Update RPC-LSA to (almost) pass against Windows 2008.

source/librpc/idl/lsa.idl

@@ -14,6 +14,7 @@ import "misc.idl", "security.idl";
 ] interface lsarpc
 {
 	typedef bitmap security_secinfo security_secinfo;
+	typedef bitmap kerb_EncTypes kerb_EncTypes;
 
 	typedef [public,noejs] struct {
 		[value(2*strlen_m(string))] uint16 length;
@@ -507,22 +508,53 @@ import "misc.idl", "security.idl";
 	} lsa_DATA_BUF2;
 
 	typedef enum {
-		LSA_TRUSTED_DOMAIN_INFO_NAME             = 1,
-		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO = 2,
-		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET     = 3,
-		LSA_TRUSTED_DOMAIN_INFO_PASSWORD         = 4,
-		LSA_TRUSTED_DOMAIN_INFO_BASIC            = 5,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_EX          = 6,
-		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO        = 7,
-		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO        = 8,
-		LSA_TRUSTED_DOMAIN_INFO_11               = 11,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_ALL         = 12
+		LSA_TRUSTED_DOMAIN_INFO_NAME                  = 1,
+		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS           = 2,
+		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET          = 3,
+		LSA_TRUSTED_DOMAIN_INFO_PASSWORD              = 4,
+		LSA_TRUSTED_DOMAIN_INFO_BASIC                 = 5,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX               = 6,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO             = 7,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO             = 8,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL    = 9,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL    = 10,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL     = 11,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL  = 12,
+		LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES = 13
 	} lsa_TrustDomInfoEnum;
 
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
+		LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
+	} lsa_TrustDirection;
+
+	typedef [v1_enum] enum {
+		LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
+		LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
+		LSA_TRUST_TYPE_MIT        = 0x00000003
+	} lsa_TrustType;
+
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001,
+		LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY        = 0x00000002,
+		LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004,
+		LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008,
+		LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x00000010,
+		LSA_TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020,
+		LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040,
+		LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080
+	} lsa_TrustAttributes;
+
 	typedef struct {
 		lsa_StringLarge  netbios_name;
 	} lsa_TrustDomainInfoName;
 
+
+	typedef struct {
+		uint32 entries;
+		[size_is(entries)] lsa_StringLarge  *netbios_names;
+	} lsa_TrustDomainInfoControllers;
+
 	typedef struct {
 		uint32         posix_offset;
 	} lsa_TrustDomainInfoPosixOffset;
@@ -540,10 +572,10 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_StringLarge     domain_name;
 		lsa_StringLarge     netbios_name;
-		dom_sid2      *sid;
-		uint32         trust_direction;
-		uint32         trust_type;
-		uint32         trust_attributes;
+		dom_sid2           *sid;
+		lsa_TrustDirection  trust_direction;
+		lsa_TrustType       trust_type;
+		lsa_TrustAttributes trust_attributes;
 	} lsa_TrustDomainInfoInfoEx;
 
 	typedef struct {
@@ -570,25 +602,46 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
-	} lsa_TrustDomainInfo11;
+	} lsa_TrustDomainInfoInfoEx2Internal;
 
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
 		lsa_TrustDomainInfoPosixOffset posix_offset;
 		lsa_TrustDomainInfoAuthInfo    auth_info;
-	} lsa_TrustDomainInfoInfoAll;
+	} lsa_TrustDomainInfoInfo2Internal;
+
+	typedef struct {
+		kerb_EncTypes enc_types;
+	} lsa_TrustDomainInfoSupportedEncTypes;
 
