From 2bafb4ccbb99dfde533acad7bf0162ca2618c716 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 31 Mar 2011 17:46:56 +0200 Subject: s3-net: Add delete op for net trust utility MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Günther Deschner --- source3/utils/net_rpc_trust.c | 212 +++++++++++++++++++++++++++++++----------- 1 file changed, 159 insertions(+), 53 deletions(-) (limited to 'source3') diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index 71aa6a39fc..654b0f158f 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c @@ -34,6 +34,11 @@ #define ARG_OTHERNETBIOSDOMAIN "other_netbios_domain=" #define ARG_TRUSTPW "trustpw=" +enum trust_op { + TRUST_CREATE, + TRUST_DELETE +}; + struct other_dom_data { char *host; char *user_name; @@ -70,6 +75,32 @@ static NTSTATUS close_handle(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +static NTSTATUS delete_trust(TALLOC_CTX *mem_ctx, + struct dcerpc_binding_handle *bind_hnd, + struct policy_handle *pol_hnd, + struct dom_sid *domsid) +{ + NTSTATUS status; + struct lsa_DeleteTrustedDomain dr; + + dr.in.handle = pol_hnd; + dr.in.dom_sid = domsid; + + status = dcerpc_lsa_DeleteTrustedDomain_r(bind_hnd, mem_ctx, &dr); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("dcerpc_lsa_DeleteTrustedDomain_r failed with [%s]\n", + nt_errstr(status))); + return status; + } + if (!NT_STATUS_IS_OK(dr.out.result)) { + DEBUG(0, ("DeleteTrustedDomain returned [%s]\n", + nt_errstr(dr.out.result))); + return dr.out.result; + } + + return NT_STATUS_OK; +} + static NTSTATUS create_trust(TALLOC_CTX *mem_ctx, struct dcerpc_binding_handle *bind_hnd, struct policy_handle *pol_hnd, @@ -336,6 +367,22 @@ failed: return ret; } +static void print_trust_delete_usage(void) +{ + d_printf( "%s\n" + "net rpc trust delete [options]\n" + "\nOptions:\n" + "\totherserver=DC in other domain\n" + "\totheruser=Admin user in other domain\n" + "\totherdomainsid=SID of other domain\n" + "\nExamples:\n" + "\tnet rpc trust delete otherserver=oname otheruser=ouser -S lname -U luser\n" + "\tnet rpc trust delete otherdomainsid=S-... -S lname -U luser\n" + " %s\n", + _("Usage:"), + _("Remove trust between two domains")); +} + static void print_trust_usage(void) { d_printf( "%s\n" @@ -355,8 +402,8 @@ static void print_trust_usage(void) _("Create trust between two domains")); } -static int rpc_trust_create(struct net_context *net_ctx, int argc, - const char **argv) +static int rpc_trust_common(struct net_context *net_ctx, int argc, + const char **argv, enum trust_op op) { TALLOC_CTX *mem_ctx; NTSTATUS status; @@ -373,11 +420,21 @@ static int rpc_trust_create(struct net_context *net_ctx, int argc, struct dom_data dom_data[2]; if (net_ctx->display_usage) { - print_trust_usage(); + switch (op) { + case TRUST_CREATE: + print_trust_usage(); + break; + case TRUST_DELETE: + print_trust_delete_usage(); + break; + default: + DEBUG(0, ("Unsupported trust operation.\n")); + return -1; + } return 0; } - mem_ctx = talloc_init("trust create"); + mem_ctx = talloc_init("trust op"); if (mem_ctx == NULL) { DEBUG(0, ("talloc_init failed.\n")); return -1; @@ -409,8 +466,9 @@ static int rpc_trust_create(struct net_context *net_ctx, int argc, dom_data[1].dns_domain_name = other_dom_data->dns_domain_name; if (dom_data[1].domsid == NULL || - dom_data[1].domain_name == NULL || - dom_data[1].dns_domain_name == NULL) { + (op == TRUST_CREATE && + (dom_data[1].domain_name == NULL || + dom_data[1].dns_domain_name == NULL))) { DEBUG(0, ("Missing required argument.\n")); print_trust_usage(); goto done; @@ -436,52 +494,31 @@ static int rpc_trust_create(struct net_context *net_ctx, int argc, } } - if (trust_pw == NULL) { - if (other_net_ctx == NULL) { - DEBUG(0, ("Missing either trustpw or otherhost.\n")); - goto done; + if (op == TRUST_CREATE) { + if (trust_pw == NULL) { + if (other_net_ctx == NULL) { + DEBUG(0, ("Missing either trustpw or otherhost.\n")); + goto done; + } + + DEBUG(0, ("Using random trust password.\n")); + /* FIXME: why only 8 characters work? Would it be possible to use a + * random binary password? */ + trust_pw = generate_random_str(mem_ctx, 8); + if (trust_pw == NULL) { + DEBUG(0, ("generate_random_str failed.\n")); + goto done; + } + } else { + DEBUG(0, ("Using user provided password.