From 71022daac2ad07bf48d42d016b15313727edcd08 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Oct 2008 12:18:01 +1100 Subject: Add samba4kpasswd and rkpty binaries smaba4kpasswd will be used to test the kpasswdd componet of the KDC (which is up until now untested), and rkpty is an expect-like wrapper we can use to blackbox that utility. Andrew Bartlett --- source4/heimdal/kpasswd/kpasswd.c | 247 ++++++++++++++++++++++++ source4/heimdal/kpasswd/kpasswd_locl.h | 104 ++++++++++ source4/heimdal/lib/krb5/prog_setup.c | 66 +++++++ source4/heimdal/lib/roken/rkpty.c | 336 +++++++++++++++++++++++++++++++++ source4/heimdal_build/internal.m4 | 8 + source4/heimdal_build/internal.mk | 35 +++- 6 files changed, 789 insertions(+), 7 deletions(-) create mode 100644 source4/heimdal/kpasswd/kpasswd.c create mode 100644 source4/heimdal/kpasswd/kpasswd_locl.h create mode 100644 source4/heimdal/lib/krb5/prog_setup.c create mode 100644 source4/heimdal/lib/roken/rkpty.c (limited to 'source4') diff --git a/source4/heimdal/kpasswd/kpasswd.c b/source4/heimdal/kpasswd/kpasswd.c new file mode 100644 index 0000000000..b844628f6f --- /dev/null +++ b/source4/heimdal/kpasswd/kpasswd.c @@ -0,0 +1,247 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kpasswd_locl.h" +RCSID("$Id: kpasswd.c 19078 2006-11-20 18:12:41Z lha $"); + +static int version_flag; +static int help_flag; +static char *admin_principal_str; +static char *cred_cache_str; + +static struct getargs args[] = { + { "admin-principal", 0, arg_string, &admin_principal_str }, + { "cache", 'c', arg_string, &cred_cache_str }, + { "version", 0, arg_flag, &version_flag }, + { "help", 0, arg_flag, &help_flag } +}; + +static void +usage (int ret, struct getargs *a, int num_args) +{ + arg_printusage (a, num_args, NULL, "[principal ...]"); + exit (ret); +} + +static int +change_password(krb5_context context, + krb5_principal principal, + krb5_ccache id) +{ + krb5_data result_code_string, result_string; + int result_code; + krb5_error_code ret; + char pwbuf[BUFSIZ]; + char *msg, *name; + + krb5_data_zero (&result_code_string); + krb5_data_zero (&result_string); + + name = msg = NULL; + if (principal == NULL) + asprintf(&msg, "New password: "); + else { + ret = krb5_unparse_name(context, principal, &name); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + asprintf(&msg, "New password for %s: ", name); + } + + if (msg == NULL) + krb5_errx (context, 1, "out of memory"); + + ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1); + free(msg); + if (name) + free(name); + if (ret != 0) { + return 1; + } + + ret = krb5_set_password_using_ccache (context, id, pwbuf, + principal, + &result_code, + &result_code_string, + &result_string); + if (ret) { + krb5_warn (context, ret, "krb5_set_password_using_ccache"); + return 1; + } + + printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code), + result_string.length > 0 ? " : " : "", + (int)result_string.length, + result_string.length > 0 ? (char *)result_string.data : ""); + + krb5_data_free (&result_code_string); + krb5_data_free (&result_string); + + return ret != 0; +} + + +int +main (int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_principal principal; + int optind = 0; + krb5_get_init_creds_opt *opt; + krb5_ccache id = NULL; + int exit_value; + + optind = krb5_program_setup(&context, argc, argv, + args, sizeof(args) / sizeof(args[0]), usage); + + if (help_flag) + usage (0, args, sizeof(args) / sizeof(args[0])); + + if(version_flag){ + print_version (NULL); + exit(0); + } + + argc -= optind; + argv += optind; + + ret = krb5_init_context (&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + ret = krb5_get_init_creds_opt_alloc (context, &opt); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); + + krb5_get_init_creds_opt_set_tkt_life (opt, 300); + krb5_get_init_creds_opt_set_forwardable (opt, FALSE); + krb5_get_init_creds_opt_set_proxiable (opt, FALSE); + + if (cred_cache_str) { + ret = krb5_cc_resolve(context, cred_cache_str, &id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_resolve"); + } else { + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_gen_new"); + } + + if (cred_cache_str == NULL) { + krb5_principal admin_principal = NULL; + krb5_creds cred; + + if (admin_principal_str) { + ret = krb5_parse_name (context, admin_principal_str, + &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + } else if (argc == 1) { + ret = krb5_parse_name (context, argv[0], &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + } else { + ret = krb5_get_default_principal (context, &admin_principal); + if (ret) + krb5_err (context, 1, ret, "krb5_get_default_principal"); + } + + ret = krb5_get_init_creds_password (context, + &cred, + admin_principal, + NULL, + krb5_prompter_posix, + NULL, + 0, + "kadmin/changepw", + opt); + switch (ret) { + case 0: + break; + case KRB5_LIBOS_PWDINTR : + return 1; + case KRB5KRB_AP_ERR_BAD_INTEGRITY : + case KRB5KRB_AP_ERR_MODIFIED : + krb5_errx(context, 1, "Password incorrect"); + break; + default: + krb5_err(context, 1, ret, "krb5_get_init_creds"); + } + + krb5_get_init_creds_opt_free(context, opt); + + ret = krb5_cc_initialize(context, id, admin_principal); + krb5_free_principal(context, admin_principal); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_store_cred(context, id, &cred); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_store_cred"); + + krb5_free_cred_contents (context, &cred); + } + + if (argc == 0) { + exit_value = change_password(context, NULL, id); + } else { + exit_value = 0; + + while (argc-- > 0) { + + ret = krb5_parse_name (context, argv[0], &principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + + ret = change_password(context, principal, id); + if (ret) + exit_value = 1; + krb5_free_principal(context, principal); + argv++; + } + } + + if (cred_cache_str == NULL) { + ret = krb5_cc_destroy(context, id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_destroy"); + } else { + ret = krb5_cc_close(context, id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_close"); + } + + krb5_free_context (context); + return ret; +} diff --git a/source4/heimdal/kpasswd/kpasswd_locl.h b/source4/heimdal/kpasswd/kpasswd_locl.h new file mode 100644 index 0000000000..b797ceb26d --- /dev/null +++ b/source4/heimdal/kpasswd/kpasswd_locl.h @@ -0,0 +1,104 @@ +/* + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: kpasswd_locl.h 11444 2002-09-10 20:03:49Z joda $ */ + +#ifndef __KPASSWD_LOCL_H__ +#define __KPASSWD_LOCL_H__ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_FCNTL_H +#include +#endif +#ifdef HAVE_SYS_UIO_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_PWD_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_NETINET_IN6_H +#include +#endif +#ifdef HAVE_NETINET6_IN6_H +#include +#endif + +#ifdef HAVE_ARPA_INET_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_ERRNO_H +#include +#endif +#ifdef HAVE_DLFCN_H +#include +#endif +#ifdef HAVE_UTIL_H +#include +#endif +#ifdef HAVE_LIBUTIL_H +#include +#endif +#include +#include +#include +#include +#include "crypto-headers.h" /* for des_read_pw_string */ + +#endif /* __KPASSWD_LOCL_H__ */ diff --git a/source4/heimdal/lib/krb5/prog_setup.c b/source4/heimdal/lib/krb5/prog_setup.c new file mode 100644 index 0000000000..0586155ac4 --- /dev/null +++ b/source4/heimdal/lib/krb5/prog_setup.c @@ -0,0 +1,66 @@ +/* + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include +#include + +RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $"); + +void KRB5_LIB_FUNCTION +krb5_std_usage(int code, struct getargs *args, int num_args) +{ + arg_printusage(args, num_args, NULL, ""); + exit(code); +} + +int KRB5_LIB_FUNCTION +krb5_program_setup(krb5_context *context, int argc, char **argv, + struct getargs *args, int num_args, + void (*usage)(int, struct getargs*, int)) +{ + krb5_error_code ret; + int optidx = 0; + + if(usage == NULL) + usage = krb5_std_usage; + + setprogname(argv[0]); + ret = krb5_init_context(context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + if(getarg(args, num_args, argc, argv, &optidx)) + (*usage)(1, args, num_args); + return optidx; +} diff --git a/source4/heimdal/lib/roken/rkpty.c b/source4/heimdal/lib/roken/rkpty.c new file mode 100644 index 0000000000..e29b2c5aca --- /dev/null +++ b/source4/heimdal/lib/roken/rkpty.c @@ -0,0 +1,336 @@ +/* + * Copyright (c) 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_WAIT_H +#include +#endif +#include +#include +#include +#ifdef HAVE_PTY_H +#include +#endif +#ifdef HAVE_UTIL_H +#include +#endif + +#include "roken.h" +#include + +struct command { + enum { CMD_EXPECT = 0, CMD_SEND, CMD_PASSWORD } type; + unsigned int lineno; + char *str; + struct command *next; +}; + +/* + * + */ + +static struct command *commands, **next = &commands; + +static sig_atomic_t alarmset = 0; + +static int timeout = 10; +static int verbose; +static int help_flag; +static int version_flag; + +static int master; +static int slave; +static char line[256] = { 0 }; + +static void +caught_signal(int signo) +{ + alarmset = signo; +} + + +static void +open_pty(void) +{ +#if defined(HAVE_OPENPTY) || defined(__linux) || defined(__osf__) /* XXX */ + if(openpty(&master, &slave, line, 0, 0) == 0) + return; +#endif /* HAVE_OPENPTY .... */ + /* more cases, like open /dev/ptmx, etc */ + + exit(77); +} + +/* + * + */ + +static char * +iscmd(const char *buf, const char *s) +{ + size_t len = strlen(s); + if (strncmp(buf, s, len) != 0) + return NULL; + return estrdup(buf + len); +} + +static void +parse_configuration(const char *fn) +{ + struct command *c; + char s[1024]; + char *str; + unsigned int lineno = 0; + FILE *cmd; + + cmd = fopen(fn, "r"); + if (cmd == NULL) + err(1, "open: %s", fn); + + while (fgets(s, sizeof(s), cmd) != NULL) { + + s[strcspn(s, "#\n")] = '\0'; + lineno++; + + c = calloc(1, sizeof(*c)); + if (c == NULL) + errx(1, "malloc"); + + c->lineno = lineno; + (*next) = c; + next = &(c->next); + + if ((str = iscmd(s, "expect ")) != NULL) { + c->type = CMD_EXPECT; + c->str = str; + } else if ((str = iscmd(s, "send ")) != NULL) { + c->type = CMD_SEND; + c->str = str; + } else if ((str = iscmd(s, "password ")) != NULL) { + c->type = CMD_PASSWORD; + c->str = str; + } else + errx(1, "Invalid command on line %d: %s", lineno, s); + } + + fclose(cmd); +} + + +/* + * + */ + +static int +eval_parent(pid_t pid) +{ + struct command *c; + char in; + size_t len = 0; + ssize_t sret; + + for (c = commands; c != NULL; c = c->next) { + switch(c->type) { + case CMD_EXPECT: + if (verbose) + printf("[expecting %s]", c->str); + len = 0; + alarm(timeout); + while((sret = read(master, &in, sizeof(in))) > 0) { + alarm(timeout); + printf("%c", in); + if (c->str[len] != in) { + len = 0; + continue; + } + len++; + if (c->str[len] == '\0') + break; + } + alarm(0); + if (alarmset == SIGALRM) + errx(1, "timeout waiting for %s (line %u)", + c->str, c->lineno); + else if (alarmset) + errx(1, "got a signal %d waiting for %s (line %u)", + alarmset, c->str, c->lineno); + if (sret <= 0) + errx(1, "end command while waiting for %s (line %u)", + c->str, c->lineno); + break; + case CMD_SEND: + case CMD_PASSWORD: { + size_t i = 0; + const char *msg = (c->type == CMD_PASSWORD) ? "****" : c->str; + + if (verbose) + printf("[send %s]", msg); + + len = strlen(c->str); + + while (i < len) { + if (c->str[i] == '\\' && i < len - 1) { + char ctrl; + i++; + switch(c->str[i]) { + case 'n': ctrl = '\n'; break; + case 'r': ctrl = '\r'; break; + case 't': ctrl = '\t'; break; + default: + errx(1, "unknown control char %c (line %u)", + c->str[i], c->lineno); + } + if (net_write(master, &ctrl, 1) != 1) + errx(1, "command refused input (line %u)", c->lineno); + } else { + if (net_write(master, &c->str[i], 1) != 1) + errx(1, "command refused input (line %u)", c->lineno); + } + i++; + } + break; + } + default: + abort(); + } + } + while(read(master, &in, sizeof(in)) > 0) + printf("%c", in); + + if (verbose) + printf("[end of program]\n"); + + /* + * Fetch status from child + */ + { + int ret, status; + + ret = waitpid(pid, &status, 0); + if (ret == -1) + err(1, "waitpid"); + if (WIFEXITED(status) && WEXITSTATUS(status)) + return WEXITSTATUS(status); + else if (WIFSIGNALED(status)) { + printf("killed by signal: %d\n", WTERMSIG(status)); + return 1; + } + } + return 0; +} + +/* + * + */ + +static struct getargs args[] = { + { "timeout", 't', arg_integer, &timeout, "timout", "seconds" }, + { "verbose", 'v', arg_counter, &verbose, "verbose debugging" }, + { "version", 0, arg_flag, &version_flag, "print version" }, + { "help", 0, arg_flag, &help_flag, NULL } +}; + +static void +usage(int ret) +{ + arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "infile command.."); + exit (ret); +} + +int +main(int argc, char **argv) +{ + int optidx = 0; + pid_t pid; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if (version_flag) { + fprintf (stderr, "%s from %s-%s\n", getprogname(), PACKAGE, VERSION); + return 0; + } + + argv += optidx; + argc -= optidx; + + if (argc < 2) + usage(1); + + parse_configuration(argv[0]); + + argv += 1; + argc -= 1; + + open_pty(); + + pid = fork(); + switch (pid) { + case -1: + err(1, "Failed to fork"); + case 0: + + if(setsid()<0) + err(1, "setsid"); + + dup2(slave, STDIN_FILENO); + dup2(slave, STDOUT_FILENO); + dup2(slave, STDERR_FILENO); + closefrom(STDERR_FILENO + 1); + + execvp(argv[0], argv); /* add NULL to end of array ? */ + err(1, "Failed to exec: %s", argv[0]); + default: + close(slave); + { + struct sigaction sa; + + sa.sa_handler = caught_signal; + sa.sa_flags = 0; + sigemptyset (&sa.sa_mask); + + sigaction(SIGALRM, &sa, NULL); + } + + return eval_parent(pid); + } +} diff --git a/source4/heimdal_build/internal.m4 b/source4/heimdal_build/internal.m4 index 038c4d9417..06e798ce27 100644 --- a/source4/heimdal_build/internal.m4 +++ b/source4/heimdal_build/internal.m4 @@ -49,6 +49,7 @@ AC_CHECK_HEADERS([ \ errno.h \ inttypes.h \ netdb.h \ + pty.h \ signal.h \ sys/bswap.h \ sys/file.h \ @@ -158,6 +159,13 @@ m4_include(heimdal/cf/find-func-no-libs.m4) m4_include(heimdal/cf/find-func-no-libs2.m4) m4_include(heimdal/cf/resolv.m4) + +AC_CHECK_LIB_EXT(util, OPENPTY_LIBS, openpty) + +SMB_ENABLE(OPENPTY,YES) + +SMB_EXT_LIB(OPENPTY,[${OPENPTY_LIBS}],[${OPENPTY_CFLAGS}],[${OPENPTY_CPPFLAGS}],[${OPENPTY_LDFLAGS}]) + smb_save_LIBS=$LIBS RESOLV_LIBS="" LIBS="" diff --git a/source4/heimdal_build/internal.mk b/source4/heimdal_build/internal.mk index 67fda9dd58..7b1c9f5153 100644 --- a/source4/heimdal_build/internal.mk +++ b/source4/heimdal_build/internal.mk @@ -322,6 +322,7 @@ HEIMDAL_KRB5_OBJ_FILES = \ $(heimdalsrcdir)/lib/krb5/pkinit.o \ $(heimdalsrcdir)/lib/krb5/plugin.o \ $(heimdalsrcdir)/lib/krb5/principal.o \ + $(heimdalsrcdir)/lib/krb5/prog_setup.o \ $(heimdalsrcdir)/lib/krb5/pac.o \ $(heimdalsrcdir)/lib/krb5/prompter_posix.o \ $(heimdalsrcdir)/lib/krb5/rd_cred.o \ @@ -600,6 +601,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \ $(heimdalsrcdir)/lib/roken/dumpdata.o \ $(heimdalsrcdir)/lib/roken/emalloc.o \ $(heimdalsrcdir)/lib/roken/ecalloc.o \ + $(heimdalsrcdir)/lib/roken/getarg.o \ $(heimdalsrcdir)/lib/roken/get_window_size.o \ $(heimdalsrcdir)/lib/roken/h_errno.o \ $(heimdalsrcdir)/lib/roken/issuid.o \ @@ -612,6 +614,7 @@ HEIMDAL_ROKEN_OBJ_FILES = \ $(heimdalsrcdir)/lib/roken/roken_gethostby.o \ $(heimdalsrcdir)/lib/roken/signal.o \ $(heimdalsrcdir)/lib/roken/vis.o \ + $(heimdalsrcdir)/lib/roken/setprogname.o \ $(heimdalsrcdir)/lib/roken/strlwr.o \ $(heimdalsrcdir)/lib/roken/strsep_copy.o \ $(heimdalsrcdir)/lib/roken/strsep.o \ @@ -677,8 +680,6 @@ dist:: $(heimdalsrcdir)/lib/asn1/lex.c asn1_compile_OBJ_FILES = \ $(asn1_compile_ASN1_OBJ_FILES) \ $(heimdalsrcdir)/lib/roken/emalloc.ho \ - $(heimdalsrcdir)/lib/roken/getarg.ho \ - $(heimdalsrcdir)/lib/roken/setprogname.ho \ $(heimdalsrcdir)/lib/roken/strupr.ho \ $(heimdalsrcdir)/lib/roken/get_window_size.ho \ $(heimdalsrcdir)/lib/roken/estrdup.ho \ @@ -713,10 +714,8 @@ compile_et_OBJ_FILES = $(heimdalsrcdir)/lib/vers/print_version.ho \ $(heimdalsrcdir)/lib/com_err/parse.ho \ $(heimdalsrcdir)/lib/com_err/lex.ho \ $(heimdalsrcdir)/lib/com_err/compile_et.ho \ - $(heimdalsrcdir)/lib/roken/getarg.ho \ $(heimdalsrcdir)/lib/roken/get_window_size.ho \ $(heimdalsrcdir)/lib/roken/strupr.ho \ - $(heimdalsrcdir)/lib/roken/setprogname.ho \ $(socketwrappersrcdir)/socket_wrapper.ho \ $(heimdalbuildsrcdir)/replace.ho @@ -761,8 +760,30 @@ PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM ####################### samba4kinit_OBJ_FILES = $(heimdalsrcdir)/kuser/kinit.o \ - $(heimdalsrcdir)/lib/vers/print_version.o \ - $(heimdalsrcdir)/lib/roken/setprogname.o \ - $(heimdalsrcdir)/lib/roken/getarg.o + $(heimdalsrcdir)/lib/vers/print_version.o $(samba4kinit_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken + +####################### +# Start BINARY compile_et +[BINARY::samba4kpasswd] +PRIVATE_DEPENDENCIES = HEIMDAL_KRB5 HEIMDAL_NTLM +# End BINARY compile_et +####################### + +samba4kpasswd_OBJ_FILES = $(heimdalsrcdir)/kpasswd/kpasswd.o \ + $(heimdalsrcdir)/lib/vers/print_version.o + +$(samba4kpasswd_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken + +####################### +# Start BINARY compile_et +[BINARY::rkpty] +PRIVATE_DEPENDENCIES = HEIMDAL_ROKEN OPENPTY +# End BINARY compile_et +####################### + +rkpty_OBJ_FILES = $(heimdalsrcdir)/lib/roken/rkpty.o \ + $(socketwrappersrcdir)/socket_wrapper.o + +$(rkpty_OBJ_FILES): CFLAGS+=-I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/roken -DPACKAGE=\"Samba\" -- cgit From c41cc6772203862e1015f7fc60ad0a06eca3051c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Oct 2008 14:21:21 +1100 Subject: Ensure the hdb_method structure is not on the stack. We supply this to krb5 as a plugin, so we must keep it around as long as the krb5_context. Andrew Bartlett --- source4/kdc/kdc.