) + entry.insert(2, ["cn", cn]) for l in entry: key = l[0].lower() diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 189c93a1fc..8a7ed6a86e 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -37,13 +37,13 @@ import param import registry import samba from auth import system_session -from samba import Ldb, substitute_var, valid_netbios_name, check_all_substituted +from samba import version, Ldb, substitute_var, valid_netbios_name, check_all_substituted, \ + DS_BEHAVIOR_WIN2008 from samba.samdb import SamDB from samba.idmap import IDmapDB from samba.dcerpc import security import urllib -from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, \ - timestring, CHANGETYPE_MODIFY, CHANGETYPE_NONE +from ldb import SCOPE_SUBTREE, LdbError, timestring from ms_schema import read_ms_schema __docformat__ = "restructuredText" @@ -729,7 +729,7 @@ def setup_samdb_rootdse(samdb, setup_path, names): def setup_self_join(samdb, names, machinepass, dnspass, domainsid, invocationid, setup_path, - policyguid): + policyguid, domainControllerFunctionality): """Join a host to its own domain.""" assert isinstance(invocationid, str) setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), { @@ -745,7 +745,9 @@ def setup_self_join(samdb, names, "DNSPASS_B64": b64encode(dnspass), "REALM": names.realm, "DOMAIN": names.domain, - "DNSDOMAIN": names.dnsdomain}) + "DNSDOMAIN": names.dnsdomain, + "SAMBA_VERSION_STRING": version, + "DOMAIN_CONTROLLER_FUNCTIONALITY": str(domainControllerFunctionality)}) setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), { "POLICYGUID": policyguid, "DNSDOMAIN": names.dnsdomain, @@ -765,6 +767,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, :note: This will wipe the main SAM database file! """ + domainFunctionality = DS_BEHAVIOR_WIN2008 + forestFunctionality = DS_BEHAVIOR_WIN2008 + domainControllerFunctionality = DS_BEHAVIOR_WIN2008 + erase = (fill != FILL_DRS) # Also wipes the database @@ -780,6 +786,11 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, return samdb message("Pre-loading the Samba 4 and AD schema") + + samdb.set_opaque_integer("domainFunctionality", domainFunctionality) + samdb.set_opaque_integer("forestFunctionality", forestFunctionality) + samdb.set_opaque_integer("domainControllerFunctionality", domainControllerFunctionality) + samdb.set_domain_sid(str(domainsid)) if serverrole == "domain controller": samdb.set_invocation_id(invocationid) @@ -818,6 +829,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, "POLICYGUID": policyguid, "DOMAINDN": names.domaindn, "DOMAINGUID_MOD": domainguid_mod, + "DOMAIN_FUNCTIONALITY": str(domainFunctionality) }) message("Adding configuration container (permitted to fail)") @@ -864,7 +876,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, "DOMAIN": names.domain, "SCHEMADN": names.schemadn, "DOMAINDN": names.domaindn, - "SERVERDN": names.serverdn + "SERVERDN": names.serverdn, + "FOREST_FUNCTIONALALITY": str(forestFunctionality) }) message("Setting up display specifiers") @@ -908,7 +921,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, dnspass=dnspass, machinepass=machinepass, domainsid=domainsid, policyguid=policyguid, - setup_path=setup_path) + setup_path=setup_path, domainControllerFunctionality=domainControllerFunctionality) except: samdb.transaction_cancel() diff --git a/source4/scripting/python/samba/samba3.py b/source4/scripting/python/samba/samba3.py index c8ddbc8864..179efa2700 100644 --- a/source4/scripting/python/samba/samba3.py +++ b/source4/scripting/python/samba/samba3.py @@ -502,7 +502,7 @@ TDBSAM_USER_PREFIX = "USER_" class LdapSam(object): """Samba 3 LDAP passdb backend reader.""" def __init__(self, url): - self.ldap_url = ldap_url + self.ldap_url = url class TdbSam(TdbDatabase): @@ -692,7 +692,7 @@ class ParamFile(object): (k, v) = l.split("=", 1) self._sections[section][self._sanitize_name(k)] = v else: - raise Error("Unable to parser line %d: %r" % (i+1,l)) + raise Exception("Unable to parser line %d: %r" % (i+1,l)) def get(self, param, section=None): """Return the value of a parameter. diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index bc76cd3c5f..6cb2469846 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -231,6 +231,14 @@ userPassword:: %s """ glue.dsdb_set_ntds_invocation_id(self, invocation_id) + def set_opaque_integer(self, name, value): + """Set an integer as an opaque (a flag or other value) value on the database + + :param name: The name for the opaque value + :param value: The integer value + """ + glue.dsdb_set_opaque_integer(self, name, value) + def setexpiry(self, user, expiry_seconds, noexpiry): """Set the account expiry for a user diff --git a/source4/scripting/python/samba/tests/shares.py b/source4/scripting/python/samba/tests/shares.py new file mode 100644 index 0000000000..9130c36780 --- /dev/null +++ b/source4/scripting/python/samba/tests/shares.py @@ -0,0 +1,74 @@ +#!/usr/bin/python + +# Unix SMB/CIFS implementation. Tests for shares +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2009 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +from samba.shares import SharesContainer +from unittest import TestCase + + +class MockService(object): + + def __init__(self, data): + self.data = data + + def __getitem__(self, name): + return self.data[name] + + +class MockLoadParm(object): + + def __init__(self, data): + self.data = data + + def __getitem__(self, name): + return MockService(self.data[name]) + + def __contains__(self, name): + return name in self.data + + def __len__(self): + return len(self.data) + + def services(self): + return self.data.keys() + + +class ShareTests(TestCase): + + def _get_shares(self, conf): + return SharesContainer(MockLoadParm(conf)) + + def test_len_no_global(self): + shares = self._get_shares({}) + self.assertEquals(0, len(shares)) + + def test_iter(self): + self.assertEquals([], list(self._get_shares({}))) + self.assertEquals([], list(self._get_shares({"global":{}}))) + self.assertEquals(["bla"], list(self._get_shares({"global":{}, "bla":{}}))) + + def test_len(self): + shares = self._get_shares({"global": {}}) + self.assertEquals(0, len(shares)) + + def test_getitem_nonexistant(self): + shares = self._get_shares({"global": {}}) + self.assertRaises(KeyError, shares.__getitem__, "bla") + + def test_getitem_global(self): + shares = self._get_shares({"global": {}}) + self.assertRaises(KeyError, shares.__getitem__, "global") diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index 0c83604e82..81945525e6 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -9,17 +9,16 @@ __docformat__ = "restructuredText" -from provision import findnss, provision, FILL_DRS +from provision import provision, FILL_DRS import grp import ldb import time import pwd -import uuid import registry from samba import Ldb -from samba.samdb import SamDB +from samba.param import LoadParm -def import_sam_policy(samldb, samba3_policy, domaindn): +def import_sam_policy(samldb, policy, dn): """Import a Samba 3 policy database.""" samldb.modify_ldif(""" dn: %s @@ -394,7 +393,7 @@ def upgrade_smbconf(oldconf,mark): kept in the new configuration as "samba3:<name>" """ data = oldconf.data() - newconf = param_init() + newconf = LoadParm() for s in data: for p in data[s]: diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail index 91180418b8..68d406ab9b 100644 --- a/source4/selftest/knownfail +++ b/source4/selftest/knownfail @@ -40,6 +40,7 @@ rpc.netlogon.*.DatabaseRedo rpc.netlogon.*.ServerGetTrustInfo samba4.rpc.samr.passwords.pwdlastset # Not provided by Samba 4 yet samba4.rpc.samr.users.privileges +samba4.rpc.spoolss.printer # Not provided by Samba 4 yet base.charset.*.Testing partial surrogate .*net.api.delshare.* # DelShare isn't implemented yet rap.*netservergetinfo diff --git a/source4/setup/provision b/source4/setup/provision index 5cb851ceb7..d7fa6aa54f 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -22,9 +22,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -import getopt import optparse -import os import sys # Find right directory when running from source tree @@ -34,7 +32,6 @@ import samba from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session import samba.getopt as options -from samba import param from samba.provision import provision, FILL_FULL, FILL_NT4SYNC, FILL_DRS, find_setup_dir # how do we make this case insensitive?? @@ -121,7 +118,6 @@ if not opts.interactive and (opts.realm is None or opts.domain is None): if opts.interactive: from getpass import getpass - import readline import socket def ask(prompt, default=None): if default is not None: diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index e5b20d03e1..9f50b45dff 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -1,7 +1,28 @@ +dn: CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: builtinDomain +forceLogoff: -9223372036854775808 +lockoutDuration: -18000000000 +lockOutObservationWindow: -18000000000 +lockoutThreshold: 0 +maxPwdAge: -37108517437440 +minPwdAge: 0 +minPwdLength: 0 +modifiedCountAtLastProm: 0 +nextRid: 1000 +pwdProperties: 0 +pwdHistoryLength: 0 +objectSid: S-1-5-32 +serverState: 1 +uASCompat: 1 +modifiedCount: 1 +systemFlags: -1946157056 +isCriticalSystemObject: TRUE +showInAdvancedViewOnly: FALSE + dn: OU=Domain Controllers,${DOMAINDN} objectClass: top objectClass: organizationalUnit -cn: Domain Controllers description: Default container for domain controllers systemFlags: -1946157056 isCriticalSystemObject: TRUE @@ -10,82 +31,171 @@ showInAdvancedViewOnly: FALSE dn: CN=ForeignSecurityPrincipals,${DOMAINDN} objectClass: top objectClass: container -cn: ForeignSecurityPrincipals description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains systemFlags: -1946157056 isCriticalSystemObject: TRUE showInAdvancedViewOnly: FALSE +dn: CN=Infrastructure,${DOMAINDN} +objectClass: top +objectClass: infrastructureUpdate +systemFlags: -1946157056 +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} +isCriticalSystemObject: TRUE + +dn: CN=LostAndFound,${DOMAINDN} +objectClass: top +objectClass: lostAndFound +description: Default container for orphaned objects +systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=NTDS Quotas,${DOMAINDN} +objectClass: top +objectClass: msDS-QuotaContainer +description: Quota specifications container +msDS-TombstoneQuotaFactor: 100 +systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=Program Data,${DOMAINDN} +objectClass: top +objectClass: container +description: Default location for storage of application data. + +dn: CN=Microsoft,CN=Program Data,${DOMAINDN} +objectClass: top +objectClass: container +description: Default location for storage of Microsoft application data. + dn: CN=System,${DOMAINDN} objectClass: top objectClass: container -cn: System description: Builtin system settings systemFlags: -1946157056 isCriticalSystemObject: TRUE -dn: CN=RID Manager$,CN=System,${DOMAINDN} -objectclass: top -objectclass: rIDManager -cn: RID Manager$ +dn: CN=AdminSDHolder,CN=System,${DOMAINDN} +objectClass: top +objectClass: container systemFlags: -1946157056 isCriticalSystemObject: TRUE -fSMORoleOwner: CN=NTDS Settings,${SERVERDN} -rIDAvailablePool: 4611686014132423217 + +dn: CN=ComPartitions,CN=System,${DOMAINDN} +objectClass: top +objectClass: container +systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=ComPartitionSets,CN=System,${DOMAINDN} +objectClass: top +objectClass: container +systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=Default Domain Policy,CN=System,${DOMAINDN} +objectClass: top +objectClass: leaf +objectClass: domainPolicy +isCriticalSystemObject: TRUE + +dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN} +objectClass: top +objectClass: classStore +isCriticalSystemObject: TRUE + +dn: CN=Dfs-Configuration,CN=System,${DOMAINDN} +objectClass: top +objectClass: dfsConfiguration +isCriticalSystemObject: TRUE +showInAdvancedViewOnly: FALSE dn: CN=DomainUpdates,CN=System,${DOMAINDN} objectClass: top objectClass: container -cn: DomainUpdates + +dn: CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN} +objectClass: top +objectClass: container dn: CN=Windows2003Update,CN=DomainUpdates,CN=System,${DOMAINDN} objectClass: top objectClass: container -cn: Windows2003Update revision: 8 -dn: CN=Infrastructure,${DOMAINDN} -objectclass: top -objectclass: infrastructureUpdate -cn: Infrastructure +dn: CN=File Replication Service,CN=System,${DOMAINDN} +objectClass: top +objectClass: applicationSettings +objectClass: nTFRSSettings systemFlags: -1946157056 isCriticalSystemObject: TRUE -fSMORoleOwner: CN=NTDS Settings,${SERVERDN} -dn: CN=Builtin,${DOMAINDN} +dn: CN=FileLinks,CN=System,${DOMAINDN} objectClass: top -objectClass: builtinDomain -cn: Builtin -forceLogoff: -9223372036854775808 -lockoutDuration: -18000000000 -lockOutObservationWindow: -18000000000 -lockoutThreshold: 0 -maxPwdAge: -37108517437440 -minPwdAge: 0 -minPwdLength: 0 -modifiedCountAtLastProm: 0 -nextRid: 1000 -pwdProperties: 0 -pwdHistoryLength: 0 -objectSid: S-1-5-32 -serverState: 1 -uASCompat: 1 -modifiedCount: 1 +objectClass: fileLinkTracking +systemFlags: -1946157056 isCriticalSystemObject: TRUE -showInAdvancedViewOnly: FALSE + +dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,${DOMAINDN} +objectClass: top +objectClass: fileLinkTracking +objectClass: linkTrackObjectMoveTable +systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=VolumeTable,CN=FileLinks,CN=System,${DOMAINDN} +objectClass: top +objectClass: fileLinkTracking +objectClass: linkTrackVolumeTable systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=IP Security,CN=System,${DOMAINDN} +objectClass: top +objectClass: container +isCriticalSystemObject: TRUE + +dn: CN=Meetings,CN=System,${DOMAINDN} +objectClass: top +objectClass: container +isCriticalSystemObject: TRUE dn: CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container systemFlags: -1946157056 +isCriticalSystemObject: TRUE -dn: CN=IP Security,CN=System,${DOMAINDN} +dn: CN=RAS and IAS Servers Access Check,CN=System,${DOMAINDN} objectClass: top objectClass: container +systemFlags: -1946157056 +isCriticalSystemObject: TRUE -dn: CN=ComPartitionSets,CN=System,${DOMAINDN} +dn: CN=RID Manager$,CN=System,${DOMAINDN} +objectClass: top +objectClass: rIDManager +systemFlags: -1946157056 +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} +rIDAvailablePool: 4611686014132423217 +isCriticalSystemObject: TRUE + +dn: CN=RpcServices,CN=System,${DOMAINDN} objectClass: top objectClass: container +objectClass: rpcContainer systemFlags: -1946157056 +isCriticalSystemObject: TRUE + +dn: CN=Server,CN=System,${DOMAINDN} +objectClass: top +objectClass: securityObject +objectClass: samServer +systemFlags: -1946157056 +revision: 65543 +isCriticalSystemObject: TRUE +dn: CN=WinsockServices,CN=System,${DOMAINDN} +objectClass: top +objectClass: container +isCriticalSystemObject: TRUE diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif index a7f3ce985c..29ba75be98 100644 --- a/source4/setup/provision_basedn_modify.ldif +++ b/source4/setup/provision_basedn_modify.ldif @@ -47,10 +47,10 @@ replace: serverState serverState: 1 - replace: nTMixedDomain -nTMixedDomain: 1 +nTMixedDomain: 0 - replace: msDS-Behavior-Version -msDS-Behavior-Version: 0 +msDS-Behavior-Version: ${DOMAIN_FUNCTIONALITY} - replace: ridManagerReference ridManagerReference: CN=RID Manager$,CN=System,${DOMAINDN} @@ -67,9 +67,6 @@ fSMORoleOwner: CN=NTDS Settings,${SERVERDN} replace: systemFlags systemFlags: -1946157056 - -replace: isCriticalSystemObject -isCriticalSystemObject: TRUE -- replace: subRefs subRefs: ${CONFIGDN} - @@ -84,4 +81,7 @@ wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,${ wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN} wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,${DOMAINDN} - +replace: isCriticalSystemObject +isCriticalSystemObject: TRUE +- ${DOMAINGUID_MOD} diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif index 110c44c356..b3d9dc1fa8 100644 --- a/source4/setup/provision_computers_modify.ldif +++ b/source4/setup/provision_computers_modify.ldif @@ -3,11 +3,11 @@ changetype: modify replace: description description: Default container for upgraded computer accounts - -replace: showInAdvancedViewOnly -showInAdvancedViewOnly: FALSE -- replace: systemFlags systemFlags: -1946157056 - replace: isCriticalSystemObject isCriticalSystemObject: TRUE +- +replace: showInAdvancedViewOnly +showInAdvancedViewOnly: FALSE diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index e84ac8517e..4109c2236c 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -6,8 +6,9 @@ objectClass: top objectClass: crossRefContainer cn: Partitions systemFlags: -2147483648 -msDS-Behavior-Version: 0 +msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY} fSMORoleOwner: CN=NTDS Settings,${SERVERDN} +showInAdvancedViewOnly: TRUE dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN} objectClass: top diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif index d6a4659250..65ab1eaf5f 100644 --- a/source4/setup/provision_group_policy.ldif +++ b/source4/setup/provision_group_policy.ldif @@ -1,14 +1,3 @@ -dn: CN=Default Domain Policy,CN=System,${DOMAINDN} -objectClass: top -objectClass: leaf -objectClass: domainPolicy -isCriticalSystemObject: TRUE - -dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN} -objectClass: top -objectClass: classStore -isCriticalSystemObject: TRUE - dn: CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container diff --git a/source4/setup/provision_rootdse_add.ldif b/source4/setup/provision_rootdse_add.ldif index e4e4309a90..f9ee4e5904 100644 --- a/source4/setup/provision_rootdse_add.ldif +++ b/source4/setup/provision_rootdse_add.ldif @@ -11,9 +11,6 @@ supportedLDAPVersion: 2 dnsHostName: ${DNSNAME} ldapServiceName: ${DNSDOMAIN}:${NETBIOSNAME}$@${REALM} serverName: ${SERVERDN} -domainFunctionality: 0 -forestFunctionality: 0 -domainControllerFunctionality: 2 isSynchronized: FALSE vendorName: Samba Team (http://samba.org) supportedCapabilities: 1.2.840.113556.1.4.800 diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif index b7ca872319..da8c5b9e1d 100644 --- a/source4/setup/provision_self_join.ldif +++ b/source4/setup/provision_self_join.ldif @@ -13,9 +13,8 @@ primaryGroupID: 516 accountExpires: 9223372036854775807 sAMAccountName: ${NETBIOSNAME}$ operatingSystem: Samba -operatingSystemVersion: 4.0 +operatingSystemVersion: ${SAMBA_VERSION_STRING} dNSHostName: ${DNSNAME} -isCriticalSystemObject: TRUE userPassword:: ${MACHINEPASS_B64} servicePrincipalName: HOST/${DNSNAME} servicePrincipalName: HOST/${NETBIOSNAME} @@ -23,6 +22,7 @@ servicePrincipalName: HOST/${DNSNAME}/${REALM} servicePrincipalName: HOST/${NETBIOSNAME}/${REALM} servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN} +isCriticalSystemObject: TRUE #Provide a account for DNS keytab export dn: CN=dns,CN=Users,${DOMAINDN} @@ -36,9 +36,8 @@ userAccountControl: 514 accountExpires: 9223372036854775807 sAMAccountName: dns