sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code
99,662 Commits 60 Branches 1,145 Tags 452 MiB
bc71251433
Commit Graph

2094 Commits

Author SHA1 Message Date
Stefan Metzmacher
fcc6b5c56a s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation() 
This should only work on a forest root domain controller and a forest function
level >= 2003.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:22 +02:00
Stefan Metzmacher
ef8f55ad8a s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info() 
This collects the whole information about the local forest,
including all domains and defined top level names (uPNSuffixes and
msDS-SPNSuffixes).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:22 +02:00
Stefan Metzmacher
9af2561325 s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains 
We redirect this to remote DC as netr_GetForestTrustInformation() via an IRPC
call to winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:22 +02:00
Stefan Metzmacher
70cea2b85c s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} 
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:22 +02:00
Stefan Metzmacher
f9246d78f7 s4:rpc_server/lsa: remove unused code 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c98f96d1b1 s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation() 
This means we return mostly the same error codes as a Windows
and also normalize the given information before storing.

Storing is now done within a transaction in order to avoid races
and inconsistent values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
ac4c4a95e5 s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
98dc4100ab s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base() 
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.

Otherwise other code will get INTERNAL_DB_CORRUPTION errors.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
df7f745099 s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain() 
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.

flatName and trustPartner have the same value for downlevel trusts.
And both are required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
c57fef89e1 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet() 
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a02300c0c7 s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
0b4bdee4a1 s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a56d9fe5da s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2() 
For domain trusts we need to extract NL_PASSWORD_VERSION from the password
buffer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
aded6f6551 s4:dsdb/common: pass optional new_version to samdb_set_password_sid() 
For trust account we need to store version number provided by the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
69c1b4b7c1 s4:rpc_server: fix padding caclucation in dcesrv_auth_response() 
This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-23 14:38:53 +02:00
Stefan Metzmacher
1bf7ab49b4 s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error 
Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-23 14:38:53 +02:00
Stefan Metzmacher
16f3837e02 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload 
The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-23 14:38:53 +02:00
Stefan Metzmacher
3fbdb255e3 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-23 14:38:53 +02:00
Douglas Bagnall
caf74b7df5 s4-rpc_server/drsuapi: Fix timeouts on forwarded DsExecuteKCC IRPC call 
This matches other forwarded calls

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-05-28 07:25:07 +02:00
Volker Lendecke
838218db63 Fix the O3 developer build 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-04-28 18:11:13 +02:00
Jeremy Allison
49030649db s4: rpc: Refactor dcesrv_alter() function into setup and send steps. 
Fixes bug:

https://bugzilla.samba.org/show_bug.cgi?id=11236

Based on code from Julien Kerihuel <j.kerihuel@openchange.org>

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 25 02:43:22 CEST 2015 on sn-devel-104
 2015-04-25 02:43:22 +02:00
Julien Kerihuel
fd90d270c7 Add DCERPC flag to call unbind hooks without destroying the connection itself upon termination of a connection with outstanding pending calls. 
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 14 20:39:34 CEST 2015 on sn-devel-104
 2015-04-14 20:39:34 +02:00
Rajesh Joseph
b57c77849a rpc_server: Coverity fix for CID 1273079 
leaked_storage: Variable pk going out of scope leaks the storage it points to.

On failure get_pk_from_raw_keypair_params function should free up
the private key (pk) it allocates internally.

Signed-off-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr  2 19:38:22 CEST 2015 on sn-devel-104
 2015-04-02 19:38:22 +02:00
Stefan Metzmacher
6f8b868a29 s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them 
The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
73a4387ab9 s4:rpc_server/lsa: notify winbindd about new trusted domains 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
654d63b94b s4:rpc_server/lsa: implement the policy security descriptor 
We now check the requested access mask in OpenPolicy*()
and return NT_STATUS_ACCESS_DENIED if the request is not granted.

