diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl index a294ed9..9a6e4a2 100644 --- a/source4/librpc/idl/lsa.idl +++ b/source4/librpc/idl/lsa.idl @@ -240,12 +240,10 @@ import "misc.idl", "security.idl"; LSA_POLICY_INFO_ROLE=6, LSA_POLICY_INFO_REPLICA=7, LSA_POLICY_INFO_QUOTA=8, - LSA_POLICY_INFO_MOD=9, + LSA_POLICY_INFO_DB=9, LSA_POLICY_INFO_AUDIT_FULL_SET=10, LSA_POLICY_INFO_AUDIT_FULL_QUERY=11, - LSA_POLICY_INFO_DNS=12, - LSA_POLICY_INFO_DNS_INT=13, - LSA_POLICY_INFO_L_ACCOUNT_DOMAIN=14 + LSA_POLICY_INFO_DNS=12 } lsa_PolicyInfo; typedef [switch_type(uint16)] union { @@ -257,12 +255,10 @@ import "misc.idl", "security.idl"; [case(LSA_POLICY_INFO_ROLE)] lsa_ServerRole role; [case(LSA_POLICY_INFO_REPLICA)] lsa_ReplicaSourceInfo replica; [case(LSA_POLICY_INFO_QUOTA)] lsa_DefaultQuotaInfo quota; - [case(LSA_POLICY_INFO_MOD)] lsa_ModificationInfo mod; + [case(LSA_POLICY_INFO_DB)] lsa_ModificationInfo db; [case(LSA_POLICY_INFO_AUDIT_FULL_SET)] lsa_AuditFullSetInfo auditfullset; [case(LSA_POLICY_INFO_AUDIT_FULL_QUERY)] lsa_AuditFullQueryInfo auditfullquery; [case(LSA_POLICY_INFO_DNS)] lsa_DnsDomainInfo dns; - [case(LSA_POLICY_INFO_DNS_INT)] lsa_DnsDomainInfo dns_int; - [case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain; } lsa_PolicyInformation; NTSTATUS lsa_QueryInfoPolicy ( @@ -490,39 +486,23 @@ import "misc.idl", "security.idl"; /* Function: 0x16 */ [todo] NTSTATUS lsa_SetQuotasForAccount(); - typedef [bitmap32bit] bitmap { - LSA_POLICY_MODE_INTERACTIVE = 0x00000001, - LSA_POLICY_MODE_NETWORK = 0x00000002, - LSA_POLICY_MODE_BATCH = 0x00000004, - LSA_POLICY_MODE_SERVICE = 0x00000010, - LSA_POLICY_MODE_PROXY = 0x00000020, - LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, - LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, - LSA_POLICY_MODE_DENY_BATCH = 0x00000100, - LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, - LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, - LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, - LSA_POLICY_MODE_ALL = 0x00000FF7, - LSA_POLICY_MODE_ALL_NT4 = 0x00000037 - } lsa_SystemAccessModeFlags; - /* Function: 0x17 */ NTSTATUS lsa_GetSystemAccessAccount( - [in] policy_handle *handle, + [in] policy_handle *handle, [out,ref] uint32 *access_mask ); /* Function: 0x18 */ NTSTATUS lsa_SetSystemAccessAccount( - [in] policy_handle *handle, - [in] uint32 access_mask + [in] policy_handle *handle, + [in] uint32 access_mask ); /* Function: 0x19 */ NTSTATUS lsa_OpenTrustedDomain( [in] policy_handle *handle, [in] dom_sid2 *sid, - [in] uint32 access_mask, + [in] uint32 access_mask, [out] policy_handle *trustdom_handle ); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index edfeb0a..7b15241 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -393,19 +393,6 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal return WERR_INVALID_PARAM; } -/* - fill in the AuditEvents info -*/ -static NTSTATUS dcesrv_lsa_info_AuditEvents(struct lsa_policy_state *state, - TALLOC_CTX *mem_ctx, struct lsa_AuditEventsInfo *info) -{ - /* TODO: auditing disabled at the moment */ - info->auditing_mode = 0; - info->settings = NULL; - info->count = 0; - - return NT_STATUS_OK; -} /* fill in the AccountDomain info @@ -457,26 +444,15 @@ static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, ZERO_STRUCTP(r->out.info); switch (r->in.level) { - case LSA_POLICY_INFO_AUDIT_EVENTS: - return dcesrv_lsa_info_AuditEvents(state, mem_ctx, &r->out.info->audit_events); - case LSA_POLICY_INFO_DOMAIN: - return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->domain); - case LSA_POLICY_INFO_ACCOUNT_DOMAIN: return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain); case LSA_POLICY_INFO_DNS: return dcesrv_lsa_info_DNS(state, mem_ctx, &r->out.info->dns); - - case LSA_POLICY_INFO_DNS_INT: - return dcesrv_lsa_info_DNS(state, mem_ctx, &r->out.info->dns_int); - - case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: - return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->l_account_domain); - - case LSA_POLICY_INFO_MOD: + case LSA_POLICY_INFO_DB: case LSA_POLICY_INFO_AUDIT_FULL_SET: + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: return NT_STATUS_INVALID_PARAMETER; } @@ -1975,36 +1951,7 @@ static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_cal static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct lsa_GetSystemAccessAccount *r) { - int i; - NTSTATUS status; - struct lsa_EnumPrivsAccount enumPrivs; - - enumPrivs.in.handle = r->in.handle; - - status = dcesrv_lsa_EnumPrivsAccount(dce_call, mem_ctx, &enumPrivs); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - *(r->out.access_mask) = 0x00000000; - - for (i = 0; i < enumPrivs.out.privs->count; i++) { - int priv = enumPrivs.out.privs->set[i].luid.low; - - switch (priv) { - case SEC_PRIV_INTERACTIVE_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_INTERACTIVE; - break; - case SEC_PRIV_NETWORK_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_NETWORK; - break; - case SEC_PRIV_REMOTE_INTERACTIVE_LOGON: - *(r->out.access_mask) |= LSA_POLICY_MODE_REMOTE_INTERACTIVE; - break; - } - } - - return NT_STATUS_OK; + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 91294b1..af5ee4f 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -46,7 +46,7 @@ static bool test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) NTSTATUS status; uint16_t system_name = '\\'; - printf("\nTesting OpenPolicy\n"); + printf("\ntesting OpenPolicy\n"); qos.len = 0; qos.impersonation_level = 2; @@ -88,7 +88,7 @@ bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_OpenPolicy2 r; NTSTATUS status; - printf("\nTesting OpenPolicy2\n"); + printf("\ntesting OpenPolicy2\n"); *handle = talloc(mem_ctx, struct policy_handle); if (!*handle) { @@ -780,7 +780,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p, } static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle, struct lsa_LUID *luid) @@ -790,7 +790,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("\nTesting RemovePrivilegesFromAccount\n"); + printf("Testing RemovePrivilegesFromAccount\n"); r.in.handle = acct_handle; r.in.remove_all = 0; @@ -830,7 +830,7 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, } static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *acct_handle, struct lsa_LUID *luid) { @@ -839,7 +839,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, struct lsa_PrivilegeSet privs; bool ret = true; - printf("\nTesting AddPrivilegesToAccount\n"); + printf("Testing AddPrivilegesToAccount\n"); r.in.handle = acct_handle; r.in.privs = &privs; @@ -860,7 +860,7 @@ static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p, } static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct policy_handle *acct_handle) { @@ -868,7 +868,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, struct lsa_EnumPrivsAccount r; bool ret = true; - printf("\nTesting EnumPrivsAccount\n"); + printf("Testing EnumPrivsAccount\n"); r.in.handle = acct_handle; @@ -894,60 +894,6 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p, return ret; } -static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p, - TALLOC_CTX *mem_ctx, - struct policy_handle *handle, - struct policy_handle *acct_handle) -{ - NTSTATUS status; - uint32_t access_mask; - struct lsa_GetSystemAccessAccount r; - - printf("\nTesting GetSystemAccessAccount\n"); - - r.in.handle = acct_handle; - r.out.access_mask = &access_mask; - - status = dcerpc_lsa_GetSystemAccessAccount(p, mem_ctx, &r); - if (!NT_STATUS_IS_OK(status)) { - printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status)); - return false; - } - - if (r.out.access_mask != NULL) { - printf("Rights:"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE) - printf(" LSA_POLICY_MODE_INTERACTIVE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK) - printf(" LSA_POLICY_MODE_NETWORK"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH) - printf(" LSA_POLICY_MODE_BATCH"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE) - printf(" LSA_POLICY_MODE_SERVICE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY) - printf(" LSA_POLICY_MODE_PROXY"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE) - printf(" LSA_POLICY_MODE_DENY_INTERACTIVE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK) - printf(" LSA_POLICY_MODE_DENY_NETWORK"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH) - printf(" LSA_POLICY_MODE_DENY_BATCH"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE) - printf(" LSA_POLICY_MODE_DENY_SERVICE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE) - printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE) - printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL) - printf(" LSA_POLICY_MODE_ALL"); - if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4) - printf(" LSA_POLICY_MODE_ALL_NT4"); - printf("\n"); - } - - return true; -} - static bool test_Delete(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle) @@ -955,7 +901,7 @@ static bool test_Delete(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_Delete r; - printf("\nTesting Delete\n"); + printf("testing Delete\n"); r.in.handle = handle; status = dcerpc_lsa_Delete(p, mem_ctx, &r); @@ -974,13 +920,13 @@ static bool test_DeleteObject(struct dcerpc_pipe *p, NTSTATUS status; struct lsa_DeleteObject r; - printf("\nTesting DeleteObject\n"); + printf("testing DeleteObject\n"); r.in.handle = handle; r.out.handle = handle; status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("DeleteObject failed - %s\n", nt_errstr(status)); + printf("Delete failed - %s\n", nt_errstr(status)); return false; } @@ -999,7 +945,7 @@ static bool test_CreateAccount(struct dcerpc_pipe *p, newsid = dom_sid_parse_talloc(mem_ctx, "S-1-5-12349876-4321-2854"); - printf("\nTesting CreateAccount\n"); + printf("Testing CreateAccount\n"); r.in.handle = handle; r.in.sid = newsid; @@ -1051,7 +997,7 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p, status = dcerpc_lsa_OpenTrustedDomainByName(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); + printf("lsa_OpenTrustedDomainByName failed - %s\n", nt_errstr(status)); return false; } @@ -1079,7 +1025,7 @@ static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p, status = dcerpc_lsa_DeleteTrustedDomain(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status)); + printf("lsa_DeleteTrustedDomain failed - %s\n", nt_errstr(status)); return false; } @@ -1125,7 +1071,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p, secname[GLOBAL] = talloc_asprintf(mem_ctx, "G$torturesecret-%u", (uint_t)random()); for (i=0; i< 2; i++) { - printf("\nTesting CreateSecret of %s\n", secname[i]); + printf("Testing CreateSecret of %s\n", secname[i]); init_lsa_String(&r.in.name, secname[i]); @@ -1437,7 +1383,7 @@ static bool test_EnumAccountRights(struct dcerpc_pipe *p, struct lsa_EnumAccountRights r; struct lsa_RightSet rights; - printf("\nTesting EnumAccountRights\n"); + printf("Testing EnumAccountRights\n"); r.in.handle = acct_handle; r.in.sid = sid; @@ -1463,11 +1409,11 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p, struct lsa_QuerySecurity r; if (torture_setting_bool(tctx, "samba4", false)) { - printf("\nskipping QuerySecurity test against Samba4\n"); + printf("skipping QuerySecurity test against Samba4\n"); return true; } - printf("\nTesting QuerySecurity\n"); + printf("Testing QuerySecurity\n"); r.in.handle = acct_handle; r.in.sec_info = 7; @@ -1490,7 +1436,7 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, struct lsa_OpenAccount r; struct policy_handle acct_handle; - printf("\nTesting OpenAccount\n"); + printf("Testing OpenAccount\n"); r.in.handle = handle; r.in.sid = sid; @@ -1507,10 +1453,6 @@ static bool test_OpenAccount(struct dcerpc_pipe *p, return false; } - if (!test_GetSystemAccessAccount(p, mem_ctx, handle, &acct_handle)) { - return false; - } - if (!test_QuerySecurity(p, mem_ctx, handle, &acct_handle)) { return false; } @@ -1529,7 +1471,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\nTesting EnumAccounts\n"); + printf("\ntesting EnumAccounts\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -1560,7 +1502,7 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p, * be on schannel, or we would not be able to do the * rest */ - printf("Testing all accounts\n"); + printf("testing all accounts\n"); for (i=0;istring); + printf("testing LookupPrivDisplayName(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1633,7 +1575,7 @@ static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p, ZERO_STRUCT(sids); - printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string); + printf("testing EnumAccountsWithUserRight(%s)\n", priv_name->string); r.in.handle = handle; r.in.name = priv_name; @@ -1666,7 +1608,7 @@ static bool test_EnumPrivs(struct dcerpc_pipe *p, int i; bool ret = true; - printf("\nTesting EnumPrivs\n"); + printf("\ntesting EnumPrivs\n"); r.in.handle = handle; r.in.resume_handle = &resume_handle; @@ -2048,7 +1990,7 @@ static bool test_CreateTrustedDomain(struct dcerpc_pipe *p, struct lsa_QueryTrustedDomainInfo q; int i; - printf("\nTesting CreateTrustedDomain for 12 domains\n"); + printf("Testing CreateTrustedDomain for 12 domains\n"); if (!test_EnumTrustDom(p, mem_ctx, handle)) { ret = false; @@ -2144,7 +2086,7 @@ static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p, enum ndr_err_code ndr_err; int i; - printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n"); + printf("Testing CreateTrustedDomainEx2 for 12 domains\n"); status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -2272,7 +2214,7 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, r.in.handle = handle; r.in.level = i; - printf("\nTrying