sizeof(ninfo.challenge));
if (nt_hash) {
ninfo.nt.length = 24;
- ninfo.nt.data = talloc(mem_ctx, 24);
+ ninfo.nt.data = talloc_size(mem_ctx, 24);
SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
} else {
ninfo.nt.length = 0;
if (lm_hash) {
ninfo.lm.length = 24;
- ninfo.lm.data = talloc(mem_ctx, 24);
+ ninfo.lm.data = talloc_size(mem_ctx, 24);
SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
} else {
ninfo.lm.length = 0;
struct samsync_secret *prev, *next;
DATA_BLOB secret;
char *name;
+ NTTIME mtime;
};
struct samsync_trusted_domain {
}
o.in.connect_handle = samsync_state->connect_handle;
- o.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
o.in.sid = l.out.sid;
o.out.domain_handle = domain_handle;
} \
} while (0)
+#define TEST_SID_EQUAL(s1, s2) do {\
+ if (!dom_sid_equal(s1, s2)) {\
+ printf("dom_sid mismatch: " #s1 ":%s != " #s2 ": %s\n", \
+ dom_sid_string(mem_ctx, s1), dom_sid_string(mem_ctx, s2));\
+ ret = False;\
+ } \
+} while (0)
+
/* The ~SEC_DESC_SACL_PRESENT is because we don't, as administrator,
* get back the SACL part of the SD when we ask over SAMR */
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
- r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.in.rid = rid;
r.out.user_handle = &user_handle;
TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week,
user->logon_hours.units_per_week);
if (ret) {
- if (memcmp(q.out.info->info21.logon_hours.bitmap, user->logon_hours.bitmap,
+ if (memcmp(q.out.info->info21.logon_hours.bits, user->logon_hours.bits,
q.out.info->info21.logon_hours.units_per_week/8) != 0) {
printf("Logon hours mismatch\n");
ret = False;
} else if (NT_STATUS_IS_OK(nt_status)) {
TEST_INT_EQUAL(user->rid, info3->base.rid);
TEST_INT_EQUAL(user->primary_gid, info3->base.primary_gid);
- TEST_INT_EQUAL(user->acct_flags, info3->base.acct_flags);
- TEST_STRING_EQUAL(user->account_name, info3->base.account_name);
+ /* this is 0x0 from NT4 sp6 */
+ if (info3->base.acct_flags) {
+ TEST_INT_EQUAL(user->acct_flags, info3->base.acct_flags);
+ }
+ /* this is NULL from NT4 sp6 */
+ if (info3->base.account_name.string) {
+ TEST_STRING_EQUAL(user->account_name, info3->base.account_name);
+ }
TEST_STRING_EQUAL(user->full_name, info3->base.full_name);
TEST_STRING_EQUAL(user->logon_script, info3->base.logon_script);
TEST_STRING_EQUAL(user->profile_path, info3->base.profile_path);
* doco I read -- abartlet) */
/* This copes with the two different versions of 0 I see */
+ /* with NT4 sp6 we have the || case */
if (!((user->last_logoff == 0)
- && (info3->base.last_logoff == 0x7fffffffffffffffLL))) {
+ || (info3->base.last_logoff == 0x7fffffffffffffffLL))) {
TEST_TIME_EQUAL(user->last_logoff, info3->base.last_logoff);
}
return ret;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
- r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.in.rid = rid;
r.out.alias_handle = &alias_handle;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
- r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.in.rid = rid;
r.out.group_handle = &group_handle;
struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
const char *name = delta->delta_id_union.name;
struct samsync_secret *new = talloc_p(samsync_state, struct samsync_secret);
+ struct samsync_secret *old = talloc_p(mem_ctx, struct samsync_secret);
struct lsa_QuerySecret q;
struct lsa_OpenSecret o;
struct policy_handle sec_handle;
struct lsa_DATA_BUF_PTR bufp1;
+ struct lsa_DATA_BUF_PTR bufp2;
NTTIME new_mtime;
+ NTTIME old_mtime;
BOOL ret = True;
DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
NTSTATUS status;
new->name = talloc_reference(new, name);
new->secret = data_blob_talloc(new, secret->current_cipher.cipher_data, secret->current_cipher.maxlen);
+ new->mtime = secret->current_cipher_set_time;
DLIST_ADD(samsync_state->secrets, new);
+ old->name = talloc_reference(old, name);
