The Samba-Bugzilla – Attachment 18379 Details for
Bug 15680
Trust domains are not created
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Draft patches for a fix...
bfixes-tmp.diff.txt (text/plain), 15.96 KB, created by
Stefan Metzmacher
on 2024-07-18 16:18:50 UTC
(
hide
)
Description:
Draft patches for a fix...
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2024-07-18 16:18:50 UTC
Size:
15.96 KB
patch
obsolete
>From bc56157aecce9f4d0df2ea15d18096c09af38ac7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:01:24 +0200 >Subject: [PATCH 1/8] dcesrv_core: public dcesrv_call_disconnect_after() > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > librpc/rpc/dcesrv_core.c | 4 ++-- > librpc/rpc/dcesrv_core.h | 3 +++ > 2 files changed, 5 insertions(+), 2 deletions(-) > >diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c >index c0a4150e3b3c..f291247e1e28 100644 >--- a/librpc/rpc/dcesrv_core.c >+++ b/librpc/rpc/dcesrv_core.c >@@ -768,8 +768,8 @@ static void dcesrv_call_set_list(struct dcesrv_call_state *call, > } > } > >-static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, >- const char *reason) >+void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, >+ const char *reason) > { > struct dcesrv_auth *a = NULL; > >diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h >index 3758c8d7de2e..384ab08a608f 100644 >--- a/librpc/rpc/dcesrv_core.h >+++ b/librpc/rpc/dcesrv_core.h >@@ -564,6 +564,9 @@ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call, > NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call, > DATA_BLOB *session_key); > >+void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, >+ const char *reason); >+ > /* a useful macro for generating a RPC fault in the backend code */ > #define DCESRV_FAULT(code) do { \ > dce_call->fault_code = code; \ >-- >2.34.1 > > >From 0dd68a20c133837e9c7b40fcc4e216e066482261 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:02:57 +0200 >Subject: [PATCH 2/8] dcesrv_fault_with_flags => DCERPC_FAULT_ACCESS_DENIED => > dcesrv_call_disconnect_after > >--- > librpc/rpc/dcesrv_reply.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c >index 4890169c98b0..59a6790d5aa4 100644 >--- a/librpc/rpc/dcesrv_reply.c >+++ b/librpc/rpc/dcesrv_reply.c >@@ -102,6 +102,11 @@ NTSTATUS dcesrv_fault_with_flags(struct dcesrv_call_state *call, > return NT_STATUS_OK; > } > >+ if (fault_code == DCERPC_FAULT_ACCESS_DENIED) { >+ dcesrv_call_disconnect_after(call, >+ "DCERPC_FAULT_ACCESS_DENIED"); >+ } >+ > /* setup a fault */ > dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx)); > pkt.auth_length = 0; >-- >2.34.1 > > >From b136fba38ebb85bdd9d03884246a5dcca5a45526 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:04:56 +0200 >Subject: [PATCH 3/8] smb2_ioctl_named_pipe: make use of nt_status_np_pipe() > >We should return NT_STATUS_PIPE_DISCONNECTED or >NT_STATUS_PIPE_BROKEN in the same way SMB2 read/write do it. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/smbd/smb2_ioctl_named_pipe.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/source3/smbd/smb2_ioctl_named_pipe.c b/source3/smbd/smb2_ioctl_named_pipe.c >index f9e3dec049c0..4c1967cca67a 100644 >--- a/source3/smbd/smb2_ioctl_named_pipe.c >+++ b/source3/smbd/smb2_ioctl_named_pipe.c >@@ -123,6 +123,7 @@ static void smbd_smb2_ioctl_pipe_write_done(struct tevent_req *subreq) > > TALLOC_FREE(subreq); > if (!NT_STATUS_IS_OK(status)) { >+ status = nt_status_np_pipe(status); > tevent_req_nterror(req, status); > return; > } >@@ -173,6 +174,7 @@ static void smbd_smb2_ioctl_pipe_read_done(struct tevent_req *subreq) > > TALLOC_FREE(subreq); > if (!NT_STATUS_IS_OK(status)) { >+ status = nt_status_np_pipe(status); > tevent_req_nterror(req, status); > return; > } >-- >2.34.1 > > >From 46b68a82eb0c0706f8a50ad7a0348129bd49d4ba Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:11:49 +0200 >Subject: [PATCH 4/8] py_dcerpc_interface_init_helper > dcerpc_secondary_auth_connection > >--- > source4/librpc/rpc/pyrpc_util.c | 67 +++++++++++++++++++++++++++++---- > 1 file changed, 59 insertions(+), 8 deletions(-) > >diff --git a/source4/librpc/rpc/pyrpc_util.c b/source4/librpc/rpc/pyrpc_util.c >index 43c29af0e76a..5b11cab1aeec 100644 >--- a/source4/librpc/rpc/pyrpc_util.c >+++ b/source4/librpc/rpc/pyrpc_util.c >@@ -160,6 +160,8 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py > struct dcerpc_pipe *base_pipe; > PyObject *py_base; > PyTypeObject *ClientConnection_Type; >+ struct loadparm_context *lp_ctx = NULL; >+ struct cli_credentials *credentials = NULL; > > py_base = PyImport_ImportModule("samba.dcerpc.base"); > if (py_base == NULL) { >@@ -204,16 +206,65 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py > return NULL; > } > >- status = dcerpc_secondary_context(base_pipe, &ret->pipe, table); >- if (!NT_STATUS_IS_OK(status)) { >- PyErr_SetNTSTATUS(status); >- Py_DECREF(ret); >- Py_DECREF(py_base); >- Py_DECREF(ClientConnection_Type); >- return NULL; >+ if (py_lp_ctx != Py_None) { >+ lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx); >+ if (lp_ctx == NULL) { >+ PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); >+ Py_DECREF(ret); >+ return NULL; >+ } >+ } >+ >+ if (py_credentials != Py_None) { >+ credentials = cli_credentials_from_py_object(py_credentials); >+ if (credentials == NULL) { >+ PyErr_SetString(PyExc_TypeError, "Expected credentials"); >+ Py_DECREF(ret); >+ return NULL; >+ } >+ } >+ >+ if (credentials != NULL && lp_ctx != NULL) { >+ struct dcerpc_binding *binding = NULL; >+ >+ status = dcerpc_parse_binding(ret->mem_ctx, >+ binding_string, >+ &binding); >+ if (!NT_STATUS_IS_OK(status)) { >+ PyErr_SetNTSTATUS(status); >+ Py_DECREF(ret); >+ Py_DECREF(py_base); >+ Py_DECREF(ClientConnection_Type); >+ return NULL; >+ } >+ >+ status = dcerpc_secondary_auth_connection(base_pipe, >+ binding, >+ table, >+ credentials, >+ lp_ctx, >+ ret->mem_ctx, >+ &ret->pipe); >+ // TALLOC_FREE(binding); >+ if (!NT_STATUS_IS_OK(status)) { >+ PyErr_SetNTSTATUS(status); >+ Py_DECREF(ret); >+ Py_DECREF(py_base); >+ Py_DECREF(ClientConnection_Type); >+ return NULL; >+ } >+ } else { >+ status = dcerpc_secondary_context(base_pipe, &ret->pipe, table); >+ if (!NT_STATUS_IS_OK(status)) { >+ PyErr_SetNTSTATUS(status); >+ Py_DECREF(ret); >+ Py_DECREF(py_base); >+ Py_DECREF(ClientConnection_Type); >+ return NULL; >+ } >+ ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe); > } > >- ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe); > Py_XDECREF(ClientConnection_Type); > Py_XDECREF(py_base); > } else { >-- >2.34.1 > > >From 16289009b461d8210dca36dc166a27cef9bdfb73 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:12:31 +0200 >Subject: [PATCH 5/8] OpenPolicyFallback based on in_revision_info is not None > caller fallback > >--- > python/samba/lsa_utils.py | 19 ++++++++----------- > 1 file changed, 8 insertions(+), 11 deletions(-) > >diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py >index 043e65f3341b..5eaf23af2bad 100644 >--- a/python/samba/lsa_utils.py >+++ b/python/samba/lsa_utils.py >@@ -48,7 +48,7 @@ def OpenPolicyFallback( > > attr.sec_qos = qos > >- try: >+ if in_revision_info is not None: > out_version, out_rev_info, policy = conn.OpenPolicy3( > system_name, > attr, >@@ -56,16 +56,13 @@ def OpenPolicyFallback( > in_version, > in_revision_info > ) >- except NTSTATUSError as e: >- if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE: >- out_version = 1 >- out_rev_info = lsa.revision_info1() >- out_rev_info.revision = 1 >- out_rev_info.supported_features = 0 >- >- policy = conn.OpenPolicy2(system_name, attr, access_mask) >- else: >- raise >+ else: >+ out_version = 1 >+ out_rev_info = lsa.revision_info1() >+ out_rev_info.revision = 1 >+ out_rev_info.supported_features = 0 >+ >+ policy = conn.OpenPolicy2(system_name, attr, access_mask) > > return out_version, out_rev_info, policy > >-- >2.34.1 > > >From 791a51440c90ad485064886d2d10ab58311f280b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:13:56 +0200 >Subject: [PATCH 6/8] python/samba/netcmd/domain/trust.py OpenPolicyFallback 3 > => 2 > >--- > python/samba/netcmd/domain/trust.py | 66 +++++++++++++++++++++++------ > 1 file changed, 54 insertions(+), 12 deletions(-) > >diff --git a/python/samba/netcmd/domain/trust.py b/python/samba/netcmd/domain/trust.py >index 0784fa5e2822..a2e15d3550f9 100644 >--- a/python/samba/netcmd/domain/trust.py >+++ b/python/samba/netcmd/domain/trust.py >@@ -52,10 +52,12 @@ class DomainTrustCommand(Command): > self.local_server = None > self.local_binding_string = None > self.local_creds = None >+ self._last_local_lsa = None > > self.remote_server = None > self.remote_binding_string = None > self.remote_creds = None >+ self._last_remote_lsa = None > > def _uint32(self, v): > return ctypes.c_uint32(v).value >@@ -125,8 +127,13 @@ class DomainTrustCommand(Command): > self.local_creds = local_creds > return self.local_server > >- def new_local_lsa_connection(self): >- return lsa.lsarpc(self.local_binding_string, self.local_lp, self.local_creds) >+ def new_local_lsa_connection(self, basis_connection=None): >+ conn = lsa.lsarpc(self.local_binding_string, self.local_lp, >+ self.local_creds, >+ basis_connection=basis_connection) >+ if basis_connection is None: >+ self._last_local_lsa = conn >+ return conn > > def new_local_netlogon_connection(self): > return netlogon.netlogon(self.local_binding_string, self.local_lp, self.local_creds) >@@ -203,8 +210,12 @@ class DomainTrustCommand(Command): > self.remote_creds = remote_creds > return self.remote_server > >- def new_remote_lsa_connection(self): >- return lsa.lsarpc(self.remote_binding_string, self.local_lp, self.remote_creds) >+ def new_remote_lsa_connection(self, basis_connection=None): >+ conn = lsa.lsarpc(self.remote_binding_string, self.local_lp, >+ self.remote_creds, basis_connection=basis_connection) >+ if basis_connection is None: >+ self._last_remote_lsa = conn >+ return conn > > def new_remote_netlogon_connection(self): > return netlogon.netlogon(self.remote_binding_string, self.local_lp, self.remote_creds) >@@ -217,17 +228,40 @@ class DomainTrustCommand(Command): > lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER > ) > >- out_version, out_revision_info1, policy = OpenPolicyFallback( >- conn, >- b''.decode('utf-8'), >- in_version, >- in_revision_info1, >- policy_access >- ) >+ try: >+ out_version, out_revision_info1, policy = OpenPolicyFallback( >+ conn, >+ b''.decode('utf-8'), >+ in_version, >+ in_revision_info1, >+ policy_access >+ ) >+ except NTSTATUSError as e: >+ if e.args[0] != ntstatus.NT_STATUS_ACCESS_DENIED: >+ raise >+ if self._last_local_lsa is conn: >+ new_conn_fn = self.new_local_lsa_connection >+ self._last_local_lsa = None >+ if self._last_remote_lsa is conn: >+ new_conn_fn = self.new_remote_lsa_connection >+ self._last_remote_lsa = None >+ >+ in_revision_info1 = None >+ >+ if in_revision_info1 is None: >+ conn = new_conn_fn(basis_connection=conn) >+ >+ out_version, out_revision_info1, policy = OpenPolicyFallback( >+ conn, >+ b''.decode('utf-8'), >+ in_version, >+ in_revision_info1, >+ policy_access >+ ) > > info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS) > >- return (policy, out_version, out_revision_info1, info) >+ return (conn, policy, out_version, out_revision_info1, info) > > def get_netlogon_dc_unc(self, conn, server, domain): > try: >@@ -515,6 +549,7 @@ class cmd_domain_trust_show(DomainTrustCommand): > try: > local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >@@ -656,6 +691,7 @@ class cmd_domain_trust_modify(DomainTrustCommand): > try: > local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >@@ -914,6 +950,7 @@ class cmd_domain_trust_create(DomainTrustCommand): > > try: > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >@@ -939,6 +976,7 @@ class cmd_domain_trust_create(DomainTrustCommand): > > try: > ( >+ remote_lsa, > remote_policy, > remote_version, > remote_revision_info1, >@@ -1303,6 +1341,7 @@ class cmd_domain_trust_delete(DomainTrustCommand): > > try: > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >@@ -1344,6 +1383,7 @@ class cmd_domain_trust_delete(DomainTrustCommand): > > try: > ( >+ remote_lsa, > remote_policy, > remote_version, > remote_revision_info1, >@@ -1456,6 +1496,7 @@ class cmd_domain_trust_validate(DomainTrustCommand): > > try: > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >@@ -1896,6 +1937,7 @@ class cmd_domain_trust_namespaces(DomainTrustCommand): > > try: > ( >+ local_lsa, > local_policy, > local_version, > local_revision_info1, >-- >2.34.1 > > >From 747032021a725196c56b71a8a7275d884c465f91 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:14:28 +0200 >Subject: [PATCH 7/8] HACK dcerpc_lsa_open_policy_fallback only 2 > >--- > source3/rpc_client/cli_lsarpc.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > >diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c >index 73b4872a2c4a..61469411a37c 100644 >--- a/source3/rpc_client/cli_lsarpc.c >+++ b/source3/rpc_client/cli_lsarpc.c >@@ -179,6 +179,7 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, > { > NTSTATUS status; > >+ goto policy2; > status = dcerpc_lsa_open_policy3(h, > mem_ctx, > srv_name_slash, >@@ -188,7 +189,10 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, > out_revision_info, > pol, > result); >- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { >+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) || >+ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) >+ { >+policy2: > *out_version = 1; > *out_revision_info = (union lsa_revision_info) { > .info1 = { >-- >2.34.1 > > >From c35251cbf55b7f6d73734f567aafdf78f1958b78 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Jul 2024 18:14:46 +0200 >Subject: [PATCH 8/8] HACK dcesrv_lsa_OpenPolicy3 simulate windows <= 2016 > >--- > source4/rpc_server/lsa/lsa_init.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c >index bc5dadd5bd69..76dddd700de9 100644 >--- a/source4/rpc_server/lsa/lsa_init.c >+++ b/source4/rpc_server/lsa/lsa_init.c >@@ -232,7 +232,7 @@ NTSTATUS dcesrv_lsa_OpenPolicy3(struct dcesrv_call_state *dce_call, > struct dcesrv_handle *handle = NULL; > NTSTATUS status; > >- if (transport != NCACN_NP && transport != NCALRPC) { >+ if (transport != NCALRPC) { > DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED); > } > >-- >2.34.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=18379">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 15680
:
18375
|
18378
|
18379
|
18384
|
18571
|
18572
|
18650