return NT_STATUS_OK;
}
+static NTSTATUS lsa_CreateTrustedDomain_common(
+ struct pipes_struct *p,
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info *session_info,
+ struct lsa_info *policy,
+ uint32_t access_mask,
+ struct lsa_TrustDomainInfoInfoEx *info,
+ struct trustDomainPasswords *auth_struct,
+ struct policy_handle **ptrustdom_handle)
+{
+ struct security_descriptor *psd = NULL;
+ size_t sd_size = 0;
+ uint32_t acc_granted = 0;
+ struct pdb_trusted_domain td = {
+ .trust_type = 0,
+ };
+ NTSTATUS status;
+
+ /* Work out max allowed. */
+ map_max_allowed_access(session_info->security_token,
+ session_info->unix_token,
+ &access_mask);
+
+ /* map the generic bits to the lsa policy ones */
+ se_map_generic(&access_mask, &lsa_account_mapping);
+
+ status = make_lsa_object_sd(
+ mem_ctx, &psd, &sd_size, &lsa_trusted_domain_mapping, NULL, 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = access_check_object(psd,
+ session_info->security_token,
+ SEC_PRIV_INVALID,
+ SEC_PRIV_INVALID,
+ 0,
+ access_mask,
+ &acc_granted,
+ "lsa_CreateTrustedDomain_common");
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ td.domain_name = talloc_strdup(mem_ctx, info->domain_name.string);
+ if (td.domain_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ td.netbios_name = talloc_strdup(mem_ctx, info->netbios_name.string);
+ if (td.netbios_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ sid_copy(&td.security_identifier, info->sid);
+ td.trust_direction = info->trust_direction;
+ td.trust_type = info->trust_type;
+ td.trust_attributes = info->trust_attributes;
+
+ status = get_trustauth_inout_blob(mem_ctx,
+ &auth_struct->incoming,
+ &td.trust_auth_incoming);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ status = get_trustauth_inout_blob(mem_ctx,
+ &auth_struct->outgoing,
+ &td.trust_auth_outgoing);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ status = pdb_set_trusted_domain(info->domain_name.string, &td);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_set_trusted_domain failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ status = create_lsa_policy_handle(mem_ctx, p,
+ LSA_HANDLE_TRUST_TYPE,
+ acc_granted,
+ info->sid,
+ info->netbios_name.string,
+ psd,
+ *ptrustdom_handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ pdb_del_trusted_domain(info->netbios_name.string);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ return NT_STATUS_OK;
+}
+
/***************************************************************************
_lsa_CreateTrustedDomainEx2
***************************************************************************/
dcesrv_call_session_info(dce_call);
struct lsa_info *policy;
NTSTATUS status;
- uint32_t acc_granted;
- struct security_descriptor *psd;
- size_t sd_size;
- struct pdb_trusted_domain td;
- struct trustDomainPasswords auth_struct;
- DATA_BLOB auth_blob;
+ struct trustDomainPasswords auth_struct = {
+ .incoming_size = 0,
+ };
+ DATA_BLOB auth_blob = data_blob_null;
if (!IS_DC) {
return NT_STATUS_NOT_SUPPORTED;
return status;
}
- /* Work out max allowed. */
- map_max_allowed_access(session_info->security_token,
- session_info->unix_token,
- &r->in.access_mask);
-
- /* map the generic bits to the lsa policy ones */
- se_map_generic(&r->in.access_mask, &lsa_account_mapping);
-
- status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
- &lsa_trusted_domain_mapping,
- NULL, 0);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- status = access_check_object(psd, session_info->security_token,
- SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
- r->in.access_mask, &acc_granted,
- "_lsa_CreateTrustedDomainEx2");
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- ZERO_STRUCT(td);
- td.domain_name = talloc_strdup(p->mem_ctx,
- r->in.info->domain_name.string);
- if (td.domain_name == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- td.netbios_name = talloc_strdup(p->mem_ctx,
- r->in.info->netbios_name.string);
- if (td.netbios_name == NULL) {
- return NT_STATUS_NO_MEMORY;
+ if (r->in.auth_info_internal->auth_blob.size == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- sid_copy(&td.security_identifier, r->in.info->sid);
- td.trust_direction = r->in.info->trust_direction;
- td.trust_type = r->in.info->trust_type;
- td.trust_attributes = r->in.info->trust_attributes;
- if (r->in.auth_info_internal->auth_blob.size != 0) {
- auth_blob.length = r->in.auth_info_internal->auth_blob.size;
- auth_blob.data = r->in.auth_info_internal->auth_blob.data;
+ auth_blob = data_blob_const(r->in.auth_info_internal->auth_blob.data,
+ r->in.auth_info_internal->auth_blob.size);
- status = get_trustdom_auth_blob(p, p->mem_ctx, &auth_blob, &auth_struct);
- if (!NT_STATUS_IS_OK(status)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.incoming, &td.trust_auth_incoming);
- if (!NT_STATUS_IS_OK(status)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- status = get_trustauth_inout_blob(p->mem_ctx, &auth_struct.outgoing, &td.trust_auth_outgoing);
- if (!NT_STATUS_IS_OK(status)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- } else {
- td.trust_auth_incoming.data = NULL;
- td.trust_auth_incoming.length = 0;
- td.trust_auth_outgoing.data = NULL;
- td.trust_auth_outgoing.length = 0;
- }
-
- status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
+ status = get_trustdom_auth_blob(p,
+ p->mem_ctx,
+ &auth_blob,
+ &auth_struct);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("pdb_set_trusted_domain failed: %s\n",
- nt_errstr(status));
- return status;
+ return NT_STATUS_UNSUCCESSFUL;
}
- status = create_lsa_policy_handle(p->mem_ctx, p,
- LSA_HANDLE_TRUST_TYPE,
- acc_granted,
- r->in.info->sid,
- r->in.info->netbios_name.string,
- psd,
- r->out.trustdom_handle);
+ status = lsa_CreateTrustedDomain_common(p,
+ p->mem_ctx,
+ session_info,
+ policy,
+ r->in.access_mask,
+ r->in.info,
+ &auth_struct,
+ &r->out.trustdom_handle);
if (!NT_STATUS_IS_OK(status)) {
- pdb_del_trusted_domain(r->in.info->netbios_name.string);
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ return status;
}
return NT_STATUS_OK;