summaryrefslogtreecommitdiffstats
path: root/source4/rpc_server
Commit message (Collapse)AuthorAgeFilesLines
* backupkey: Remove an unused variableVolker Lendecke2015-03-041-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* backupkey: Fix CID 1273293 Uninitialized scalar variableVolker Lendecke2015-03-041-1/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* backupkey: Fix a memleakVolker Lendecke2015-03-041-0/+1
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* backupkey: Simplify get_lsa_secretVolker Lendecke2015-03-041-2/+4
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* backupkey: Slightly simplify bkrp_do_retrieve_server_wrap_keyVolker Lendecke2015-03-041-1/+2
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* Fix whitespaceVolker Lendecke2015-03-041-50/+48
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* Fix the O3 developer buildVolker Lendecke2015-03-031-10/+15
| | | | | | | | | | Different gcc versions complain at different places Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
* Fix the developer O3 buildVolker Lendecke2015-02-253-6/+7
| | | | | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
* backupkey: Explain more why we use GnuTLS hereAndrew Bartlett2015-02-251-0/+20
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* backupkey: replace heimdal rsa key generation with GnuTLSGarming Sam2015-02-251-44/+82
| | | | | | | | | | | We use GnuTLS because it can reliably generate 2048 bit keys every time. Windows clients strictly require 2048, no more since it won't fit and no less either. Heimdal would almost always generate a smaller key. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
* backupkey: Better handling for different wrap version headersAndrew Bartlett2015-02-251-12/+19
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Change expected error codes to match Windows 2008R2 and Windows ↵Andrew Bartlett2015-02-251-2/+2
| | | | | | | | | 2012R2 This is done in both smbtoture and in our server Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Implement ServerWrap DecryptAndrew Bartlett2015-02-251-51/+186
| | | | | | | | | | | We implement both modes in BACKUPKEY_RESTORE_GUID, as it may decrypt both ServerWrap and ClientWrap data, and we implement BACKUPKEY_RESTORE_GUID_WIN2K. BUG: https://bugzilla.samba.org/attachment.cgi?bugid=11097 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Handle more clearly the case where we find the secret, but it has ↵Andrew Bartlett2015-02-251-45/+33
| | | | | | | | | no value This happen on the RODC, a case that we try not to permit at all. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Improve variable names to make clear this is client-provided dataAndrew Bartlett2015-02-251-13/+13
| | | | | | | The values we return here are client-provided passwords or other keys, that we decrypt for them. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Use the name lsa_secret rather than just secretAndrew Bartlett2015-02-251-20/+20
| | | | | | | | This makes it clear that this is the data stored on the LSA secrets store and not the client-provided data to be encrypted. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Implement ServerWrap Encrypt protocolAndrew Bartlett2015-02-251-13/+299
| | | | | | | BUG: https://bugzilla.samba.org/attachment.cgi?bugid=11097 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Improve function names and comments for clarityAndrew Bartlett2015-02-251-8/+34
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: Move SID comparison to inside get_and_verify_access_check()Andrew Bartlett2015-02-251-29/+26
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* backupkey: begin by factoring out the server wrap functionsGarming Sam2015-02-251-3/+15
| | | | | Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-backupkey: consistent naming of werr variableArvid Requate2015-02-251-10/+10
| | | | | | Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: improve variable nameArvid Requate2015-02-251-2/+2
| | | | | | Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: typo fixArvid Requate2015-02-251-2/+2
| | | | | | Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: IDL for ServerWrap subprotocolArvid Requate2015-02-251-0/+12
| | | | | | | | | | This adds some IDL structs for the ServerWrap subprotocol, allowing parsing of the incoming RPC calls and returning WERR_NOT_SUPPORTED instead of WERR_INVALID_PARAM. Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: Comply with [MS-BKRP] 2.2.1Arvid Requate2015-02-251-2/+1
| | | | | | | | | | | | | | [MS-BKRP] 2.2.1 specifies "The Common Name field of the Subject name field SHOULD contain the name of the DNS domain assigned to the server." In fact Windows 7 clients don't seem to care. Also in certificates generated by native AD the domain name (after CN=) is encoded as UTF-16LE. Since hx509_parse_name only supports UTF-8 strings currently we just leave the encoding as it is for now. Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: Set defined cert serialnumberArvid Requate2015-02-251-1/+22
| | | | | | | | | | | | [MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate should be set identical to the subjectUniqueID. In fact certificates generated by native AD have this field encoded in little-endian format. See also https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: de-duplicate error handlingArvid Requate2015-02-251-39/+20
| | | | | | Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: check for talloc failureArvid Requate2015-02-251-0/+3
| | | | | | | | Check for talloc_memdup failure for uniqueid.data. Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: Cert lifetime of 365 days, not secsArvid Requate2015-02-251-1/+1
| | | | | | | | | | | | | | | hx509_ca_tbs_set_notAfter_lifetime expects the lifetime value in in seconds. The Windows 7 client didn't seem to care that the lifetime was only 6'03''. Two other TODOs in this implementation: * Since notBefore is not set explicietely to "now", the heimdal code default of now-(24 hours) is applied. * Server side validity checks and cert renewal are missing. Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-backupkey: Ensure RSA modulus is 2048 bitsArvid Requate2015-02-251-5/+10
