Age | Commit message (Collapse) | Author | Files | Lines |
|
This commit cleans up a number of aspects of the LSA interface.
Firstly, we do 2 simple searches on opening the LSA policy, to obtain
the basic information we need. This also avoids us searching for
dnsDomain (an invented attribute).
While I was at it, I added and tested new LSA calls, including the
enumTrustedDomainsEx call. I have also merged the identical structures
lsa_DomainInformation and lsa_DomainList.
Also in this commit: Fix netlogon use of uninitialised variables.
Andrew Bartlett
(This used to be commit 3f3fa7f466df56612064029143fbae8effb668aa)
|
|
- creation of ForeignSecurityPrincipals
- template duplication code
Rework much of the LSA server to pass the RPC-LSA test. Much of the
server code was untested. In implementing the LSA Accounts feature, I
have opted to have it only create entires when privilages are applied,
and not to delete entries, but to delete the privilages.
We skip some parts of the test, but it is much better than not testing
it at all.
Andrew Bartlett
(This used to be commit 10eeea6da465564ed9f785d06e2d2ed06cfe29a4)
|
|
which is very useful for analysing a windows machine remotely
with this I found that vista-beta2 doesn't have an 'administrator' account
and mapps any not known user to MACHINENAME\Guest
metze
(This used to be commit 97ae93627527f65b6ecded9884a26d4cffa1409d)
|
|
metze
(This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
|
|
(This used to be commit 3c7a5ce29108dd82210dc3e1f00414f545949e1d)
|
|
(This used to be commit f7312dab3b9aba2b2b82e8a6e0c483a32a03a63a)
|
|
(This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109)
|
|
functions for rpc out of torture/torture.c
(This used to be commit 1d2d970f3b8aef3f36c2befb94b5dd72c0086639)
|
|
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
|
|
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
|
|
metze
(This used to be commit 833efdf8a943b210ba8e5b219dc754260001bedb)
|
|
torture prototypes in seperate header
(This used to be commit 73610639b23ca3743077193fa0b1de7c7f65944d)
|
|
(This used to be commit ce77c0e8bf4127027edd6291d2ae5d868e3372a1)
|
|
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
|
|
requests. If it's
not there (it's not yet on *any* call... :-)), the rpc client strictly
sequences calls to an rpc pipe. Might need some more work on the exact
sequencing semantics when a pipe with both sync and async calls is actually
deployed, but I want it in for winbind simplification.
Volker
(This used to be commit b8f324e4f000971b7dafc263c16dd4af958ee7f9)
|
|
volker's urging on the use of -O1.
Andrew Bartlett
(This used to be commit 6a7bb391ba62a4f90f57aa76c5dcc0d35fca54a4)
|
|
Win2k3 SP1.
Only a few operations are supported (LookupSids3 and LookupNames4),
and these are only supported under schannel. This appears to be the
operations Win2k3 SP1 uses to verify part of the PAC back to the
server.
The test is setup to pass, but not enforce (so far) this new
behaviour.
Andrew Bartlett
(This used to be commit e15e39866e9775ba662f669a19836d33f7633f6f)
|
|
Guenther
(This used to be commit d717e878bdc05b06adcc50c3527c339be8164145)
|
|
Now, to try and figure out why this logic failed for jra...
Andrew Bartlett
(This used to be commit a32066a9ecf7cd82f66eb8381e07d014f5ac5eff)
|
|
server as to the CIFS session key.
JRA had pain with this being wrong against NT4 (without spnego), hence
this specific test.
Andrew Bartlett
(This used to be commit 47f433708ba38db9bf569567cc048e65f2786ebe)
|
|
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
|
|
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
Add my copyright to the SAMR server.
Andrew Bartlett
(This used to be commit 51e94fa26cc602ddca652776c213cd7096f9703a)
|
|
test. This way, it must have at least one domain to enumerate.
Andrew Bartlett
(This used to be commit c19f1850ee76db07d4ab5654039bc1f78377994d)
|
|
- Use templates for Secrets and the new trusted domains
- Auto-add modifiedTime, createdTime and objectGUID to records in the
samdb layer.
Andrew Bartlett
(This used to be commit 271c8faadfe2d9e0f3d523a1cdc831f5f9e35d19)
|
|
(The behaviour is a little odd, but we wanted bug-for-bug, right? :-)
Andrew Bartlett
(This used to be commit 6a09a84320c9ab18568a66efb3839a8dcde834af)
|
|
This uses LDB (a local secrets.ldb and the global samdb) to fill out
the secrets from an LSA perspective.