servicePrincipalName: DNS/${DNSDOMAIN} -isCriticalSystemObject: TRUE userPassword:: ${DNSPASS_B64} -showInAdvancedViewOnly: TRUE +isCriticalSystemObject: TRUE dn: ${SERVERDN} objectClass: top @@ -57,7 +56,7 @@ options: 1 systemFlags: 33554432 dMDLocation: ${SCHEMADN} invocationId: ${INVOCATIONID} -msDS-Behavior-Version: 2 +msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY} msDS-hasMasterNCs: ${CONFIGDN} msDS-hasMasterNCs: ${SCHEMADN} msDS-hasMasterNCs: ${DOMAINDN} diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index 88146d8cac..47240a9d07 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif @@ -7,8 +7,8 @@ objectSid: ${DOMAINSID}-500 adminCount: 1 accountExpires: 9223372036854775807 sAMAccountName: Administrator -isCriticalSystemObject: TRUE userPassword:: ${ADMINPASS_B64} +isCriticalSystemObject: TRUE dn: CN=Guest,CN=Users,${DOMAINDN} objectClass: user @@ -45,8 +45,8 @@ adminCount: 1 accountExpires: 9223372036854775807 sAMAccountName: krbtgt servicePrincipalName: kadmin/changepw -isCriticalSystemObject: TRUE userPassword:: ${KRBTGTPASS_B64} +isCriticalSystemObject: TRUE dn: CN=Domain Computers,CN=Users,${DOMAINDN} objectClass: top @@ -187,16 +187,6 @@ sAMAccountName: Event Log Readers groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=IIS_IUSRS,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: IIS_IUSRS -description: IIS_IUSRS -objectSid: ${DOMAINSID}-568 -sAMAccountName: IIS_IUSRS -groupType: -2147483644 -isCriticalSystemObject: TRUE - dn: CN=Administrators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -210,7 +200,6 @@ adminCount: 1 sAMAccountName: Administrators systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeSecurityPrivilege privilege: SeBackupPrivilege privilege: SeRestorePrivilege @@ -235,6 +224,7 @@ privilege: SeEnableDelegationPrivilege privilege: SeInteractiveLogonRight privilege: SeNetworkLogonRight privilege: SeRemoteInteractiveLogonRight +isCriticalSystemObject: TRUE dn: CN=Users,CN=Builtin,${DOMAINDN} objectClass: top @@ -271,10 +261,10 @@ adminCount: 1 sAMAccountName: Print Operators systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeLoadDriverPrivilege privilege: SeShutdownPrivilege privilege: SeInteractiveLogonRight +isCriticalSystemObject: TRUE dn: CN=Backup Operators,CN=Builtin,${DOMAINDN} objectClass: top @@ -286,11 +276,11 @@ adminCount: 1 sAMAccountName: Backup Operators systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeBackupPrivilege privilege: SeRestorePrivilege privilege: SeShutdownPrivilege privilege: SeInteractiveLogonRight +isCriticalSystemObject: TRUE dn: CN=Replicator,CN=Builtin,${DOMAINDN} objectClass: top @@ -358,13 +348,13 @@ adminCount: 1 sAMAccountName: Server Operators systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeBackupPrivilege privilege: SeSystemtimePrivilege privilege: SeRemoteShutdownPrivilege privilege: SeRestorePrivilege privilege: SeShutdownPrivilege privilege: SeInteractiveLogonRight +isCriticalSystemObject: TRUE dn: CN=Account Operators,CN=Builtin,${DOMAINDN} objectClass: top @@ -376,8 +366,8 @@ adminCount: 1 sAMAccountName: Account Operators systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeInteractiveLogonRight +isCriticalSystemObject: TRUE dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} objectClass: top @@ -388,9 +378,9 @@ objectSid: S-1-5-32-554 sAMAccountName: Pre-Windows 2000 Compatible Access systemFlags: -1946157056 groupType: -2147483643 -isCriticalSystemObject: TRUE privilege: SeRemoteInteractiveLogonRight privilege: SeChangeNotifyPrivilege +isCriticalSystemObject: TRUE dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} objectClass: top diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif index a7e8a4336a..6a2e180b15 100644 --- a/source4/setup/provision_users_modify.ldif +++ b/source4/setup/provision_users_modify.ldif @@ -3,11 +3,11 @@ changetype: modify replace: description description: Default container for upgraded user accounts - -replace: showInAdvancedViewOnly -showInAdvancedViewOnly: FALSE -- replace: systemFlags systemFlags: -1946157056 - replace: isCriticalSystemObject isCriticalSystemObject: TRUE +- +replace: showInAdvancedViewOnly +showInAdvancedViewOnly: FALSE diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index c11e65e465..591aefbb75 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -220,7 +220,6 @@ objectClass: classSchema subClassOf: top governsID: 1.3.6.1.4.1.7165.4.2.2 rDNAttID: cn -showInAdvancedViewOnly: TRUE adminDisplayName: Samba4-Local-Domain adminDescription: Samba4-Local-Domain systemMayContain: msDS-Behavior-Version @@ -243,7 +242,6 @@ subClassOf: top governsID: 1.3.6.1.4.1.7165.4.2.1 mayContain: msDS-ObjectReferenceBL rDNAttID: cn -showInAdvancedViewOnly: TRUE adminDisplayName: Samba4TopTop adminDescription: Attributes used in top in Samba4 that OpenLDAP does not objectClassCategory: 3 @@ -344,7 +342,6 @@ objectClass: classSchema subClassOf: top governsID: 1.3.6.1.4.1.7165.4.2.3 rDNAttID: cn -showInAdvancedViewOnly: TRUE adminDisplayName: Samba4TopExtra adminDescription: Attributes used in top in Samba4 that OpenLDAP does not objectClassCategory: 2 diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index fd54863686..076120bfee 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -29,6 +29,7 @@ #include "libcli/security/security.h" #include "torture/torture.h" #include "auth/auth_sam_reply.h" +#include "param/param.h" static bool torture_pac_self_check(struct torture_context *tctx) { diff --git a/source4/torture/rpc/frsapi.c b/source4/torture/rpc/frsapi.c index c8e421a674..e9a19bcf96 100644 --- a/source4/torture/rpc/frsapi.c +++ b/source4/torture/rpc/frsapi.c @@ -114,15 +114,15 @@ static bool test_IsPathReplicated_err(struct torture_context *tctx, { struct frsapi_IsPathReplicated r; struct GUID guid; - uint32_t unknown1, unknown2, unknown3 = 0; + uint32_t replicated, primary, root; ZERO_STRUCT(r); r.in.path = path; r.in.replica_set_type = type; - r.out.unknown1 = &unknown1; - r.out.unknown2 = &unknown2; - r.out.unknown3 = &unknown3; + r.out.replicated = &replicated; + r.out.primary = &primary; + r.out.root = &root; r.out.replica_set_guid = &guid; torture_assert_ntstatus_ok(tctx, @@ -191,11 +191,11 @@ static bool test_ForceReplication(struct torture_context *tctx, ZERO_STRUCT(r); - r.in.guid1 = NULL; - r.in.guid2 = NULL; - r.in.replica_set = talloc_asprintf(tctx, "%s", - lp_realm(tctx->lp_ctx)); - r.in.partner_name = dcerpc_server_name(p); + r.in.replica_set_guid = NULL; + r.in.connection_guid = NULL; + r.in.replica_set_name = talloc_asprintf(tctx, "%s", + lp_realm(tctx->lp_ctx)); + r.in.partner_dns_name = dcerpc_server_name(p); torture_assert_ntstatus_ok(tctx, dcerpc_frsapi_ForceReplication(p, tctx, &r), diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 7d03e7ef9e..b45b565452 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -47,7 +47,7 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, NTSTATUS status; uint16_t system_name = '\\'; - printf("\nTesting OpenPolicy\n"); + torture_comment(tctx, "\nTesting OpenPolicy\n"); qos.len = 0; qos.impersonation_level = 2; @@ -70,10 +70,10 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) { - printf("not considering %s to be an error\n", nt_errstr(status)); + torture_comment(tctx, "not considering %s to be an error\n", nt_errstr(status)); return true; } - printf("OpenPolicy failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenPolicy failed - %s\n", nt_errstr(status)); return false; } @@ -90,7 +90,7 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, struct lsa_OpenPolicy2 r; NTSTATUS status; - printf("\nTesting OpenPolicy2\n"); + torture_comment(tctx, "\nTesting OpenPolicy2\n"); *handle = talloc(tctx, struct policy_handle); if (!*handle) { @@ -118,12 +118,12 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) { - printf("not considering %s to be an error\n", nt_errstr(status)); + torture_comment(tctx, "not considering %s to be an error\n", nt_errstr(status)); talloc_free(*handle); *handle = NULL; return true; } - printf("OpenPolicy2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(status)); return false; } @@ -161,7 +161,7 @@ static bool test_LookupNames(struct dcerpc_pipe *p, NTSTATUS status; int i; - printf("\nTesting LookupNames with %d names\n", tnames->count); + torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; @@ -187,30 +187,30 @@ static bool test_LookupNames(struct dcerpc_pipe *p, NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { for (i=0;i< tnames->count;i++) { if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) { - printf("LookupName of %s was unmapped\n", + torture_comment(tctx, "LookupName of %s was unmapped\n", tnames->names[i].name.string); } else if (i >=count) { - printf("LookupName of %s failed to return a result\n", + torture_comment(tctx, "LookupName of %s failed to return a result\n", tnames->names[i].name.string); } } - printf("LookupNames failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames failed - %s\n", nt_errstr(status)); return false; } else if (!NT_STATUS_IS_OK(status)) { - printf("LookupNames failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames failed - %s\n", nt_errstr(status)); return false; } for (i=0;i< tnames->count;i++) { if (i < count && sids.sids[i].sid_type != tnames->names[i].sid_type) { - printf("LookupName of %s got unexpected name type: %s\n", + torture_comment(tctx, "LookupName of %s got unexpected name type: %s\n", tnames->names[i].name.string, sid_type_lookup(sids.sids[i].sid_type)); } else if (i >=count) { - printf("LookupName of %s failed to return a result\n", + torture_comment(tctx, "LookupName of %s failed to return a result\n", tnames->names[i].name.string); } } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -235,7 +235,7 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p, name[0].name.string = "NT AUTHORITY\\BOGUS"; name[1].name.string = NULL; - printf("\nTesting LookupNames with bogus names\n"); + torture_comment(tctx, "\nTesting LookupNames with bogus names\n"); sids.count = 0; sids.sids = NULL; @@ -257,11 +257,11 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupNames(p, tctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { - printf("LookupNames failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames failed - %s\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -274,7 +274,7 @@ static bool test_LookupNames_wellknown(struct dcerpc_pipe *p, struct lsa_TransNameArray tnames; bool ret = true; - printf("Testing LookupNames with well known names\n"); + torture_comment(tctx, "Testing LookupNames with well known names\n"); tnames.names = &name; tnames.count = 1; @@ -330,7 +330,7 @@ static bool test_LookupNames2(struct dcerpc_pipe *p, NTSTATUS status; int i; - printf("\nTesting LookupNames2 with %d names\n", tnames->count); + torture_comment(tctx, "\nTesting LookupNames2 with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; @@ -354,7 +354,7 @@ static bool test_LookupNames2(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupNames2(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupNames2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames2 failed - %s\n", nt_errstr(status)); return false; } @@ -366,7 +366,7 @@ static bool test_LookupNames2(struct dcerpc_pipe *p, } } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -386,7 +386,7 @@ static bool test_LookupNames3(struct dcerpc_pipe *p, NTSTATUS status; int i; - printf("\nTesting LookupNames3 with %d names\n", tnames->count); + torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; @@ -410,7 +410,7 @@ static bool test_LookupNames3(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupNames3(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupNames3 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames3 failed - %s\n", nt_errstr(status)); return false; } @@ -422,7 +422,7 @@ static bool test_LookupNames3(struct dcerpc_pipe *p, } } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -440,7 +440,7 @@ static bool test_LookupNames4(struct dcerpc_pipe *p, NTSTATUS status; int i; - printf("\nTesting LookupNames4 with %d names\n", tnames->count); + torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count); sids.count = 0; sids.sids = NULL; @@ -463,7 +463,7 @@ static bool test_LookupNames4(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupNames4(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupNames4 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupNames4 failed - %s\n", nt_errstr(status)); return false; } @@ -475,7 +475,7 @@ static bool test_LookupNames4(struct dcerpc_pipe *p, } } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -492,7 +492,7 @@ static bool test_LookupSids(struct dcerpc_pipe *p, uint32_t count = sids->num_sids; NTSTATUS status; - printf("\nTesting LookupSids\n"); + torture_comment(tctx, "\nTesting LookupSids\n"); names.count = 0; names.names = NULL; @@ -508,11 +508,11 @@ static bool test_LookupSids(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupSids(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupSids failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupSids failed - %s\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); if (!test_LookupNames(p, tctx, handle, &names)) { return false; @@ -533,7 +533,7 @@ static bool test_LookupSids2(struct dcerpc_pipe *p, uint32_t count = sids->num_sids; NTSTATUS status; - printf("\nTesting LookupSids2\n"); + torture_comment(tctx, "\nTesting LookupSids2\n"); names.count = 0; names.names = NULL; @@ -551,11 +551,11 @@ static bool test_LookupSids2(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupSids2(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupSids2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupSids2 failed - %s\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); if (!test_LookupNames2(p, tctx, handle, &names, false)) { return false; @@ -578,7 +578,7 @@ static bool test_LookupSids3(struct dcerpc_pipe *p, uint32_t count = sids->num_sids; NTSTATUS status; - printf("\nTesting LookupSids3\n"); + torture_comment(tctx, "\nTesting LookupSids3\n"); names.count = 0; names.names = NULL; @@ -597,15 +597,15 @@ static bool test_LookupSids3(struct dcerpc_pipe *p, if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) { - printf("not considering %s to be an error\n", nt_errstr(status)); + torture_comment(tctx, "not considering %s to be an error\n", nt_errstr(status)); return true; } - printf("LookupSids3 failed - %s - not considered an error\n", + torture_comment(tctx, "LookupSids3 failed - %s - not considered an error\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); if (!test_LookupNames4(p, tctx, &names, false)) { return false; @@ -623,7 +623,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p, struct lsa_SidArray sids; int i; - printf("\nTesting LookupSids with lots of SIDs\n"); + torture_comment(tctx, "\nTesting LookupSids with lots of SIDs\n"); sids.num_sids = 100; @@ -654,11 +654,11 @@ bool test_many_LookupSids(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupSids(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupSids failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupSids failed - %s\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); if (!test_LookupNames(p, tctx, handle, &names)) { return false; @@ -672,7 +672,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p, names.count = 0; names.names = NULL; - printf("\nTesting LookupSids3\n"); + torture_comment(tctx, "\nTesting LookupSids3\n"); r.in.sids = &sids; r.in.names = &names; @@ -688,10 +688,10 @@ bool test_many_LookupSids(struct dcerpc_pipe *p, if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) { - printf("not considering %s to be an error\n", nt_errstr(status)); + torture_comment(tctx, "not considering %s to be an error\n", nt_errstr(status)); return true; } - printf("LookupSids3 failed - %s\n", + torture_comment(tctx, "LookupSids3 failed - %s\n", nt_errstr(status)); return false; } @@ -700,7 +700,7 @@ bool test_many_LookupSids(struct dcerpc_pipe *p, } } - printf("\n"); + torture_comment(tctx, "\n"); @@ -742,7 +742,7 @@ static bool test_LookupSids_async(struct dcerpc_pipe *p, names = talloc_array(tctx, struct lsa_TransNameArray, num_async_requests); r = talloc_array(tctx, struct lsa_LookupSids, num_async_requests); - printf("\nTesting %d async lookupsids request\n", num_async_requests); + torture_comment(tctx, "\nTesting %d async lookupsids request\n", num_async_requests); req = talloc_array(tctx, struct rpc_request *, num_async_requests); @@ -804,7 +804,7 @@ static bool test_LookupPrivValue(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupPrivValue(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("\nLookupPrivValue failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "\nLookupPrivValue failed - %s\n", nt_errstr(status)); return false; } @@ -826,7 +826,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupPrivName(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("\nLookupPrivName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "\nLookupPrivName failed - %s\n", nt_errstr(status)); return false; } @@ -844,7 +844,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("\nTesting RemovePrivilegesFromAccount\n"); + torture_comment(tctx, "\nTesting RemovePrivilegesFromAccount\n"); r.in.handle = acct_handle; r.in.remove_all = 0; @@ -868,7 +868,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupPrivName(p, tctx, &r_name); if (!NT_STATUS_IS_OK(status)) { - printf("\nLookupPrivName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "\nLookupPrivName failed - %s\n", nt_errstr(status)); return false; } /* Windows 2008 does not allow this to be removed */ @@ -876,7 +876,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, return ret; } - printf("RemovePrivilegesFromAccount failed to remove %s - %s\n", + torture_comment(tctx, "RemovePrivilegesFromAccount failed to remove %s - %s\n", name->string, nt_errstr(status)); return false; @@ -895,7 +895,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("\nTesting AddPrivilegesToAccount\n"); + torture_comment(tctx, "\nTesting AddPrivilegesToAccount\n"); r.in.handle = acct_handle; r.in.privs = &privs; @@ -908,7 +908,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, status = dcerpc_lsa_AddPrivilegesToAccount(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("AddPrivilegesToAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "AddPrivilegesToAccount failed - %s\n", nt_errstr(status)); return false; } @@ -925,14 +925,14 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet *privs = NULL; bool ret = true; - printf("\nTesting EnumPrivsAccount\n"); + torture_comment(tctx, "\nTesting EnumPrivsAccount\n"); r.in.handle = acct_handle; r.out.privs = &privs; status = dcerpc_lsa_EnumPrivsAccount(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("EnumPrivsAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "EnumPrivsAccount failed - %s\n", nt_errstr(status)); return false; } @@ -961,46 +961,46 @@ static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p, uint32_t access_mask; struct lsa_GetSystemAccessAccount r; - printf("\nTesting GetSystemAccessAccount\n"); + torture_comment(tctx, "\nTesting GetSystemAccessAccount\n"); r.in.handle = acct_handle; r.out.access_mask = &access_mask; status = dcerpc_lsa_GetSystemAccessAccount(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "GetSystemAccessAccount failed - %s\n", nt_errstr(status)); return false; } if (r.out.access_mask != NULL) { - printf("Rights:"); + torture_comment(tctx, "Rights:"); if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE) - printf(" LSA_POLICY_MODE_INTERACTIVE"); + torture_comment(tctx, " LSA_POLICY_MODE_INTERACTIVE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK) - printf(" LSA_POLICY_MODE_NETWORK"); + torture_comment(tctx, " LSA_POLICY_MODE_NETWORK"); if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH) - printf(" LSA_POLICY_MODE_BATCH"); + torture_comment(tctx, " LSA_POLICY_MODE_BATCH"); if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE) - printf(" LSA_POLICY_MODE_SERVICE"); + torture_comment(tctx, " LSA_POLICY_MODE_SERVICE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY) - printf(" LSA_POLICY_MODE_PROXY"); + torture_comment(tctx, " LSA_POLICY_MODE_PROXY"); if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE) - printf(" LSA_POLICY_MODE_DENY_INTERACTIVE"); + torture_comment(tctx, " LSA_POLICY_MODE_DENY_INTERACTIVE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK) - printf(" LSA_POLICY_MODE_DENY_NETWORK"); + torture_comment(tctx, " LSA_POLICY_MODE_DENY_NETWORK"); if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH) - printf(" LSA_POLICY_MODE_DENY_BATCH"); + torture_comment(tctx, " LSA_POLICY_MODE_DENY_BATCH"); if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE) - printf(" LSA_POLICY_MODE_DENY_SERVICE"); + torture_comment(tctx, " LSA_POLICY_MODE_DENY_SERVICE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE) - printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE"); + torture_comment(tctx, " LSA_POLICY_MODE_REMOTE_INTERACTIVE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE) - printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE"); + torture_comment(tctx, " LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE"); if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL) - printf(" LSA_POLICY_MODE_ALL"); + torture_comment(tctx, " LSA_POLICY_MODE_ALL"); if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4) - printf(" LSA_POLICY_MODE_ALL_NT4"); - printf("\n"); + torture_comment(tctx, " LSA_POLICY_MODE_ALL_NT4"); + torture_comment(tctx, "\n"); } return true; @@ -1013,12 +1013,12 @@ static bool test_Delete(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_Delete r; - printf("\nTesting Delete\n"); + torture_comment(tctx, "\nTesting Delete\n"); r.in.handle = handle; status = dcerpc_lsa_Delete(p, tctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { - printf("Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status)); + torture_comment(tctx, "Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status)); return false; } @@ -1032,13 +1032,13 @@ static bool test_DeleteObject(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_DeleteObject r; - printf("\nTesting DeleteObject\n"); + torture_comment(tctx, "\nTesting DeleteObject\n"); r.in.handle = handle; r.out.handle = handle; status = dcerpc_lsa_DeleteObject(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("DeleteObject failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "DeleteObject failed - %s\n", nt_errstr(status)); return false; } @@ -1057,7 +1057,7 @@ static bool test_CreateAccount(struct dcerpc_pipe *p, newsid = dom_sid_parse_talloc(tctx, "S-1-5-12349876-4321-2854"); - printf("\nTesting CreateAccount\n"); + torture_comment(tctx, "\nTesting CreateAccount\n"); r.in.handle = handle; r.in.sid = newsid; @@ -1074,11 +1074,11 @@ static bool test_CreateAccount(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenAccount(p, tctx, &r_o); if (!NT_STATUS_IS_OK(status)) { - printf("OpenAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenAccount failed - %s\n", nt_errstr(status)); return false; } } else if (!NT_STATUS_IS_OK(status)) { - printf("CreateAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "CreateAccount failed - %s\n", nt_errstr(status)); return false; } @@ -1109,7 +1109,7 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomainByName(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); return false; } @@ -1137,7 +1137,7 @@ static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p, status = dcerpc_lsa_DeleteTrustedDomain(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "DeleteTrustedDomain failed - %s\n", nt_errstr(status)); return false; } @@ -1183,7 +1183,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, secname[GLOBAL] = talloc_asprintf(tctx, "G$torturesecret-%u", (uint_t)random()); for (i=0; i< 2; i++) { - printf("\nTesting CreateSecret of %s\n", secname[i]); + torture_comment(tctx, "\nTesting CreateSecret of %s\n", secname[i]); init_lsa_String(&r.in.name, secname[i]); @@ -1193,7 +1193,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, status = dcerpc_lsa_CreateSecret(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("CreateSecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "CreateSecret failed - %s\n", nt_errstr(status)); return false; } @@ -1203,7 +1203,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, status = dcerpc_lsa_CreateSecret(p, tctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) { - printf("CreateSecret should have failed OBJECT_NAME_COLLISION - %s\n", nt_errstr(status)); + torture_comment(tctx, "CreateSecret should have failed OBJECT_NAME_COLLISION - %s\n", nt_errstr(status)); return false; } @@ -1212,17 +1212,17 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, r2.in.name = r.in.name; r2.out.sec_handle = &sec_handle2; - printf("Testing OpenSecret\n"); + torture_comment(tctx, "Testing OpenSecret\n"); status = dcerpc_lsa_OpenSecret(p, tctx, &r2); if (!NT_STATUS_IS_OK(status)) { - printf("OpenSecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenSecret failed - %s\n", nt_errstr(status)); return false; } status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { - printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status)); return false; } @@ -1235,11 +1235,11 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, r3.in.new_val->length = enc_key.length; r3.in.new_val->size = enc_key.length; - printf("Testing SetSecret\n"); + torture_comment(tctx, "Testing SetSecret\n"); status = dcerpc_lsa_SetSecret(p, tctx, &r3); if (!NT_STATUS_IS_OK(status)) { - printf("SetSecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(status)); return false; } @@ -1253,11 +1253,11 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, /* break the encrypted data */ enc_key.data[0]++; - printf("Testing SetSecret with broken key\n"); + torture_comment(tctx, "Testing SetSecret with broken key\n"); status = dcerpc_lsa_SetSecret(p, tctx, &r3); if (!NT_STATUS_EQUAL(status, NT_STATUS_UNKNOWN_REVISION)) { - printf("SetSecret should have failed UNKNOWN_REVISION - %s\n", nt_errstr(status)); + torture_comment(tctx, "SetSecret should have failed UNKNOWN_REVISION - %s\n", nt_errstr(status)); ret = false; } @@ -1275,14 +1275,14 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, bufp1.buf = NULL; - printf("Testing QuerySecret\n"); + torture_comment(tctx, "Testing QuerySecret\n"); status = dcerpc_lsa_QuerySecret(p, tctx, &r4); if (!NT_STATUS_IS_OK(status)) { - printf("QuerySecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(status)); ret = false; } else { if (r4.out.new_val == NULL || r4.out.new_val->buf == NULL) { - printf("No secret buffer returned\n"); + torture_comment(tctx, "No secret buffer returned\n"); ret = false; } else { blob1.data = r4.out.new_val->buf->data; @@ -1294,7 +1294,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, &blob1, &session_key); if (strcmp(secret1, secret2) != 0) { - printf("Returned secret (r4) '%s' doesn't match '%s'\n", + torture_comment(tctx, "Returned secret (r4) '%s' doesn't match '%s'\n", secret2, secret1); ret = false; } @@ -1312,11 +1312,11 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, msleep(200); - printf("Testing SetSecret (existing value should move to old)\n"); + torture_comment(tctx, "Testing SetSecret (existing value should move to old)\n"); status = dcerpc_lsa_SetSecret(p, tctx, &r5); if (!NT_STATUS_IS_OK(status)) { - printf("SetSecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(status)); ret = false; } @@ -1337,14 +1337,14 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, status = dcerpc_lsa_QuerySecret(p, tctx, &r6); if (!NT_STATUS_IS_OK(status)) { - printf("QuerySecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(status)); ret = false; secret4 = NULL; } else { if (r6.out.new_val->buf == NULL || r6.out.old_val->buf == NULL || r6.out.new_mtime == NULL || r6.out.old_mtime == NULL) { - printf("Both secret buffers and both times not returned\n"); + torture_comment(tctx, "Both secret buffers and both times not returned\n"); ret = false; secret4 = NULL; } else { @@ -1357,7 +1357,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, &blob1, &session_key); if (strcmp(secret3, secret4) != 0) { - printf("Returned NEW secret %s doesn't match %s\n", secret4, secret3); + torture_comment(tctx, "Returned NEW secret %s doesn't match %s\n", secret4, secret3); ret = false; } @@ -1370,12 +1370,12 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, &blob1, &session_key); if (strcmp(secret1, secret2) != 0) { - printf("Returned OLD secret %s doesn't match %s\n", secret2, secret1); + torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret2, secret1); ret = false; } if (*r6.out.new_mtime == *r6.out.old_mtime) { - printf("Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n", + torture_comment(tctx, "Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n", i, secname[i], nt_time_string(tctx, *r6.out.old_mtime), @@ -1394,11 +1394,11 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, r7.in.old_val->size = enc_key.length; r7.in.new_val = NULL; - printf("Testing SetSecret of old Secret only\n"); + torture_comment(tctx, "Testing SetSecret of old Secret only\n"); status = dcerpc_lsa_SetSecret(p, tctx, &r7); if (!NT_STATUS_IS_OK(status)) { - printf("SetSecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(status)); ret = false; } @@ -1416,20 +1416,20 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, status = dcerpc_lsa_QuerySecret(p, tctx, &r8); if (!NT_STATUS_IS_OK(status)) { - printf("QuerySecret failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(status)); ret = false; } else { if (!r8.out.new_val || !r8.out.old_val) { - printf("in/out pointers not returned, despite being set on in for QuerySecret\n"); + torture_comment(tctx, "in/out pointers not returned, despite being set on in for QuerySecret\n"); ret = false; } else if (r8.out.new_val->buf != NULL) { - printf("NEW secret buffer must not be returned after OLD set\n"); + torture_comment(tctx, "NEW secret buffer must not be returned after OLD set\n"); ret = false; } else if (r8.out.old_val->buf == NULL) { - printf("OLD secret buffer was not returned after OLD set\n"); + torture_comment(tctx, "OLD secret buffer was not returned after OLD set\n"); ret = false; } else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) { - printf("Both times not returned after OLD set\n"); + torture_comment(tctx, "Both times not returned after OLD set\n"); ret = false; } else { blob1.data = r8.out.old_val->buf->data; @@ -1441,12 +1441,12 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, &blob1, &session_key); if (strcmp(secret5, secret6) != 0) { - printf("Returned OLD secret %s doesn't match %s\n", secret5, secret6); + torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret5, secret6); ret = false; } if (*r8.out.new_mtime != *r8.out.old_mtime) { - printf("Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n", + torture_comment(tctx, "Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n", secname[i], nt_time_string(tctx, *r8.out.old_mtime), nt_time_string(tctx, *r8.out.new_mtime)); @@ -1467,15 +1467,15 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, d_o.out.handle = &sec_handle2; status = dcerpc_lsa_DeleteObject(p, tctx, &d_o); if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) { - printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status)); + torture_comment(tctx, "Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status)); ret = false; } else { - printf("Testing OpenSecret of just-deleted secret\n"); + torture_comment(tctx, "Testing OpenSecret of just-deleted secret\n"); status = dcerpc_lsa_OpenSecret(p, tctx, &r2); if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - printf("OpenSecret expected OBJECT_NAME_NOT_FOUND - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenSecret expected OBJECT_NAME_NOT_FOUND - %s\n", nt_errstr(status)); ret = false; } } @@ -1495,7 +1495,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p, struct lsa_EnumAccountRights r; struct lsa_RightSet rights; - printf("\nTesting EnumAccountRights\n"); + torture_comment(tctx, "\nTesting EnumAccountRights\n"); r.in.handle = acct_handle; r.in.sid = sid; @@ -1503,7 +1503,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p, status = dcerpc_lsa_EnumAccountRights(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("EnumAccountRights of %s failed - %s\n", + torture_comment(tctx, "EnumAccountRights of %s failed - %s\n", dom_sid_string(tctx, sid), nt_errstr(status)); return false; } @@ -1522,19 +1522,21 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p, struct sec_desc_buf *sdbuf = NULL; if (torture_setting_bool(tctx, "samba4", false)) { - printf("\nskipping QuerySecurity test against Samba4\n"); + torture_comment(tctx, "\nskipping QuerySecurity test against Samba4\n"); return true; } - printf("\nTesting QuerySecurity\n"); + torture_comment(tctx, "\nTesting QuerySecurity\n"); r.in.handle = acct_handle; - r.in.sec_info = 7; + r.in.sec_info = SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; r.out.sdbuf = &sdbuf; status = dcerpc_lsa_QuerySecurity(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("QuerySecurity failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QuerySecurity failed - %s\n", nt_errstr(status)); return false; } @@ -1550,7 +1552,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, struct lsa_OpenAccount r; struct policy_handle acct_handle; - printf("\nTesting OpenAccount\n"); + torture_comment(tctx, "\nTesting OpenAccount\n"); r.in.handle = handle; r.in.sid = sid; @@ -1559,7 +1561,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenAccount(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("OpenAccount failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenAccount failed - %s\n", nt_errstr(status)); return false; } @@ -1589,7 +1591,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\nTesting EnumAccounts\n"); + torture_comment(tctx, "\nTesting EnumAccounts\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1604,7 +1606,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, break; } if (!NT_STATUS_IS_OK(status)) { - printf("EnumAccounts failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(status)); return false; } @@ -1620,31 +1622,31 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, * be on schannel, or we would not be able to do the * rest */ - printf("Testing all accounts\n"); + torture_comment(tctx, "Testing all accounts\n"); for (i=0;i<sids1.num_sids;i++) { ret &= test_OpenAccount(p, tctx, handle, sids1.sids[i].sid); ret &= test_EnumAccountRights(p, tctx, handle, sids1.sids[i].sid); } - printf("\n"); + torture_comment(tctx, "\n"); } if (sids1.num_sids < 3) { return ret; } - printf("Trying EnumAccounts partial listing (asking for 1 at 2)\n"); + torture_comment(tctx, "Trying EnumAccounts partial listing (asking for 1 at 2)\n"); resume_handle = 2; r.in.num_entries = 1; r.out.sids = &sids2; status = dcerpc_lsa_EnumAccounts(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("EnumAccounts failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(status)); return false; } if (sids2.num_sids != 1) { - printf("Returned wrong number of entries (%d)\n", sids2.num_sids); + torture_comment(tctx, "Returned wrong number of entries (%d)\n", sids2.num_sids); return false; } @@ -1664,7 +1666,7 @@ static bool test_LookupPrivDisplayName(struct dcerpc_pipe *p, uint16_t returned_language_id = 0; struct lsa_StringLarge *disp_name = NULL; - printf("\nTesting LookupPrivDisplayName(%s)\n", priv_name->string); + torture_comment(tctx, "\nTesting LookupPrivDisplayName(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1675,10 +1677,10 @@ static bool test_LookupPrivDisplayName(struct dcerpc_pipe *p, status = dcerpc_lsa_LookupPrivDisplayName(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("LookupPrivDisplayName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "LookupPrivDisplayName failed - %s\n", nt_errstr(status)); return false; } - printf("%s -> \"%s\" (language 0x%x/0x%x)\n", + torture_comment(tctx, "%s -> \"%s\" (language 0x%x/0x%x)\n", priv_name->string, disp_name->string, r.in.language_id, *r.out.returned_language_id); @@ -1696,7 +1698,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p, ZERO_STRUCT(sids); - printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string); + torture_comment(tctx, "\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1710,7 +1712,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p, } if (!NT_STATUS_IS_OK(status)) { - printf("EnumAccountsWithUserRight failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "EnumAccountsWithUserRight failed - %s\n", nt_errstr(status)); return false; } @@ -1729,7 +1731,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\nTesting EnumPrivs\n"); + torture_comment(tctx, "\nTesting EnumPrivs\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1740,7 +1742,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p, resume_handle = 0; status = dcerpc_lsa_EnumPrivs(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("EnumPrivs failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "EnumPrivs failed - %s\n", nt_errstr(status)); return false; } @@ -1766,10 +1768,10 @@ static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p, struct lsa_String string; struct lsa_ForestTrustInformation info, *info_ptr; - printf("\nTesting lsaRQueryForestTrustInformation\n"); + torture_comment(tctx, "\nTesting lsaRQueryForestTrustInformation\n"); if (torture_setting_bool(tctx, "samba4", false)) { - printf("skipping QueryForestTrustInformation against Samba4\n"); + torture_comment(tctx, "skipping QueryForestTrustInformation against Samba4\n"); return true; } @@ -1789,7 +1791,7 @@ static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p, status = dcerpc_lsa_lsaRQueryForestTrustInformation(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status)); + torture_comment(tctx, "lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status)); ret = false; } @@ -1824,7 +1826,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, int i,j; bool ret = true; - printf("\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n"); + torture_comment(tctx, "\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n"); for (i=0; i< domains->count; i++) { struct lsa_OpenTrustedDomain trust; struct lsa_OpenTrustedDomainByName trust_by_name; @@ -1844,7 +1846,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomain(p, tctx, &trust); if (!NT_STATUS_IS_OK(status)) { - printf("OpenTrustedDomain failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenTrustedDomain failed - %s\n", nt_errstr(status)); return false; } @@ -1862,11 +1864,11 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, q.out.info = &info; status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status) && ok[j]) { - printf("QueryTrustedDomainInfo level %d failed - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n", levels[j], nt_errstr(status)); ret = false; } else if (NT_STATUS_IS_OK(status) && !ok[j]) { - printf("QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n", levels[j], nt_errstr(status)); ret = false; } @@ -1874,7 +1876,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_CloseTrustedDomainEx(p, tctx, &c_trust); if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { - printf("Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(status)); + torture_comment(tctx, "Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(status)); return false; } @@ -1883,7 +1885,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_Close(p, tctx, &c); if (!NT_STATUS_IS_OK(status)) { - printf("Close of trusted domain failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(status)); return false; } @@ -1902,11 +1904,11 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_QueryTrustedDomainInfoBySid(p, tctx, &q); if (!NT_STATUS_IS_OK(status) && ok[j]) { - printf("QueryTrustedDomainInfoBySid level %d failed - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d failed - %s\n", levels[j], nt_errstr(status)); ret = false; } else if (NT_STATUS_IS_OK(status) && !ok[j]) { - printf("QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n", levels[j], nt_errstr(status)); ret = false; } @@ -1921,7 +1923,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomainByName(p, tctx, &trust_by_name); if (!NT_STATUS_IS_OK(status)) { - printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); return false; } @@ -1933,11 +1935,11 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, q.out.info = &info; status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status) && ok[j]) { - printf("QueryTrustedDomainInfo level %d failed - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n", levels[j], nt_errstr(status)); ret = false; } else if (NT_STATUS_IS_OK(status) && !ok[j]) { - printf("QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n", levels[j], nt_errstr(status)); ret = false; } @@ -1948,7 +1950,7 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, status = dcerpc_lsa_Close(p, tctx, &c); if (!NT_STATUS_IS_OK(status)) { - printf("Close of trusted domain failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(status)); return false; } @@ -1965,11 +1967,11 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p, q.out.info = &info; status = dcerpc_lsa_QueryTrustedDomainInfoByName(p, tctx, &q); if (!NT_STATUS_IS_OK(status) && ok[j]) { - printf("QueryTrustedDomainInfoByName level %d failed - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfoByName level %d failed - %s\n", levels[j], nt_errstr(status)); ret = false; } else if (NT_STATUS_IS_OK(status) && !ok[j]) { - printf("QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n", + torture_comment(tctx, "QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n", levels[j], nt_errstr(status)); ret = false; } @@ -1990,7 +1992,7 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, struct lsa_DomainListEx domains_ex; bool ret = true; - printf("\nTesting EnumTrustDom\n"); + torture_comment(tctx, "\nTesting EnumTrustDom\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -2002,11 +2004,11 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, if (NT_STATUS_IS_OK(enum_status)) { if (domains.count == 0) { - printf("EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); + torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); return false; } } else if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) { - printf("EnumTrustDom of zero size failed - %s\n", nt_errstr(enum_status)); + torture_comment(tctx, "EnumTrustDom of zero size failed - %s\n", nt_errstr(enum_status)); return false; } @@ -2027,24 +2029,24 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, if (domains.count == 0) { return true; } - printf("EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n"); + torture_comment(tctx, "EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n"); return false; } else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) { /* Windows 2003 gets this off by one on the first run */ if (r.out.domains->count < 3 || r.out.domains->count > 4) { - printf("EnumTrustDom didn't fill the buffer we " + torture_comment(tctx, "EnumTrustDom didn't fill the buffer we " "asked it to (got %d, expected %d / %d == %d entries)\n", r.out.domains->count, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER, r.in.max_size); ret = false; } } else if (!NT_STATUS_IS_OK(enum_status)) { - printf("EnumTrustDom failed - %s\n", nt_errstr(enum_status)); + torture_comment(tctx, "EnumTrustDom failed - %s\n", nt_errstr(enum_status)); return false; } if (domains.count == 0) { - printf("EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); + torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); return false; } @@ -2052,7 +2054,7 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, } while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))); - printf("\nTesting EnumTrustedDomainsEx\n"); + torture_comment(tctx, "\nTesting EnumTrustedDomainsEx\n"); r_ex.in.handle = handle; r_ex.in.resume_handle = &resume_handle; @@ -2063,7 +2065,7 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, enum_status = dcerpc_lsa_EnumTrustedDomainsEx(p, tctx, &r_ex); if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) { - printf("EnumTrustedDomainEx of zero size failed - %s\n", nt_errstr(enum_status)); + torture_comment(tctx, "EnumTrustedDomainEx of zero size failed - %s\n", nt_errstr(enum_status)); return false; } @@ -2082,12 +2084,12 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, if (domains_ex.count == 0) { return true; } - printf("EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n"); + torture_comment(tctx, "EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n"); return false; } else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) { /* Windows 2003 gets this off by one on the first run */ if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) { - printf("EnumTrustDom didn't fill the buffer we " + torture_comment(tctx, "EnumTrustDom didn't fill the buffer we " "asked it to (got %d, expected %d / %d == %d entries)\n", r_ex.out.domains->count, r_ex.in.max_size, @@ -2095,12 +2097,12 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER); } } else if (!NT_STATUS_IS_OK(enum_status)) { - printf("EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status)); + torture_comment(tctx, "EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status)); return false; } if (domains_ex.count == 0) { - printf("EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); + torture_comment(tctx, "EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); return false; } @@ -2125,7 +2127,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, union lsa_TrustedDomainInfo *info = NULL; int i; - printf("\nTesting CreateTrustedDomain for 12 domains\n"); + torture_comment(tctx, "\nTesting CreateTrustedDomain for 12 domains\n"); if (!test_EnumTrustDom(p, tctx, handle)) { ret = false; @@ -2151,7 +2153,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, status = dcerpc_lsa_CreateTrustedDomain(p, tctx, &r); } if (!NT_STATUS_IS_OK(status)) { - printf("CreateTrustedDomain failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "CreateTrustedDomain failed - %s\n", nt_errstr(status)); ret = false; } else { @@ -2160,28 +2162,28 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, q.out.info = &info; status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status)) { - printf("QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status)); ret = false; } else if (!q.out.info) { ret = false; } else { if (strcmp(info->info_ex.netbios_name.string, trustinfo.name.string) != 0) { - printf("QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n", info->info_ex.netbios_name.string, trustinfo.name.string); ret = false; } if (info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", trust_name, info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL); ret = false; } if (info->info_ex.trust_attributes != 0) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", trust_name, info->info_ex.trust_attributes, 0); ret = false; } if (info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", trust_name, info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND); ret = false; } @@ -2222,11 +2224,11 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, enum ndr_err_code ndr_err; int i; - printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n"); + torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for 12 domains\n"); status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { - printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status)); return false; } @@ -2263,7 +2265,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, ndr_err = ndr_push_struct_blob(&auth_blob, tctx, lp_iconv_convenience(tctx->lp_ctx), &auth_struct, (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - printf("ndr_push_struct_blob of trustDomainPasswords structure failed"); + torture_comment(tctx, "ndr_push_struct_blob of trustDomainPasswords structure failed"); ret = false; } @@ -2284,7 +2286,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, status = dcerpc_lsa_CreateTrustedDomainEx2(p, tctx, &r); } if (!NT_STATUS_IS_OK(status)) { - printf("CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status)); + torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status)); ret = false; } else { @@ -2293,29 +2295,29 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, q.out.info = &info; status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status)) { - printf("QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status)); ret = false; } else if (!q.out.info) { - printf("QueryTrustedDomainInfo level 1 failed to return an info pointer\n"); + torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed to return an info pointer\n"); ret = false; } else { if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) { - printf("QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n", + torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n", info->info_ex.netbios_name.string, trustinfo.netbios_name.string); ret = false; } if (info->info_ex.trust_type != trustinfo.trust_type) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", trust_name, info->info_ex.trust_type, trustinfo.trust_type); ret = false; } if (info->info_ex.trust_attributes != LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", trust_name, info->info_ex.trust_attributes, LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION); ret = false; } if (info->info_ex.trust_direction != trustinfo.trust_direction) { - printf("QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", + torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", trust_name, info->info_ex.trust_direction, trustinfo.trust_direction); ret = false; } @@ -2325,13 +2327,13 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, /* now that we have some domains to look over, we can test the enum calls */ if (!test_EnumTrustDom(p, tctx, handle)) { - printf("test_EnumTrustDom failed\n"); + torture_comment(tctx, "test_EnumTrustDom failed\n"); ret = false; } for (i=0; i<12; i++) { if (!test_DeleteTrustedDomainBySid(p, tctx, handle, domsid[i])) { - printf("test_DeleteTrustedDomainBySid failed\n"); + torture_comment(tctx, "test_DeleteTrustedDomainBySid failed\n"); ret = false; } } @@ -2349,14 +2351,14 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\nTesting QueryDomainInformationPolicy\n"); + torture_comment(tctx, "\nTesting QueryDomainInformationPolicy\n"); for (i=2;i<4;i++) { r.in.handle = handle; r.in.level = i; r.out.info = &info; - printf("\nTrying QueryDomainInformationPolicy level %d\n", i); + torture_comment(tctx, "\nTrying QueryDomainInformationPolicy level %d\n", i); status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r); @@ -2364,7 +2366,7 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { continue; } else if (!NT_STATUS_IS_OK(status)) { - printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryDomainInformationPolicy failed - %s\n", nt_errstr(status)); ret = false; continue; } @@ -2386,9 +2388,9 @@ static bool test_QueryInfoPolicyCalls( bool version2, bool ret = true; if (version2) - printf("\nTesting QueryInfoPolicy2\n"); + torture_comment(tctx, "\nTesting QueryInfoPolicy2\n"); else - printf("\nTesting QueryInfoPolicy\n"); + torture_comment(tctx, "\nTesting QueryInfoPolicy\n"); for (i=1;i<=14;i++) { r.in.handle = handle; @@ -2396,9 +2398,9 @@ static bool test_QueryInfoPolicyCalls( bool version2, r.out.info = &info; if (version2) - printf("\nTrying QueryInfoPolicy2 level %d\n", i); + torture_comment(tctx, "\nTrying QueryInfoPolicy2 level %d\n", i); else - printf("\nTrying QueryInfoPolicy level %d\n", i); + torture_comment(tctx, "\nTrying QueryInfoPolicy level %d\n", i); if (version2) /* We can perform the cast, because both types are @@ -2413,7 +2415,7 @@ static bool test_QueryInfoPolicyCalls( bool version2, case LSA_POLICY_INFO_AUDIT_FULL_SET: case LSA_POLICY_INFO_AUDIT_FULL_QUERY: if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("Server should have failed level %u: %s\n", i, nt_errstr(status)); + torture_comment(tctx, "Server should have failed level %u: %s\n", i, nt_errstr(status)); ret = false; } break; @@ -2430,9 +2432,9 @@ static bool test_QueryInfoPolicyCalls( bool version2, case LSA_POLICY_INFO_PD: if (!NT_STATUS_IS_OK(status)) { if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; @@ -2441,16 +2443,16 @@ static bool test_QueryInfoPolicyCalls( bool version2, /* Other levels not implemented yet */ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } } else if (!NT_STATUS_IS_OK(status)) { if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; @@ -2522,7 +2524,7 @@ static bool test_GetUserName(struct dcerpc_pipe *p, struct lsa_String *authority_name_p = NULL; struct lsa_String *account_name_p = NULL; - printf("\nTesting GetUserName\n"); + torture_comment(tctx, "\nTesting GetUserName\n"); r.in.system_name = "\\"; r.in.account_name = &account_name_p; @@ -2532,7 +2534,7 @@ static bool test_GetUserName(struct dcerpc_pipe *p, status = dcerpc_lsa_GetUserName(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("GetUserName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(status)); ret = false; } @@ -2544,7 +2546,7 @@ static bool test_GetUserName(struct dcerpc_pipe *p, status = dcerpc_lsa_GetUserName(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("GetUserName failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(status)); ret = false; } @@ -2559,25 +2561,25 @@ bool test_lsa_Close(struct dcerpc_pipe *p, struct lsa_Close r; struct policy_handle handle2; - printf("\nTesting Close\n"); + torture_comment(tctx, "\nTesting Close\n"); r.in.handle = handle; r.out.handle = &handle2; status = dcerpc_lsa_Close(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("Close failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "Close failed - %s\n", nt_errstr(status)); return false; } status = dcerpc_lsa_Close(p, tctx, &r); /* its really a fault - we need a status code for rpc fault */ if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) { - printf("Close failed - %s\n", nt_errstr(status)); + torture_comment(tctx, "Close failed - %s\n", nt_errstr(status)); return false; } - printf("\n"); + torture_comment(tctx, "\n"); return true; } @@ -2625,28 +2627,9 @@ bool torture_rpc_lsa(struct torture_context *tctx) ret = false; } - if (!test_CreateAccount(p, tctx, handle)) { - ret = false; - } - if (!test_CreateSecret(p, tctx, handle)) { ret = false; } - if (!test_CreateTrustedDomain(p, tctx, handle)) { - ret = false; - } - - if (!test_CreateTrustedDomainEx2(p, tctx, handle)) { - ret = false; - } - - if (!test_EnumAccounts(p, tctx, handle)) { - ret = false; - } - - if (!test_EnumPrivs(p, tctx, handle)) { - ret = false; - } if (!test_QueryInfoPolicy(p, tctx, handle)) { ret = false; @@ -2766,3 +2749,104 @@ struct torture_suite *torture_rpc_lsa_lookup_names(TALLOC_CTX *mem_ctx) return suite; } + +static bool testcase_TrustedDomains(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + bool ret = true; + struct policy_handle *handle; + + if (!test_OpenPolicy(p, tctx)) { + ret = false; + } + + if (!test_lsa_OpenPolicy2(p, tctx, &handle)) { + ret = false; + } + + if (!handle) { + ret = false; + } + + if (!test_CreateTrustedDomain(p, tctx, handle)) { + ret = false; + } + + if (!test_CreateTrustedDomainEx2(p, tctx, handle)) { + ret = false; + } + + if (!test_lsa_Close(p, tctx, handle)) { + ret = false; + } + + return ret; +} + +struct torture_suite *torture_rpc_lsa_trusted_domains(TALLOC_CTX *mem_ctx) +{ + struct torture_suite *suite; + struct torture_rpc_tcase *tcase; + + suite = torture_suite_create(mem_ctx, "LSA-TRUSTED-DOMAINS"); + + tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa", + &ndr_table_lsarpc); + torture_rpc_tcase_add_test(tcase, "TrustedDomains", + testcase_TrustedDomains); + + return suite; +} + +static bool testcase_Privileges(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + bool ret = true; + struct policy_handle *handle; + + if (!test_OpenPolicy(p, tctx)) { + ret = false; + } + + if (!test_lsa_OpenPolicy2(p, tctx, &handle)) { + ret = false; + } + + if (!handle) { + ret = false; + } + + if (!test_CreateAccount(p, tctx, handle)) { + ret = false; + } + + if (!test_EnumAccounts(p, tctx, handle)) { + ret = false; + } + + if (!test_EnumPrivs(p, tctx, handle)) { + ret = false; + } + + if (!test_lsa_Close(p, tctx, handle)) { + ret = false; + } + + return ret; +} + + +struct torture_suite *torture_rpc_lsa_privileges(TALLOC_CTX *mem_ctx) +{ + struct torture_suite *suite; + struct torture_rpc_tcase *tcase; + + suite = torture_suite_create(mem_ctx, "LSA-PRIVILEGES"); + + tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa", + &ndr_table_lsarpc); + torture_rpc_tcase_add_test(tcase, "Privileges", + testcase_Privileges); + + return