From 17e5aadb888a5ea02caae85988a8f20b68fd52b2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Feb 2025 12:35:20 +0100 Subject: [PATCH 1/8] s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit d2ac6221db48b93581d7ce48d31f8851c88b77bc) --- source3/rpc_client/cli_pipe.c | 88 +++++++++++++++++++++++++++++++++++ source3/rpc_client/cli_pipe.h | 2 + 2 files changed, 90 insertions(+) diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index e83d31bd703..23adbbc62fa 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
@@ -4254,6 +4254,94 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, presult); } +/**************************************************************************** + * Reopen a connection with the same parameters. + * + * This is useful if we try an RPC function the server doesn't know about and + * disconnects us. + ****************************************************************************/ +NTSTATUS cli_rpc_pipe_reopen_np_noauth(struct rpc_pipe_client *rpccli) +{ + TALLOC_CTX *frame = talloc_stackframe(); + enum dcerpc_transport_t transport; + struct cli_state *cli = NULL; + struct rpc_client_association *assoc = NULL; + struct rpc_client_connection *new_conn = NULL; + struct pipe_auth_data *new_auth = NULL; + NTSTATUS status; + + if (rpccli->assoc == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + transport = dcerpc_binding_get_transport(rpccli->assoc->binding); + if (transport != NCACN_NP) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + if (rpccli->np_cli == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER_MIX; + } + cli = rpccli->np_cli; + + /* + * close the old connection + */ + TALLOC_FREE(rpccli->conn); + + /* + * Free the auth context + */ + TALLOC_FREE(rpccli->auth); + + /* + * Reset the association + */ + assoc = talloc_move(frame, &rpccli->assoc); + status = dcerpc_binding_set_assoc_group_id(assoc->binding, 0); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + assoc->features.negotiated = 0; + if (assoc->features.client != 0) { + assoc->features.negotiation_done = false; + } + assoc->next_call_id = 0; + + status = rpc_client_connection_np(cli, + assoc, + &new_conn); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + rpccli->assoc = talloc_move(rpccli, &assoc); + rpccli->conn = talloc_move(rpccli, &new_conn); + + /* rpc_pipe_bind_send should allocate an id... 
*/ + rpccli->pres_context_id = UINT16_MAX; + rpccli->verified_pcontext = false; + + status = rpccli_anon_bind_data(rpccli, &new_auth); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + status = rpc_pipe_bind(rpccli, new_auth); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + /**************************************************************************** Open a named pipe to an SMB server and bind using the mech specified diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index d6e472afcf6..e90dd3b9446 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -81,6 +81,8 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, const struct ndr_interface_table *table, struct rpc_pipe_client **presult); +NTSTATUS cli_rpc_pipe_reopen_np_noauth(struct rpc_pipe_client *rpccli); + NTSTATUS cli_rpc_pipe_client_prepare_alter(struct rpc_pipe_client *p, bool new_auth_context, const struct ndr_interface_table *table, -- 2.48.1 From 9d702ca6ee726f41161d6503b9c1c5818915b03f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Feb 2025 14:17:30 +0100 Subject: [PATCH 2/8] s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for internal RPC BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 0c68d9bc0cd5873f7b59be0fe93d64d6d47b5a57) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 1d36fd58df8..896e4e60d5a 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
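Review bot: The error exit after dcerpc_binding_set_assoc_group_id() returns with a bare `return status;`, unlike every other exit in cli_rpc_pipe_reopen_np_noauth(), so the stackframe that now owns the moved assoc is never released; add `TALLOC_FREE(frame);` before that return. By that point rpccli->conn, rpccli->auth and rpccli->assoc have already been freed or moved away, so on any failure the caller is left with an unusable client, and the header comment should say so, e.g. `On failure rpccli is left without a connection and must be discarded by the caller.` The comment's "with the same parameters" is also misleading, because the new pipe is always bound through rpccli_anon_bind_data() whatever authentication the previous connection used; a sentence such as `The reopened pipe is always bound without authentication.` would make that explicit.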
@@ -460,7 +460,7 @@ NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p, return status; } - status = dcerpc_lsa_open_policy_fallback( + status = dcerpc_lsa_open_policy3( h, p->mem_ctx, NULL, -- 2.48.1 From 3ae59d0b9d83e11378449be4fa3ddc52a1dd09a1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Feb 2025 12:45:19 +0100 Subject: [PATCH 3/8] s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 3bbe35d42c4d4a0ce663580dfb035b6beb329ebb) --- source3/lib/netapi/localgroup.c | 2 +- source3/rpc_client/cli_lsarpc.c | 15 ++++++++++- source3/rpc_client/cli_lsarpc.h | 4 +-- source3/rpcclient/cmd_lsarpc.c | 48 ++++++++++++++++----------------- source3/utils/net_rpc.c | 6 ++--- source3/utils/net_rpc_rights.c | 4 +-- source3/utils/net_rpc_trust.c | 2 +- source3/winbindd/winbindd_cm.c | 2 +- source3/wscript_build | 2 +- 9 files changed, 49 insertions(+), 36 deletions(-) diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c index a63fca4366a..db72b1d15b6 100644 --- a/source3/lib/netapi/localgroup.c +++ b/source3/lib/netapi/localgroup.c @@ -984,7 +984,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx, init_lsa_String(&names, name); status = dcerpc_lsa_open_policy_fallback( - b, + lsa_pipe, mem_ctx, lsa_pipe->srv_name_slash, false, diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index cf2572ed61c..fcb0e9b0f1e 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -24,6 +24,7 @@ #include "includes.h" #include "rpc_client/rpc_client.h" +#include "rpc_client/cli_pipe.h" #include "../librpc/gen_ndr/ndr_lsa_c.h" #include "rpc_client/cli_lsarpc.h" #include "rpc_client/init_lsa.h" 
@@ -167,7 +168,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, result); } -NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, +NTSTATUS dcerpc_lsa_open_policy_fallback(struct rpc_pipe_client *rpccli, TALLOC_CTX *mem_ctx, const char *srv_name_slash, bool sec_qos, @@ -177,7 +178,9 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, struct policy_handle *pol, NTSTATUS *result) { + struct dcerpc_binding_handle *h = rpccli->binding_handle; NTSTATUS status; + bool policy2 = false; status = dcerpc_lsa_open_policy3(h, mem_ctx, @@ -189,6 +192,16 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, pol, result); if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { + policy2 = true; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + status = cli_rpc_pipe_reopen_np_noauth(rpccli); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + policy2 = true; + } + + if (policy2) { *out_version = 1; *out_revision_info = (union lsa_revision_info) { .info1 = { diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h index 0a0f399346e..269dec1ec44 100644 --- a/source3/rpc_client/cli_lsarpc.h +++ b/source3/rpc_client/cli_lsarpc.h @@ -120,7 +120,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, * This first calls lsa_open_policy3 and falls back to lsa_open_policy2 in case * it isn't implemented. * - * @param[in] h The dcerpc binding handle to use. + * @param[in] rpccli The rpc pipe client structure to use. * * @param[in] mem_ctx The memory context to use. * @@ -139,7 +139,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, * * @return A corresponding NTSTATUS error code for the connection. */ -NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, +NTSTATUS dcerpc_lsa_open_policy_fallback(struct rpc_pipe_client *rpccli, TALLOC_CTX *mem_ctx, const char *srv_name_slash, bool sec_qos, 
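Review bot: In the NT_STATUS_ACCESS_DENIED branch a failing cli_rpc_pipe_reopen_np_noauth() overwrites the server's NT_STATUS_ACCESS_DENIED with the reopen's own code, which is NT_STATUS_INVALID_PARAMETER_MIX for any pipe that is not ncacn_np, so callers on other transports no longer see the real reason; keeping the reopen result in its own variable and returning the original `status` when the reopen is not applicable would preserve it. The retry also always ends up on an anonymous bind regardless of the original pipe's auth level, and the cli_lsarpc.h comment in this hunk still only says that it falls back to lsa_open_policy2; a line like `On NT_STATUS_ACCESS_DENIED the ncacn_np pipe is reopened without authentication before trying lsa_open_policy2.` belongs there, since every caller converted in this patch (cmd_lsarpc.c, net_rpc*.c, winbindd_cm.c) inherits that behaviour. Reusing the local `h` after the reopen relies on cli_rpc_pipe_reopen_np_noauth() leaving rpccli->binding_handle untouched, which the patch 1 hunk does, and that assumption is worth a one-line comment next to the reopen call.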
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index a5693504cdd..b23e8cf80cd 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -186,7 +186,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, uint32_t out_version = 0; status = dcerpc_lsa_open_policy_fallback( - b, + cli, mem_ctx, cli->srv_name_slash, true, @@ -938,7 +938,7 @@ static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1004,7 +1004,7 @@ static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1089,7 +1089,7 @@ static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1156,7 +1156,7 @@ static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1227,7 +1227,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1295,7 +1295,7 @@ static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, 
@@ -1358,7 +1358,7 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, if (argc == 2) sscanf(argv[1], "%x", &sec_info); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1463,7 +1463,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1532,7 +1532,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1613,7 +1613,7 @@ static NTSTATUS cmd_lsa_set_trustdominfo(struct rpc_pipe_client *cli, return NT_STATUS_INVALID_PARAMETER; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1691,7 +1691,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1812,7 +1812,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1921,7 +1921,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, 
@@ -2022,7 +2022,7 @@ static NTSTATUS cmd_lsa_create_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2082,7 +2082,7 @@ static NTSTATUS cmd_lsa_delete_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2161,7 +2161,7 @@ static NTSTATUS cmd_lsa_query_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2265,7 +2265,7 @@ static NTSTATUS cmd_lsa_set_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2357,7 +2357,7 @@ static NTSTATUS cmd_lsa_retrieve_private_data(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2433,7 +2433,7 @@ static NTSTATUS cmd_lsa_store_private_data(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2504,7 +2504,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2595,7 +2595,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain_ex3(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, 
@@ -2710,7 +2710,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain_ex2(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2798,7 +2798,7 @@ static NTSTATUS cmd_lsa_delete_trusted_domain(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index f8da9dabb0b..4afb22385af 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6653,7 +6653,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, frame, pipe_hnd->srv_name_slash, true, @@ -6938,7 +6938,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc, b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, false, @@ -7131,7 +7131,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv) b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, diff --git a/source3/utils/net_rpc_rights.c b/source3/utils/net_rpc_rights.c index 267ce6576e6..a3b2a6dc80e 100644 --- a/source3/utils/net_rpc_rights.c +++ b/source3/utils/net_rpc_rights.c @@ -507,7 +507,7 @@ static NTSTATUS rpc_rights_grant_internal(struct net_context *c, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, 
@@ -593,7 +593,7 @@ static NTSTATUS rpc_rights_revoke_internal(struct net_context *c, if (!NT_STATUS_IS_OK(status)) return status; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index 4e57d7ce044..5f89689068a 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c @@ -235,7 +235,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx, } status = dcerpc_lsa_open_policy_fallback( - (*pipe_hnd)->binding_handle, + (*pipe_hnd), mem_ctx, (*pipe_hnd)->srv_name_slash, false, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index b59e46430da..420ea961876 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2232,7 +2232,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) return; } - status = dcerpc_lsa_open_policy_fallback(cli->binding_handle, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, diff --git a/source3/wscript_build b/source3/wscript_build index 3ed3b550960..f7136a818d3 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -1045,7 +1045,7 @@ bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR', bld.SAMBA3_LIBRARY('libcli_lsa3', source='rpc_client/cli_lsarpc.c', - deps='RPC_NDR_LSA INIT_LSA', + deps='RPC_NDR_LSA INIT_LSA msrpc3', private_library=True) bld.SAMBA3_LIBRARY('libcli_netlogon3', -- 2.48.1 From a3ba9a112c14efe0e36f0cd357cb1296e8ce8687 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 17 Jul 2024 17:39:24 +0200 Subject: [PATCH 4/8] dcesrv_core: Make dcesrv_call_disconnect_after() public BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit a094a29e426cc79e23bb4d866334d7735159fb41) --- librpc/rpc/dcesrv_core.c | 4 ++-- librpc/rpc/dcesrv_core.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c index 66478001640..7fb23d49d61 100644 --- a/librpc/rpc/dcesrv_core.c +++ b/librpc/rpc/dcesrv_core.c @@ -783,8 +783,8 @@ static void dcesrv_call_set_list(struct dcesrv_call_state *call, } } -static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, - const char *reason) +void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, + const char *reason) { struct dcesrv_auth *a = NULL; diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h index 90f5bd21d64..0b69af575b2 100644 --- a/librpc/rpc/dcesrv_core.h +++ b/librpc/rpc/dcesrv_core.h @@ -566,6 +566,9 @@ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call, NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call, DATA_BLOB *session_key); +void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, + const char *reason); + /* a useful macro for generating a RPC fault in the backend code */ #define DCESRV_FAULT(code) do { \ dce_call->fault_code = code; \ -- 2.48.1 From 1f4eb59cf6eadf621655c222ed99583fecb05a9e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 17 Jul 2024 18:11:49 +0200 Subject: [PATCH 5/8] librpc:pyrpc: Allow new authenticated rpc connection on the same transport as the basis_connection BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 2c171fb1b8c88034a98c3aaf052e99ba5dbbafd9) --- source4/librpc/rpc/pyrpc_util.c | 78 +++++++++++++++++++++++++++++---- 1 file changed, 70 insertions(+), 8 deletions(-) diff --git a/source4/librpc/rpc/pyrpc_util.c b/source4/librpc/rpc/pyrpc_util.c index 11bbe1c7745..f494672175e 100644 
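Review bot: dcesrv_call_disconnect_after() becomes part of the public dcesrv_core.h interface without any comment, while the DCESRV_FAULT macro right below it has one; add a short block above the new prototype, e.g. `/* Request that the connection be dropped once the current call has been answered; reason is recorded for logging. */` — presumably, given the name and the `reason` argument, so confirm against the body, which continues outside the dcesrv_core.c hunk. None of the other patches in this series call the function, so the caller it is being exported for is not visible here.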
--- a/source4/librpc/rpc/pyrpc_util.c +++ b/source4/librpc/rpc/pyrpc_util.c @@ -181,6 +181,8 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py struct dcerpc_pipe *base_pipe; PyObject *py_base; PyTypeObject *ClientConnection_Type; + struct loadparm_context *lp_ctx = NULL; + struct cli_credentials *credentials = NULL; py_base = PyImport_ImportModule("samba.dcerpc.base"); if (py_base == NULL) { 
@@ -225,16 +227,76 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py return NULL; } - status = dcerpc_secondary_context(base_pipe, &ret->pipe, table); - if (!NT_STATUS_IS_OK(status)) { - PyErr_SetNTSTATUS(status); - Py_DECREF(ret); - Py_DECREF(py_base); - Py_DECREF(ClientConnection_Type); - return NULL; + if (py_lp_ctx != Py_None) { + lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx); + if (lp_ctx == NULL) { + PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); + Py_DECREF(ret); + return NULL; + } + } + + if (py_credentials != Py_None) { + credentials = cli_credentials_from_py_object(py_credentials); + if (credentials == NULL) { + PyErr_SetString(PyExc_TypeError, "Expected credentials"); + Py_DECREF(ret); + return NULL; + } + } + + if (credentials != NULL) { + struct dcerpc_binding *binding = NULL; + + if (lp_ctx == NULL) { + PyErr_SetString( + PyExc_TypeError, + "Expected a loadparm context together " + "with provided credentials"); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); + return NULL; + } + + status = dcerpc_parse_binding(ret->mem_ctx, + binding_string, + &binding); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); + return NULL; + } + + status = dcerpc_secondary_auth_connection(base_pipe, + binding, + table, + credentials, + lp_ctx, + ret->mem_ctx, + &ret->pipe); + TALLOC_FREE(binding); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); + return NULL; + } + } else { + status = dcerpc_secondary_context(base_pipe, &ret->pipe, table); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); + return NULL; + } + ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe); } - ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe); 
Py_XDECREF(ClientConnection_Type); Py_XDECREF(py_base); } else { -- 2.48.1 From 6a272d5562cf851ae9ee3475e0de198a56e6d265 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Feb 2025 15:41:06 +0100 Subject: [PATCH 6/8] pidl: Update documentation for DCERPC interface connections https://realpython.com/documenting-python-code/ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 73ce15e7d5b7ea867849f1aa4fa5390830660f11) --- pidl/lib/Parse/Pidl/Samba4/Python.pm | 29 +++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm index 1d32f71c886..e6a5ac8bb17 100644 --- a/pidl/lib/Parse/Pidl/Samba4/Python.pm +++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm 
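Review bot: The two new TypeError exits ("Expected loadparm context" and "Expected credentials") do only `Py_DECREF(ret); return NULL;`, whereas every other error exit in this hunk also drops the py_base and ClientConnection_Type references taken earlier in the function, so those two paths leak both; add `Py_DECREF(py_base); Py_DECREF(ClientConnection_Type);` to each. The function starts before the hunk, so that both references are live at that point is inferred from the neighbouring exits rather than visible. In the credentials branch ret->pipe is allocated on ret->mem_ctx directly, so the absence of the talloc_steal that the else branch keeps looks intentional, but a one-line comment saying so would save the next reader the comparison.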
@@ -1597,11 +1597,30 @@ sub Interface($$$) $self->pidl(""); my $signature = -"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None) -> connection\\n\" -\"\\n\" -\"binding should be a DCE/RPC binding string (for example: ncacn_ip_tcp:127.0.0.1)\\n\" -\"lp_ctx should be a path to a smb.conf file or a param.LoadParm object\\n\" -\"credentials should be a credentials.Credentials object.\\n\\n\""; +"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None, basis_connection=None) -> connection\\n\" +\"\\n\\n\" +\"Parameters\\n\" +\"----------\\n\" +\"binding : str\\n\" +\" A DCE/RPC binding string (for example: ncacn_ip_tcp:127.0.0.1)\\n\" +\"lp_ctx : param.LoadParm\\n\" +\" Should be a path to a smb.conf file or a param.LoadParm object\\n\" +\"credentials : credentials.Credentials, optional\\n\" +\" A credentials.Credentials object (default is None).\\n\" +\"basis_connection : samba.dcerpc.ClientConnection, optional\\n\" +\" A $interface->{NAME} client connection object (default is None).\\n\" +\"\\n\\n\" +\"Returns\\n\" +\"-------\\n\" +\"samba.dcerpc.ClientConnection\\n\" +\" A ClientConnection object\\n\" +\"\\n\\n\" +\"Raises\\n\" +\"------\\n\" +\"samba.NTSTATUSError\\n\" +\" An NTSTATUS error\\n\" +\"\\n\""; + my $docstring = $self->DocString($interface, $interface->{NAME}); -- 2.48.1 From 2891e9ff33ed20766856561a77545e20fceb6ee1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 13 Feb 2025 10:31:49 +0100 Subject: [PATCH 7/8] python:lsa_utils: Don't use optional arguments for OpenPolicyFallback() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f9a3fc19f1e212c54351c3f94978e66fceeb8835) --- python/samba/lsa_utils.py | 4 ++-- python/samba/netcmd/domain/trust.py | 1 + python/samba/tests/dcerpc/lsa_utils.py | 6 ++++-- python/samba/tests/krb5/kdc_base_test.py | 3 ++- 4 files changed, 9 insertions(+), 5 deletions(-) 
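Review bot: The new docstring lists lp_ctx as a plain `param.LoadParm` although the signature defaults it to None, and it does not mention that credentials cannot be combined with basis_connection without it: the pyrpc_util.c hunk in this series raises TypeError("Expected a loadparm context together with provided credentials") in that case. Add a line under lp_ctx such as `\"    Required when credentials are given together with basis_connection.\\n\"`. Interface() continues outside the hunk.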
diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py index 043e65f3341..571beb46c85 100644 --- a/python/samba/lsa_utils.py +++ b/python/samba/lsa_utils.py @@ -35,8 +35,8 @@ def OpenPolicyFallback( system_name: str, in_version: int, in_revision_info: lsa.revision_info1, - sec_qos: bool = False, - access_mask: int = 0, + sec_qos: bool, + access_mask: int, ): attr = lsa.ObjectAttribute() if sec_qos: diff --git a/python/samba/netcmd/domain/trust.py b/python/samba/netcmd/domain/trust.py index 0784fa5e282..f39d4814a11 100644 --- a/python/samba/netcmd/domain/trust.py +++ b/python/samba/netcmd/domain/trust.py @@ -222,6 +222,7 @@ class DomainTrustCommand(Command): b''.decode('utf-8'), in_version, in_revision_info1, + False, policy_access ) diff --git a/python/samba/tests/dcerpc/lsa_utils.py b/python/samba/tests/dcerpc/lsa_utils.py index 229f57ec546..fee9a45419b 100644 --- a/python/samba/tests/dcerpc/lsa_utils.py +++ b/python/samba/tests/dcerpc/lsa_utils.py @@ -79,7 +79,8 @@ class CreateTrustedDomain(TestCase): '', in_version, in_revision_info1, - access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED + False, + security.SEC_FLAG_MAXIMUM_ALLOWED ) self.assertIsNotNone(pol_handle) @@ -168,7 +169,8 @@ class CreateTrustedDomain(TestCase): '', in_version, in_revision_info1, - access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED + False, + security.SEC_FLAG_MAXIMUM_ALLOWED ) self.assertIsNotNone(pol_handle) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 17877aa8863..1da770e4fe8 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -454,7 +454,8 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest): b''.decode('utf-8'), in_version, in_revision_info1, - access_mask=policy_access + False, + policy_access ) info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS) -- 2.48.1 From 111f5c93e0dfd4adbe30ab2049cc076d3c82f207 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Wed, 17 Jul 2024 18:12:31 +0200 Subject: [PATCH 8/8] python:lsa_utils: Fix fallback to OpenPolicy2 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Pair-Programmed-With: Andreas Schneider Signed-off-by: Andreas Schneider Signed-off-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Mon Feb 17 18:33:15 UTC 2025 on atb-devel-224 (cherry picked from commit a814f5d90a3fb85a94c9516dba224037e8fd76f1) --- python/samba/lsa_utils.py | 63 +++++++++------- python/samba/netcmd/domain/trust.py | 92 +++++++++++------------- python/samba/tests/dcerpc/lsa_utils.py | 45 +++++++----- python/samba/tests/krb5/kdc_base_test.py | 29 +++++--- 4 files changed, 130 insertions(+), 99 deletions(-) diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py index 571beb46c85..506dc399c93 100644 --- a/python/samba/lsa_utils.py +++ b/python/samba/lsa_utils.py @@ -20,24 +20,27 @@ from samba.dcerpc import lsa, drsblobs, misc from samba.ndr import ndr_pack from samba import ( NTSTATUSError, + ntstatus, aead_aes_256_cbc_hmac_sha512, arcfour_encrypt, ) -from samba.ntstatus import ( - NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE -) from samba import crypto from secrets import token_bytes +# FIXME from collections.abc import Callable def OpenPolicyFallback( - conn: lsa.lsarpc, + # new_lsa_conn: Callable[[], lsa.lsarpc], - FIXME the type doesn't work + # with python version 3.6 (CentOS8, SLES15). + new_lsa_conn, system_name: str, in_version: int, in_revision_info: lsa.revision_info1, sec_qos: bool, access_mask: int, ): + conn = new_lsa_conn() + attr = lsa.ObjectAttribute() if sec_qos: qos = lsa.QosInfo() 
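Review bot: The `# FIXME from collections.abc import Callable` line and the commented-out annotation inside the parameter list leave dead code in the signature; `typing.Callable` is subscriptable on Python 3.6 (it is collections.abc.Callable that only accepts `[]` from 3.9), so `from typing import Callable` with a real annotation restores the hint and removes both FIXME comments. Since the next hunk also invokes it as `new_lsa_conn(basis_connection=conn)`, the annotation needs to admit that keyword, i.e. `new_lsa_conn: Callable[..., lsa.lsarpc],`. A docstring stating that the callable is invoked once up front and again with `basis_connection=` on NT_STATUS_ACCESS_DENIED, and that the connection actually used is the first element of the returned tuple, would also help callers.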
@@ -48,26 +51,38 @@ def OpenPolicyFallback( attr.sec_qos = qos - try: - out_version, out_rev_info, policy = conn.OpenPolicy3( - system_name, - attr, - access_mask, - in_version, - in_revision_info - ) - except NTSTATUSError as e: - if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE: - out_version = 1 - out_rev_info = lsa.revision_info1() - out_rev_info.revision = 1 - out_rev_info.supported_features = 0 - - policy = conn.OpenPolicy2(system_name, attr, access_mask) - else: - raise - - return out_version, out_rev_info, policy + open_policy2 = False + if in_revision_info is not None: + try: + out_version, out_rev_info, policy = conn.OpenPolicy3( + system_name, + attr, + access_mask, + in_version, + in_revision_info + ) + except NTSTATUSError as e: + if e.args[0] == ntstatus.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE: + open_policy2 = True + if e.args[0] == ntstatus.NT_STATUS_ACCESS_DENIED: + # We need a new connection + conn = new_lsa_conn(basis_connection=conn) + + open_policy2 = True + else: + raise + else: + open_policy2 = True + + if open_policy2: + out_version = 1 + out_rev_info = lsa.revision_info1() + out_rev_info.revision = 1 + out_rev_info.supported_features = 0 + + policy = conn.OpenPolicy2(system_name, attr, access_mask) + + return conn, out_version, out_rev_info, policy def CreateTrustedDomainRelax( diff --git a/python/samba/netcmd/domain/trust.py b/python/samba/netcmd/domain/trust.py index f39d4814a11..f3d75f84137 100644 --- a/python/samba/netcmd/domain/trust.py +++ b/python/samba/netcmd/domain/trust.py 
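Review bot: As rendered, the NT_STATUS_ACCESS_DENIED test in the except block is a second plain `if` following the NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE one, so its `else: raise` also fires for PROCNUM_OUT_OF_RANGE and the OpenPolicy2 fallback that branch just enabled is never reached; it should read `elif e.args[0] == ntstatus.NT_STATUS_ACCESS_DENIED:`. If the indentation was only lost in rendering and the test is already an elif or nested, disregard. The `# We need a new connection` comment could say why, e.g. `# The server denied OpenPolicy3 on this connection; retry OpenPolicy2 on a fresh one built on the same transport`, since that is the only reason the factory takes basis_connection.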
@@ -125,8 +125,13 @@ class DomainTrustCommand(Command): self.local_creds = local_creds return self.local_server - def new_local_lsa_connection(self): - return lsa.lsarpc(self.local_binding_string, self.local_lp, self.local_creds) + def new_local_lsa_connection(self, basis_connection=None): + return lsa.lsarpc( + self.local_binding_string, + self.local_lp, + self.local_creds, + basis_connection=basis_connection + ) def new_local_netlogon_connection(self): return netlogon.netlogon(self.local_binding_string, self.local_lp, self.local_creds) @@ -203,13 +208,23 @@ class DomainTrustCommand(Command): self.remote_creds = remote_creds return self.remote_server - def new_remote_lsa_connection(self): - return lsa.lsarpc(self.remote_binding_string, self.local_lp, self.remote_creds) + def new_remote_lsa_connection(self, basis_connection=None): + return lsa.lsarpc( + self.remote_binding_string, + self.local_lp, + self.remote_creds, + basis_connection=basis_connection + ) - def new_remote_netlogon_connection(self): - return netlogon.netlogon(self.remote_binding_string, self.local_lp, self.remote_creds) + def new_remote_netlogon_connection(self, basis_connection=None): + return netlogon.netlogon( + self.remote_binding_string, + self.local_lp, + self.remote_creds, + basis_connection=basis_connection + ) - def get_lsa_info(self, conn, policy_access): + def get_lsa_info(self, conn_fn, policy_access): in_version = 1 in_revision_info1 = lsa.revision_info1() in_revision_info1.revision = 1 @@ -217,9 +232,9 @@ class DomainTrustCommand(Command): lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER ) - out_version, out_revision_info1, policy = OpenPolicyFallback( - conn, - b''.decode('utf-8'), + conn, out_version, out_revision_info1, policy = OpenPolicyFallback( + conn_fn, + '', in_version, in_revision_info1, False, 
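Review bot: new_remote_netlogon_connection() gains a basis_connection parameter while new_local_netlogon_connection(), visible as context in the first hunk, does not, so the local/remote pairs are no longer symmetric; either give the local variant the same `basis_connection=None` parameter or leave both netlogon factories unchanged, since nothing in this patch passes basis_connection to netlogon. get_lsa_info() now takes a factory instead of a connection and its return tuple grows by one element (see the @@ -228 hunk), which deserves a docstring such as `"""Open an LSA policy via conn_fn (callable returning lsa.lsarpc) and return (conn, policy, out_version, out_revision_info1, dns_info)."""`.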
@@ -228,7 +243,7 @@ class DomainTrustCommand(Command): info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS) - return (policy, out_version, out_revision_info1, info) + return (conn, policy, out_version, out_revision_info1, info) def get_netlogon_dc_unc(self, conn, server, domain): try: @@ -508,19 +523,15 @@ class cmd_domain_trust_show(DomainTrustCommand): def run(self, domain, sambaopts=None, versionopts=None, localdcopts=None): self.setup_local_server(sambaopts, localdcopts) - try: - local_lsa = self.new_local_lsa_connection() - except RuntimeError as error: - raise self.LocalRuntimeError(self, error, "failed to connect lsa server") - try: local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION ( + local_lsa, local_policy, local_version, local_revision_info1, local_lsa_info - ) = self.get_lsa_info(local_lsa, local_policy_access) + ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") @@ -649,19 +660,16 @@ class cmd_domain_trust_modify(DomainTrustCommand): raise CommandError("modification arguments are required, try --help") self.setup_local_server(sambaopts, localdcopts) - try: - local_lsa = self.new_local_lsa_connection() - except RuntimeError as error: - raise self.LocalRuntimeError(self, error, "failed to connect to lsa server") try: local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION ( + local_lsa, local_policy, local_version, local_revision_info1, local_lsa_info - ) = self.get_lsa_info(local_lsa, local_policy_access) + ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access) except RuntimeError as error: raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS") 
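Review bot: Dropping the separate try around new_local_lsa_connection() means a failure to connect now surfaces from inside get_lsa_info() with the message "failed to query LSA_POLICY_INFO_DNS", because the connection is now opened by OpenPolicyFallback() within that try; the same applies to the cmd_domain_trust_modify hunk here and to the cmd_domain_trust_create and cmd_domain_trust_delete hunks that follow. A message covering both steps, e.g. `"failed to connect to the LSA server or query LSA_POLICY_INFO_DNS"`, would keep the diagnostics accurate.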
@@ -908,18 +916,15 @@ class cmd_domain_trust_create(DomainTrustCommand):
             remote_trust_info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
         local_server = self.setup_local_server(sambaopts, localdcopts)
-        try:
-            local_lsa = self.new_local_lsa_connection()
-        except RuntimeError as error:
-            raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
         try:
             (
+                local_lsa,
                 local_policy,
                 local_version,
                 local_revision_info1,
                 local_lsa_info
-            ) = self.get_lsa_info(local_lsa, local_policy_access)
+            ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access)
         except RuntimeError as error:
             raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -933,18 +938,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
         except RuntimeError as error:
             raise self.RemoteRuntimeError(self, error, "failed to locate remote server")
-        try:
-            remote_lsa = self.new_remote_lsa_connection()
-        except RuntimeError as error:
-            raise self.RemoteRuntimeError(self, error, "failed to connect lsa server")
-
         try:
             (
+                remote_lsa,
                 remote_policy,
                 remote_version,
                 remote_revision_info1,
                 remote_lsa_info
-            ) = self.get_lsa_info(remote_lsa, remote_policy_access)
+            ) = self.get_lsa_info(self.new_remote_lsa_connection, remote_policy_access)
         except RuntimeError as error:
             raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
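Review bot: In the remote hunk of `cmd_domain_trust_create.run`, `remote_lsa` is now whatever connection `get_lsa_info` hands back, which after a fallback may not be the connection first opened with `self.remote_creds`; the trust-creation calls that follow (outside the hunk) will send the trust secret over it, yet nothing here checks that the replacement connection kept the transport properties the first one had. The test suite added in this patch asserts `transport_encrypted()` on every connection its factory produces, but `trust.py` does not. If `remote_creds` can require SMB encryption, consider a guard after the unpacking such as `if self.remote_creds.get_smb_encryption() == SMB_ENCRYPTION_REQUIRED: assert remote_lsa.transport_encrypted()` (adapt to whatever accessor the credentials object exposes), or at least a comment stating that the fallback reconnect is expected to preserve the auth level. `run` starts and ends outside the hunk.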
@@ -1297,18 +1298,15 @@ class cmd_domain_trust_delete(DomainTrustCommand):
             remote_policy_access |= lsa.LSA_POLICY_CREATE_SECRET
         self.setup_local_server(sambaopts, localdcopts)
-        try:
-            local_lsa = self.new_local_lsa_connection()
-        except RuntimeError as error:
-            raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
         try:
             (
+                local_lsa,
                 local_policy,
                 local_version,
                 local_revision_info1,
                 local_lsa_info
-            ) = self.get_lsa_info(local_lsa, local_policy_access)
+            ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access)
         except RuntimeError as error:
             raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1338,18 +1336,14 @@ class cmd_domain_trust_delete(DomainTrustCommand):
         except RuntimeError as error:
             raise self.RemoteRuntimeError(self, error, "failed to locate remote server")
-        try:
-            remote_lsa = self.new_remote_lsa_connection()
-        except RuntimeError as error:
-            raise self.RemoteRuntimeError(self, error, "failed to connect lsa server")
-
         try:
             (
+                remote_lsa,
                 remote_policy,
                 remote_version,
                 remote_revision_info1,
                 remote_lsa_info
-            ) = self.get_lsa_info(remote_lsa, remote_policy_access)
+            ) = self.get_lsa_info(self.new_remote_lsa_connection, remote_policy_access)
         except RuntimeError as error:
             raise self.RemoteRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1450,18 +1444,15 @@ class cmd_domain_trust_validate(DomainTrustCommand):
         local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
         local_server = self.setup_local_server(sambaopts, localdcopts)
-        try:
-            local_lsa = self.new_local_lsa_connection()
-        except RuntimeError as error:
-            raise self.LocalRuntimeError(self, error, "failed to connect lsa server")
         try:
             (
+                local_lsa,
                 local_policy,
                 local_version,
                 local_revision_info1,
                 local_lsa_info
-            ) = self.get_lsa_info(local_lsa, local_policy_access)
+            ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access)
         except RuntimeError as error:
             raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
@@ -1897,11 +1888,12 @@ class cmd_domain_trust_namespaces(DomainTrustCommand):
         try:
             (
+                local_lsa,
                 local_policy,
                 local_version,
                 local_revision_info1,
                 local_lsa_info
-            ) = self.get_lsa_info(local_lsa, local_policy_access)
+            ) = self.get_lsa_info(self.new_local_lsa_connection, local_policy_access)
         except RuntimeError as error:
             raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
diff --git a/python/samba/tests/dcerpc/lsa_utils.py b/python/samba/tests/dcerpc/lsa_utils.py
index fee9a45419b..8a3e7d24276 100644
--- a/python/samba/tests/dcerpc/lsa_utils.py
+++ b/python/samba/tests/dcerpc/lsa_utils.py
@@ -35,6 +35,7 @@ from samba.lsa_utils import (
 class CreateTrustedDomain(TestCase):
+    smbencrypt = True
     def get_user_creds(self):
         c = Credentials()
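Review bot: In the `cmd_domain_trust_namespaces` hunk the unpacking now binds `local_lsa` from `get_lsa_info`, but unlike the `show`/`modify`/`create`/`delete`/`validate` hunks this one removes no earlier `local_lsa = self.new_local_lsa_connection()` block, and the old `get_lsa_info(local_lsa, ...)` line shows the name was previously bound somewhere before this point. If that earlier connection is still opened in the part of `run` that lies outside the hunk, it is now an unused handle that the rebinding silently discards; either its removal belongs in this patch or it was dropped in a hunk not shown here, which is worth confirming. The method starts outside the hunk.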
@@ -47,26 +48,35 @@ class CreateTrustedDomain(TestCase):
         c.set_password(password)
         return c
-    def _create_trust_relax(self, smbencrypt=True):
+    def new_lsa_conn(self, basis_connection=None):
         creds = self.get_user_creds()
-
-        if smbencrypt:
+        if self.smbencrypt:
             creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
         else:
             creds.set_smb_encryption(SMB_ENCRYPTION_OFF)
         lp = self.get_loadparm()
-
         binding_string = (
             "ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER'))
         )
-        lsa_conn = lsa.lsarpc(binding_string, lp, creds)
-        if smbencrypt:
+        lsa_conn = lsa.lsarpc(
+            binding_string,
+            lp,
+            creds,
+            basis_connection=basis_connection
+        )
+
+        if self.smbencrypt:
             self.assertTrue(lsa_conn.transport_encrypted())
         else:
             self.assertFalse(lsa_conn.transport_encrypted())
+        return lsa_conn
+
+    def _create_trust_relax(self, smbencrypt=True):
+        self.smbencrypt = smbencrypt
+
         in_version = 1
         in_revision_info1 = lsa.revision_info1()
         in_revision_info1.revision = 1
@@ -74,8 +84,13 @@ class CreateTrustedDomain(TestCase):
             lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER
         )
-        out_version, out_revision_info1, pol_handle = OpenPolicyFallback(
+        (
             lsa_conn,
+            out_version,
+            out_revision_info1,
+            pol_handle
+        ) = OpenPolicyFallback(
+            self.new_lsa_conn,
             '',
             in_version,
             in_revision_info1,
@@ -148,14 +163,7 @@ class CreateTrustedDomain(TestCase):
         self.assertIsNone(trustdom_handle)
     def _create_trust_fallback(self):
-        creds = self.get_user_creds()
-
-        lp = self.get_loadparm()
-
-        binding_string = (
-            "ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER'))
-        )
-        lsa_conn = lsa.lsarpc(binding_string, lp, creds)
+        self.smbencrypt = True
         in_version = 1
         in_revision_info1 = lsa.revision_info1()
@@ -164,8 +172,13 @@ class CreateTrustedDomain(TestCase):
             lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER
         )
-        out_version, out_revision_info1, pol_handle = OpenPolicyFallback(
+        (
             lsa_conn,
+            out_version,
+            out_revision_info1,
+            pol_handle
+        ) = OpenPolicyFallback(
+            self.new_lsa_conn,
             '',
             in_version,
             in_revision_info1,
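Review bot: `new_lsa_conn` is the factory handed to `OpenPolicyFallback`, and the valuable part of it is that it re-asserts `transport_encrypted()` on every connection it builds, so a fallback reconnect cannot quietly drop SMB encryption; neither the name nor a comment says that, and a reader could easily "simplify" the assertions away. Suggest a docstring on `new_lsa_conn`: `"""Connection factory for OpenPolicyFallback; every (re)connection must honour self.smbencrypt."""`. The `self.smbencrypt = smbencrypt` line in `_create_trust_relax` shadows the class attribute added in the previous hunk with a per-instance value, which is fine under unittest's one-instance-per-test model but deserves `# per-test override of the class default, read by new_lsa_conn()` so the dependency is visible. `_create_trust_relax` continues outside the hunk.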
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 1da770e4fe8..dee6ef83071 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -57,7 +57,6 @@ from samba.crypto import des_crypt_blob_16, md4_hash_blob
 from samba.lsa_utils import OpenPolicyFallback, CreateTrustedDomainFallback
 from samba.dcerpc import (
     claims,
-    dcerpc,
     drsblobs,
     drsuapi,
     krb5ccache,
@@ -441,7 +440,7 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
         return self._drsuapi_connection
     def get_lsarpc_connection(self):
-        def get_lsa_info(conn, policy_access):
+        def get_lsa_info(conn_fn, policy_access):
             in_version = 1
             in_revision_info1 = lsa.revision_info1()
             in_revision_info1.revision = 1
@@ -449,9 +448,9 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
                 lsa.LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER
             )
-            out_version, out_revision_info1, policy = OpenPolicyFallback(
-                conn,
-                b''.decode('utf-8'),
+            conn, out_version, out_revision_info1, policy = OpenPolicyFallback(
+                conn_fn,
+                '',
                 in_version,
                 in_revision_info1,
                 False,
@@ -460,7 +459,18 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
             info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS)
-            return (policy, out_version, out_revision_info1, info)
+            return (conn, policy, out_version, out_revision_info1, info)
+
+        def new_lsa_conn(basis_connection=None):
+            lp = self.get_lp()
+            admin_creds = self.get_admin_creds()
+
+            return lsa.lsarpc(
+                self._binding_string,
+                lp,
+                admin_creds,
+                basis_connection=basis_connection
+            )
         def lsarpc_connect(server, lp, creds, ip=None):
             binding_options = ""
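Review bot: `new_lsa_conn` rebuilds the connection from `self.get_lp()`, `self.get_admin_creds()` and `self._binding_string`, none of which are the `lp`, `creds` and `binding_string` that `lsarpc_connect(server, lp, creds, ip=None)` (defined right below; body outside the hunk) uses for the first connection. If `lsarpc_connect` is ever called with non-admin credentials, a fallback reconnect silently re-authenticates as admin and the test no longer exercises the identity it was given; it also only works because `lsarpc_connect` happens to assign `self._binding_string` before `get_lsa_info` runs. Defining the factory inside `lsarpc_connect` so it closes over the actual arguments removes both the identity switch and the hidden instance-state dependency.
```python
        def lsarpc_connect(server, lp, creds, ip=None):
            # … unchanged: binding_options / binding_string computation …

            def new_lsa_conn(basis_connection=None):
                # Reconnect with exactly the binding, lp and creds of the
                # first attempt so a fallback cannot change identity.
                return lsa.lsarpc(
                    binding_string,
                    lp,
                    creds,
                    basis_connection=basis_connection
                )
            # … unchanged: try/except around get_lsa_info(new_lsa_conn, …) …
```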
@@ -474,13 +484,14 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
             else:
                 binding_string = "ncacn_np:%s[%s]" % (server, binding_options)
+            self._binding_string = binding_string
+
             try:
-                conn = lsa.lsarpc(binding_string, lp, creds)
                 policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
                 policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
                 policy_access |= lsa.LSA_POLICY_CREATE_SECRET
-                (policy, out_version, out_revision_info1, info) = \
-                    get_lsa_info(conn, policy_access)
+                (conn, policy, out_version, out_revision_info1, info) = \
+                    get_lsa_info(new_lsa_conn, policy_access)
             except Exception as e:
                 raise RuntimeError("LSARPC connection to %s failed: %s" % (server, e))
-- 
2.48.1
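Review bot: `self._binding_string = binding_string` stores per-call state on the test instance solely so a closure defined elsewhere in `get_lsarpc_connection` can read it; nothing at this line says so, and every call to `lsarpc_connect` overwrites the attribute, so a reconnect triggered after a later call with a different `server`/`ip` would target the wrong host. At minimum mark the coupling: `# consumed by new_lsa_conn(); must be set before get_lsa_info() may reconnect`. The `except Exception` below now also covers the connect and any fallback reconnect, which the existing `"LSARPC connection to %s failed"` message happens to describe correctly. `lsarpc_connect` starts outside the hunk.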