From d94c7bbcd6eee6d975eac32a1d172f4164c97137 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 26 Aug 2008 12:18:26 +1000
Subject: [PATCH 1/1] More LSA server and testuite work.

 - Implement QueryDomainInformationPolicy in Samba4

 - Allow RPC-LSA to pass against Windows 2008 (which does not allow
   the Audit privilage to be removed)

Andrew Bartlett
---
 source/rpc_server/lsa/dcesrv_lsa.c | 39 +++++++++++++++++++++++++++++-
 source/torture/rpc/lsa.c           | 32 ++++++++++++++++++------
 2 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/source/rpc_server/lsa/dcesrv_lsa.c b/source/rpc_server/lsa/dcesrv_lsa.c
index 7ed3b63540b..f67b5dee104 100644
--- a/source/rpc_server/lsa/dcesrv_lsa.c
+++ b/source/rpc_server/lsa/dcesrv_lsa.c
@@ -23,6 +23,8 @@
 #include "rpc_server/lsa/lsa.h"
 #include "util/util_ldb.h"
 #include "libcli/ldap/ldap_ndr.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 
 /*
   this type allows us to distinguish handle types
@@ -2502,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
 						 TALLOC_CTX *mem_ctx,
 						 struct lsa_QueryDomainInformationPolicy *r)
 {
-	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+	r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy);
+	if (!r->out.info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	switch (r->in.level) {
+	case LSA_DOMAIN_INFO_POLICY_EFS:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	case LSA_DOMAIN_INFO_POLICY_KERBEROS:
+	{
+		struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info;
+		struct smb_krb5_context *smb_krb5_context;
+		int ret = smb_krb5_init_context(mem_ctx, 
+							dce_call->event_ctx, 
+							dce_call->conn->dce_ctx->lp_ctx,
+							&smb_krb5_context);
+		if (ret != 0) {
+			talloc_free(r->out.info);
+			r->out.info = NULL;
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+		k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
+		k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_lifetime = 0;    /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
+		talloc_free(smb_krb5_context);
+		return NT_STATUS_OK;
+	}
+	default:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
 }
 
 /*
diff --git a/source/torture/rpc/lsa.c b/source/torture/rpc/lsa.c
index 31dc38500db..ec74426ac64 100644
--- a/source/torture/rpc/lsa.c
+++ b/source/torture/rpc/lsa.c
@@ -779,6 +779,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p,
 
 static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, 
 					     TALLOC_CTX *mem_ctx, 				  
+					     struct policy_handle *handle,
 					     struct policy_handle *acct_handle,
 					     struct lsa_LUID *luid)
 {
@@ -801,7 +802,25 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
 
 	status = dcerpc_lsa_RemovePrivilegesFromAccount(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("RemovePrivilegesFromAccount failed - %s\n", nt_errstr(status));
+		
+		struct lsa_LookupPrivName r_name;
+		
+		r_name.in.handle = handle;
+		r_name.in.luid = luid;
+		
+		status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r_name);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
+			return false;
+		}
+		/* Windows 2008 does not allow this to be removed */
+		if (strcmp("SeAuditPrivilege", r_name.out.name->string) == 0) {
+			return ret;
+		}
+
+		printf("RemovePrivilegesFromAccount failed to remove %s - %s\n", 
+		       r_name.out.name->string, 
+		       nt_errstr(status));
 		return false;
 	}
 
@@ -864,7 +883,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
 					    &r.out.privs->set[i].luid);
 		}
 
-		ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, acct_handle, 
+		ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, handle, acct_handle, 
 							&r.out.privs->set[0].luid);
 		ret &= test_AddPrivilegesToAccount(p, mem_ctx, acct_handle, 
 						   &r.out.privs->set[0].luid);
@@ -2036,10 +2055,6 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
 	NTSTATUS status;
 	int i;
 	bool ret = true;
-	if (torture_setting_bool(tctx, "samba4", false)) {
-		printf("skipping QueryDomainInformationPolicy test against Samba4\n");
-		return true;
-	}
 
 	printf("\nTesting QueryDomainInformationPolicy\n");
 
@@ -2051,7 +2066,10 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
 
 		status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
 
-		if (!NT_STATUS_IS_OK(status)) {
+		/* If the server does not support EFS, then this is the correct return */
+		if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+			continue;
+		} else if (!NT_STATUS_IS_OK(status)) {
 			printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status));
 			ret = false;
 			continue;
-- 
2.34.1