suite; +} diff --git a/source4/torture/rpc/object_uuid.c b/source4/torture/rpc/object_uuid.c index a70266697e..53d03a3ce9 100644 --- a/source4/torture/rpc/object_uuid.c +++ b/source4/torture/rpc/object_uuid.c @@ -35,7 +35,6 @@ static bool test_random_uuid(struct torture_context *torture) { NTSTATUS status; struct dcerpc_pipe *p1, *p2; - struct rpc_request *req; struct GUID uuid; struct dssetup_DsRoleGetPrimaryDomainInformation r1; struct lsa_GetUserName r2; diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c index 4043562ab5..ffdd748470 100644 --- a/source4/torture/rpc/rpc.c +++ b/source4/torture/rpc/rpc.c @@ -431,6 +431,8 @@ NTSTATUS torture_rpc_init(void) torture_suite_add_suite(suite, torture_rpc_lsa_lookup_sids(suite)); torture_suite_add_suite(suite, torture_rpc_lsa_lookup_names(suite)); torture_suite_add_suite(suite, torture_rpc_lsa_secrets(suite)); + torture_suite_add_suite(suite, torture_rpc_lsa_trusted_domains(suite)); + torture_suite_add_suite(suite, torture_rpc_lsa_privileges(suite)); torture_suite_add_suite(suite, torture_rpc_echo(suite)); torture_suite_add_simple_test(suite, "DFS", torture_rpc_dfs); torture_suite_add_suite(suite, torture_rpc_frsapi(suite)); @@ -444,6 +446,7 @@ NTSTATUS torture_rpc_init(void) torture_suite_add_simple_test(suite, "SPOOLSS", torture_rpc_spoolss); torture_suite_add_suite(suite, torture_rpc_spoolss_notify(suite)); torture_suite_add_suite(suite, torture_rpc_spoolss_win(suite)); + torture_suite_add_suite(suite, torture_rpc_spoolss_printer(suite)); torture_suite_add_simple_test(suite, "SAMR", torture_rpc_samr); torture_suite_add_simple_test(suite, "SAMR-USERS", torture_rpc_samr_users); torture_suite_add_simple_test(suite, "SAMR-PASSWORDS", torture_rpc_samr_passwords); diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c index 10e18e1531..ddc14f33a2 100644 --- a/source4/torture/rpc/spoolss.c +++ b/source4/torture/rpc/spoolss.c @@ -26,6 +26,11 @@ #include "torture/rpc/rpc.h" #include "librpc/gen_ndr/ndr_spoolss_c.h" +#define TORTURE_WELLKNOWN_PRINTER "torture_wkn_printer" +#define TORTURE_PRINTER "torture_printer" +#define TORTURE_WELLKNOWN_PRINTER_EX "torture_wkn_printer_ex" +#define TORTURE_PRINTER_EX "torture_printer_ex" + struct test_spoolss_context { /* print server handle */ struct policy_handle server_handle; @@ -75,20 +80,22 @@ struct test_spoolss_context { #define COMPARE_STRING_ARRAY(tctx, c,r,e) -static bool test_OpenPrinter_server(struct torture_context *tctx, struct dcerpc_pipe *p, struct test_spoolss_context *ctx) +static bool test_OpenPrinter_server(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *server_handle) { NTSTATUS status; struct spoolss_OpenPrinter op; - op.in.printername = talloc_asprintf(ctx, "\\\\%s", dcerpc_server_name(p)); + op.in.printername = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); op.in.datatype = NULL; op.in.devmode_ctr.devmode= NULL; op.in.access_mask = 0; - op.out.handle = &ctx->server_handle; + op.out.handle = server_handle; torture_comment(tctx, "Testing OpenPrinter(%s)\n", op.in.printername); - status = dcerpc_spoolss_OpenPrinter(p, ctx, &op); + status = dcerpc_spoolss_OpenPrinter(p, tctx, &op); torture_assert_ntstatus_ok(tctx, status, "dcerpc_spoolss_OpenPrinter failed"); torture_assert_werr_ok(tctx, op.out.result, "dcerpc_spoolss_OpenPrinter failed"); @@ -810,6 +817,564 @@ static bool test_GetPrinter(struct torture_context *tctx, return true; } +static bool test_SetPrinter_errors(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle) +{ + struct spoolss_SetPrinter r; + uint16_t levels[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; + int i; + + struct spoolss_SetPrinterInfoCtr info_ctr; + struct spoolss_DevmodeContainer devmode_ctr; + struct sec_desc_buf secdesc_ctr; + + info_ctr.level = 0; + info_ctr.info.info0 = NULL; + + ZERO_STRUCT(devmode_ctr); + ZERO_STRUCT(secdesc_ctr); + + r.in.handle = handle; + r.in.info_ctr = &info_ctr; + r.in.devmode_ctr = &devmode_ctr; + r.in.secdesc_ctr = &secdesc_ctr; + r.in.command = 0; + + torture_comment(tctx, "Testing SetPrinter all zero\n"); + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_SetPrinter(p, tctx, &r), + "failed to call SetPrinter"); + torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_PARAM, + "failed to call SetPrinter"); + + again: + for (i=0; i < ARRAY_SIZE(levels); i++) { + + struct spoolss_SetPrinterInfo0 info0; + struct spoolss_SetPrinterInfo1 info1; + struct spoolss_SetPrinterInfo2 info2; + struct spoolss_SetPrinterInfo3 info3; + struct spoolss_SetPrinterInfo4 info4; + struct spoolss_SetPrinterInfo5 info5; + struct spoolss_SetPrinterInfo6 info6; + struct spoolss_SetPrinterInfo7 info7; + struct spoolss_DeviceModeInfo info8; + struct spoolss_DeviceModeInfo info9; + + + info_ctr.level = levels[i]; + switch (levels[i]) { + case 0: + ZERO_STRUCT(info0); + info_ctr.info.info0 = &info0; + break; + case 1: + ZERO_STRUCT(info1); + info_ctr.info.info1 = &info1; + break; + case 2: + ZERO_STRUCT(info2); + info_ctr.info.info2 = &info2; + break; + case 3: + ZERO_STRUCT(info3); + info_ctr.info.info3 = &info3; + break; + case 4: + ZERO_STRUCT(info4); + info_ctr.info.info4 = &info4; + break; + case 5: + ZERO_STRUCT(info5); + info_ctr.info.info5 = &info5; + break; + case 6: + ZERO_STRUCT(info6); + info_ctr.info.info6 = &info6; + break; + case 7: + ZERO_STRUCT(info7); + info_ctr.info.info7 = &info7; + break; + case 8: + ZERO_STRUCT(info8); + info_ctr.info.info8 = &info8; + break; + case 9: + ZERO_STRUCT(info9); + info_ctr.info.info9 = &info9; + break; + } + + torture_comment(tctx, "Testing SetPrinter level %d, command %d\n", + info_ctr.level, r.in.command); + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_SetPrinter(p, tctx, &r), + "failed to call SetPrinter"); + + switch (r.in.command) { + case SPOOLSS_PRINTER_CONTROL_UNPAUSE: /* 0 */ + /* is ignored for all levels other then 0 */ + if (info_ctr.level > 0) { + /* ignored then */ + break; + } + case SPOOLSS_PRINTER_CONTROL_PAUSE: /* 1 */ + case SPOOLSS_PRINTER_CONTROL_RESUME: /* 2 */ + case SPOOLSS_PRINTER_CONTROL_PURGE: /* 3 */ + if (info_ctr.level > 0) { + /* is invalid for all levels other then 0 */ + torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_PRINTER_COMMAND, + "unexpected error code returned"); + continue; + } else { + torture_assert_werr_ok(tctx, r.out.result, + "failed to call SetPrinter with non 0 command"); + continue; + } + break; + + case SPOOLSS_PRINTER_CONTROL_SET_STATUS: /* 4 */ + /* FIXME: gd needs further investigation */ + default: + torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_PRINTER_COMMAND, + "unexpected error code returned"); + continue; + } + + switch (info_ctr.level) { + case 1: + torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL, + "unexpected error code returned"); + break; + case 2: + torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_PRINTER_DRIVER, + "unexpected error code returned"); + break; + case 3: + case 4: + case 5: + case 7: + torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_PARAM, + "unexpected error code returned"); + break; + case 9: + torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, + "unexpected error code returned"); + break; + default: + torture_assert_werr_ok(tctx, r.out.result, + "failed to call SetPrinter"); + break; + } + } + + if (r.in.command < 5) { + r.in.command++; + goto again; + } + + return true; +} + +static void clear_info2(struct spoolss_SetPrinterInfoCtr *r) +{ + if ((r->level == 2) && (r->info.info2)) { + r->info.info2->secdesc = NULL; + r->info.info2->devmode = NULL; + } +} + +static bool test_PrinterInfo(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle) +{ + NTSTATUS status; + struct spoolss_SetPrinter s; + struct spoolss_GetPrinter q; + struct spoolss_GetPrinter q0; + struct spoolss_SetPrinterInfoCtr info_ctr; + union spoolss_PrinterInfo info; + struct spoolss_DevmodeContainer devmode_ctr; + struct sec_desc_buf secdesc_ctr; + uint32_t needed; + bool ret = true; + int i; + + uint32_t status_list[] = { + /* these do not stick + PRINTER_STATUS_PAUSED, + PRINTER_STATUS_ERROR, + PRINTER_STATUS_PENDING_DELETION, */ + PRINTER_STATUS_PAPER_JAM, + PRINTER_STATUS_PAPER_OUT, + PRINTER_STATUS_MANUAL_FEED, + PRINTER_STATUS_PAPER_PROBLEM, + PRINTER_STATUS_OFFLINE, + PRINTER_STATUS_IO_ACTIVE, + PRINTER_STATUS_BUSY, + PRINTER_STATUS_PRINTING, + PRINTER_STATUS_OUTPUT_BIN_FULL, + PRINTER_STATUS_NOT_AVAILABLE, + PRINTER_STATUS_WAITING, + PRINTER_STATUS_PROCESSING, + PRINTER_STATUS_INITIALIZING, + PRINTER_STATUS_WARMING_UP, + PRINTER_STATUS_TONER_LOW, + PRINTER_STATUS_NO_TONER, + PRINTER_STATUS_PAGE_PUNT, + PRINTER_STATUS_USER_INTERVENTION, + PRINTER_STATUS_OUT_OF_MEMORY, + PRINTER_STATUS_DOOR_OPEN, + PRINTER_STATUS_SERVER_UNKNOWN, + PRINTER_STATUS_POWER_SAVE, + /* these do not stick + 0x02000000, + 0x04000000, + 0x08000000, + 0x10000000, + 0x20000000, + 0x40000000, + 0x80000000 */ + }; + uint32_t default_attribute = PRINTER_ATTRIBUTE_LOCAL; + uint32_t attribute_list[] = { + PRINTER_ATTRIBUTE_QUEUED, + /* fails with WERR_INVALID_DATATYPE: + PRINTER_ATTRIBUTE_DIRECT, */ + /* does not stick + PRINTER_ATTRIBUTE_DEFAULT, */ + PRINTER_ATTRIBUTE_SHARED, + /* does not stick + PRINTER_ATTRIBUTE_NETWORK, */ + PRINTER_ATTRIBUTE_HIDDEN, + PRINTER_ATTRIBUTE_LOCAL, + PRINTER_ATTRIBUTE_ENABLE_DEVQ, + PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS, + PRINTER_ATTRIBUTE_DO_COMPLETE_FIRST, + PRINTER_ATTRIBUTE_WORK_OFFLINE, + /* does not stick + PRINTER_ATTRIBUTE_ENABLE_BIDI, */ + /* fails with WERR_INVALID_DATATYPE: + PRINTER_ATTRIBUTE_RAW_ONLY, */ + /* these do not stick + PRINTER_ATTRIBUTE_PUBLISHED, + PRINTER_ATTRIBUTE_FAX, + PRINTER_ATTRIBUTE_TS, + 0x00010000, + 0x00020000, + 0x00040000, + 0x00080000, + 0x00100000, + 0x00200000, + 0x00400000, + 0x00800000, + 0x01000000, + 0x02000000, + 0x04000000, + 0x08000000, + 0x10000000, + 0x20000000, + 0x40000000, + 0x80000000 */ + }; + + ZERO_STRUCT(devmode_ctr); + ZERO_STRUCT(secdesc_ctr); + + s.in.handle = handle; + s.in.command = 0; + s.in.info_ctr = &info_ctr; + s.in.devmode_ctr = &devmode_ctr; + s.in.secdesc_ctr = &secdesc_ctr; + + q.in.handle = handle; + q.out.info = &info; + q0 = q; + +#define TESTGETCALL(call, r) \ + r.in.buffer = NULL; \ + r.in.offered = 0;\ + r.out.needed = &needed; \ + status = dcerpc_spoolss_ ##call(p, tctx, &r); \ + if (!NT_STATUS_IS_OK(status)) { \ + torture_comment(tctx, #call " level %u failed - %s (%s)\n", \ + r.in.level, nt_errstr(status), __location__); \ + ret = false; \ + break; \ + }\ + if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) {\ + DATA_BLOB blob = data_blob_talloc(tctx, NULL, needed); \ + data_blob_clear(&blob); \ + r.in.buffer = &blob; \ + r.in.offered = needed; \ + }\ + status = dcerpc_spoolss_ ##call(p, tctx, &r); \ + if (!NT_STATUS_IS_OK(status)) { \ + torture_comment(tctx, #call " level %u failed - %s (%s)\n", \ + r.in.level, nt_errstr(status), __location__); \ + ret = false; \ + break; \ + } \ + if (!W_ERROR_IS_OK(r.out.result)) { \ + torture_comment(tctx, #call " level %u failed - %s (%s)\n", \ + r.in.level, win_errstr(r.out.result), __location__); \ + ret = false; \ + break; \ + } + + +#define TESTSETCALL_EXP(call, r, err) \ + clear_info2(&info_ctr);\ + status = dcerpc_spoolss_ ##call(p, tctx, &r); \ + if (!NT_STATUS_IS_OK(status)) { \ + torture_comment(tctx, #call " level %u failed - %s (%s)\n", \ + r.in.info_ctr->level, nt_errstr(status), __location__); \ + ret = false; \ + break; \ + } \ + if (!W_ERROR_IS_OK(err)) { \ + if (!W_ERROR_EQUAL(err, r.out.result)) { \ + torture_comment(tctx, #call " level %u failed - %s, expected %s (%s)\n", \ + r.in.info_ctr->level, win_errstr(r.out.result), win_errstr(err), __location__); \ + ret = false; \ + } \ + break; \ + } \ + if (!W_ERROR_IS_OK(r.out.result)) { \ + torture_comment(tctx, #call " level %u failed - %s (%s)\n", \ + r.in.info_ctr->level, win_errstr(r.out.result), __location__); \ + ret = false; \ + break; \ + } + +#define TESTSETCALL(call, r) \ + TESTSETCALL_EXP(call, r, WERR_OK) + +#define STRING_EQUAL(s1, s2, field) \ + if ((s1 && !s2) || (s2 && !s1) || strcmp(s1, s2)) { \ + torture_comment(tctx, "Failed to set %s to '%s' (%s)\n", \ + #field, s2, __location__); \ + ret = false; \ + break; \ + } + +#define MEM_EQUAL(s1, s2, length, field) \ + if ((s1 && !s2) || (s2 && !s1) || memcmp(s1, s2, length)) { \ + torture_comment(tctx, "Failed to set %s to '%s' (%s)\n", \ + #field, (const char *)s2, __location__); \ + ret = false; \ + break; \ + } + +#define INT_EQUAL(i1, i2, field) \ + if (i1 != i2) { \ + torture_comment(tctx, "Failed to set %s to 0x%llx - got 0x%llx (%s)\n", \ + #field, (unsigned long long)i2, (unsigned long long)i1, __location__); \ + ret = false; \ + break; \ + } + +#define TEST_PRINTERINFO_STRING_EXP_ERR(lvl1, field1, lvl2, field2, value, err) do { \ + torture_comment(tctx, "field test %d/%s vs %d/%s\n", lvl1, #field1, lvl2, #field2); \ + q.in.level = lvl1; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.level = lvl1; \ + info_ctr.info.info ## lvl1 = (struct spoolss_SetPrinterInfo ## lvl1 *)&q.out.info->info ## lvl1; \ + info_ctr.info.info ## lvl1->field1 = value;\ + TESTSETCALL_EXP(SetPrinter, s, err) \ + info_ctr.info.info ## lvl1->field1 = ""; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.info.info ## lvl1->field1 = value; \ + STRING_EQUAL(info_ctr.info.info ## lvl1->field1, value, field1); \ + q.in.level = lvl2; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.info.info ## lvl2 = (struct spoolss_SetPrinterInfo ## lvl2 *)&q.out.info->info ## lvl2; \ + STRING_EQUAL(info_ctr.info.info ## lvl2->field2, value, field2); \ + } while (0) + +#define TEST_PRINTERINFO_STRING(lvl1, field1, lvl2, field2, value) do { \ + TEST_PRINTERINFO_STRING_EXP_ERR(lvl1, field1, lvl2, field2, value, WERR_OK); \ + } while (0); + +#define TEST_PRINTERINFO_INT_EXP(lvl1, field1, lvl2, field2, value, exp_value) do { \ + torture_comment(tctx, "field test %d/%s vs %d/%s\n", lvl1, #field1, lvl2, #field2); \ + q.in.level = lvl1; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.level = lvl1; \ + info_ctr.info.info ## lvl1 = (struct spoolss_SetPrinterInfo ## lvl1 *)&q.out.info->info ## lvl1; \ + info_ctr.info.info ## lvl1->field1 = value; \ + TESTSETCALL(SetPrinter, s) \ + info_ctr.info.info ## lvl1->field1 = 0; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.info.info ## lvl1 = (struct spoolss_SetPrinterInfo ## lvl1 *)&q.out.info->info ## lvl1; \ + INT_EQUAL(info_ctr.info.info ## lvl1->field1, exp_value, field1); \ + q.in.level = lvl2; \ + TESTGETCALL(GetPrinter, q) \ + info_ctr.info.info ## lvl2 = (struct spoolss_SetPrinterInfo ## lvl2 *)&q.out.info->info ## lvl2; \ + INT_EQUAL(info_ctr.info.info ## lvl2->field2, exp_value, field1); \ + } while (0) + +#define TEST_PRINTERINFO_INT(lvl1, field1, lvl2, field2, value) do { \ + TEST_PRINTERINFO_INT_EXP(lvl1, field1, lvl2, field2, value, value); \ + } while (0) + + q0.in.level = 0; + do { TESTGETCALL(GetPrinter, q0) } while (0); + + TEST_PRINTERINFO_STRING(2, comment, 1, comment, "xx2-1 comment"); + TEST_PRINTERINFO_STRING(2, comment, 2, comment, "xx2-2 comment"); + + /* level 0 printername does not stick */ +/* TEST_PRINTERINFO_STRING(2, printername, 0, printername, "xx2-0 printer"); */ + TEST_PRINTERINFO_STRING(2, printername, 1, name, "xx2-1 printer"); + TEST_PRINTERINFO_STRING(2, printername, 2, printername, "xx2-2 printer"); + TEST_PRINTERINFO_STRING(2, printername, 4, printername, "xx2-4 printer"); + TEST_PRINTERINFO_STRING(2, printername, 5, printername, "xx2-5 printer"); +/* TEST_PRINTERINFO_STRING(4, printername, 0, printername, "xx4-0 printer"); */ + TEST_PRINTERINFO_STRING(4, printername, 1, name, "xx4-1 printer"); + TEST_PRINTERINFO_STRING(4, printername, 2, printername, "xx4-2 printer"); + TEST_PRINTERINFO_STRING(4, printername, 4, printername, "xx4-4 printer"); + TEST_PRINTERINFO_STRING(4, printername, 5, printername, "xx4-5 printer"); +/* TEST_PRINTERINFO_STRING(5, printername, 0, printername, "xx5-0 printer"); */ + TEST_PRINTERINFO_STRING(5, printername, 1, name, "xx5-1 printer"); + TEST_PRINTERINFO_STRING(5, printername, 2, printername, "xx5-2 printer"); + TEST_PRINTERINFO_STRING(5, printername, 4, printername, "xx5-4 printer"); + TEST_PRINTERINFO_STRING(5, printername, 5, printername, "xx5-5 printer"); + + /* servername can be set but does not stick + TEST_PRINTERINFO_STRING(2, servername, 0, servername, "xx2-0 servername"); + TEST_PRINTERINFO_STRING(2, servername, 2, servername, "xx2-2 servername"); + TEST_PRINTERINFO_STRING(2, servername, 4, servername, "xx2-4 servername"); + */ + + /* passing an invalid port will result in WERR_UNKNOWN_PORT */ + TEST_PRINTERINFO_STRING_EXP_ERR(2, portname, 2, portname, "xx2-2 portname", WERR_UNKNOWN_PORT); + TEST_PRINTERINFO_STRING_EXP_ERR(2, portname, 5, portname, "xx2-5 portname", WERR_UNKNOWN_PORT); + TEST_PRINTERINFO_STRING_EXP_ERR(5, portname, 2, portname, "xx5-2 portname", WERR_UNKNOWN_PORT); + TEST_PRINTERINFO_STRING_EXP_ERR(5, portname, 5, portname, "xx5-5 portname", WERR_UNKNOWN_PORT); + + TEST_PRINTERINFO_STRING(2, sharename, 2, sharename, "xx2-2 sharename"); + /* passing an invalid driver will result in WERR_UNKNOWN_PRINTER_DRIVER */ + TEST_PRINTERINFO_STRING_EXP_ERR(2, drivername, 2, drivername, "xx2-2 drivername", WERR_UNKNOWN_PRINTER_DRIVER); + TEST_PRINTERINFO_STRING(2, location, 2, location, "xx2-2 location"); + /* passing an invalid sepfile will result in WERR_INVALID_SEPARATOR_FILE */ + TEST_PRINTERINFO_STRING_EXP_ERR(2, sepfile, 2, sepfile, "xx2-2 sepfile", WERR_INVALID_SEPARATOR_FILE); + /* passing an invalid printprocessor will result in WERR_UNKNOWN_PRINTPROCESSOR */ + TEST_PRINTERINFO_STRING_EXP_ERR(2, printprocessor, 2, printprocessor, "xx2-2 printprocessor", WERR_UNKNOWN_PRINTPROCESSOR); + TEST_PRINTERINFO_STRING(2, datatype, 2, datatype, "xx2-2 datatype"); + TEST_PRINTERINFO_STRING(2, parameters, 2, parameters, "xx2-2 parameters"); + + for (i=0; i < ARRAY_SIZE(attribute_list); i++) { +/* TEST_PRINTERINFO_INT_EXP(2, attributes, 1, flags, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); */ + TEST_PRINTERINFO_INT_EXP(2, attributes, 2, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(2, attributes, 4, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(2, attributes, 5, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); +/* TEST_PRINTERINFO_INT_EXP(4, attributes, 1, flags, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); */ + TEST_PRINTERINFO_INT_EXP(4, attributes, 2, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(4, attributes, 4, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(4, attributes, 5, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); +/* TEST_PRINTERINFO_INT_EXP(5, attributes, 1, flags, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); */ + TEST_PRINTERINFO_INT_EXP(5, attributes, 2, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(5, attributes, 4, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + TEST_PRINTERINFO_INT_EXP(5, attributes, 5, attributes, + attribute_list[i], + (attribute_list[i] | default_attribute) + ); + } + + for (i=0; i < ARRAY_SIZE(status_list); i++) { + /* level 2 sets do not stick + TEST_PRINTERINFO_INT(2, status, 0, status, status_list[i]); + TEST_PRINTERINFO_INT(2, status, 2, status, status_list[i]); + TEST_PRINTERINFO_INT(2, status, 6, status, status_list[i]); */ + TEST_PRINTERINFO_INT(6, status, 0, status, status_list[i]); + TEST_PRINTERINFO_INT(6, status, 2, status, status_list[i]); + TEST_PRINTERINFO_INT(6, status, 6, status, status_list[i]); + } + + /* priorities need to be between 0 and 99 + passing an invalid priority will result in WERR_INVALID_PRIORITY */ + TEST_PRINTERINFO_INT(2, priority, 2, priority, 0); + TEST_PRINTERINFO_INT(2, priority, 2, priority, 1); + TEST_PRINTERINFO_INT(2, priority, 2, priority, 99); + /* TEST_PRINTERINFO_INT(2, priority, 2, priority, 100); */ + TEST_PRINTERINFO_INT(2, defaultpriority,2, defaultpriority, 0); + TEST_PRINTERINFO_INT(2, defaultpriority,2, defaultpriority, 1); + TEST_PRINTERINFO_INT(2, defaultpriority,2, defaultpriority, 99); + /* TEST_PRINTERINFO_INT(2, defaultpriority,2, defaultpriority, 100); */ + + TEST_PRINTERINFO_INT(2, starttime, 2, starttime, __LINE__); + TEST_PRINTERINFO_INT(2, untiltime, 2, untiltime, __LINE__); + + /* does not stick + TEST_PRINTERINFO_INT(2, cjobs, 2, cjobs, __LINE__); + TEST_PRINTERINFO_INT(2, averageppm, 2, averageppm, __LINE__); */ + + /* does not stick + TEST_PRINTERINFO_INT(5, device_not_selected_timeout, 5, device_not_selected_timeout, __LINE__); + TEST_PRINTERINFO_INT(5, transmission_retry_timeout, 5, transmission_retry_timeout, __LINE__); */ + + /* FIXME: gd also test devmode and secdesc behavior */ + + { + /* verify composition of level 1 description field */ + const char *description; + const char *tmp; + + q0.in.level = 1; + do { TESTGETCALL(GetPrinter, q0) } while (0); + + description = talloc_strdup(tctx, q0.out.info->info1.description); + + q0.in.level = 2; + do { TESTGETCALL(GetPrinter, q0) } while (0); + + tmp = talloc_asprintf(tctx, "%s,%s,%s", + q0.out.info->info2.printername, + q0.out.info->info2.drivername, + q0.out.info->info2.location); + + do { STRING_EQUAL(description, tmp, "description")} while (0); + } + + return ret; +} + static bool test_ClosePrinter(struct torture_context *tctx, struct dcerpc_pipe *p, @@ -1972,12 +2537,45 @@ static bool test_EnumPrinters_old(struct torture_context *tctx, struct dcerpc_pi return ret; } -#if 0 -static bool test_GetPrinterDriver2(struct dcerpc_pipe *p, +static bool test_GetPrinterDriver(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle, + const char *driver_name) +{ + struct spoolss_GetPrinterDriver r; + uint32_t needed; + + r.in.handle = handle; + r.in.architecture = "W32X86"; + r.in.level = 1; + r.in.buffer = NULL; + r.in.offered = 0; + r.out.needed = &needed; + + torture_comment(tctx, "Testing GetPrinterDriver level %d\n", r.in.level); + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_GetPrinterDriver(p, tctx, &r), + "failed to call GetPrinterDriver"); + if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) { + DATA_BLOB blob = data_blob_talloc(tctx, NULL, needed); + data_blob_clear(&blob); + r.in.buffer = &blob; + r.in.offered = needed; + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_GetPrinterDriver(p, tctx, &r), + "failed to call GetPrinterDriver"); + } + + torture_assert_werr_ok(tctx, r.out.result, + "failed to call GetPrinterDriver"); + + return true; +} + +static bool test_GetPrinterDriver2(struct torture_context *tctx, + struct dcerpc_pipe *p, struct policy_handle *handle, const char *driver_name) { - NTSTATUS status; struct spoolss_GetPrinterDriver2 r; uint32_t needed; uint32_t server_major_version; @@ -1994,34 +2592,24 @@ static bool test_GetPrinterDriver2(struct dcerpc_pipe *p, r.out.server_major_version = &server_major_version; r.out.server_minor_version = &server_minor_version; - printf("Testing GetPrinterDriver2\n"); - - status = dcerpc_spoolss_GetPrinterDriver2(p, tctx, &r); - if (!NT_STATUS_IS_OK(status)) { - printf("GetPrinterDriver2 failed - %s\n", nt_errstr(status)); - return false; - } + torture_comment(tctx, "Testing GetPrinterDriver2 level %d\n", r.in.level); + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_GetPrinterDriver2(p, tctx, &r), + "failed to call GetPrinterDriver2"); if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) { + DATA_BLOB blob = data_blob_talloc(tctx, NULL, needed); + data_blob_clear(&blob); + r.in.buffer = &blob; r.in.offered = needed; - status = dcerpc_spoolss_GetPrinterDriver2(p, tctx, &r); - } - - if (!NT_STATUS_IS_OK(status)) { - printf("GetPrinterDriver2 failed - %s\n", - nt_errstr(status)); - return false; + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_GetPrinterDriver2(p, tctx, &r), + "failed to call GetPrinterDriver2"); } - if (!W_ERROR_IS_OK(r.out.result)) { - printf("GetPrinterDriver2 failed - %s\n", - win_errstr(r.out.result)); - return false; - } + torture_assert_werr_ok(tctx, r.out.result, + "failed to call GetPrinterDriver2"); return true; } -#endif static bool test_EnumPrinterDrivers_old(struct torture_context *tctx, struct dcerpc_pipe *p) @@ -2073,6 +2661,432 @@ static bool test_EnumPrinterDrivers_old(struct torture_context *tctx, return true; } +static bool test_DeletePrinter(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle) +{ + struct spoolss_DeletePrinter r; + + torture_comment(tctx, "Testing DeletePrinter\n"); + + r.in.handle = handle; + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_DeletePrinter(p, tctx, &r), + "failed to delete printer"); + torture_assert_werr_ok(tctx, r.out.result, + "failed to delete printer"); + + return true; +} + +static bool test_EnumPrinters_findname(struct torture_context *tctx, + struct dcerpc_pipe *p, + uint32_t flags, + uint32_t level, + const char *name, + bool *found) +{ + struct spoolss_EnumPrinters e; + uint32_t count; + union spoolss_PrinterInfo *info; + uint32_t needed; + int i; + + *found = false; + + e.in.flags = flags; + e.in.server = NULL; + e.in.level = level; + e.in.buffer = NULL; + e.in.offered = 0; + e.out.count = &count; + e.out.info = &info; + e.out.needed = &needed; + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_EnumPrinters(p, tctx, &e), + "failed to enum printers"); + + if (W_ERROR_EQUAL(e.out.result, WERR_INSUFFICIENT_BUFFER)) { + DATA_BLOB blob = data_blob_talloc(tctx, NULL, needed); + data_blob_clear(&blob); + e.in.buffer = &blob; + e.in.offered = needed; + + torture_assert_ntstatus_ok(tctx, dcerpc_spoolss_EnumPrinters(p, tctx, &e), + "failed to enum printers"); + } + + torture_assert_werr_ok(tctx, e.out.result, + "failed to enum printers"); + + for (i=0; i < count; i++) { + + const char *current = NULL; + + switch (level) { + case 1: + current = info[i].info1.name; + break; + } + + if (strequal(current, name)) { + *found = true; + break; + } + } + + return true; +} + +static bool test_AddPrinter_wellknown(struct torture_context *tctx, + struct dcerpc_pipe *p, + const char *printername, + bool ex) +{ + WERROR result; + struct spoolss_AddPrinter r; + struct spoolss_AddPrinterEx rex; + struct spoolss_SetPrinterInfoCtr info_ctr; + struct spoolss_SetPrinterInfo1 info1; + struct spoolss_DevmodeContainer devmode_ctr; + struct sec_desc_buf secdesc_ctr; + struct spoolss_UserLevelCtr userlevel_ctr; + struct policy_handle handle; + bool found = false; + + ZERO_STRUCT(devmode_ctr); + ZERO_STRUCT(secdesc_ctr); + ZERO_STRUCT(userlevel_ctr); + ZERO_STRUCT(info1); + + torture_comment(tctx, "Testing AddPrinter%s level 1\n", ex ? "Ex":""); + + /* try to add printer to wellknown printer list (level 1) */ + + userlevel_ctr.level = 1; + + info_ctr.info.info1 = &info1; + info_ctr.level = 1; + + rex.in.server = NULL; + rex.in.info_ctr = &info_ctr; + rex.in.devmode_ctr = &devmode_ctr; + rex.in.secdesc_ctr = &secdesc_ctr; + rex.in.userlevel_ctr = &userlevel_ctr; + rex.out.handle = &handle; + + r.in.server = NULL; + r.in.info_ctr = &info_ctr; + r.in.devmode_ctr = &devmode_ctr; + r.in.secdesc_ctr = &secdesc_ctr; + r.out.handle = &handle; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_INVALID_PRINTER_NAME, + "unexpected result code"); + + info1.name = printername; + info1.flags = PRINTER_ATTRIBUTE_SHARED; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_PRINTER_ALREADY_EXISTS, + "unexpected result code"); + + /* bizarre protocol, WERR_PRINTER_ALREADY_EXISTS means success here, + better do a real check to see the printer is really there */ + + torture_assert(tctx, test_EnumPrinters_findname(tctx, p, + PRINTER_ENUM_NETWORK, 1, + printername, + &found), + "failed to enum printers"); + + torture_assert(tctx, found, "failed to find newly added printer"); + + info1.flags = 0; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_PRINTER_ALREADY_EXISTS, + "unexpected result code"); + + /* bizarre protocol, WERR_PRINTER_ALREADY_EXISTS means success here, + better do a real check to see the printer has really been removed + from the well known printer list */ + + found = false; + + torture_assert(tctx, test_EnumPrinters_findname(tctx, p, + PRINTER_ENUM_NETWORK, 1, + printername, + &found), + "failed to enum printers"); +#if 0 + torture_assert(tctx, !found, "printer still in well known printer list"); +#endif + return true; +} + +static bool test_AddPrinter_normal(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle_p, + const char *printername, + const char *drivername, + const char *portname, + bool ex) +{ + WERROR result; + struct spoolss_AddPrinter r; + struct spoolss_AddPrinterEx rex; + struct spoolss_SetPrinterInfoCtr info_ctr; + struct spoolss_SetPrinterInfo2 info2; + struct spoolss_DevmodeContainer devmode_ctr; + struct sec_desc_buf secdesc_ctr; + struct spoolss_UserLevelCtr userlevel_ctr; + struct policy_handle handle; + bool found = false; + + ZERO_STRUCT(devmode_ctr); + ZERO_STRUCT(secdesc_ctr); + ZERO_STRUCT(userlevel_ctr); + + torture_comment(tctx, "Testing AddPrinter%s level 2\n", ex ? "Ex":""); + + userlevel_ctr.level = 1; + + rex.in.server = NULL; + rex.in.info_ctr = &info_ctr; + rex.in.devmode_ctr = &devmode_ctr; + rex.in.secdesc_ctr = &secdesc_ctr; + rex.in.userlevel_ctr = &userlevel_ctr; + rex.out.handle = &handle; + + r.in.server = NULL; + r.in.info_ctr = &info_ctr; + r.in.devmode_ctr = &devmode_ctr; + r.in.secdesc_ctr = &secdesc_ctr; + r.out.handle = &handle; + + again: + + /* try to add printer to printer list (level 2) */ + + ZERO_STRUCT(info2); + + info_ctr.info.info2 = &info2; + info_ctr.level = 2; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_INVALID_PRINTER_NAME, + "unexpected result code"); + + info2.printername = printername; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + + if (W_ERROR_EQUAL(result, WERR_PRINTER_ALREADY_EXISTS)) { + struct policy_handle printer_handle; + + torture_assert(tctx, call_OpenPrinterEx(tctx, p, printername, &printer_handle), + "failed to open printer handle"); + + torture_assert(tctx, test_DeletePrinter(tctx, p, &printer_handle), + "failed to delete printer"); + + torture_assert(tctx, test_ClosePrinter(tctx, p, &printer_handle), + "failed to close server handle"); + + goto again; + } + + torture_assert_werr_equal(tctx, result, WERR_UNKNOWN_PORT, + "unexpected result code"); + + info2.portname = portname; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_UNKNOWN_PRINTER_DRIVER, + "unexpected result code"); + + info2.drivername = drivername; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_UNKNOWN_PRINTPROCESSOR, + "unexpected result code"); + + info2.printprocessor = "winprint"; + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_ok(tctx, result, + "failed to add printer"); + + *handle_p = handle; + + /* we are paranoid, really check if the printer is there now */ + + torture_assert(tctx, test_EnumPrinters_findname(tctx, p, + PRINTER_ENUM_LOCAL, 1, + printername, + &found), + "failed to enum printers"); + torture_assert(tctx, found, "failed to find newly added printer"); + + torture_assert_ntstatus_ok(tctx, ex ? dcerpc_spoolss_AddPrinterEx(p, tctx, &rex) : + dcerpc_spoolss_AddPrinter(p, tctx, &r), + "failed to add printer"); + result = ex ? rex.out.result : r.out.result; + torture_assert_werr_equal(tctx, result, WERR_PRINTER_ALREADY_EXISTS, + "unexpected result code"); + + return true; +} + +static bool test_AddPrinterEx(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle_p, + const char *printername, + const char *drivername, + const char *portname) +{ + bool ret = true; + + if (!torture_setting_bool(tctx, "samba3", false)) { + if (!test_AddPrinter_wellknown(tctx, p, TORTURE_WELLKNOWN_PRINTER_EX, true)) { + torture_comment(tctx, "failed to add printer to well known list\n"); + ret = false; + } + } + + if (!test_AddPrinter_normal(tctx, p, handle_p, + printername, drivername, portname, + true)) { + torture_comment(tctx, "failed to add printer to printer list\n"); + ret = false; + } + + return ret; +} + +static bool test_AddPrinter(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle_p, + const char *printername, + const char *drivername, + const char *portname) +{ + bool ret = true; + + if (!torture_setting_bool(tctx, "samba3", false)) { + if (!test_AddPrinter_wellknown(tctx, p, TORTURE_WELLKNOWN_PRINTER, false)) { + torture_comment(tctx, "failed to add printer to well known list\n"); + ret = false; + } + } + + if (!test_AddPrinter_normal(tctx, p, handle_p, + printername, drivername, portname, + false)) { + torture_comment(tctx, "failed to add printer to printer list\n"); + ret = false; + } + + return ret; +} + +static bool test_printer_info(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct policy_handle *handle) +{ + bool ret = true; + + if (!test_PrinterInfo(tctx, p, handle)) { + ret = false; + } + + if (!test_SetPrinter_errors(tctx, p, handle)) { + ret = false; + } + + return ret; +} + +static bool test_printer(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + bool ret = true; + struct policy_handle handle[2]; + bool found = false; + const char *drivername = "Microsoft XPS Document Writer"; + const char *portname = "LPT1:"; + + /* test printer created via AddPrinter */ + + if (!test_AddPrinter(tctx, p, &handle[0], TORTURE_PRINTER, drivername, portname)) { + return false; + } + + if (!test_printer_info(tctx, p, &handle[0])) { + ret = false; + } + + if (!test_DeletePrinter(tctx, p, &handle[0])) { + ret = false; + } + + if (!test_EnumPrinters_findname(tctx, p, PRINTER_ENUM_LOCAL, 1, + TORTURE_PRINTER, &found)) { + ret = false; + } + + torture_assert(tctx, !found, "deleted printer still there"); + + /* test printer created via AddPrinterEx */ + + if (!test_AddPrinterEx(tctx, p, &handle[1], TORTURE_PRINTER_EX, drivername, portname)) { + return false; + } + + if (!test_printer_info(tctx, p, &handle[1])) { + ret = false; + } + + if (!test_DeletePrinter(tctx, p, &handle[1])) { + ret = false; + } + + if (!test_EnumPrinters_findname(tctx, p, PRINTER_ENUM_LOCAL, 1, + TORTURE_PRINTER_EX, &found)) { + ret = false; + } + + torture_assert(tctx, !found, "deleted printer still there"); + + return ret; +} + bool torture_rpc_spoolss(struct torture_context *torture) { NTSTATUS status; @@ -2087,7 +3101,7 @@ bool torture_rpc_spoolss(struct torture_context *torture) ctx = talloc_zero(torture, struct test_spoolss_context); - ret &= test_OpenPrinter_server(torture, p, ctx); + ret &= test_OpenPrinter_server(torture, p, &ctx->server_handle); ret &= test_GetPrinterData(torture, p, &ctx->server_handle, "W3SvcInstalled"); ret &= test_GetPrinterData(torture, p, &ctx->server_handle, "BeepEnabled"); @@ -2129,3 +3143,15 @@ bool torture_rpc_spoolss(struct torture_context *torture) return ret; } + +struct torture_suite *torture_rpc_spoolss_printer(TALLOC_CTX *mem_ctx) +{ + struct torture_suite *suite = torture_suite_create(mem_ctx, "SPOOLSS-PRINTER"); + + struct torture_rpc_tcase *tcase = torture_suite_add_rpc_iface_tcase(suite, + "printer", &ndr_table_spoolss); + + torture_rpc_tcase_add_test(tcase, "printer", test_printer); + + return suite; +} diff --git a/source4/torture/smb2/config.mk b/source4/torture/smb2/config.mk index bc4fc15e07..b321b41bdd 100644 --- a/source4/torture/smb2/config.mk +++ b/source4/torture/smb2/config.mk @@ -22,6 +22,7 @@ TORTURE_SMB2_OBJ_FILES = $(addprefix $(torturesrcdir)/smb2/, \ smb2.o \ durable_open.o \ oplocks.o \ + dir.o \ lease.o \ create.o \ read.o \ diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c index bd1abce827..fd32b52111 100644 --- a/source4/torture/smb2/connect.c +++ b/source4/torture/smb2/connect.c @@ -200,6 +200,8 @@ bool torture_smb2_connect(struct torture_context *torture) return false; } + smb2_util_unlink(tree, "test9.dat"); + h1 = torture_smb2_createfile(tree, "test9.dat"); h2 = torture_smb2_createfile(tree, "test9.dat"); status = torture_smb2_write(torture, tree, h1); diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c index 58cf2229bc..4b44a50bbd 100644 --- a/source4/torture/smb2/dir.c +++ b/source4/torture/smb2/dir.c @@ -1,20 +1,22 @@ -/* +/* Unix SMB/CIFS implementation. SMB2 dir list test suite Copyright (C) Andrew Tridgell 2005 - + Copyright (C) Zachary Loafman 2009 + Copyright (C) Aravind Srinivasan 2009 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -22,72 +24,1307 @@ #include "includes.h" #include "libcli/smb2/smb2.h" #include "libcli/smb2/smb2_calls.h" +#include "libcli/smb_composite/smb_composite.h" +#include "libcli/raw/libcliraw.h" +#include "libcli/raw/raw_proto.h" +#include "libcli/libcli.h" #include "torture/torture.h" #include "torture/smb2/proto.h" +#include "torture/util.h" + +#include "system/filesys.h" + +#define CHECK_STATUS(status, correct) do { \ + if (!NT_STATUS_EQUAL(status, correct)) { \ + torture_result(tctx, TORTURE_FAIL, __location__": \ + Incorrect status %s - should be %s", \ + nt_errstr(status), nt_errstr(correct)); \ + ret = false; \ + goto done; \ + }} while (0) + +#define CHECK_VALUE(v, correct) torture_assert_int_equal(tctx, (v), \ + (correct), "incorrect value"); + +#define DNAME "smb2_dir" +#define NFILES 100 + +struct file_elem { + char *name; + bool found; +}; + +static NTSTATUS populate_tree(struct torture_context *tctx, + TALLOC_CTX *mem_ctx, + struct smb2_tree *tree, + struct file_elem *files, + int nfiles, + struct smb2_handle *h_out) +{ + struct smb2_create create; + NTSTATUS status; + bool ret; + int i; + + smb2_deltree(tree, DNAME); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_DIR_ALL; + create.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + create.