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4') diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index cf6dbf0c93..45fa803d04 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -657,6 +657,11 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, } +static struct hdb_method hdb_samba4 = { + .interface_version = HDB_INTERFACE_VERSION, + .prefix = "samba4:", + .create = hdb_samba4_create +}; /* startup the kdc task @@ -667,11 +672,6 @@ static void kdc_task_init(struct task_server *task) NTSTATUS status; krb5_error_code ret; struct interface *ifaces; - struct hdb_method hdb_samba4 = { - .interface_version = HDB_INTERFACE_VERSION, - .prefix = "samba4:", - .create = hdb_samba4_create - }; switch (lp_server_role(task->lp_ctx)) { case ROLE_STANDALONE: -- cgit From 3038bc484ebb1796e40e0eeb72155d9905ff36fa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Oct 2008 15:19:01 +1100 Subject: Mark clearTextPassword as a privilaged attribute --- source4/setup/provision_init.ldif | 1 + 1 file changed, 1 insertion(+) (limited to 'source4') diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif index a6c591dd51..8e9b68fb30 100644 --- a/source4/setup/provision_init.ldif +++ b/source4/setup/provision_init.ldif @@ -34,6 +34,7 @@ dn: @OPTIONS checkBaseOnSearch: TRUE dn: @KLUDGEACL +passwordAttribute: clearTextPassword passwordAttribute: userPassword passwordAttribute: ntPwdHash passwordAttribute: sambaNTPwdHistory -- cgit From b789ff950f054ede2ef1dfaf94f8ddff062c092b Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Mon, 20 Oct 2008 15:50:07 +1100 Subject: LSA Patch for User Manager New (major) patch ================= - Enhances the "lsa.idl" file in the sense that it adds more values to "PolicyInformation" to improve the "lsa_QueryInfoPolicy*" calls. - Adds a minimal implementation for "AuditEvents" (also lsa_QueryInfoPolicy* calls) to enable the "Audit" option in the "User Manager for Domains" (at least readable). - Adds to the "lsa.idl" file the system access mode flags needed for the calls "lsa_*SystemAccessAccount". - Fill in the "lsa_GetSystemAccessAccount" for enabling the "User Rights" option in the "User Manager for Domains" (at least readable). - Merge the two similar torture tests of the "lsa_QueryInfoPolicy*" calls in one using "if"'s for a few separations. - Add a torture test for "lsa_GetSystemAccessAccount". - Some cosmetic-only changes (unifications) in output strings in the "LSA" torture test. The work has been done using the Microsoft WSPP docs. Signed-off-by: Andrew Bartlett --- source4/librpc/idl/lsa.idl | 32 +++-- source4/rpc_server/lsa/dcesrv_lsa.c | 41 ++++++- source4/torture/rpc/lsa.c | 229 +++++++++++++++++++++--------------- 3 files changed, 195 insertions(+), 107 deletions(-) (limited to 'source4') diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index dd9791d894..8745385a10 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -263,11 +263,12 @@ import "misc.idl", "security.idl"; LSA_POLICY_INFO_ROLE=6, LSA_POLICY_INFO_REPLICA=7, LSA_POLICY_INFO_QUOTA=8, - LSA_POLICY_INFO_DB=9, + LSA_POLICY_INFO_MOD=9, LSA_POLICY_INFO_AUDIT_FULL_SET=10, LSA_POLICY_INFO_AUDIT_FULL_QUERY=11, LSA_POLICY_INFO_DNS=12, - LSA_POLICY_INFO_DNS_INT=13 + LSA_POLICY_INFO_DNS_INT=13, + LSA_POLICY_INFO_L_ACCOUNT_DOMAIN=14 } lsa_PolicyInfo; typedef [switch_type(uint16)] union { @@ -279,11 +280,12 @@ import "misc.idl", "security.idl"; [case(LSA_POLICY_INFO_ROLE)] lsa_ServerRole role; [case(LSA_POLICY_INFO_REPLICA)] lsa_ReplicaSourceInfo replica; [case(LSA_POLICY_INFO_QUOTA)] lsa_DefaultQuotaInfo quota; - [case(LSA_POLICY_INFO_DB)] lsa_ModificationInfo db; + [case(LSA_POLICY_INFO_MOD)] lsa_ModificationInfo mod; [case(LSA_POLICY_INFO_AUDIT_FULL_SET)] lsa_AuditFullSetInfo auditfullset; [case(LSA_POLICY_INFO_AUDIT_FULL_QUERY)] lsa_AuditFullQueryInfo auditfullquery; [case(LSA_POLICY_INFO_DNS)] lsa_DnsDomainInfo dns; [case(LSA_POLICY_INFO_DNS_INT)] lsa_DnsDomainInfo dns; + [case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain; } lsa_PolicyInformation; NTSTATUS lsa_QueryInfoPolicy ( @@ -512,23 +514,39 @@ import "misc.idl", "security.idl"; /* Function: 0x16 */ [todo] NTSTATUS lsa_SetQuotasForAccount(); + typedef [bitmap32bit] bitmap { + LSA_POLICY_MODE_INTERACTIVE = 0x00000001, + LSA_POLICY_MODE_NETWORK = 0x00000002, + LSA_POLICY_MODE_BATCH = 0x00000004, + LSA_POLICY_MODE_SERVICE = 0x00000010, + LSA_POLICY_MODE_PROXY = 0x00000020, + LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, + LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, + LSA_POLICY_MODE_DENY_BATCH = 0x00000100, + LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, + LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, + LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, + LSA_POLICY_MODE_ALL = 0x00000FF7, + LSA_POLICY_MODE_ALL_NT4 = 0x00000037 + } lsa_SystemAccessModeFlags; + /* Function: 0x17 */ NTSTATUS lsa_GetSystemAccessAccount( - [in] policy_handle *handle, + [in] policy_handle *handle, [out,ref] uint32 *access_mask ); /* Function: 0x18 */ NTSTATUS lsa_SetSystemAccessAccount( - [in] policy_handle *handle, - [in] uint32 access_mask + [in] policy_handle *handle, + [in] uint32 access_mask ); /* Function: 0x19 */ NTSTATUS lsa_OpenTrustedDomain( [in] policy_handle *handle, [in] dom_sid2 *sid, - [in] uint32 access_mask, + [in] uint32 access_mask, [out] policy_handle *trustdom_handle ); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 4c596f1f03..84f11ef3a8 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -399,7 +399,6 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal return WERR_INVALID_PARAM; } - /* fill in the AccountDomain info */ @@ -462,9 +461,15 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, /* we don't need to fill in any of this */ ZERO_STRUCT(r->out.info->pd); return NT_STATUS_OK; + case LSA_POLICY_INFO_DOMAIN: + return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->domain); case LSA_POLICY_INFO_ACCOUNT_DOMAIN: return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain); + case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: + return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->l_account_domain); + + case LSA_POLICY_INFO_ROLE: r->out.info->role.role = LSA_ROLE_PRIMARY; return NT_STATUS_OK; @@ -481,9 +486,8 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, ZERO_STRUCT(r->out.info->quota); return NT_STATUS_OK; + case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: - case LSA_POLICY_INFO_DB: - case LSA_POLICY_INFO_AUDIT_FULL_QUERY: /* windows gives INVALID_PARAMETER */ r->out.info = NULL; return NT_STATUS_INVALID_PARAMETER; @@ -2050,7 +2054,36 @@ static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_cal static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct lsa_GetSystemAccessAccount *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + int i; + NTSTATUS status; + struct lsa_EnumPrivsAccount enumPrivs; + + enumPrivs.in.handle = r->in.handle; + + status = dcesrv_lsa_EnumPrivsAccount(dce_call, mem_ctx, &enumPrivs); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *(r->out.access_mask) = 0x00000000; + + for (i = 0; i < enumPrivs.out.privs->count; i++) { + int priv = enumPrivs.out.privs->set[i].luid.low; + + switch (priv) { + case SEC_PRIV_INTERACTIVE_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_INTERACTIVE; + break; + case SEC_PRIV_NETWORK_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_NETWORK; + break; + case SEC_PRIV_REMOTE_INTERACTIVE_LOGON: + *(r->out.access_mask) |= LSA_POLICY_MODE_REMOTE_INTERACTIVE; + break; + } + } + + return NT_STATUS_OK; } diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 245ed1e41b..875a857522 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -46,7 +46,7 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) NTSTATUS status; uint16_t system_name = '\\'; - printf("\ntesting OpenPolicy\n"); + printf("\nTesting OpenPolicy\n"); qos.len = 0; qos.impersonation_level = 2; @@ -88,7 +88,7 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_OpenPolicy2 r; NTSTATUS status; - printf("\ntesting OpenPolicy2\n"); + printf("\nTesting OpenPolicy2\n"); *handle = talloc(mem_ctx, struct policy_handle); if (!*handle) { @@ -781,7 +781,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p, } static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle, struct lsa_LUID *luid) @@ -791,7 +791,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("Testing RemovePrivilegesFromAccount\n"); + printf("\nTesting RemovePrivilegesFromAccount\n"); r.in.handle = acct_handle; r.in.remove_all = 0; @@ -831,7 +831,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, } static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *acct_handle, struct lsa_LUID *luid) { @@ -840,7 +840,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("Testing AddPrivilegesToAccount\n"); + printf("\nTesting AddPrivilegesToAccount\n"); r.in.handle = acct_handle; r.in.privs = &privs; @@ -861,7 +861,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, } static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle) { @@ -869,7 +869,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, struct lsa_EnumPrivsAccount r; bool ret = true; - printf("Testing EnumPrivsAccount\n"); + printf("\nTesting EnumPrivsAccount\n"); r.in.handle = acct_handle; @@ -895,6 +895,60 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, return ret; } +static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p, + TALLOC_CTX *mem_ctx, + struct policy_handle *handle, + struct policy_handle *acct_handle) +{ + NTSTATUS status; + uint32_t access_mask; + struct lsa_GetSystemAccessAccount r; + + printf("\nTesting GetSystemAccessAccount\n"); + + r.in.handle = acct_handle; + r.out.access_mask = &access_mask; + + status = dcerpc_lsa_GetSystemAccessAccount(p, mem_ctx, &r); + if (!NT_STATUS_IS_OK(status)) { + printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status)); + return false; + } + + if (r.out.access_mask != NULL) { + printf("Rights:"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE) + printf(" LSA_POLICY_MODE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK) + printf(" LSA_POLICY_MODE_NETWORK"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH) + printf(" LSA_POLICY_MODE_BATCH"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE) + printf(" LSA_POLICY_MODE_SERVICE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY) + printf(" LSA_POLICY_MODE_PROXY"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE) + printf(" LSA_POLICY_MODE_DENY_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK) + printf(" LSA_POLICY_MODE_DENY_NETWORK"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH) + printf(" LSA_POLICY_MODE_DENY_BATCH"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE) + printf(" LSA_POLICY_MODE_DENY_SERVICE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE) + printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE) + printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL) + printf(" LSA_POLICY_MODE_ALL"); + if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4) + printf(" LSA_POLICY_MODE_ALL_NT4"); + printf("\n"); + } + + return true; +} + static bool test_Delete(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle) @@ -902,7 +956,7 @@ static bool test_Delete(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_Delete r; - printf("testing Delete\n"); + printf("\nTesting Delete\n"); r.in.handle = handle; status = dcerpc_lsa_Delete(p, mem_ctx, &r); @@ -921,13 +975,13 @@ static bool test_DeleteObject(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_DeleteObject r; - printf("testing DeleteObject\n"); + printf("\nTesting DeleteObject\n"); r.in.handle = handle; r.out.handle = handle; status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("Delete failed - %s\n", nt_errstr(status)); + printf("DeleteObject failed - %s\n", nt_errstr(status)); return false; } @@ -946,7 +1000,7 @@ static bool test_CreateAccount(struct dcerpc_pipe *p, newsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-12349876-4321-2854"); - printf("Testing CreateAccount\n"); + printf("\nTesting CreateAccount\n"); r.in.handle = handle; r.in.sid = newsid; @@ -998,7 +1052,7 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsa_OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); return false; } @@ -1026,7 +1080,7 @@ static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p, status = dcerpc_lsa_DeleteTrustedDomain(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsa_DeleteTrustedDomain failed - %s\n", nt_errstr(status)); + printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status)); return false; } @@ -1072,7 +1126,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, secname[GLOBAL] = talloc_asprintf(mem_ctx, "G$torturesecret-%u", (uint_t)random()); for (i=0; i< 2; i++) { - printf("Testing CreateSecret of %s\n", secname[i]); + printf("\nTesting CreateSecret of %s\n", secname[i]); init_lsa_String(&r.in.name, secname[i]); @@ -1384,7 +1438,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p, struct lsa_EnumAccountRights r; struct lsa_RightSet rights; - printf("Testing EnumAccountRights\n"); + printf("\nTesting EnumAccountRights\n"); r.in.handle = acct_handle; r.in.sid = sid; @@ -1410,11 +1464,11 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p, struct lsa_QuerySecurity r; if (torture_setting_bool(tctx, "samba4", false)) { - printf("skipping QuerySecurity test against Samba4\n"); + printf("\nskipping QuerySecurity test against Samba4\n"); return true; } - printf("Testing QuerySecurity\n"); + printf("\nTesting QuerySecurity\n"); r.in.handle = acct_handle; r.in.sec_info = 7; @@ -1437,7 +1491,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, struct lsa_OpenAccount r; struct policy_handle acct_handle; - printf("Testing OpenAccount\n"); + printf("\nTesting OpenAccount\n"); r.in.handle = handle; r.in.sid = sid; @@ -1454,6 +1508,10 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, return false; } + if (!test_GetSystemAccessAccount(p, mem_ctx, handle, &acct_handle)) { + return false; + } + if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) { return false; } @@ -1472,7 +1530,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\ntesting EnumAccounts\n"); + printf("\nTesting EnumAccounts\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1503,7 +1561,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, * be on schannel, or we would not be able to do the * rest */ - printf("testing all accounts\n"); + printf("Testing all accounts\n"); for (i=0;istring); + printf("\nTesting LookupPrivDisplayName(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1576,7 +1634,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p, ZERO_STRUCT(sids); - printf("testing EnumAccountsWithUserRight(%s)\n", priv_name->string); + printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1609,7 +1667,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\ntesting EnumPrivs\n"); + printf("\nTesting EnumPrivs\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1999,7 +2057,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, struct lsa_QueryTrustedDomainInfo q; int i; - printf("Testing CreateTrustedDomain for 12 domains\n"); + printf("\nTesting CreateTrustedDomain for 12 domains\n"); if (!test_EnumTrustDom(p, mem_ctx, handle)) { ret = false; @@ -2095,7 +2153,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, enum ndr_err_code ndr_err; int i; - printf("Testing CreateTrustedDomainEx2 for 12 domains\n"); + printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n"); status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -2226,7 +2284,7 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, r.in.handle = handle; r.in.level = i; - printf("\ntrying QueryDomainInformationPolicy level %d\n", i); + printf("\nTrying QueryDomainInformationPolicy level %d\n", i); status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r); @@ -2244,35 +2302,49 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, } -static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, - struct torture_context *tctx, - struct policy_handle *handle) +static bool test_QueryInfoPolicyCalls( bool