| | | | | | | | | | | | | | | | | | | RSA_generate_key_ex doesn't always generate a modulus of requested bit length. Tests with Windows 7 clients showed that they decline x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length is smaller than the specified 2048 bits. For the user this resulted in DPAPI failing to retrieve stored credentials after the user password has been changed at least two times. On the server side log.samba showed that the client also called the as yet unlimplemented ServerWrap sub- protocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the ClientWarp function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After enabling DPAPI auditing on the Windows Clients the Event Viewer showed Event-ID 4692 failing with a FailureReason value of 0x7a in these cases. Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
* s4:rpc_server: add support for DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEMStefan Metzmacher2015-01-262-0/+39
| | | | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jan 26 14:23:50 CET 2015 on sn-devel-104
* s4:rpc_server: pass the remote address to gensec_set_remote_address()Stefan Metzmacher2015-01-261-1/+15
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/lsa: add dcesrv_lsa_OpenTrustedDomain_common()Stefan Metzmacher2015-01-261-75/+101
| | | | | | | | | | | | | dcesrv_lsa_OpenTrustedDomain() and dcesrv_lsa_OpenTrustedDomainByName() need to use the same logic and make sure trusted_domain_user_dn is valid. Otherwise dcesrv_lsa_OpenTrustedDomainByName() followed by dcesrv_lsa_DeleteObject() will leave the trust domain account in the database. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/netlogon: fix bugs in dcesrv_netr_DsRGetDCNameEx2()Stefan Metzmacher2015-01-261-8/+14
| | | | | | | | We should return the our ip address the client is connected too. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow ↵Andrew Bartlett2015-01-151-1/+14
| | | | | | | | | | | | | | | | changes to userAccountControl This requires an additional control to be used in the LSA server to add domain trust account objects. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
* s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is ↵Stefan Metzmacher2015-01-061-1/+24
| | | | | | | | | | cleared Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Simo Sorce <idra@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jan 6 22:50:23 CET 2015 on sn-devel-104
* s4:rpc_server/lsa: allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.Stefan Metzmacher2015-01-061-5/+15
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>
* s4:rpc_server/lsa: fix segfault in check_ft_info()Stefan Metzmacher2014-12-191-0/+2
| | | | | | | | | | | This is triggered by lsa_lsaRSetForestTrustInformation() with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME. The nb_name variable was uninitialized and dereferenced without checking. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/lsa: remove unused allow_warnings=TrueStefan Metzmacher2014-12-191-1/+0
| | | | | | | | We compile without warnings now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the ↵Stefan Metzmacher2014-12-191-12/+20
| | | | | | | | | | | related flag is removed. When LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flags is cleared we should also remove the related credentials. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()Stefan Metzmacher2014-12-191-4/+3
| | | | | | | | | | | | This requires 'struct lsa_policy_state', we now pass this directly instead of a instead of an opaque 'struct dcesrv_handle'. dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle' with 'struct lsa_trusted_domain_state' before, which results in segfaults. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addressesGuenter Kukkukk2014-11-264-38/+151
| | | | | | | | | | | | | In the initial implementation only IPv4 addresses were supported. Add IPv6 (and mixed IPv4/IPv6) support and all further needed conversion routines to support w2k, dotnet, longhorn clients. Signed-off-by: Guenter Kukkukk <linux@kukkukk.com> Reviewed-by: Amitay Isaacs <amitay@gmail.com> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Wed Nov 26 03:44:07 CET 2014 on sn-devel-104
* Initialize dwFlags field of DNS_RPC_NODE structureSamuel Cabrero2014-10-211-0/+1
| | | | | | | | | This fixes issue #9791, where the MMC shows random data listing the zone contents. Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idlAndrew Bartlett2014-09-272-4/+5
| | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:rpc_server: ignore ncacn_http endpoints for nowStefan Metzmacher2014-09-221-0/+10
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-rpc: dnsserver: return DNS_RANK_NS_GLUE recors when explicitly asked forStefan Metzmacher2014-09-041-0/+9
| | | | | | | | | | | | | | | | | | | | | | | NS records should be included in the query for sub-domains. NS records got dropped when the rank for NS records was correctly set to NS_GLUE from ZONE in commit 2036cbd9249c84d9b46370f0e8cd6a0264c737ba. samba-tool dns query 172.31.9.161 s4xdom.base @ ALL => Name=glue, Records=0, Children=0 samba-tool dns query 172.31.9.161 s4xdom.base glue ALL => Name=, Records=1, Children=0 NS: glue.dns.private. (flags=40000082, serial=21, ttl=900) Bug: https://bugzilla.samba.org/show_bug.cgi?id=10751 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Thu Sep 4 14:37:51 CEST 2014 on sn-devel-104
* s4-rpc: dnsserver: handle updates of tombstoned dnsNode objectsStefan Metzmacher2014-09-041-2/+15
| | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
* s4-rpc: dnsserver: Do not search for deleted DNS entriesAmitay Isaacs2014-09-041-7/+11
| | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749 Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-netlogond: Give a better error if we do not have a flatname attributeAndrew Bartlett2014-09-011-0/+2
| | | | | | | | | Change-Id: I3bc283b6fab4326131084d1abb89cb486af7b35a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Sep 1 02:58:46 CEST 2014 on sn-devel-104
* s4-rpc: dnsserver: Do not return NS_GLUE records with VIEW_GLUE_DATA filterAmitay Isaacs2014-08-211-1/+1
| | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10751 Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Aug 21 11:36:55 CEST 2014 on sn-devel-104
generated by cgit (git 2.34.1) at 2025-06-16 02:04:02 +0000