Some small changes to come, but the bulk of the work is now done.
A re-provision is required after this change.
Andrew Bartlett
(This used to be commit ded33033521a6a1c7ea80758c5c5aeeebb182a51)
|
|
only the OLD secret value.
Andrew Bartlett
(This used to be commit 5853af89c8dd5c4d6220f395bcc18708398999af)
|
|
This call uses a new IDL type, NTTIME_hyper. This is 8-byte aligned,
as the name suggests.
Expand the QuerySecret LSA calls in RPC-SAMLOGON and RPC-LSA, to
validate the behaviour of times, and of the old secrets.
Thanks to tridge for spotting the use of HYPER!
Andrew Bartlett
(This used to be commit 1fed79cb0f2ae7940639d08ef99576559d4cd06e)
|
|
Andrew Bartlett
(This used to be commit 357d9114f002a607f80985588bbac150fa40d2bc)
|
|
Andrew Bartlett
(This used to be commit a17a8fbf9a843c2c9e10940878b43ad8e1583091)
|
|
just does a simple LSA/DSSETUP combo, which is what w2k does in the
ACL editor rpc calls that triggered this work
(This used to be commit 0129ec947aa1fa5a7104dc3a666af3cb9bd104f1)
|
|
Andrew Bartlett
(This used to be commit 96806136ead3d1949516b2cfe7350a4e10681c28)
|
|
w2k3 does) or
NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED (as longhorn does) to be an error.
fixed the CreateTrustedDomain test to cope with the "torturedomain" being left over
from a previous aborted run
(This used to be commit 429d79815c260781fae6eed28160d7507e780f34)
|
|
(This used to be commit d37f556258ba12479e4e9acc5cdb5535ebf41d7f)
|
|
For some reason I am getting ACCESS_DENIED from w2k3 on
lsa_LookupSids3(). I will investigate.
(This used to be commit c759fa0000e37c3e93a7529a7701998af6727612)
|
|
metze
(This used to be commit f8ea82cbd1856f589132e2a96b8d658745036b3e)
|
|
(This used to be commit f78506697ad23456fcac6e8916d0dad05b0df6cc)
|
|
why does samba3 return domain_name as in the unknown_name field in the code
and on the wire it returns DCERPC_FAULT_OP_RNG_ERROR?
all of my test machines NT4,W2K,W2K3,XP returned NULL
and if I file the string in the .in.* the server echos the strings back
and returns NT_STATUS_INVALID_PARAMETER
metze
(This used to be commit 67e765b7e984d7aac2a7786b5bd0c80d10d6de5d)
|
|
metze
PS: <tridge> "silly tridge forgot a out [ref] var" :-)
(This used to be commit a46c68a80001f5fe9d37cc4ce374071b6fe63076)
|
|
lsa_RemovePrivilegesFromAccount()
(This used to be commit 705b870c73995609c8d3ebb24418538bfe20c05b)
|
|
- expanded the lsa test suite to better test lsa_EnumAccounts()
(This used to be commit bafdb1772977d98fd57bb31a328af7cb1deee788)
|
|
(This used to be commit 7bddd4740332017bb5f4bddcc9ba0234d05378bd)
|
|
(This used to be commit 80d15fa3402a9d1183467463f6b21c0b674bc442)
|
|
This removes the duplicate named SEC_RIGHTS_MAXIMUM_ALLOWED and
SEC_RIGHTS_FULL_CONTROL, which are just other names for
SEC_FLAG_MAXIMUM_ALLOWED and SEC_RIGHTS_FILE_ALL. The latter names
match the new naming conventions in security.idl
Also added names for the generic->specific mappings for files are
directories
(This used to be commit 17a4e0b3aca227b40957ed1e0c57e498debc6ddf)
|
|
(This used to be commit 9da455ed56ebc167f295b231c2730e3ff9c94617)
|
|
names and other assistance from the ethereal sources.
More work needs to be done to validate some of the levels, which do
not appear in the query - perhaps they are modification levels.
Andrew Bartlett
(This used to be commit 63635533693fa364b0c697a3fe1010b3eb8b17d3)
|
|
seem to be 'shortcut' RPCs, that just avoid an open/query pair).
Rename a few others to give us a slightly sensible pattern.
Andrew Bartlett
(This used to be commit d6a7ab57e74ab89dd163d5f9f5f901e586b0aad4)
|
|
* Add new IDL to LSA, to query information about trusted domains (for
cross-check with SamSync).
Andrew Bartlett
(This used to be commit 174c0778421b5154ff2ba809688ea6ef38a1478b)
|