More LSA server and testuite work.

 - Implement QueryDomainInformationPolicy in Samba4

 - Allow RPC-LSA to pass against Windows 2008 (which does not allow
   the Audit privilage to be removed)

Andrew Bartlett

diff --git a/source/rpc_server/lsa/dcesrv_lsa.c b/source/rpc_server/lsa/dcesrv_lsa.c
index 7ed3b63540b85a1b079c5410e6b981658db20921..f67b5dee10467e91b5c37c680f99dd67431c2e43 100644 (file)
--- a/source/rpc_server/lsa/dcesrv_lsa.c
+++ b/source/rpc_server/lsa/dcesrv_lsa.c
@@ -23,6 +23,8 @@
 #include "rpc_server/lsa/lsa.h"
 #include "util/util_ldb.h"
 #include "libcli/ldap/ldap_ndr.h"
 #include "rpc_server/lsa/lsa.h"
 #include "util/util_ldb.h"
 #include "libcli/ldap/ldap_ndr.h"

+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"

 
 /*
   this type allows us to distinguish handle types
 
 /*
   this type allows us to distinguish handle types


@@ -2502,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
                                                 TALLOC_CTX *mem_ctx,
                                                 struct lsa_QueryDomainInformationPolicy *r)
 {
                                                 TALLOC_CTX *mem_ctx,
                                                 struct lsa_QueryDomainInformationPolicy *r)
 {

-       DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+       r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy);
+       if (!r->out.info) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       switch (r->in.level) {
+       case LSA_DOMAIN_INFO_POLICY_EFS:
+               talloc_free(r->out.info);
+               r->out.info = NULL;
+               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       case LSA_DOMAIN_INFO_POLICY_KERBEROS:
+       {
+               struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info;
+               struct smb_krb5_context *smb_krb5_context;
+               int ret = smb_krb5_init_context(mem_ctx, 
+                                                       dce_call->event_ctx, 
+                                                       dce_call->conn->dce_ctx->lp_ctx,
+                                                       &smb_krb5_context);
+               if (ret != 0) {
+                       talloc_free(r->out.info);
+                       r->out.info = NULL;
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
+               k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
+               k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
+               k->user_tkt_lifetime = 0;    /* Need to find somewhere to store this, and query in KDC too */
+               k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
+               k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
+               talloc_free(smb_krb5_context);
+               return NT_STATUS_OK;
+       }
+       default:
+               talloc_free(r->out.info);
+               r->out.info = NULL;
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }

 }
 
 /*
 }
 
 /*

diff --git a/source/torture/rpc/lsa.c b/source/torture/rpc/lsa.c
index 31dc38500db599b3c5c19149b2f57dab91b4d52c..ec74426ac6487be632441ca925342eac2466914b 100644 (file)
--- a/source/torture/rpc/lsa.c
+++ b/source/torture/rpc/lsa.c
@@ -779,6 +779,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p,
 
 static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, 
                                             TALLOC_CTX *mem_ctx,                                 
 
 static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, 
                                             TALLOC_CTX *mem_ctx,                                 

+                                            struct policy_handle *handle,

                                             struct policy_handle *acct_handle,
                                             struct lsa_LUID *luid)
 {
                                             struct policy_handle *acct_handle,
                                             struct lsa_LUID *luid)
 {


@@ -801,7 +802,25 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
 
        status = dcerpc_lsa_RemovePrivilegesFromAccount(p, mem_ctx, &r);
        if (!NT_STATUS_IS_OK(status)) {
 
        status = dcerpc_lsa_RemovePrivilegesFromAccount(p, mem_ctx, &r);
        if (!NT_STATUS_IS_OK(status)) {

-               printf("RemovePrivilegesFromAccount failed - %s\n", nt_errstr(status));
+               
+               struct lsa_LookupPrivName r_name;
+               
+               r_name.in.handle = handle;
+               r_name.in.luid = luid;
+               
+               status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r_name);
+               if (!NT_STATUS_IS_OK(status)) {
+                       printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
+                       return false;
+               }
+               /* Windows 2008 does not allow this to be removed */
+               if (strcmp("SeAuditPrivilege", r_name.out.name->string) == 0) {
+                       return ret;
+               }
+
+               printf("RemovePrivilegesFromAccount failed to remove %s - %s\n", 
+                      r_name.out.name->string, 
+                      nt_errstr(status));

                return false;
        }
 
                return false;
        }
 


@@ -864,7 +883,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
                                            &r.out.privs->set[i].luid);
                }
 
                                            &r.out.privs->set[i].luid);
                }
 

-               ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, acct_handle, 
+               ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, handle, acct_handle, 

                                                        &r.out.privs->set[0].luid);
                ret &= test_AddPrivilegesToAccount(p, mem_ctx, acct_handle, 
                                                   &r.out.privs->set[0].luid);
                                                        &r.out.privs->set[0].luid);
                ret &= test_AddPrivilegesToAccount(p, mem_ctx, acct_handle, 
                                                   &r.out.privs->set[0].luid);


@@ -2036,10 +2055,6 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
        NTSTATUS status;
        int i;
        bool ret = true;
        NTSTATUS status;
        int i;
        bool ret = true;

-       if (torture_setting_bool(tctx, "samba4", false)) {
-               printf("skipping QueryDomainInformationPolicy test against Samba4\n");
-               return true;
-       }

 
        printf("\nTesting QueryDomainInformationPolicy\n");
 
 
        printf("\nTesting QueryDomainInformationPolicy\n");
 


@@ -2051,7 +2066,10 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
 
                status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
 
 
                status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
 

-               if (!NT_STATUS_IS_OK(status)) {
+               /* If the server does not support EFS, then this is the correct return */
+               if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+                       continue;
+               } else if (!NT_STATUS_IS_OK(status)) {

                        printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status));
                        ret = false;
                        continue;
                        printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status));
                        ret = false;
                        continue;