From 945eedc4c1b578d22707d070eacfab82f5619a04 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Jul 2008 13:36:59 +0200 Subject: libnet/become_dc: add a comment and explain why it's important to specify krb5 metze (This used to be commit 26d1f9366d8611af1a69095b4cede2d2c95c982d) --- source4/libnet/libnet_become_dc.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source4/libnet') diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 556ba8045d..31a9206d86 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -1516,6 +1516,15 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s, drsuapi->s = s; if (!drsuapi->binding) { + /* + * Note: It's important to pass 'krb5' as auth_type here + * otherwise the replication will not work with + * Windows 2000. If NTLMSSP is used Windows 2000 + * returns garbage in the DsGetNCChanges() response + * if encrypted password attributes would be in the response. + * That means the replication of the schema and configuration + * partition works fine, but it fails for the domain partition. + */ if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) { binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name); if (composite_nomem(binding_str, c)) return; -- cgit From 46bb8aa357ba11ff79af0281b749e70706774217 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 23 Jul 2008 15:18:57 +0200 Subject: libnet_become_cd: teach becomeDC_drsuapi_bind_recv() DsBindInfo48. To work with w2k8. Michael (This used to be commit 7d80fab912576923c7474d77b8ed960b01296914) --- source4/libnet/libnet_become_dc.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source4/libnet') diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 31a9206d86..067f76d6b8 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c 
@@ -1649,6 +1649,15 @@ static WERROR becomeDC_drsuapi_bind_recv(struct libnet_BecomeDC_state *s,
 drsuapi->remote_info28.repl_epoch = 0;
 break;
 }
+ case 48: {
+ struct drsuapi_DsBindInfo48 *info48;
+ info48 = &drsuapi->bind_r.out.bind_info->info.info48;
+ drsuapi->remote_info28.supported_extensions = info48->supported_extensions;
+ drsuapi->remote_info28.site_guid = info48->site_guid;
+ drsuapi->remote_info28.pid = info48->pid;
+ drsuapi->remote_info28.repl_epoch = info48->repl_epoch;
+ break;
+ }
 case 28:
 drsuapi->remote_info28 = drsuapi->bind_r.out.bind_info->info.info28;
 break;
-- cgit From e269804b04c3658fb6228ba104a0b61cf24139c8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 23 Jul 2008 15:21:44 +0200 Subject: libnet_unbecome_dc: teach unbecomeDC_drsuapi_bind_recv() DsBindInfo48. ..to work agains w2k8. Michael (This used to be commit 97e8d5813df19cae294b6de2a880606f0f8c2c59)
--- source4/libnet/libnet_unbecome_dc.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source4/libnet')
diff --git a/source4/libnet/libnet_unbecome_dc.c b/source4/libnet/libnet_unbecome_dc.c
index e01af25f3f..4463569e71 100644
--- a/source4/libnet/libnet_unbecome_dc.c
+++ b/source4/libnet/libnet_unbecome_dc.c
@@ -616,6 +616,15 @@ static void unbecomeDC_drsuapi_bind_recv(struct rpc_request *req)
 s->drsuapi.remote_info28.repl_epoch = 0;
 break;
 }
+ case 48: {
+ struct drsuapi_DsBindInfo48 *info48;
+ info48 = &s->drsuapi.bind_r.out.bind_info->info.info48;
+ s->drsuapi.remote_info28.supported_extensions = info48->supported_extensions;
+ s->drsuapi.remote_info28.site_guid = info48->site_guid;
+ s->drsuapi.remote_info28.pid = info48->pid;
+ s->drsuapi.remote_info28.repl_epoch = info48->repl_epoch;
+ break;
+ }
 case 28:
 s->drsuapi.remote_info28 = s->drsuapi.bind_r.out.bind_info->info.info28;
 break;
-- cgit From 1f20ca14cc1a2604a7af41e6ca03852f0398d88a Mon Sep 17 00:00:00 2001
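Review bot: The new `case 48:` block copies only the four fields that `remote_info28` can hold and silently drops whatever else `info48` carries; a one-line comment would make that intentional, e.g. `/* remote_info28 only has the info28 subset; the extra info48 fields are not needed here */`. The identical `case 48:` block added to unbecomeDC_drsuapi_bind_recv() in libnet_unbecome_dc.c in the following commit on this line would take the same comment. The switch statement in becomeDC_drsuapi_bind_recv() starts and ends outside the hunk, so the discriminator is not visible here; presumably it is the bind_info length returned by the peer.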
From: Michael Adam Date: Wed, 23 Jul 2008 15:34:45 +0200 Subject: drsuapi: always set the pid field of the outgoing DsBindInfo to 0. This is for debugging and informational purposes only. The assignment is implementation specific. (WSPP docs, sec. 5.35). Michael (This used to be commit 1f5704e2dee5900e8d1d87699b76f67c0e12854e) --- source4/libnet/libnet_become_dc.c | 7 +------ source4/libnet/libnet_unbecome_dc.c | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) (limited to 'source4/libnet') diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 067f76d6b8..6a13974236 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -1611,12 +1611,7 @@ static void becomeDC_drsuapi_bind_send(struct libnet_BecomeDC_state *s, bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS; #endif bind_info28->site_guid = s->dest_dsa.site_guid; - if (s->domain.behavior_version == 2) { - /* TODO: find out how this is really triggered! */ - bind_info28->pid = 528; - } else { - bind_info28->pid = 516; - } + bind_info28->pid = 0; bind_info28->repl_epoch = 0; drsuapi->bind_info_ctr.length = 28; diff --git a/source4/libnet/libnet_unbecome_dc.c b/source4/libnet/libnet_unbecome_dc.c index 4463569e71..6a42fa2370 100644 --- a/source4/libnet/libnet_unbecome_dc.c +++ b/source4/libnet/libnet_unbecome_dc.c @@ -574,7 +574,7 @@ static void unbecomeDC_drsuapi_bind_send(struct libnet_UnbecomeDC_state *s) bind_info28 = &s->drsuapi.local_info28; bind_info28->supported_extensions = 0; bind_info28->site_guid = GUID_zero(); - bind_info28->pid = 508; + bind_info28->pid = 0; bind_info28->repl_epoch = 0; s->drsuapi.bind_info_ctr.length = 28; -- cgit From c71030bd04eee5f50be56ac2460393dfbe2fdd23 Mon Sep 17 00:00:00 2001 
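Review bot: `bind_info28->pid = 0;` now carries its rationale only in the commit message; a short comment at the assignment, `/* pid is informational only and implementation-specific (WSPP sec. 5.35); always send 0 */`, keeps it with the code and explains why the earlier behaviour-version branch was dropped. The same one-line change in unbecomeDC_drsuapi_bind_send() in libnet_unbecome_dc.c, also on this line, would take the same comment. Both enclosing functions start and end outside their hunks.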
From: Michael Adam Date: Wed, 23 Jul 2008 17:54:25 +0200 Subject: libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth. This allows controlling whether krb5 auth is forced for the rpc bind in libnet_become_dc. It defaults to "yes". For Windows 2000, DsGetNCChanges only krb5 auth works due to a bug in Windows (it returns garbage - a positive object count is returned along with first object == NULL). For Windows 2008, on the other hand, krb5 auth does not work currently due to the lack of support for AES keys. (Metze is working on that.) Michael (This used to be commit af85aad8147b85a0b9ea2ccc66b8f04efdfe5cf3) --- source4/libnet/libnet_become_dc.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'source4/libnet') diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 6a13974236..8b7fd57780 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c 
@@ -1516,22 +1516,30 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s, drsuapi->s = s; if (!drsuapi->binding) { + char *krb5_str = ""; + char *print_str = ""; /* - * Note: It's important to pass 'krb5' as auth_type here - * otherwise the replication will not work with - * Windows 2000. If NTLMSSP is used Windows 2000 - * returns garbage in the DsGetNCChanges() response + * Note: Replication only works with Windows 2000 when 'krb5' is + * passed as auth_type here. If NTLMSSP is used, Windows + * 2000 returns garbage in the DsGetNCChanges() response * if encrypted password attributes would be in the response. * That means the replication of the schema and configuration * partition works fine, but it fails for the domain partition. */ - if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) { - binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name); - if (composite_nomem(binding_str, c)) return; - } else { - binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,seal]", s->source_dsa.dns_name); - if (composite_nomem(binding_str, c)) return; + if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", + "force krb5", true)) + { + krb5_str = "krb5,"; } + if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", + "print", false)) + { + print_str = "print,"; + } + binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[%s%sseal]", + s->source_dsa.dns_name, + krb5_str, print_str); + if (composite_nomem(binding_str, c)) return; c->status = dcerpc_parse_binding(s, binding_str, &drsuapi->binding); talloc_free(binding_str); if (!composite_is_ok(c)) return; -- cgit From db36f37b8f324ca2a45b05800d4abfb72c566447 Mon Sep 17 00:00:00 2001 
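Review bot: `char *krb5_str = "";` and `char *print_str = "";` point at string literals and are only ever read, so they should be declared `const char *krb5_str = "";` and `const char *print_str = "";` — the non-const form warns under -Wwrite-strings and any later write through them would be undefined behaviour. The reworded comment above still presents krb5 as unconditional although the new `become_dc:force krb5` option (default true) can now leave it out of the binding string; a closing sentence such as `* The 'become_dc:force krb5' option (default yes) controls whether krb5 is forced here.` would document the knob next to the code that reads it. The `seal` token stays in the binding string on both paths, so only the authentication type offered for the bind changes when the option is turned off. becomeDC_drsuapi_connect_send() continues past the end of the hunk.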
From: Michael Adam Date: Wed, 23 Jul 2008 16:23:31 +0200 Subject: libnet_become_dc: send msDS_Behavior_Version == 3 (win2k8) in DsAddEntry instead of version 2 (win2k3). This makes the NET-API-BECOME-DC test work against windows 2003 and 2008. Michael (This used to be commit a7bfa1fb1bc6fb8e412990b7ff4c3ce9bc55099d) --- source4/libnet/libnet_become_dc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libnet') diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 8b7fd57780..1ce067c321 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -2104,7 +2104,7 @@ static void becomeDC_drsuapi1_add_entry_send(struct libnet_BecomeDC_state *s) vd[0] = data_blob_talloc(vd, NULL, 4); if (composite_nomem(vd[0].data, c)) return; - SIVAL(vd[0].data, 0, DS_BEHAVIOR_WIN2003); + SIVAL(vd[0].data, 0, DS_BEHAVIOR_WIN2008); vs[0].blob = &vd[0]; -- cgit
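Review bot: `SIVAL(vd[0].data, 0, DS_BEHAVIOR_WIN2008);` hard-codes the behaviour version advertised in DsAddEntry even though the state already carries `s->domain.behavior_version` (the earlier commit in this series removed a branch on it). If sending a fixed WIN2008 value regardless of the domain's actual level is deliberate, a comment at this line saying so would help, e.g. `/* always advertise win2k8; accepted by both 2003 and 2008 peers (see commit message) */`; otherwise deriving the value from `s->domain.behavior_version` would avoid claiming a level the domain does not have. becomeDC_drsuapi1_add_entry_send() starts and ends outside the hunk.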