version2, + struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle) { struct lsa_QueryInfoPolicy r; NTSTATUS status; int i; bool ret = true; - printf("\nTesting QueryInfoPolicy\n"); - for (i=1;i<=13;i++) { + if (version2) + printf("\nTesting QueryInfoPolicy2\n"); + else + printf("\nTesting QueryInfoPolicy\n"); + + for (i=1;i<=14;i++) { r.in.handle = handle; r.in.level = i; - printf("\ntrying QueryInfoPolicy level %d\n", i); + if (version2) + printf("\nTrying QueryInfoPolicy2 level %d\n", i); + else + printf("\nTrying QueryInfoPolicy level %d\n", i); - status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); + if (version2) + /* We can perform the cast, because both types are + structurally equal */ + status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, + (struct lsa_QueryInfoPolicy2*) &r); + else + status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); switch (i) { - case LSA_POLICY_INFO_DB: + case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: - case LSA_POLICY_INFO_AUDIT_FULL_QUERY: if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("server should have failed level %u: %s\n", i, nt_errstr(status)); + printf("Server should have failed level %u: %s\n", i, nt_errstr(status)); ret = false; } break; case LSA_POLICY_INFO_DOMAIN: case LSA_POLICY_INFO_ACCOUNT_DOMAIN: + case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: case LSA_POLICY_INFO_DNS_INT: case LSA_POLICY_INFO_DNS: case LSA_POLICY_INFO_REPLICA: @@ -2282,7 +2354,10 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, case LSA_POLICY_INFO_AUDIT_EVENTS: case LSA_POLICY_INFO_PD: if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; @@ -2290,17 +2365,24 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, if (torture_setting_bool(tctx, "samba4", false)) { /* Other levels not implemented yet */ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } } else if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + if (version2) + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + else + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; } - if (NT_STATUS_IS_OK(status) && i == LSA_POLICY_INFO_DNS) { + if (NT_STATUS_IS_OK(status) && (i == LSA_POLICY_INFO_DNS + || i == LSA_POLICY_INFO_DNS_INT)) { /* Let's look up some of these names */ struct lsa_TransNameArray tnames; @@ -2342,63 +2424,18 @@ static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, return ret; } +static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle) +{ + return test_QueryInfoPolicyCalls(false, p, tctx, handle); +} + static bool test_QueryInfoPolicy2(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle) { - struct lsa_QueryInfoPolicy2 r; - NTSTATUS status; - int i; - bool ret = true; - printf("\nTesting QueryInfoPolicy2\n"); - for (i=1;i<13;i++) { - r.in.handle = handle; - r.in.level = i; - - printf("\ntrying QueryInfoPolicy2 level %d\n", i); - - status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, &r); - - switch (i) { - case LSA_POLICY_INFO_DB: - case LSA_POLICY_INFO_AUDIT_FULL_SET: - case LSA_POLICY_INFO_AUDIT_FULL_QUERY: - if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("server should have failed level %u: %s\n", i, nt_errstr(status)); - ret = false; - } - break; - case LSA_POLICY_INFO_DOMAIN: - case LSA_POLICY_INFO_ACCOUNT_DOMAIN: - case LSA_POLICY_INFO_DNS_INT: - case LSA_POLICY_INFO_DNS: - case LSA_POLICY_INFO_REPLICA: - case LSA_POLICY_INFO_QUOTA: - case LSA_POLICY_INFO_ROLE: - case LSA_POLICY_INFO_AUDIT_LOG: - case LSA_POLICY_INFO_AUDIT_EVENTS: - case LSA_POLICY_INFO_PD: - if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - break; - default: - if (torture_setting_bool(tctx, "samba4", false)) { - /* Other levels not implemented yet */ - if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - } else if (!NT_STATUS_IS_OK(status)) { - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - ret = false; - } - break; - } - } - - return ret; + return test_QueryInfoPolicyCalls(true, p, tctx, handle); } static bool test_GetUserName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) @@ -2433,7 +2470,7 @@ bool test_lsa_Close(struct dcerpc_pipe *p, struct lsa_Close r; struct policy_handle handle2; - printf("\ntesting Close\n"); + printf("\nTesting Close\n"); r.in.handle = handle; r.out.handle = &handle2; -- cgit From 85acd7eccca127ab701f1515a27747b8af089cab Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Oct 2008 16:12:37 +1100 Subject: Make the updated RPC-LSA pass against Win2008, and Samba4 to match --- source4/rpc_server/lsa/dcesrv_lsa.c | 1 + source4/torture/rpc/lsa.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 84f11ef3a8..b009d2f2f8 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -488,6 +488,7 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: /* windows gives INVALID_PARAMETER */ r->out.info = NULL; return NT_STATUS_INVALID_PARAMETER; diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 875a857522..69df965f19 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -1727,7 +1727,7 @@ static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p, status = dcerpc_lsa_lsaRQueryForestTrustInformation(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("lsaRQueryForestTrustInformation failed - %s\n", nt_errstr(status)); + printf("lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status)); ret = false; } @@ -2337,6 +2337,7 @@ static bool test_QueryInfoPolicyCalls( bool version2, switch (i) { case LSA_POLICY_INFO_MOD: case LSA_POLICY_INFO_AUDIT_FULL_SET: + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { printf("Server should have failed level %u: %s\n", i, nt_errstr(status)); ret = false; -- cgit From a55afef6d3dbd40b938e19c7c077e3b0ca535bcc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Oct 2008 17:48:59 +1100 Subject: Rework mkrelease.sh to exclude Samba3 files This matches my proposal to samba-technical, and should allow a Samba4 release to be made shortly. Andrew Bartlett --- source4/script/mkrelease.