+ old->secret = data_blob_const(secret->old_cipher.cipher_data, secret->old_cipher.maxlen);
+ old->mtime = secret->old_cipher_set_time;
+
o.in.handle = samsync_state->lsa_handle;
- o.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
o.in.name.string = name;
o.out.sec_handle = &sec_handle;
return False;
}
- TEST_SEC_DESC_EQUAL(secret->sdbuf, lsa, &sec_handle);
-
+/*
+ We would like to do this, but it is NOT_SUPPORTED on win2k3
+ TEST_SEC_DESC_EQUAL(secret->sdbuf, lsa, &sec_handle);
+*/
status = dcerpc_fetch_session_key(samsync_state->p_lsa, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
ZERO_STRUCT(new_mtime);
+ ZERO_STRUCT(old_mtime);
/* fetch the secret back again */
q.in.handle = &sec_handle;
q.in.new_val = &bufp1;
q.in.new_mtime = &new_mtime;
- q.in.old_val = NULL;
- q.in.old_mtime = NULL;
+ q.in.old_val = &bufp2;
+ q.in.old_mtime = &old_mtime;
bufp1.buf = NULL;
+ bufp2.buf = NULL;
status = dcerpc_lsa_QuerySecret(samsync_state->p_lsa, mem_ctx, &q);
- if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
+ /* some things are just off limits */
+ return True;
+ } else if (!NT_STATUS_IS_OK(status)) {
printf("QuerySecret failed - %s\n", nt_errstr(status));
return False;
}
+ if (q.out.old_val->buf == NULL) {
+ /* probably just not available due to ACLs */
+ } else {
+ lsa_blob1.data = q.out.old_val->buf->data;
+ lsa_blob1.length = q.out.old_val->buf->length;
+
+ status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
+
+ if (!q.out.old_mtime) {
+ printf("OLD mtime not available on LSA for secret %s\n", old->name);
+ ret = False;
+ }
+ if (old->mtime != *q.out.old_mtime) {
+ printf("OLD mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
+ old->name, nt_time_string(mem_ctx, old->mtime),
+ nt_time_string(mem_ctx, *q.out.old_mtime));
+ ret = False;
+ }
+
+ if (old->secret.length != lsa_blob_out.length) {
+ printf("Returned secret %s doesn't match: %d != %d\n",
+ old->name, old->secret.length, lsa_blob_out.length);
+ ret = False;
+ } else if (memcmp(lsa_blob_out.data,
+ old->secret.data, old->secret.length) != 0) {
+ printf("Returned secret %s doesn't match: \n",
+ old->name);
+ DEBUG(1, ("SamSync Secret:\n"));
+ dump_data(1, old->secret.data, old->secret.length);
+ DEBUG(1, ("LSA Secret:\n"));
+ dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
+ ret = False;
+ }
+
+ }
+
if (q.out.new_val->buf == NULL) {
/* probably just not available due to ACLs */
} else {
lsa_blob1.data = q.out.new_val->buf->data;
lsa_blob1.length = q.out.new_val->buf->length;
- lsa_blob_out = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key);
+ status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
+ if (!q.out.new_mtime) {
+ printf("NEW mtime not available on LSA for secret %s\n", new->name);
+ ret = False;
+ }
+ if (new->mtime != *q.out.new_mtime) {
+ printf("NEW mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
+ new->name, nt_time_string(mem_ctx, new->mtime),
+ nt_time_string(mem_ctx, *q.out.new_mtime));
+ ret = False;
+ }
+
if (new->secret.length != lsa_blob_out.length) {
printf("Returned secret %s doesn't match: %d != %d\n",
new->name, new->secret.length, lsa_blob_out.length);
ret = False;
- }
-
- if (memcmp(lsa_blob_out.data,
+ } else if (memcmp(lsa_blob_out.data,
new->secret.data, new->secret.length) != 0) {
printf("Returned secret %s doesn't match: \n",
new->name);
struct samsync_trusted_domain *new = talloc_p(samsync_state, struct samsync_trusted_domain);
struct lsa_OpenTrustedDomain t;
struct policy_handle trustdom_handle;
- struct lsa_QueryInfoTrustedDomain q;
- union lsa_TrustedDomainInfo info[4];
- int levels [] = {1, 3};
+ struct lsa_QueryTrustedDomainInfo q;
+ union lsa_TrustedDomainInfo *info[9];
+ int levels [] = {1, 3, 8};
int i;
new->name = talloc_reference(new, trusted_domain->domain_name.string);
new->sid = talloc_reference(new, dom_sid);
t.in.handle = samsync_state->lsa_handle;
