diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 39 | ||||
-rw-r--r-- | source4/torture/rpc/lsa.c | 32 |
2 files changed, 63 insertions, 8 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 7ed3b63540..f67b5dee10 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -23,6 +23,8 @@ #include "rpc_server/lsa/lsa.h" #include "util/util_ldb.h" #include "libcli/ldap/ldap_ndr.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" /* this type allows us to distinguish handle types @@ -2502,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state TALLOC_CTX *mem_ctx, struct lsa_QueryDomainInformationPolicy *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy); + if (!r->out.info) { + return NT_STATUS_NO_MEMORY; + } + + switch (r->in.level) { + case LSA_DOMAIN_INFO_POLICY_EFS: + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + case LSA_DOMAIN_INFO_POLICY_KERBEROS: + { + struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info; + struct smb_krb5_context *smb_krb5_context; + int ret = smb_krb5_init_context(mem_ctx, + dce_call->event_ctx, + dce_call->conn->dce_ctx->lp_ctx, + &smb_krb5_context); + if (ret != 0) { + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_INTERNAL_ERROR; + } + k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */ + k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->user_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context); + talloc_free(smb_krb5_context); + return NT_STATUS_OK; + } + default: + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_INVALID_INFO_CLASS; + } } /* diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 31dc38500d..ec74426ac6 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -779,6 +779,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p, static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + struct policy_handle *handle, struct policy_handle *acct_handle, struct lsa_LUID *luid) { @@ -801,7 +802,25 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, status = dcerpc_lsa_RemovePrivilegesFromAccount(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("RemovePrivilegesFromAccount failed - %s\n", nt_errstr(status)); + + struct lsa_LookupPrivName r_name; + + r_name.in.handle = handle; + r_name.in.luid = luid; + + status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r_name); + if (!NT_STATUS_IS_OK(status)) { + printf("\nLookupPrivName failed - %s\n", nt_errstr(status)); + return false; + } + /* Windows 2008 does not allow this to be removed */ + if (strcmp("SeAuditPrivilege", r_name.out.name->string) == 0) { + return ret; + } + + printf("RemovePrivilegesFromAccount failed to remove %s - %s\n", + r_name.out.name->string, + nt_errstr(status)); return false; } @@ -864,7 +883,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, &r.out.privs->set[i].luid); } - ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, acct_handle, + ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, handle, acct_handle, &r.out.privs->set[0].luid); ret &= test_AddPrivilegesToAccount(p, mem_ctx, acct_handle, &r.out.privs->set[0].luid); @@ -2036,10 +2055,6 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, NTSTATUS status; int i; bool ret = true; - if (torture_setting_bool(tctx, "samba4", false)) { - printf("skipping QueryDomainInformationPolicy test against Samba4\n"); - return true; - } printf("\nTesting QueryDomainInformationPolicy\n"); @@ -2051,7 +2066,10 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r); - if (!NT_STATUS_IS_OK(status)) { + /* If the server does not support EFS, then this is the correct return */ + if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + continue; + } else if (!NT_STATUS_IS_OK(status)) { printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status)); ret = false; continue; |