mirror of
https://github.com/samba-team/samba.git
synced 2025-10-25 19:33:18 +03:00
s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andreas Schneider
committed by
Andrew Bartlett
Andrew Bartlett
parent
3385c2fe44
commit
8df1728e12
@@ -1910,6 +1910,99 @@ static NTSTATUS lsa_CreateTrustedDomain_precheck(
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
static NTSTATUS lsa_CreateTrustedDomain_common(
|
||||
struct pipes_struct *p,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct auth_session_info *session_info,
|
||||
struct lsa_info *policy,
|
||||
uint32_t access_mask,
|
||||
struct lsa_TrustDomainInfoInfoEx *info,
|
||||
struct trustDomainPasswords *auth_struct,
|
||||
struct policy_handle **ptrustdom_handle)
|
||||
{
|
||||
struct security_descriptor *psd = NULL;
|
||||
size_t sd_size = 0;
|
||||
uint32_t acc_granted = 0;
|
||||
struct pdb_trusted_domain td = {
|
||||
.trust_type = 0,
|
||||
};
|
||||
NTSTATUS status;
|
||||
|
||||
/* Work out max allowed. */
|
||||
map_max_allowed_access(session_info->security_token,
|
||||
session_info->unix_token,
|
||||
&access_mask);
|
||||
|
||||
/* map the generic bits to the lsa policy ones */
|
||||
se_map_generic(&access_mask, &lsa_account_mapping);
|
||||
|
||||
status = make_lsa_object_sd(
|
||||
mem_ctx, &psd, &sd_size, &lsa_trusted_domain_mapping, NULL, 0);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = access_check_object(psd,
|
||||
session_info->security_token,
|
||||
SEC_PRIV_INVALID,
|
||||
SEC_PRIV_INVALID,
|
||||
0,
|
||||
access_mask,
|
||||
&acc_granted,
|
||||
"lsa_CreateTrustedDomain_common");
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
td.domain_name = talloc_strdup(mem_ctx, info->domain_name.string);
|
||||
if (td.domain_name == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
td.netbios_name = talloc_strdup(mem_ctx, info->netbios_name.string);
|
||||
if (td.netbios_name == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
sid_copy(&td.security_identifier, info->sid);
|
||||
td.trust_direction = info->trust_direction;
|
||||
td.trust_type = info->trust_type;
|
||||
td.trust_attributes = info->trust_attributes;
|
||||
|
||||
status = get_trustauth_inout_blob(mem_ctx,
|
||||
&auth_struct->incoming,
|
||||
&td.trust_auth_incoming);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
status = get_trustauth_inout_blob(mem_ctx,
|
||||
&auth_struct->outgoing,
|
||||
&td.trust_auth_outgoing);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
status = pdb_set_trusted_domain(info->domain_name.string, &td);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DBG_ERR("pdb_set_trusted_domain failed: %s\n",
|
||||
nt_errstr(status));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = create_lsa_policy_handle(mem_ctx, p,
|
||||
LSA_HANDLE_TRUST_TYPE,
|
||||
acc_granted,
|
||||
info->sid,
|
||||
info->netbios_name.string,
|
||||
psd,
|
||||
*ptrustdom_handle);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
pdb_del_trusted_domain(info->netbios_name.string);
|
||||
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/***************************************************************************
|
||||
_lsa_CreateTrustedDomainEx2
|
||||
***************************************************************************/
|
||||
@@ -1922,12 +2015,10 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
|
||||
dcesrv_call_session_info(dce_call);
|
||||
struct lsa_info *policy;
|
||||
NTSTATUS status;
|
||||
uint32_t acc_granted;
|
||||
struct security_descriptor *psd;
|
||||
size_t sd_size;
|
||||
struct pdb_trusted_domain td;
|
||||
struct trustDomainPasswords auth_struct;
|
||||
DATA_BLOB auth_blob;
|
||||
struct trustDomainPasswords auth_struct = {
|
||||
.incoming_size = 0,
|
||||
};
|
||||
DATA_BLOB auth_blob = data_blob_null;
|
||||
|
||||
if (!IS_DC) {
|
||||
return NT_STATUS_NOT_SUPPORTED;
|
||||
@@ -1950,90 +2041,34 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
|
||||
return status;
|
||||
}
|
||||
|
||||
/* Work out max allowed. */
|
||||
map_max_allowed_access(session_info->security_token,
|
||||
session_info->unix_token,
|
||||
&r->in.access_mask);
|
||||
|
||||
/* map the generic bits to the lsa policy ones */
|
||||
se_map_generic(&r->in.access_mask, &lsa_account_mapping);
|
||||
if (r->in.auth_info_internal->auth_blob.size == 0) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
|
||||
&lsa_trusted_domain_mapping,
|
||||
NULL, 0);
|
||||
auth_blob = data_blob_const(r->in.auth_info_internal->auth_blob.data,
|
||||
r->in.auth_info_internal->auth_blob.size);
|
||||
|
||||
status = get_trustdom_auth_blob(p,
|
||||
p->mem_ctx,
|
||||
&auth_blob,
|
||||
&auth_struct);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
status = lsa_CreateTrustedDomain_common(p,
|
||||
p->mem_ctx,
|
||||
session_info,
|
||||
policy,
|
||||
r->in.access_mask,
|
||||
r->in.info,
|
||||
&auth_struct,
|
||||
&r->out.trustdom_handle);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = access_check_object(psd, session_info->security_token,
|
||||
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
|
||||
r->in.access_mask, &acc_granted,
|
||||
"_lsa_CreateTrustedDomainEx2");
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
ZERO_STRUCT(td);
|
||||
|
||||
td.domain_name = talloc_strdup(p->mem_ctx,
|
||||
r->in.info->domain_name.string);
|
||||
if (td.domain_name == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
td.netbios_name = talloc_strdup(p->mem_ctx,
|
||||
r->in.info->netbios_name.string);
|
||||
if (td.netbios_name == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
sid_copy(&td.security_identifier, r->in.info->sid);
|
||||
td.trust_direction = r->in.info->trust_direction;
|
||||
td.trust_type = r->in.info->trust_type;
|
||||
td.trust_attributes = r->in.info->trust_attributes;
|
||||
|
||||
if (r->in.auth_info_internal->auth_blob.size != 0) {
|
||||
auth_blob.length = r->in.auth_info_internal->auth_blob.size;
|
||||
auth_blob.data = r->in.auth_info_internal->auth_blob.data;
|
||||
|
||||
status = get_trustdom_auth_blob(p, p->mem_ctx, &auth_blob, &auth_struct);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.incoming, &td.trust_auth_incoming);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.outgoing, &td.trust_auth_outgoing);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
} else {
|
||||
td.trust_auth_incoming.data = NULL;
|
||||
td.trust_auth_incoming.length = 0;
|
||||
td.trust_auth_outgoing.data = NULL;
|
||||
td.trust_auth_outgoing.length = 0;
|
||||
}
|
||||
|
||||
status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DBG_ERR("pdb_set_trusted_domain failed: %s\n",
|
||||
nt_errstr(status));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = create_lsa_policy_handle(p->mem_ctx, p,
|
||||
LSA_HANDLE_TRUST_TYPE,
|
||||
acc_granted,
|
||||
r->in.info->sid,
|
||||
r->in.info->netbios_name.string,
|
||||
psd,
|
||||
r->out.trustdom_handle);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
pdb_del_trusted_domain(r->in.info->netbios_name.string);
|
||||
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user