 	typedef [switch_type(lsa_TrustDomInfoEnum)] union {
-		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]         lsa_TrustDomainInfoName        name;
-		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)] lsa_TrustDomainInfoPosixOffset posix_offset;
-		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]     lsa_TrustDomainInfoPassword    password;
-		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]        lsa_TrustDomainInfoBasic       info_basic;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]      lsa_TrustDomainInfoInfoEx      info_ex;
-		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]    lsa_TrustDomainInfoAuthInfo    auth_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]    lsa_TrustDomainInfoFullInfo    full_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_11)]           lsa_TrustDomainInfo11          info11;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_ALL)]     lsa_TrustDomainInfoInfoAll     info_all;
+		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]
+		        lsa_TrustDomainInfoName              name;
+		[case(LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS)]
+		        lsa_TrustDomainInfoControllers   controllers;
+		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)]
+		        lsa_TrustDomainInfoPosixOffset       posix_offset;
+		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]
+		        lsa_TrustDomainInfoPassword          password;
+		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]
+		        lsa_TrustDomainInfoBasic             info_basic;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]
+		        lsa_TrustDomainInfoInfoEx            info_ex;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
+		        lsa_TrustDomainInfoFullInfo          full_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoFullInfo          full_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
+		        lsa_TrustDomainInfoInfoEx2Internal   info_ex2_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
+		        lsa_TrustDomainInfoInfo2Internal     info2_internal;
+		[case(LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES)]
+		        lsa_TrustDomainInfoSupportedEncTypes enc_types;
 	} lsa_TrustedDomainInfo;
 
 	/* Function:       0x1a */
@@ -658,8 +711,12 @@ import "misc.idl", "security.idl";
 		[in]         uint16 unknown
 		);
 
-	/* Function:        0x22 */
-	[todo] NTSTATUS lsa_DeleteObject();
+	/*******************/
+	/* Function:  0x22 */
+	NTSTATUS lsa_DeleteObject (
+		[in,out]     policy_handle *handle
+		);
+
 
 	
 	/*******************/

source/librpc/idl/security.idl

@@ -386,4 +386,12 @@ interface security
 		SECINFO_PROTECTED_SACL	     = 0x40000000,
 		SECINFO_PROTECTED_DACL	     = 0x80000000
 	} security_secinfo;
+
+	typedef [public,bitmap32bit] bitmap {
+		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
+		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
+		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
+		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
+		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+	} kerb_EncTypes;
 }

source/torture/rpc/lsa.c

@@ -614,7 +614,8 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
 		if (!test_LookupNames(p, mem_ctx, handle, &names)) {
 			return false;
 		}
-	} else {
+	} else if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+		   p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
 		struct lsa_LookupSids3 r;
 		struct lsa_TransNameArray2 names;
 
@@ -884,6 +885,26 @@ static bool test_Delete(struct dcerpc_pipe *p,
 
 	r.in.handle = handle;
 	status = dcerpc_lsa_Delete(p, mem_ctx, &r);
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+		printf("Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status));
+		return false;
+	}
+
+	return true;
+}
+
+static bool test_DeleteObject(struct dcerpc_pipe *p, 
+			      TALLOC_CTX *mem_ctx, 
+			      struct policy_handle *handle)
+{
+	NTSTATUS status;
+	struct lsa_DeleteObject r;
+
+	printf("testing DeleteObject\n");
+
+	r.in.handle = handle;
+	r.out.handle = handle;
+	status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("Delete failed - %s\n", nt_errstr(status));
 		return false;
@@ -912,7 +933,19 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
 	r.out.acct_handle = &acct_handle;
 
 	status = dcerpc_lsa_CreateAccount(p, mem_ctx, &r);
-	if (!NT_STATUS_IS_OK(status)) {
+	if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+		struct lsa_OpenAccount r_o;
+		r_o.in.handle = handle;
+		r_o.in.sid = newsid;
+		r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+		r_o.out.acct_handle = &acct_handle;
+		
+		status = dcerpc_lsa_OpenAccount(p, mem_ctx, &r_o);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("OpenAccount failed - %s\n", nt_errstr(status));
+			return false;
+		}
+	} else if (!NT_STATUS_IS_OK(status)) {
 		printf("CreateAccount failed - %s\n", nt_errstr(status));
 		return false;
 	}
@@ -921,6 +954,10 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
 		return false;
 	}
 
+	if (!test_DeleteObject(p, mem_ctx, &acct_handle)) {
+		return false;
+	}
+
 	return true;
 }
 
@@ -948,6 +985,10 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p,
 		return false;
 	}
 
+	if (!test_DeleteObject(p, mem_ctx, &trustdom_handle)) {
+		return false;
+	}
+
 	return true;
 }
 