- t.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ t.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
t.in.sid = dom_sid;
t.out.trustdom_handle = &trustdom_handle;
for (i=0; i< ARRAY_SIZE(levels); i++) {
q.in.trustdom_handle = &trustdom_handle;
q.in.level = levels[i];
- q.out.info = &info[levels[i]];
- status = dcerpc_lsa_QueryInfoTrustedDomain(samsync_state->p_lsa, mem_ctx, &q);
+ status = dcerpc_lsa_QueryTrustedDomainInfo(samsync_state->p_lsa, mem_ctx, &q);
if (!NT_STATUS_IS_OK(status)) {
+ if (q.in.level == 8 && NT_STATUS_EQUAL(status,NT_STATUS_INVALID_PARAMETER)) {
+ info[levels[i]] = NULL;
+ continue;
+ }
printf("QueryInfoTrustedDomain level %d failed - %s\n",
levels[i], nt_errstr(status));
return False;
}
+ info[levels[i]] = q.out.info;
}
- TEST_STRING_EQUAL(info[1].info1.domain_name, trusted_domain->domain_name);
- TEST_INT_EQUAL(info[3].info3.flags, trusted_domain->flags);
+ if (info[8]) {
+ TEST_SID_EQUAL(info[8]->full_info.info_ex.sid, dom_sid);
+ TEST_STRING_EQUAL(info[8]->full_info.info_ex.netbios_name, trusted_domain->domain_name);
+ }
+ TEST_STRING_EQUAL(info[1]->name.netbios_name, trusted_domain->domain_name);
+ TEST_INT_EQUAL(info[3]->flags.flags, trusted_domain->flags);
+/*
+ We would like to do this, but it is NOT_SUPPORTED on win2k3
TEST_SEC_DESC_EQUAL(trusted_domain->sdbuf, lsa, &trustdom_handle);
-
+*/
DLIST_ADD(samsync_state->trusted_domains, new);
return ret;
BOOL *found_priv_in_lsa;
a.in.handle = samsync_state->lsa_handle;
- a.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ a.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
a.in.sid = dom_sid;
a.out.acct_handle = &acct_handle;
TEST_SEC_DESC_EQUAL(account->sdbuf, lsa, &acct_handle);
- found_priv_in_lsa = talloc_zero_array_p(mem_ctx, BOOL, account->privilege_entries);
+ found_priv_in_lsa = talloc_zero_array(mem_ctx, BOOL, account->privilege_entries);
e.in.handle = &acct_handle;
status = dcerpc_netr_DatabaseDeltas(samsync_state->p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
+ !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
printf("DatabaseDeltas - %s\n", nt_errstr(status));
ret = False;
break;
samsync_state->connect_handle = talloc_zero_p(samsync_state, struct policy_handle);
samsync_state->lsa_handle = talloc_zero_p(samsync_state, struct policy_handle);
c.in.system_name = NULL;
- c.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
c.out.connect_handle = samsync_state->connect_handle;
status = dcerpc_samr_Connect(samsync_state->p_samr, mem_ctx, &c);
r.in.system_name = "\\";
r.in.attr = &attr;
- r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.out.handle = samsync_state->lsa_handle;
status = dcerpc_lsa_OpenPolicy2(samsync_state->p_lsa, mem_ctx, &r);
}
b.flags &= ~DCERPC_AUTH_OPTIONS;
- b.flags |= DCERPC_SCHANNEL_BDC | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+ b.flags |= DCERPC_SCHANNEL_BDC | DCERPC_SIGN;
status = dcerpc_pipe_connect_b(&samsync_state->p, &b,
DCERPC_NETLOGON_UUID,
goto failed;
}
- status = dcerpc_schannel_creds(samsync_state->p->security_state.generic_state, mem_ctx, &samsync_state->creds);
+ status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state, mem_ctx, &samsync_state->creds);
if (!NT_STATUS_IS_OK(status)) {
ret = False;
}
}
b_netlogon_wksta.flags &= ~DCERPC_AUTH_OPTIONS;
- b_netlogon_wksta.flags |= DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+ b_netlogon_wksta.flags |= DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN;
status = dcerpc_pipe_connect_b(&samsync_state->p_netlogon_wksta, &b_netlogon_wksta,
DCERPC_NETLOGON_UUID,
goto failed;
}
- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->security_state.generic_state, mem_ctx, &samsync_state->creds_netlogon_wksta);
+ status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
+ mem_ctx, &samsync_state->creds_netlogon_wksta);
if (!NT_STATUS_IS_OK(status)) {
ret = False;
}