\n")); } - DEBUG(0, ("Using random trust password.\n")); -/* FIXME: why only 8 characters work? Would it be possible to use a random - * binary password? */ - trust_pw = generate_random_str(mem_ctx, 8); - if (trust_pw == NULL) { - DEBUG(0, ("generate_random_str failed.\n")); + if (!get_trust_domain_passwords_auth_blob(mem_ctx, trust_pw, + &auth_blob)) { + DEBUG(0, ("get_trust_domain_passwords_auth_blob failed\n")); goto done; } - } else { - DEBUG(0, ("Using user provided password.\n")); - } - - if (!get_trust_domain_passwords_auth_blob(mem_ctx, trust_pw, - &auth_blob)) { - DEBUG(0, ("get_trust_domain_passwords_auth_blob failed\n")); - goto done; - } - - authinfo.auth_blob.data = talloc_memdup(mem_ctx, auth_blob.data, - auth_blob.length); - if (authinfo.auth_blob.data == NULL) { - goto done; - } - authinfo.auth_blob.size = auth_blob.length; - - arcfour_crypt_blob(authinfo.auth_blob.data, authinfo.auth_blob.size, - &cli[0]->user_session_key); - status = create_trust(mem_ctx, pipe_hnd[0]->binding_handle, &pol_hnd[0], - dom_data[1].domain_name, - dom_data[1].dns_domain_name, dom_data[1].domsid, - &authinfo); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("create_trust failed with error [%s].\n", - nt_errstr(status))); - goto done; - } - - if (other_net_ctx != NULL) { - talloc_free(authinfo.auth_blob.data); authinfo.auth_blob.data = talloc_memdup(mem_ctx, auth_blob.data, auth_blob.length); if (authinfo.auth_blob.data == NULL) { @@ -489,18 +526,67 @@ static int rpc_trust_create(struct net_context *net_ctx, int argc, } authinfo.auth_blob.size = auth_blob.length; - arcfour_crypt_blob(authinfo.auth_blob.data, authinfo.auth_blob.size, - &cli[1]->user_session_key); + arcfour_crypt_blob(authinfo.auth_blob.data, + authinfo.auth_blob.size, + &cli[0]->user_session_key); - status = create_trust(mem_ctx, pipe_hnd[1]->binding_handle, - &pol_hnd[1], dom_data[0].domain_name, - dom_data[0].dns_domain_name, - dom_data[0].domsid, &authinfo); + status = create_trust(mem_ctx, pipe_hnd[0]->binding_handle, + &pol_hnd[0], + dom_data[1].domain_name, + dom_data[1].dns_domain_name, + dom_data[1].domsid, + &authinfo); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("create_trust failed with error [%s].\n", nt_errstr(status))); goto done; } + + if (other_net_ctx != NULL) { + talloc_free(authinfo.auth_blob.data); + authinfo.auth_blob.data = talloc_memdup(mem_ctx, + auth_blob.data, + auth_blob.length); + if (authinfo.auth_blob.data == NULL) { + goto done; + } + authinfo.auth_blob.size = auth_blob.length; + + arcfour_crypt_blob(authinfo.auth_blob.data, + authinfo.auth_blob.size, + &cli[1]->user_session_key); + + status = create_trust(mem_ctx, + pipe_hnd[1]->binding_handle, + &pol_hnd[1], + dom_data[0].domain_name, + dom_data[0].dns_domain_name, + dom_data[0].domsid, &authinfo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("create_trust failed with error [%s].\n", + nt_errstr(status))); + goto done; + } + } + } else if (op == TRUST_DELETE) { + status = delete_trust(mem_ctx, pipe_hnd[0]->binding_handle, + &pol_hnd[0], dom_data[1].domsid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("delete_trust failed with [%s].\n", + nt_errstr(status))); + goto done; + } + + if (other_net_ctx != NULL) { + status = delete_trust(mem_ctx, + pipe_hnd[1]->binding_handle, + &pol_hnd[1], dom_data[0].domsid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("delete_trust failed with [%s].\n", + nt_errstr(status))); + goto done; + } + } } status = close_handle(mem_ctx, pipe_hnd[0]->binding_handle, @@ -530,6 +616,18 @@ done: return success; } +static int rpc_trust_create(struct net_context *net_ctx, int argc, + const char **argv) +{ + return rpc_trust_common(net_ctx, argc, argv, TRUST_CREATE); +} + +static int rpc_trust_delete(struct net_context *net_ctx, int argc, + const char **argv) +{ + return rpc_trust_common(net_ctx, argc, argv, TRUST_DELETE); +} + int net_rpc_trust(struct net_context *c, int argc, const char **argv) { struct functable func[] = { @@ -541,6 +639,14 @@ int net_rpc_trust(struct net_context *c, int argc, const char **argv) N_("net rpc trust create\n" " Create trusts") }, + { + "delete", + rpc_trust_delete, + NET_TRANSPORT_RPC, + N_("Remove trusts"), + N_("net rpc trust delete\n" + " Remove trusts") + }, {NULL, NULL, 0, NULL, NULL} }; -- cgit