From 387cd89af403ef6c9501e6617622269508b34355 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 26 Aug 2008 10:32:49 +1000 Subject: Fix LSA server to pass more of RPC-LSA and match Windows 2008 This fixes some info levels in the QueryTrustedDomainInfo call, and changes from implementing lsa_Delete to lsa_DeleteObject (which has an explicit close and reutrns a NULL handle). Andrew Bartlett (This used to be commit 1f12c368b2566b378a6c521c389b8b1bafbcf916) --- source4/rpc_server/lsa/dcesrv_lsa.c | 49 ++++++++++++++++++++++++------------- 1 file changed, 32 insertions(+), 17 deletions(-) (limited to 'source4/rpc_server') diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index f02e2325a0..096bba3c9f 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -94,6 +94,16 @@ static NTSTATUS dcesrv_lsa_Close(struct dcesrv_call_state *dce_call, TALLOC_CTX */ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct lsa_Delete *r) +{ + return NT_STATUS_NOT_SUPPORTED; +} + + +/* + lsa_DeleteObject +*/ +static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct lsa_DeleteObject *r) { struct dcesrv_handle *h; int ret; @@ -121,6 +131,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX return NT_STATUS_INVALID_HANDLE; } + ZERO_STRUCTP(r->out.handle); + return NT_STATUS_OK; } else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) { struct lsa_trusted_domain_state *trusted_domain_state = h->data; @@ -131,6 +143,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX return NT_STATUS_INVALID_HANDLE; } + ZERO_STRUCTP(r->out.handle); + return NT_STATUS_OK; } else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) { struct lsa_RightSet *rights; @@ -167,6 +181,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX if (!NT_STATUS_IS_OK(status)) { return status; } + + ZERO_STRUCTP(r->out.handle); } return NT_STATUS_INVALID_HANDLE; @@ -861,7 +877,7 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal { NTSTATUS status; struct lsa_OpenTrustedDomain open; - struct lsa_Delete delete; + struct lsa_DeleteObject delete; struct dcesrv_handle *h; open.in.handle = r->in.handle; @@ -880,7 +896,8 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal talloc_steal(mem_ctx, h); delete.in.handle = open.out.trustdom_handle; - status = dcesrv_lsa_Delete(dce_call, mem_ctx, &delete); + delete.out.handle = open.out.trustdom_handle; + status = dcesrv_lsa_DeleteObject(dce_call, mem_ctx, &delete); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -924,6 +941,7 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_ "trustDirection", "trustType", "trustAttributes", + "msDs-supportedEncryptionTypes", NULL }; @@ -967,12 +985,19 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_ ZERO_STRUCT(r->out.info->full_info); return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->full_info.info_ex); - case LSA_TRUSTED_DOMAIN_INFO_INFO_ALL: - ZERO_STRUCT(r->out.info->info_all); - return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info_all.info_ex); + case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL: + ZERO_STRUCT(r->out.info->info2_internal); + r->out.info->info2_internal.posix_offset.posix_offset + = samdb_result_uint(msg, "posixOffset", 0); + return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info2_internal.info_ex); + + case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES: + r->out.info->enc_types.enc_types + = samdb_result_uint(msg, "msDs-supportedEncryptionTypes", KERB_ENCTYPE_RC4_HMAC_MD5); + break; - case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO: - case LSA_TRUSTED_DOMAIN_INFO_11: + case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS: + case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL: /* oops, we don't want to return the info after all */ talloc_free(r->out.info); r->out.info = NULL; @@ -2310,16 +2335,6 @@ static NTSTATUS dcesrv_lsa_LookupPrivDisplayName(struct dcesrv_call_state *dce_c } -/* - lsa_DeleteObject -*/ -static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct lsa_DeleteObject *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - - /* lsa_EnumAccountsWithUserRight */ -- cgit From a85ee07046b80e9e87d2ac0cf5fe95ddaaa0f5c9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 26 Aug 2008 10:33:41 +1000 Subject: Implement matching logic to Windows 2008 on handling of secrets. This is enforced by the new RPC-LSA test. Andrew Bartlett (This used to be commit da200ac64485fd9531b1aa048570c682b680b012) --- source4/rpc_server/lsa/dcesrv_lsa.c | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) (limited to 'source4/rpc_server') diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 096bba3c9f..7ed3b63540 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -2011,22 +2011,14 @@ static NTSTATUS dcesrv_lsa_SetSecret(struct dcesrv_call_state *dce_call, TALLOC_ } if (!r->in.new_val) { - /* This behaviour varies depending of if this is a local, or a global secret... */ - if (secret_state->global) { - /* set old value mtime */ - if (samdb_msg_add_uint64(secret_state->sam_ldb, - mem_ctx, msg, "lastSetTime", nt_now) != 0) { - return NT_STATUS_NO_MEMORY; - } - } else { - if (samdb_msg_add_delete(secret_state->sam_ldb, - mem_ctx, msg, "currentValue")) { - return NT_STATUS_NO_MEMORY; - } - if (samdb_msg_add_delete(secret_state->sam_ldb, - mem_ctx, msg, "lastSetTime")) { - return NT_STATUS_NO_MEMORY; - } + /* set old value mtime */ + if (samdb_msg_add_uint64(secret_state->sam_ldb, + mem_ctx, msg, "lastSetTime", nt_now) != 0) { + return NT_STATUS_NO_MEMORY; + } + if (samdb_msg_add_delete(secret_state->sam_ldb, + mem_ctx, msg, "currentValue")) { + return NT_STATUS_NO_MEMORY; } } } -- cgit From 4eba234a7352094e1640e8ff9d80a20f8d4705a3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 26 Aug 2008 12:18:26 +1000 Subject: More LSA server and testuite work. - Implement QueryDomainInformationPolicy in Samba4 - Allow RPC-LSA to pass against Windows 2008 (which does not allow the Audit privilage to be removed) Andrew Bartlett (This used to be commit d94c7bbcd6eee6d975eac32a1d172f4164c97137) --- source4/rpc_server/lsa/dcesrv_lsa.c | 39 ++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server') diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 7ed3b63540..f67b5dee10 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -23,6 +23,8 @@ #include "rpc_server/lsa/lsa.h" #include "util/util_ldb.h" #include "libcli/ldap/ldap_ndr.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" /* this type allows us to distinguish handle types @@ -2502,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state TALLOC_CTX *mem_ctx, struct lsa_QueryDomainInformationPolicy *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy); + if (!r->out.info) { + return NT_STATUS_NO_MEMORY; + } + + switch (r->in.level) { + case LSA_DOMAIN_INFO_POLICY_EFS: + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + case LSA_DOMAIN_INFO_POLICY_KERBEROS: + { + struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info; + struct smb_krb5_context *smb_krb5_context; + int ret = smb_krb5_init_context(mem_ctx, + dce_call->event_ctx, + dce_call->conn->dce_ctx->lp_ctx, + &smb_krb5_context); + if (ret != 0) { + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_INTERNAL_ERROR; + } + k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */ + k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->user_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */ + k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context); + talloc_free(smb_krb5_context); + return NT_STATUS_OK; + } + default: + talloc_free(r->out.info); + r->out.info = NULL; + return NT_STATUS_INVALID_INFO_CLASS; + } } /* -- cgit