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; + create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE | + NTCREATEX_SHARE_ACCESS_DELETE; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + create.in.fname = DNAME; + + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + *h_out = create.out.file.handle; + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + for (i = 0; i < nfiles; i++) { + files[i].name = generate_random_str(tctx, 8); + create.in.fname = talloc_asprintf(mem_ctx, "%s\\%s", + DNAME, files[i].name); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + } + done: + return status; +} /* test find continue */ -static bool torture_smb2_find_dir(struct smb2_tree *tree) + +static bool test_find(struct torture_context *tctx, + struct smb2_tree *tree) { - struct smb2_handle handle; - NTSTATUS status; - int i; + TALLOC_CTX *mem_ctx = talloc_new(tctx); + struct smb2_handle h; struct smb2_find f; - bool ret = true; union smb_search_data *d; + struct file_elem files[NFILES] = {}; + NTSTATUS status; + bool ret = true; uint_t count; + int i, j, file_count = 0; - status = smb2_util_roothandle(tree, &handle); - if (!NT_STATUS_IS_OK(status)) { - return false; + status = populate_tree(tctx, mem_ctx, tree, files, NFILES, &h); + + ZERO_STRUCT(f); + f.in.file.handle = h; + f.in.pattern = "*"; + f.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; + f.in.max_response_size = 0x100; + f.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + + for (i = 0; i < count; i++) { + bool expected; + const char *found = d[i].both_directory_info.name.s; + + if (!strcmp(found, ".") || !strcmp(found, "..")) + continue; + + expected = false; + for (j = 0; j < NFILES; j++) { + if (!strcmp(files[j].name, found)) { + files[j].found = true; + expected = true; + break; + } + } + + if (expected) + continue; + + torture_result(tctx, TORTURE_FAIL, + "(%s): didn't expect %s\n", + __location__, found); + ret = false; + goto done; + } + + file_count = file_count + i; + f.in.continue_flags = 0; + f.in.max_response_size = 4096; + } while (count != 0); + + CHECK_VALUE(file_count, NFILES + 2); + + for (i = 0; i < NFILES; i++) { + if (files[j].found) + continue; + + torture_result(tctx, TORTURE_FAIL, + "(%s): expected to find %s, but didn't\n", + __location__, files[j].name); + ret = false; + goto done; } + done: + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); + + return ret; +} + +/* + test fixed enumeration +*/ + +static bool test_fixed(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + struct smb2_create create; + struct smb2_handle h, h2; + struct smb2_find f; + union smb_search_data *d; + struct file_elem files[NFILES] = {}; + NTSTATUS status; + bool ret = true; + uint_t count; + int i; + + status = populate_tree(tctx, mem_ctx, tree, files, NFILES, &h); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_DIR_ALL; + create.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + create.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; + create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE | + NTCREATEX_SHARE_ACCESS_DELETE; + create.in.create_disposition = NTCREATEX_DISP_OPEN; + create.in.fname = DNAME; + + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + h2 = create.out.file.handle; + ZERO_STRUCT(f); - f.in.file.handle = handle; + f.in.file.handle = h; f.in.pattern = "*"; f.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; f.in.max_response_size = 0x100; f.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; + /* Start enumeration on h, then delete all from h2 */ + status = smb2_find_level(tree, tree, &f, &count, &d); + CHECK_STATUS(status, NT_STATUS_OK); + + f.in.file.handle = h2; + do { status = smb2_find_level(tree, tree, &f, &count, &d); - if (!NT_STATUS_IS_OK(status)) { - printf("SMB2_FIND_ID_BOTH_DIRECTORY_INFO failed - %s\n", nt_errstr(status)); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) break; + CHECK_STATUS(status, NT_STATUS_OK); + + for (i = 0; i < count; i++) { + const char *found = d[i].both_directory_info.name.s; + char *path = talloc_asprintf(mem_ctx, "%s\\%s", + DNAME, found); + + if (!strcmp(found, ".") || !strcmp(found, "..")) + continue; + + status = smb2_util_unlink(tree, path); + CHECK_STATUS(status, NT_STATUS_OK); + + talloc_free(path); } - printf("Got %d files\n", count); - for (i=0;i<count;i++) { - printf("\t'%s'\n", - d[i].both_directory_info.name.s); + f.in.continue_flags = 0; + f.in.max_response_size = 4096; + } while (count != 0); + + /* Now finish h enumeration. */ + f.in.file.handle = h; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + + for (i = 0; i < count; i++) { + const char *found = d[i].both_directory_info.name.s; + + if (!strcmp(found, ".") || !strcmp(found, "..")) + continue; + + torture_result(tctx, TORTURE_FAIL, + "(%s): didn't expect %s\n", + __location__, found); + ret = false; + goto done; } + f.in.continue_flags = 0; f.in.max_response_size = 4096; } while (count != 0); + done: + smb2_util_close(tree, h); + smb2_util_close(tree, h2); + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); return ret; } +static struct { + const char *name; + uint8_t level; + enum smb_search_data_level data_level; + int name_offset; + int resume_key_offset; + uint32_t capability_mask; + NTSTATUS status; + union smb_search_data data; +} levels[] = { + {"SMB2_FIND_DIRECTORY_INFO", + SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, + offsetof(union smb_search_data, directory_info.name.s), + offsetof(union smb_search_data, directory_info.file_index), + }, + {"SMB2_FIND_FULL_DIRECTORY_INFO", + SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, + offsetof(union smb_search_data, full_directory_info.name.s), + offsetof(union smb_search_data, full_directory_info.file_index), + }, + {"SMB2_FIND_NAME_INFO", + SMB2_FIND_NAME_INFO, RAW_SEARCH_DATA_NAME_INFO, + offsetof(union smb_search_data, name_info.name.s), + offsetof(union smb_search_data, name_info.file_index), + }, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", + SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, + offsetof(union smb_search_data, both_directory_info.name.s), + offsetof(union smb_search_data, both_directory_info.file_index), + }, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", + SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, + offsetof(union smb_search_data, id_full_directory_info.name.s), + offsetof(union smb_search_data, id_full_directory_info.file_index), + }, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", + SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, + offsetof(union smb_search_data, id_both_directory_info.name.s), + offsetof(union smb_search_data, id_both_directory_info.file_index), + } +}; + +/* + extract the name from a smb_data structure and level +*/ +static const char *extract_name(union smb_search_data *data, + uint8_t level, + enum smb_search_data_level data_level) +{ + int i; + for (i=0;i<ARRAY_SIZE(levels);i++) { + if (level == levels[i].level && + data_level == levels[i].data_level) { + return *(const char **)(levels[i].name_offset + (char *)data); + } + } + return NULL; +} + +/* find a level in the table by name */ +static union smb_search_data *find(const char *name) +{ + int i; + for (i=0;i<ARRAY_SIZE(levels);i++) { + if (NT_STATUS_IS_OK(levels[i].status) && + strcmp(levels[i].name, name) == 0) { + return &levels[i].data; + } + } + return NULL; +} + +static bool fill_level_data(TALLOC_CTX *mem_ctx, + union smb_search_data *data, + union smb_search_data *d, + uint_t count, + uint8_t level, + enum smb_search_data_level data_level) +{ + int i; + const char *sname = NULL; + for (i=0; i < count ; i++) { + sname = extract_name(&d[i], level, data_level); + if (sname == NULL) + return false; + if (!strcmp(sname, ".") || !strcmp(sname, "..")) + continue; + *data = d[i]; + } + return true; +} + + +NTSTATUS torture_single_file_search(struct smb2_tree *tree, + TALLOC_CTX *mem_ctx, + const char *pattern, + uint8_t level, + enum smb_search_data_level data_level, + int index, + union smb_search_data *d, + uint_t *count, + struct smb2_handle *h) +{ + struct smb2_find f; + NTSTATUS status; + + ZERO_STRUCT(f); + f.in.file.handle = *h; + f.in.pattern = pattern; + f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; + f.in.max_response_size = 0x100; + f.in.level = level; + + status = smb2_find_level(tree, tree, &f, count, &d); + if (NT_STATUS_IS_OK(status)) + fill_level_data(mem_ctx, &levels[index].data, d, *count, level, + data_level); + return status; +} + +/* + basic testing of all File Information Classes using a single file +*/ +static bool test_one_file(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + bool ret = true; + const char *fname = "torture_search.txt"; + NTSTATUS status; + int i; + uint_t count; + union smb_fileinfo all_info2, alt_info, internal_info; + union smb_search_data *s; + union smb_search_data d; + struct smb2_handle h, h2; + + status = torture_smb2_testdir(tree, DNAME, &h); + CHECK_STATUS(status, NT_STATUS_OK); + + status = smb2_create_complex_file(tree, DNAME "\\torture_search.txt", + &h2); + CHECK_STATUS(status, NT_STATUS_OK); + + /* call all the File Information Classes */ + for (i=0;i<ARRAY_SIZE(levels);i++) { + torture_comment(tctx, "testing %s %d\n", levels[i].name, + levels[i].level); + + levels[i].status = torture_single_file_search(tree, mem_ctx, + fname, levels[i].level, levels[i].data_level, + i, &d, &count, &h); + CHECK_STATUS(levels[i].status, NT_STATUS_OK); + } + + /* get the all_info file into to check against */ + all_info2.generic.level = RAW_FILEINFO_SMB2_ALL_INFORMATION; + all_info2.generic.in.file.handle = h2; + status = smb2_getinfo_file(tree, tctx, &all_info2); + torture_assert_ntstatus_ok(tctx, status, + "RAW_FILEINFO_ALL_INFO failed"); + + alt_info.generic.level = RAW_FILEINFO_ALT_NAME_INFORMATION; + alt_info.generic.in.file.handle = h2; + status = smb2_getinfo_file(tree, tctx, &alt_info); + torture_assert_ntstatus_ok(tctx, status, + "RAW_FILEINFO_ALT_NAME_INFO failed"); + + internal_info.generic.level = RAW_FILEINFO_INTERNAL_INFORMATION; + internal_info.generic.in.file.handle = h2; + status = smb2_getinfo_file(tree, tctx, &internal_info); + torture_assert_ntstatus_ok(tctx, status, + "RAW_FILEINFO_INTERNAL_INFORMATION failed"); + +#define CHECK_VAL(name, sname1, field1, v, sname2, field2) do { \ + s = find(name); \ + if (s) { \ + if ((s->sname1.field1) != (v.sname2.out.field2)) { \ + printf("(%s) %s/%s [0x%x] != %s/%s [0x%x]\n", \ + __location__, \ + #sname1, #field1, (int)s->sname1.field1, \ + #sname2, #field2, (int)v.sname2.out.field2); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_TIME(name, sname1, field1, v, sname2, field2) do { \ + s = find(name); \ + if (s) { \ + if (s->sname1.field1 != \ + (~1 & nt_time_to_unix(v.sname2.out.field2))) { \ + printf("(%s) %s/%s [%s] != %s/%s [%s]\n", \ + __location__, \ + #sname1, #field1, \ + timestring(tctx, s->sname1.field1), \ + #sname2, #field2, \ + nt_time_string(tctx, v.sname2.out.field2)); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_NTTIME(name, sname1, field1, v, sname2, field2) do { \ + s = find(name); \ + if (s) { \ + if (s->sname1.field1 != v.sname2.out.field2) { \ + printf("(%s) %s/%s [%s] != %s/%s [%s]\n", \ + __location__, \ + #sname1, #field1, \ + nt_time_string(tctx, s->sname1.field1), \ + #sname2, #field2, \ + nt_time_string(tctx, v.sname2.out.field2)); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_STR(name, sname1, field1, v, sname2, field2) do { \ + s = find(name); \ + if (s) { \ + if (!s->sname1.field1 || \ + strcmp(s->sname1.field1, v.sname2.out.field2.s)) { \ + printf("(%s) %s/%s [%s] != %s/%s [%s]\n", \ + __location__, \ + #sname1, #field1, s->sname1.field1, \ + #sname2, #field2, v.sname2.out.field2.s); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_WSTR(name, sname1, field1, v, sname2, field2, flags) do { \ + s = find(name); \ + if (s) { \ + if (!s->sname1.field1.s || \ + strcmp(s->sname1.field1.s, v.sname2.out.field2.s)) { \ + printf("(%s) %s/%s [%s] != %s/%s [%s]\n", \ + __location__, \ + #sname1, #field1, s->sname1.field1.s, \ + #sname2, #field2, v.sname2.out.field2.s); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_NAME(name, sname1, field1, fname, flags) do { \ + s = find(name); \ + if (s) { \ + if (!s->sname1.field1.s || \ + strcmp(s->sname1.field1.s, fname)) { \ + printf("(%s) %s/%s [%s] != %s\n", \ + __location__, \ + #sname1, #field1, s->sname1.field1.s, \ + fname); \ + ret = false; \ + } \ + }} while (0) + +#define CHECK_UNIX_NAME(name, sname1, field1, fname, flags) do { \ + s = find(name); \ + if (s) { \ + if (!s->sname1.field1 || \ + strcmp(s->sname1.field1, fname)) { \ + printf("(%s) %s/%s [%s] != %s\n", \ + __location__, \ + #sname1, #field1, s->sname1.field1, \ + fname); \ + ret = false; \ + } \ + }} while (0) + + /* check that all the results are as expected */ + CHECK_VAL("SMB2_FIND_DIRECTORY_INFO", directory_info, attrib, all_info2, all_info2, attrib); + CHECK_VAL("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, attrib, all_info2, all_info2, attrib); + CHECK_VAL("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, attrib, all_info2, all_info2, attrib); + CHECK_VAL("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, attrib, all_info2, all_info2, attrib); + CHECK_VAL("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, attrib, all_info2, all_info2, attrib); + + CHECK_NTTIME("SMB2_FIND_DIRECTORY_INFO", directory_info, write_time, all_info2, all_info2, write_time); + CHECK_NTTIME("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, write_time, all_info2, all_info2, write_time); + CHECK_NTTIME("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, write_time, all_info2, all_info2, write_time); + CHECK_NTTIME("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, write_time, all_info2, all_info2, write_time); + CHECK_NTTIME("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, write_time, all_info2, all_info2, write_time); + + CHECK_NTTIME("SMB2_FIND_DIRECTORY_INFO", directory_info, create_time, all_info2, all_info2, create_time); + CHECK_NTTIME("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, create_time, all_info2, all_info2, create_time); + CHECK_NTTIME("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, create_time, all_info2, all_info2, create_time); + CHECK_NTTIME("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, create_time, all_info2, all_info2, create_time); + CHECK_NTTIME("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, create_time, all_info2, all_info2, create_time); + CHECK_NTTIME("SMB2_FIND_DIRECTORY_INFO", directory_info, access_time, all_info2, all_info2, access_time); + CHECK_NTTIME("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, access_time, all_info2, all_info2, access_time); + CHECK_NTTIME("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, access_time, all_info2, all_info2, access_time); + CHECK_NTTIME("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, access_time, all_info2, all_info2, access_time); + CHECK_NTTIME("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, access_time, all_info2, all_info2, access_time); + + CHECK_NTTIME("SMB2_FIND_DIRECTORY_INFO", directory_info, change_time, all_info2, all_info2, change_time); + CHECK_NTTIME("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, change_time, all_info2, all_info2, change_time); + CHECK_NTTIME("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, change_time, all_info2, all_info2, change_time); + CHECK_NTTIME("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, change_time, all_info2, all_info2, change_time); + CHECK_NTTIME("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, change_time, all_info2, all_info2, change_time); + + CHECK_VAL("SMB2_FIND_DIRECTORY_INFO", directory_info, size, all_info2, all_info2, size); + CHECK_VAL("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, size, all_info2, all_info2, size); + CHECK_VAL("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, size, all_info2, all_info2, size); + CHECK_VAL("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, size, all_info2, all_info2, size); + CHECK_VAL("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, size, all_info2, all_info2, size); + + CHECK_VAL("SMB2_FIND_DIRECTORY_INFO", directory_info, alloc_size, all_info2, all_info2, alloc_size); + CHECK_VAL("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, alloc_size, all_info2, all_info2, alloc_size); + CHECK_VAL("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, alloc_size, all_info2, all_info2, alloc_size); + CHECK_VAL("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, alloc_size, all_info2, all_info2, alloc_size); + CHECK_VAL("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, alloc_size, all_info2, all_info2, alloc_size); + + CHECK_VAL("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, ea_size, all_info2, all_info2, ea_size); + CHECK_VAL("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, ea_size, all_info2, all_info2, ea_size); + CHECK_VAL("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, ea_size, all_info2, all_info2, ea_size); + CHECK_VAL("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, ea_size, all_info2, all_info2, ea_size); + + CHECK_WSTR("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, short_name, alt_info, alt_name_info, fname, STR_UNICODE); + + CHECK_NAME("SMB2_FIND_DIRECTORY_INFO", directory_info, name, fname, STR_TERMINATE_ASCII); + CHECK_NAME("SMB2_FIND_FULL_DIRECTORY_INFO", full_directory_info, name, fname, STR_TERMINATE_ASCII); + CHECK_NAME("SMB2_FIND_NAME_INFO", name_info, name, fname, STR_TERMINATE_ASCII); + CHECK_NAME("SMB2_FIND_BOTH_DIRECTORY_INFO", both_directory_info, name, fname, STR_TERMINATE_ASCII); + CHECK_NAME("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, name, fname, STR_TERMINATE_ASCII); + CHECK_NAME("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, name, fname, STR_TERMINATE_ASCII); + CHECK_VAL("SMB2_FIND_ID_FULL_DIRECTORY_INFO", id_full_directory_info, file_id, internal_info, internal_information, file_id); + + CHECK_VAL("SMB2_FIND_ID_BOTH_DIRECTORY_INFO", id_both_directory_info, file_id, internal_info, internal_information, file_id); + +done: + smb2_util_close(tree, h); + smb2_util_unlink(tree, fname); + talloc_free(mem_ctx); + + return ret; +} + + +struct multiple_result { + TALLOC_CTX *tctx; + int count; + union smb_search_data *list; +}; + +bool fill_result(void *private_data, + union smb_search_data *file, + int count, + uint8_t level, + enum smb_search_data_level data_level) +{ + int i; + const char *sname; + struct multiple_result *data = (struct multiple_result *)private_data; + + for (i=0; i<count; i++) { + sname = extract_name(&file[i], level, data_level); + if (!strcmp(sname, ".") || !