QueryDomainInformationPolicy level %d\n", i); + printf("\ntrying QueryDomainInformationPolicy level %d\n", i); status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r); @@ -2290,56 +2232,38 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p, } -static bool test_QueryInfoPolicyCalls( bool version2, - struct dcerpc_pipe *p, - struct torture_context *tctx, - struct policy_handle *handle) +static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle) { struct lsa_QueryInfoPolicy r; NTSTATUS status; int i; bool ret = true; + printf("\nTesting QueryInfoPolicy\n"); - if (version2) - printf("\nTesting QueryInfoPolicy2\n"); - else - printf("\nTesting QueryInfoPolicy\n"); - - for (i=1;i<15;i++) { + for (i=1;i<13;i++) { r.in.handle = handle; r.in.level = i; - if (version2) - printf("\nTrying QueryInfoPolicy2 level %d\n", i); - else - printf("\nTrying QueryInfoPolicy level %d\n", i); + printf("\ntrying QueryInfoPolicy level %d\n", i); - if (version2) - /* We can perform the cast, because both types are - structurally equal */ - status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, - (struct lsa_QueryInfoPolicy2*) &r); - else - status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); + status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r); switch (i) { - case LSA_POLICY_INFO_MOD: + case LSA_POLICY_INFO_DB: case LSA_POLICY_INFO_AUDIT_FULL_SET: + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf("Server should have failed level %u: %s\n", i, nt_errstr(status)); + printf("server should have failed level %u: %s\n", i, nt_errstr(status)); ret = false; } break; case LSA_POLICY_INFO_DOMAIN: case LSA_POLICY_INFO_ACCOUNT_DOMAIN: - case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN: case LSA_POLICY_INFO_DNS: - case LSA_POLICY_INFO_DNS_INT: if (!NT_STATUS_IS_OK(status)) { - if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; @@ -2347,24 +2271,17 @@ static bool test_QueryInfoPolicyCalls( bool version2, if (torture_setting_bool(tctx, "samba4", false)) { /* Other levels not implemented yet */ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { - if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } } else if (!NT_STATUS_IS_OK(status)) { - if (version2) - printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); - else - printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); + printf("QueryInfoPolicy failed - %s\n", nt_errstr(status)); ret = false; } break; } - if (NT_STATUS_IS_OK(status) && (i == LSA_POLICY_INFO_DNS - || i == LSA_POLICY_INFO_DNS_INT)) { + if (NT_STATUS_IS_OK(status) && i == LSA_POLICY_INFO_DNS) { /* Let's look up some of these names */ struct lsa_TransNameArray tnames; @@ -2406,18 +2323,56 @@ static bool test_QueryInfoPolicyCalls( bool version2, return ret; } -static bool test_QueryInfoPolicy(struct dcerpc_pipe *p, - struct torture_context *tctx, - struct policy_handle *handle) -{ - return test_QueryInfoPolicyCalls(false, p, tctx, handle); -} - static bool test_QueryInfoPolicy2(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle) { - return test_QueryInfoPolicyCalls(true, p, tctx, handle); + struct lsa_QueryInfoPolicy2 r; + NTSTATUS status; + int i; + bool ret = true; + printf("\nTesting QueryInfoPolicy2\n"); + for (i=1;i<13;i++) { + r.in.handle = handle; + r.in.level = i; + + printf("\ntrying QueryInfoPolicy2 level %d\n", i); + + status = dcerpc_lsa_QueryInfoPolicy2(p, tctx, &r); + + switch (i) { + case LSA_POLICY_INFO_DB: + case LSA_POLICY_INFO_AUDIT_FULL_SET: + case LSA_POLICY_INFO_AUDIT_FULL_QUERY: + if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + printf("server should have failed level %u: %s\n", i, nt_errstr(status)); + ret = false; + } + break; + case LSA_POLICY_INFO_DOMAIN: + case LSA_POLICY_INFO_ACCOUNT_DOMAIN: + case LSA_POLICY_INFO_DNS: + if (!NT_STATUS_IS_OK(status)) { + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + ret = false; + } + break; + default: + if (torture_setting_bool(tctx, "samba4", false)) { + /* Other levels not implemented yet */ + if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + ret = false; + } + } else if (!NT_STATUS_IS_OK(status)) { + printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status)); + ret = false; + } + break; + } + } + + return ret; } static bool test_GetUserName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) @@ -2452,7 +2407,7 @@ bool test_lsa_Close(struct dcerpc_pipe *p, struct lsa_Close r; struct policy_handle handle2; - printf("\nTesting Close\n"); + printf("\ntesting Close\n"); r.in.handle = handle; r.out.handle = &handle2;