@@ -986,7 +1027,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 	struct lsa_SetSecret r7;
 	struct lsa_QuerySecret r8;
 	struct policy_handle sec_handle, sec_handle2, sec_handle3;
-	struct lsa_Delete d;
+	struct lsa_DeleteObject d_o;
 	struct lsa_DATA_BUF buf1;
 	struct lsa_DATA_BUF_PTR bufp1;
 	struct lsa_DATA_BUF_PTR bufp2;
@@ -1245,35 +1286,16 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 			if (!r8.out.new_val || !r8.out.old_val) {
 				printf("in/out pointers not returned, despite being set on in for QuerySecret\n");
 				ret = false;
-			} else if (r8.out.new_val->buf == NULL) {
-				if (i != LOCAL) { 
-					printf("NEW secret buffer not returned after GLOBAL OLD set\n");
-					ret = false;
-				}
+			} else if (r8.out.new_val->buf != NULL) {
+				printf("NEW secret buffer must not be returned after OLD set\n");
+				ret = false;
 			} else if (r8.out.old_val->buf == NULL) {
-				printf("OLD secret buffer not returned after OLD set\n");
+				printf("OLD secret buffer was not returned after OLD set\n");
 				ret = false;
 			} else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
 				printf("Both times not returned after OLD set\n");
 				ret = false;
 			} else {
-				if (i == LOCAL) { 
-					printf("NEW secret buffer should not be returned after LOCAL OLD set\n");
-					ret = false;
-				}
-				blob1.data = r8.out.new_val->buf->data;
-				blob1.length = r8.out.new_val->buf->length;
-				
-				blob2 = data_blob_talloc(mem_ctx, NULL, blob1.length);
-				
-				secret6 = sess_decrypt_string(mem_ctx,
-							      &blob1, &session_key);
-				
-				if (strcmp(secret3, secret4) != 0) {
-					printf("Returned NEW secret '%s' doesn't match '%s'\n", secret4, secret3);
-					ret = false;
-				}
-
 				blob1.data = r8.out.old_val->buf->data;
 				blob1.length = r8.out.old_val->buf->size;
 				
@@ -1287,14 +1309,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 					ret = false;
 				}
 				
-				if (*r8.out.new_mtime == *r8.out.old_mtime) {
-					if (i != GLOBAL) { 
-						printf("Returned secret %s had same mtime for both secrets: %s\n", 
-						       secname[i],
-						       nt_time_string(mem_ctx, *r8.out.new_mtime));
-						ret = false;
-					}
-				} else {
+				if (*r8.out.new_mtime != *r8.out.old_mtime) {
 					printf("Returned secret %s should have had same mtime for both secrets: %s != %s\n", 
 					       secname[i],
 					       nt_time_string(mem_ctx, *r8.out.old_mtime),
@@ -1308,8 +1323,13 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 			ret = false;
 		}
 		
-		d.in.handle = &sec_handle2;
-		status = dcerpc_lsa_Delete(p, mem_ctx, &d);
+		if (!test_DeleteObject(p, mem_ctx, &sec_handle)) {
+			return false;
+		}
+
+		d_o.in.handle = &sec_handle2;
+		d_o.out.handle = &sec_handle2;
+		status = dcerpc_lsa_DeleteObject(p, mem_ctx, &d_o);
 		if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
 			printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status));
 			ret = false;
@@ -1454,9 +1474,9 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
 			return false;
 		}
 
-		if (!test_LookupSids3(p, mem_ctx, &sids1)) {
-			return false;
-		}
+		/* Can't test lookupSids3 here, as clearly we must not
+		 * be on schannel, or we would not be able to do the
+		 * rest */
 
 		printf("testing all accounts\n");
 		for (i=0;i<sids1.num_sids;i++) {
@@ -1667,8 +1687,8 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p,
 		struct policy_handle handle2;
 		struct lsa_Close c;
 		struct lsa_CloseTrustedDomainEx c_trust;
-		int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
-		int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1};
+		int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
+		int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1, 1};
 
 		if (domains->domains[i].sid) {
 			trust.in.handle = handle;
@@ -1912,8 +1932,6 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 				       r_ex.in.max_size,
 				       LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER, 
 				       r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
-				ret = false;
-				exit(1);
 			}
 		} else if (!NT_STATUS_IS_OK(enum_status)) {
 			printf("EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status));
@@ -2311,11 +2329,9 @@ bool torture_rpc_lsa(struct torture_context *tctx)
 			ret = false;
 		}
 		
-#if 0
 		if (!test_Delete(p, tctx, handle)) {
 			ret = false;
 		}
-#endif
 		
 		if (!test_many_LookupSids(p, tctx, handle)) {
 			ret = false;