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'source4') diff --git a/source4/script/mkrelease.sh b/source4/script/mkrelease.sh index 0af738deb5..6a8c5ae2e7 100755 --- a/source4/script/mkrelease.sh +++ b/source4/script/mkrelease.sh @@ -1,6 +1,6 @@ #!/bin/sh -if [ ! -d ".git" -o `dirname $0` != "./source/script" ]; then +if [ ! -d ".git" -o `dirname $0` != "./source4/script" ]; then echo "Run this script from the top-level directory in the" echo "repository as: ./source/script/mkrelease.sh" exit 1 @@ -9,13 +9,23 @@ fi TMPDIR=`mktemp -d samba-XXXXX` (git archive --format=tar HEAD | (cd $TMPDIR/ && tar xf -)) -( cd $TMPDIR/source || exit 1 +#Prepare the tarball for a Samba4 release, with some generated files, +#but without Samba3 stuff (to avoid confusion) +( cd $TMPDIR/ || exit 1 + rm -rf source3 packaging docs-xml examples swat WHATSNEW.txt MAINTAINERS || exit 1 + cd source4 || exit 1 ./autogen.sh || exit 1 ./configure || exit 1 make dist || exit 1 ) || exit 1 -VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $TMPDIR/source/version.h` +VERSION_FILE=$TMPDIR/source4/version.h +if [ ! -f $VERSION_FILE ]; then + echo "Cannot find version.h at $VERSION_FILE" + exit 1; +fi + +VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $VERSION_FILE` mv $TMPDIR samba-$VERSION || exit 1 tar -cf samba-$VERSION.tar samba-$VERSION || (rm -rf samba-$VERSION; exit 1) rm -rf samba-$VERSION || exit 1 -- cgit From fc8fadf1e93cffcf36bd56ba02894804018b9972 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Oct 2008 11:11:19 +0200 Subject: idl: finally share krb5_pac.idl. Guenther --- source4/librpc/idl/krb5pac.idl | 130 ----------------------------------------- 1 file changed, 130 deletions(-) delete mode 100644 source4/librpc/idl/krb5pac.idl (limited to 'source4') diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl deleted file mode 100644 index bddba04165..0000000000 --- a/source4/librpc/idl/krb5pac.idl +++ /dev/null @@ -1,130 +0,0 @@ -/* - krb5 PAC -*/ - -#include "idl_types.h" - -import "security.idl", "netlogon.idl", "samr.idl"; - -[ - uuid("12345778-1234-abcd-0000-00000000"), - version(0.0), - pointer_default(unique), - helpstring("Active Directory KRB5 PAC") -] -interface krb5pac -{ - typedef struct { - NTTIME logon_time; - [value(2*strlen_m(account_name))] uint16 size; - [charset(UTF16)] uint8 account_name[size]; - } PAC_LOGON_NAME; - - typedef [public,flag(NDR_PAHEX)] struct { - uint32 type; - [flag(NDR_REMAINING)] DATA_BLOB signature; - } PAC_SIGNATURE_DATA; - - typedef [gensize] struct { - netr_SamInfo3 info3; - dom_sid2 *res_group_dom_sid; - samr_RidWithAttributeArray res_groups; - } PAC_LOGON_INFO; - - typedef struct { - [value(2*strlen_m(upn_name))] uint16 upn_size; - uint16 upn_offset; - [value(2*strlen_m(domain_name))] uint16 domain_size; - uint16 domain_offset; - uint16 unknown3; /* 0x01 */ - uint16 unknown4; - uint32 unknown5; - [charset(UTF16)] uint8 upn_name[upn_size+2]; - [charset(UTF16)] uint8 domain_name[domain_size+2]; - uint32 unknown6; /* padding */ - } PAC_UNKNOWN_12; - - typedef [public] struct { - PAC_LOGON_INFO *info; - } PAC_LOGON_INFO_CTR; - - typedef [public,v1_enum] enum { - PAC_TYPE_LOGON_INFO = 1, - PAC_TYPE_SRV_CHECKSUM = 6, - PAC_TYPE_KDC_CHECKSUM = 7, - PAC_TYPE_LOGON_NAME = 10, - PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UNKNOWN_12 = 12 - } PAC_TYPE; - - typedef struct { - [flag(NDR_REMAINING)] DATA_BLOB remaining; - } DATA_BLOB_REM; - - typedef [public,nodiscriminant,gensize] union { - [case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info; - [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum; - [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum; - [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name; - /* when new PAC info types are added they are supposed to be done - in such a way that they are backwards compatible with existing - servers. This makes it safe to just use a [default] for - unknown types, which lets us ignore the data */ - [default] [subcontext(0)] DATA_BLOB_REM unknown; - /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */ - } PAC_INFO; - - typedef [public,nopush,nopull,noprint] struct { - PAC_TYPE type; - [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size; - [relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info; - [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */ - } PAC_BUFFER; - - typedef [public] struct { - uint32 num_buffers; - uint32 version; - PAC_BUFFER buffers[num_buffers]; - } PAC_DATA; - - typedef [public] struct { - PAC_TYPE type; - uint32 ndr_size; - [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info; - [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */ - } PAC_BUFFER_RAW; - - typedef [public] struct { - uint32 num_buffers; - uint32 version; - PAC_BUFFER_RAW buffers[num_buffers]; - } PAC_DATA_RAW; - - const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3; - - typedef [public] struct { - [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType; - uint32 ChecksumLength; - int32 SignatureType; - uint32 SignatureLength; - [flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature; - } PAC_Validate; - - void decode_pac( - [in] PAC_DATA pac - ); - - void decode_pac_raw( - [in] PAC_DATA_RAW pac - ); - - void decode_login_info( - [in] PAC_LOGON_INFO logon_info - ); - - void decode_pac_validate( - [in] PAC_Validate pac_validate - ); - - -} -- cgit