Follow MS-LSAD 3.1.4.7.12 and set defaults when creating a trust.

Also check we get the defaults correct with a query in the torture
suite.

Andrew Bartlett
(This used to be commit b55a1b63cc2f7de889f046e975e3414bc5000613)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f67b5dee10467e91b5c37c680f99dd67431c2e43..923b1e400c5056327314a16bf0398cd3568ce6db 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -672,6 +672,12 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_cal
        }
 
        samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
+
+       samdb_msg_add_int(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "trustType", LSA_TRUST_TYPE_DOWNLEVEL);
+
+       samdb_msg_add_int(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "trustAttributes", 0);
+
+       samdb_msg_add_int(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "trustDirection", LSA_TRUST_DIRECTION_OUTBOUND);
        
        trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
 

diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index ec74426ac6487be632441ca925342eac2466914b..edfc12f9f1f0a63640453090531faea936285162 100644 (file)
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -2016,7 +2016,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
                } else {
                
                        q.in.trustdom_handle = &trustdom_handle[i];
-                       q.in.level = LSA_TRUSTED_DOMAIN_INFO_NAME;
+                       q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
                        status = dcerpc_lsa_QueryTrustedDomainInfo(p, mem_ctx, &q);
                        if (!NT_STATUS_IS_OK(status)) {
                                printf("QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status));
@@ -2024,9 +2024,24 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
                        } else if (!q.out.info) {
                                ret = false;
                        } else {
-                               if (strcmp(q.out.info->name.netbios_name.string, trustinfo.name.string) != 0) {
+                               if (strcmp(q.out.info->info_ex.netbios_name.string, trustinfo.name.string) != 0) {
                                        printf("QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n",
-                                              q.out.info->name.netbios_name.string, trustinfo.name.string);
+                                              q.out.info->info_ex.netbios_name.string, trustinfo.name.string);
+                                       ret = false;
+                               }
+                               if (q.out.info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
+                                       printf("QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n", 
+                                              trust_name, q.out.info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL);
+                                       ret = false;
+                               }
+                               if (q.out.info->info_ex.trust_attributes != 0) {
+                                       printf("QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n", 
+                                              trust_name, q.out.info->info_ex.trust_attributes, 0);
+                                       ret = false;
+                               }
+                               if (q.out.info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) {
+                                       printf("QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n", 
+                                              trust_name, q.out.info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND);
                                        ret = false;
                                }
                        }