E.g. validating a domain trust via the Windows gui requires this
in order prompt the user for the credentials. Otherwise
we fail any other call with ACCESS_DENIED later and the
gui just displays a strange error message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a09f9cfd2f s4:rpc_server/lsa: normalize the access_mask for lsa account objects 
We still grant all access in the access_mask, but we don't check the
mask at all yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a15600727f s4:rpc_server/lsa: correctly set *r->out.resume_handle with NT_STATUS_OK in lsa_EnumTrustedDomainsEx() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:15 +01:00
Julien Kerihuel
caaf89e899 Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies 
Signed-off-by: Julien Kerihuel <j.kerihuel@openchange.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
 2015-03-25 22:21:13 +01:00
Günther Deschner
ad0fd58972 s4-rpc_server: only build backup_key rpc service when Heimdal is available. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:52 +01:00
Stefan Metzmacher
41c75a776e s4:rpc_server/samr: remove allow_warnings=True 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:12 +01:00
Stefan Metzmacher
c67550b6d8 s4:rpc_server/samr: use the same logic in *info_DomInfo7() as in info_DomGeneralInformation() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:12 +01:00
Stefan Metzmacher
5e563ba27b s4:rpc_server/samr: handle ROLE_AUTO explicit to avoid a compiler warning 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:12 +01:00
Stefan Metzmacher
544ee5becf s4:rpc_server/samr: remove unused variables 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:11 +01:00
Stefan Metzmacher
f1e653c76d s4:rpc_server/drsuapi: remove allow_warnings=True 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:11 +01:00
Stefan Metzmacher
cd9a6a35ad s4:rpc_server/drsuapi: fix const warning in writespn_check_spn() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:11 +01:00
Stefan Metzmacher
c772fe8b1d s4:rpc_server/drsuapi: remove unused variable in dcesrv_drsuapi_DsWriteAccountSpn() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:11 +01:00
Stefan Metzmacher
07d29da5a7 s4:rpc_server/drsuapi: fix warnings in dcesrv_drsuapi_DsGetDomainControllerInfo_1() 
'default' is already handled in an earlier switch statement,
so this won't be reached but avoids a warning.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2015-03-20 20:43:11 +01:00
Andrew Bartlett
e617e3e74b backupkey: Use ndr_pull_struct_blob_all() 
This avoids bad decrypts from falling down to later code and getting
the error code wrong, by strictly requiring the NDR parse to use all the
data.  A bad decyrpt is very unlikely to get the length correct, and
so fall down to the other checks.

This should fix:
UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
REASON: Exception: Exception: ../source4/torture/rpc/backupkey.c:1926: r.out.result was WERR_INVALID_ACCESS, expected WERR_INVALID_PARAM: decrypt should fail with WERR_INVALID_PARAM

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11174
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
 2015-03-20 13:49:26 +01:00
Andrew Bartlett
733435f858 backupkey: Explicitly link to gnutls and gcrypt 
The gcrypt link will be disabled if gnutls is > 3.0.0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2015-03-12 22:24:07 +01:00
Andrew Bartlett
61d962bdfd lib/tls: Fix behaviour of --disable-gnutls and remove link to gcrypt 
We no longer link against gcrypt if gnutls > 3.0.0 is found, as these
versions use libnettle.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2015-03-12 22:24:07 +01:00
Stefan Metzmacher
ac45921981 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation() 
If there're no collisions we should not fill the collision_info pointer.

Otherwise Windows fails to create a forest trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-12 17:13:44 +01:00
Stefan Metzmacher
080db5f60a lsa.idl: improve idl for lsa_ForestTrust*Record* 
The meaning of lsa_ForestTrustRecordFlags is based lsa_ForestTrustRecordType,
but the type is not always available so it's not possible to use an union.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-12 17:13:44 +01:00
Günther Deschner
a0700dd275 netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-12 17:13:43 +01:00
Volker Lendecke
4891a98e20 backupkey: Remove an unused variable 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00
Volker Lendecke
969519b3b5 backupkey: Fix CID 1273293 Uninitialized scalar variable 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00
Volker Lendecke
7e4daaacb6 backupkey: Fix a memleak 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00
Volker Lendecke
00e751d2be backupkey: Simplify get_lsa_secret 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00
Volker Lendecke
5ea5d876bf backupkey: Slightly simplify bkrp_do_retrieve_server_wrap_key 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00
Volker Lendecke
569c8700d6 Fix whitespace 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-04 14:46:07 +01:00