(strcmp(sname, ".."))) + continue; + data->count++; + data->list = talloc_realloc(data->tctx, + data->list, + union smb_search_data, + data->count); + data->list[data->count-1] = file[i]; + } + return true; +} + +enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART}; + +static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, + TALLOC_CTX *tctx, + const char *pattern, + uint8_t level, + enum smb_search_data_level data_level, + enum continue_type cont_type, + void *data, + struct smb2_handle *h) +{ + struct smb2_find f; + bool ret = true; + uint_t count = 0; + union smb_search_data *d; + NTSTATUS status; + struct multiple_result *result = (struct multiple_result *)data; + + ZERO_STRUCT(f); + f.in.file.handle = *h; + f.in.pattern = pattern; + f.in.max_response_size = 0x1000; + f.in.level = level; + + /* The search should start from the beginning everytime */ + f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + if (!fill_result(result, d, count, level, data_level)) { + return NT_STATUS_UNSUCCESSFUL; + } + + /* + * After the first iteration is complete set the CONTINUE + * FLAGS appropriately + */ + switch (cont_type) { + case CONT_INDEX: + f.in.continue_flags = SMB2_CONTINUE_FLAG_INDEX; + break; + case CONT_SINGLE: + f.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; + break; + case CONT_RESTART: + default: + /* we should prevent staying in the loop forever */ + f.in.continue_flags = 0; + break; + } + } while (count != 0); +done: + return status; +} + + +static enum smb_search_data_level compare_data_level; +uint8_t level_sort; -/* - basic testing of directory listing with continue +static int search_compare(union smb_search_data *d1, + union smb_search_data *d2) +{ + const char *s1, *s2; + + s1 = extract_name(d1, level_sort, compare_data_level); + s2 = extract_name(d2, level_sort, compare_data_level); + return strcmp_safe(s1, s2); +} + +/* + basic testing of search calls using many files */ -bool torture_smb2_dir(struct torture_context *torture) +static bool test_many_files(struct torture_context *tctx, + struct smb2_tree *tree) { - TALLOC_CTX *mem_ctx = talloc_new(NULL); - struct smb2_tree *tree; + TALLOC_CTX *mem_ctx = talloc_new(tctx); + const int num_files = 700; + int i, t; + char *fname; bool ret = true; + NTSTATUS status; + struct multiple_result result; + struct smb2_create create; + struct smb2_handle h; + struct { + const char *name; + const char *cont_name; + uint8_t level; + enum smb_search_data_level data_level; + enum continue_type cont_type; + } search_types[] = { + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_RESTART}, + {"SMB2_FIND_DIRECTORY_INFO", "SINGLE", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_DIRECTORY_INFO", "INDEX", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_DIRECTORY_INFO", "RESTART", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_RESTART}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_RESTART}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART}, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART} + }; - if (!torture_smb2_connection(torture, &tree)) { + smb2_deltree(tree, DNAME); + status = torture_smb2_testdir(tree, DNAME, &h); + CHECK_STATUS(status, NT_STATUS_OK); + + torture_comment(tctx, "Testing with %d files\n", num_files); + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + for (i=num_files-1;i>=0;i--) { + fname = talloc_asprintf(mem_ctx, DNAME "\\t%03d-%d.txt", i, i); + create.in.fname = talloc_asprintf(mem_ctx, "%s", fname); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + talloc_free(fname); + } + + for (t=0;t<ARRAY_SIZE(search_types);t++) { + ZERO_STRUCT(result); + result.tctx = talloc_new(tctx); + + torture_comment(tctx, + "Continue %s via %s\n", search_types[t].name, + search_types[t].cont_name); + status = multiple_smb2_search(tree, tctx, "*", + search_types[t].level, + search_types[t].data_level, + search_types[t].cont_type, + &result, &h); + + CHECK_VALUE(result.count, num_files); + + compare_data_level = search_types[t].data_level; + level_sort = search_types[t].level; + + qsort(result.list, result.count, sizeof(result.list[0]), + QSORT_CAST search_compare); + + for (i=0;i<result.count;i++) { + const char *s; + enum smb_search_level level; + level = RAW_SEARCH_SMB2; + s = extract_name(&result.list[i], + search_types[t].level, + compare_data_level); + fname = talloc_asprintf(mem_ctx, "t%03d-%d.txt", i, i); + torture_assert_str_equal(tctx, fname, s, + "Incorrect name"); + talloc_free(fname); + } + talloc_free(result.tctx); + } + +done: + smb2_util_close(tree, h); + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); + + return ret; +} + +/* + check a individual file result +*/ +static bool check_result(struct multiple_result *result, + const char *name, + bool exist, + uint32_t attrib) +{ + int i; + for (i=0;i<result->count;i++) { + if (strcmp(name, + result->list[i].both_directory_info.name.s) == 0) { + break; + } + } + if (i == result->count) { + if (exist) { + printf("failed: '%s' should exist with attribute %s\n", + name, attrib_string(result->list, attrib)); + return false; + } + return true; + } + + if (!exist) { + printf("failed: '%s' should NOT exist (has attribute %s)\n", + name, attrib_string(result->list, + result->list[i].both_directory_info.attrib)); return false; } - ret &= torture_smb2_find_dir(tree); + if ((result->list[i].both_directory_info.attrib&0xFFF) != attrib) { + printf("failed: '%s' should have attribute 0x%x (has 0x%x)\n", + name, + attrib, result->list[i].both_directory_info.attrib); + return false; + } + return true; +} + +/* + test what happens when the directory is modified during a search +*/ +static bool test_modify_search(struct torture_context *tctx, + struct smb2_tree *tree) +{ + int num_files = 700; + struct multiple_result result; + union smb_setfileinfo sfinfo; + TALLOC_CTX *mem_ctx = talloc_new(tctx); + struct smb2_create create; + struct smb2_handle h; + struct smb2_find f; + union smb_search_data *d; + struct file_elem files[700] = {}; + NTSTATUS status; + bool ret = true; + int i; + uint_t count; + + smb2_deltree(tree, DNAME); + + status = torture_smb2_testdir(tree, DNAME, &h); + CHECK_STATUS(status, NT_STATUS_OK); + + printf("Creating %d files\n", num_files); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + for (i = num_files-1; i >= 0; i--) { + files[i].name = talloc_asprintf(mem_ctx, "t%03d-%d.txt", i, i); + create.in.fname = talloc_asprintf(mem_ctx, "%s\\%s", + DNAME, files[i].name); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + } + + printf("pulling the first two files\n"); + ZERO_STRUCT(result); + result.tctx = talloc_new(tctx); + + ZERO_STRUCT(f); + f.in.file.handle = h; + f.in.pattern = "*"; + f.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; + f.in.max_response_size = 0x100; + f.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + if (!fill_result(&result, d, count, f.in.level, + RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO)) { + ret = false; + goto done; + } + }while(result.count < 2); + + printf("Changing attributes and deleting\n"); + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + files[num_files].name = talloc_asprintf(mem_ctx, "T003-03.txt.2"); + create.in.fname = talloc_asprintf(mem_ctx, "%s\\%s", DNAME, + files[num_files].name); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + files[num_files + 1].name = talloc_asprintf(mem_ctx, "T013-13.txt.2"); + create.in.fname = talloc_asprintf(mem_ctx, "%s\\%s", DNAME, + files[num_files + 1].name); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + + files[num_files + 2].name = talloc_asprintf(mem_ctx, "T013-13.txt.3"); + status = smb2_create_complex_file(tree, DNAME "\\T013-13.txt.3", &h); + CHECK_STATUS(status, NT_STATUS_OK); + + smb2_util_unlink(tree, DNAME "\\T014-14.txt"); + smb2_util_setatr(tree, DNAME "\\T015-15.txt", FILE_ATTRIBUTE_HIDDEN); + smb2_util_setatr(tree, DNAME "\\T016-16.txt", FILE_ATTRIBUTE_NORMAL); + smb2_util_setatr(tree, DNAME "\\T017-17.txt", FILE_ATTRIBUTE_SYSTEM); + smb2_util_setatr(tree, DNAME "\\T018-18.txt", 0); + smb2_util_setatr(tree, DNAME "\\T039-39.txt", FILE_ATTRIBUTE_HIDDEN); + smb2_util_setatr(tree, DNAME "\\T000-0.txt", FILE_ATTRIBUTE_HIDDEN); + sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION; + sfinfo.generic.in.file.path = DNAME "\\T013-13.txt.3"; + sfinfo.disposition_info.in.delete_on_close = 1; + status = smb2_composite_setpathinfo(tree, &sfinfo); + CHECK_STATUS(status, NT_STATUS_OK); + + /* Reset the numfiles to include the new files and start the + * search from the beginning */ + num_files = num_files + 2; + f.in.pattern = "*"; + f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; + result.count = 0; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + if (!fill_result(&result, d, count, f.in.level, + RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO)) { + ret = false; + goto done; + } + f.in.continue_flags = 0; + f.in.max_response_size = 4096; + } while (count != 0); + + + ret &= check_result(&result, "t039-39.txt", true, FILE_ATTRIBUTE_HIDDEN); + ret &= check_result(&result, "t000-0.txt", true, FILE_ATTRIBUTE_HIDDEN); + ret &= check_result(&result, "t014-14.txt", false, 0); + ret &= check_result(&result, "t015-15.txt", true, FILE_ATTRIBUTE_HIDDEN); + ret &= check_result(&result, "t016-16.txt", true, FILE_ATTRIBUTE_NORMAL); + ret &= check_result(&result, "t017-17.txt", true, FILE_ATTRIBUTE_SYSTEM); + ret &= check_result(&result, "t018-18.txt", true, FILE_ATTRIBUTE_ARCHIVE); + ret &= check_result(&result, "t019-19.txt", true, FILE_ATTRIBUTE_ARCHIVE); + ret &= check_result(&result, "T013-13.txt.2", true, FILE_ATTRIBUTE_ARCHIVE); + ret &= check_result(&result, "T003-3.txt.2", false, 0); + ret &= check_result(&result, "T013-13.txt.3", true, FILE_ATTRIBUTE_NORMAL); + + if (!ret) { + for (i=0;i<result.count;i++) { + printf("%s %s (0x%x)\n", + result.list[i].both_directory_info.name.s, + attrib_string(tctx, + result.list[i].both_directory_info.attrib), + result.list[i].both_directory_info.attrib); + } + } + done: + smb2_util_close(tree, h); + smb2_deltree(tree, DNAME); talloc_free(mem_ctx); return ret; } + +/* + testing if directories always come back sorted +*/ +static bool test_sorted(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + const int num_files = 700; + int i; + struct file_elem files[700] = {}; + bool ret = true; + NTSTATUS status; + struct multiple_result result; + struct smb2_handle h; + + printf("Testing if directories always come back sorted\n"); + status = populate_tree(tctx, mem_ctx, tree, files, num_files, &h); + CHECK_STATUS(status, NT_STATUS_OK); + + ZERO_STRUCT(result); + result.tctx = tctx; + + status = multiple_smb2_search(tree, tctx, "*", + SMB2_FIND_BOTH_DIRECTORY_INFO, + RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, + SMB2_CONTINUE_FLAG_SINGLE, + &result, &h); + + CHECK_VALUE(result.count, num_files); + + for (i=0;i<num_files-1;i++) { + const char *name1, *name2; + name1 = result.list[i].both_directory_info.name.s; + name2 = result.list[i+1].both_directory_info.name.s; + if (strcasecmp_m(name1, name2) > 0) { + printf("non-alphabetical order at entry %d '%s' '%s'" + "\n", i, name1, name2); + torture_comment(tctx, + "Server does not produce sorted directory listings" + "(not an error)\n"); + goto done; + } + } + talloc_free(result.list); +done: + smb2_util_close(tree, h); + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); + + return ret; +} + +/* test the behavior of file_index field in the SMB2_FIND struct */ + +static bool test_file_index(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + const int num_files = 100; + int resume_index = 4; + int i; + char *fname; + bool ret = true; + NTSTATUS status; + struct multiple_result result; + struct smb2_create create; + struct smb2_find f; + struct smb2_handle h; + union smb_search_data *d; + int count; + + smb2_deltree(tree, DNAME); + + status = torture_smb2_testdir(tree, DNAME, &h); + CHECK_STATUS(status, NT_STATUS_OK); + + printf("Testing the behavior of file_index flag\n"); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + for (i = num_files-1; i >= 0; i--) { + fname = talloc_asprintf(mem_ctx, DNAME "\\file%u.txt", i); + create.in.fname = fname; + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + talloc_free(fname); + smb2_util_close(tree, create.out.file.handle); + } + + ZERO_STRUCT(result); + result.tctx = tctx; + + ZERO_STRUCT(f); + f.in.file.handle = h; + f.in.pattern = "*"; + f.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; + f.in.max_response_size = 0x1000; + f.in.level = SMB2_FIND_FULL_DIRECTORY_INFO; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + if (!fill_result(&result, d, count, f.in.level, + RAW_SEARCH_DATA_FULL_DIRECTORY_INFO)) { + ret = false; + goto done; + } + } while(result.count < 10); + + if (result.list[0].full_directory_info.file_index == 0) { + torture_comment(tctx, + "Talking to a server that doesn't provide a " + "file index.\nWindows servers using NTFS do " + "not provide a file_index. Skipping test\n"); + goto done; + } else { + /* We are not talking to a Windows based server. Windows + * servers using NTFS do not provide a file_index. Windows + * server using FAT do provide a file index, however in both + * cases they do not honor a file index on a resume request. + * See MS-FSCC <62> and MS-SMB2 <54> for more information. */ + + /* Set the file_index flag to point to the fifth file from the + * previous enumeration and try to start the subsequent + * searches from that point */ + f.in.file_index = + result.list[resume_index].full_directory_info.file_index; + f.in.continue_flags = SMB2_CONTINUE_FLAG_INDEX; + + /* get the name of the next expected file */ + fname = talloc_asprintf(mem_ctx, DNAME "\\%s", + result.list[resume_index].full_directory_info.name.s); + + ZERO_STRUCT(result); + result.tctx = tctx; + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + goto done; + CHECK_STATUS(status, NT_STATUS_OK); + if (!fill_result(&result, d, count, f.in.level, + RAW_SEARCH_DATA_FULL_DIRECTORY_INFO)) { + ret = false; + goto done; + } + if (strcmp(fname, + result.list[0].full_directory_info.name.s)) { + printf("next expected file: %s but the server " + "returned %s\n", fname, + result.list[0].full_directory_info.name.s); + torture_comment(tctx, + "Not an error. Resuming using a file " + "index is an optional feature of the " + "protocol.\n"); + goto done; + } + } +done: + smb2_util_close(tree, h); + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); + + return ret; +} + +/* + * Tests directory enumeration in a directory containing >1000 files with + * names of varying lengths. + */ +static bool test_large_files(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + const int num_files = 2000; + int i, j = 1, retry_count = 0; + struct file_elem files[2000] = {}; + bool ret = true; + NTSTATUS status; + struct smb2_create create; + struct smb2_find f; + struct smb2_handle h; + union smb_search_data *d; + int count, file_count = 0; + + torture_comment(tctx, + "Testing directory enumeration in a directory with >1000 files\n"); + + smb2_deltree(tree, DNAME); + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_DIR_ALL; + create.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + create.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; + create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE | + NTCREATEX_SHARE_ACCESS_DELETE; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + create.in.fname = DNAME; + + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + h = create.out.file.handle; + + ZERO_STRUCT(create); + create.in.desired_access = SEC_RIGHTS_FILE_ALL; + create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + create.in.create_disposition = NTCREATEX_DISP_CREATE; + + for (i = 0; i < num_files; i++) { + files[i].name = generate_random_str(tctx, j); + create.in.fname = talloc_asprintf(mem_ctx, "%s\\%s", + DNAME, files[i].name); + status = smb2_create(tree, mem_ctx, &create); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, create.out.file.handle); + retry_count = 0; + if (i%9 == 0) + j = j + 1; + } + + ZERO_STRUCT(f); + f.in.file.handle = h; + f.in.pattern = "*"; + f.in.max_response_size = 0x100; + f.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); + if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) + break; + CHECK_STATUS(status, NT_STATUS_OK); + + for (i = 0; i < count; i++) { + bool expected; + const char *found = d[i].both_directory_info.name.s; + + if (!strcmp(found, ".") || !strcmp(found, "..")) + continue; + + expected = false; + for (j = 0; j < 2000; j++) { + if (!strcmp(files[j].name, found)) { + files[j].found = true; + expected = true; + break; + } + } + + if (expected) + continue; + + torture_result(tctx, TORTURE_FAIL, + "(%s): didn't expect %s\n", + __location__, found); + ret = false; + goto done; + } + file_count = file_count + i; + f.in.continue_flags = 0; + f.in.max_response_size = 4096; + } while (count != 0); + + CHECK_VALUE(file_count, num_files + 2); + + for (i = 0; i < num_files; i++) { + if (files[j].found) + continue; + + torture_result(tctx, TORTURE_FAIL, + "(%s): expected to find %s, but didn't\n", + __location__, files[j].name); + ret = false; + goto done; + } +done: + smb2_util_close(tree, h); + smb2_deltree(tree, DNAME); + talloc_free(mem_ctx); + + return ret; +} + +struct torture_suite *torture_smb2_dir_init(void) +{ + struct torture_suite *suite = + torture_suite_create(talloc_autofree_context(), "DIR"); + + torture_suite_add_1smb2_test(suite, "FIND", test_find); + torture_suite_add_1smb2_test(suite, "FIXED", test_fixed); + torture_suite_add_1smb2_test(suite, "ONE", test_one_file); + torture_suite_add_1smb2_test(suite, "MANY", test_many_files); + torture_suite_add_1smb2_test(suite, "MODIFY", test_modify_search); + torture_suite_add_1smb2_test(suite, "SORTED", test_sorted); + torture_suite_add_1smb2_test(suite, "FILE-INDEX", test_file_index); + torture_suite_add_1smb2_test(suite, "LARGE-FILES", test_large_files); + suite->description = talloc_strdup(suite, "SMB2-DIR tests"); + + return suite; +} diff --git a/source4/torture/smb2/getinfo.c b/source4/torture/smb2/getinfo.c index c4ab31f4cf..166c3f694f 100644 --- a/source4/torture/smb2/getinfo.c +++ b/source4/torture/smb2/getinfo.c @@ -49,9 +49,9 @@ static struct { { LEVEL(RAW_FILEINFO_COMPRESSION_INFORMATION) }, { LEVEL(RAW_FILEINFO_NETWORK_OPEN_INFORMATION) }, { LEVEL(RAW_FILEINFO_ATTRIBUTE_TAG_INFORMATION) }, -/* + { LEVEL(RAW_FILEINFO_SMB2_ALL_EAS) }, -*/ + { LEVEL(RAW_FILEINFO_SMB2_ALL_INFORMATION) }, { LEVEL(RAW_FILEINFO_SEC_DESC) } }; diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c index a5730a7eb3..9766620867 100644 --- a/source4/torture/smb2/smb2.c +++ b/source4/torture/smb2/smb2.c @@ -141,6 +141,7 @@ NTSTATUS torture_smb2_init(void) torture_suite_add_simple_test(suite, "NOTIFY", torture_smb2_notify); torture_suite_add_suite(suite, torture_smb2_durable_open_init()); torture_suite_add_1smb2_test(suite, "OPLOCK-BATCH1", torture_smb2_oplock_batch1); + torture_suite_add_suite(suite, torture_smb2_dir_init()); torture_suite_add_suite(suite, torture_smb2_lease_init()); torture_suite_add_suite(suite, torture_smb2_compound_init()); diff --git a/source4/winbind/wb_cmd_list_users.c b/source4/winbind/wb_cmd_list_users.c index f67f133488..755d45786b 100644 --- a/source4/winbind/wb_cmd_list_users.c +++ b/source4/winbind/wb_cmd_list_users.c @@ -33,7 +33,7 @@ struct cmd_list_users_state { struct wbsrv_domain *domain; char *domain_name; - uint resume_index; + uint32_t resume_index; char *result; }; |