in TestSuites/ADFamily/src/Adapter/MS-LSAD/TrustedDomainObjects.cs [4141:4889]
public ErrorStatus SetTrustedDomainInfo(
int handleInput,
TRUSTED_DOMAIN_INFORMATION_EX trustedDomainInfo,
DomainSid sid,
ForestFunctionalLevel forestFuncLevel,
TrustedInformationClass trustedInformation,
bool isRootDomain,
TRUSTED_DOMAIN_AUTH_INFORMATION authInfo,
UInt32 desiredAccess,
bool daclAllows)
{
_LSAPR_TRUSTED_DOMAIN_INFO domainInformation = new _LSAPR_TRUSTED_DOMAIN_INFO();
_LSAPR_TRUSTED_DOMAIN_INFO? queryInformation = new _LSAPR_TRUSTED_DOMAIN_INFO();
_RPC_SID[] trustSid = new _RPC_SID[1];
_RPC_UNICODE_STRING[] domainName = new _RPC_UNICODE_STRING[1];
_TRUSTED_INFORMATION_CLASS trustedInfoClass = _TRUSTED_INFORMATION_CLASS.TrustedDomainInformationEx;
DomainType checkDomainName = DomainType.ValidDomainName;
PolicyHandle = validPolicyHandle;
// Checking if the Model received and invalid handle
if (stPolicyInformation.PHandle != handleInput)
{
PolicyHandle = utilities.CreateAnInvalidHandle(false);
}
// Checking if the SID of the TDO received by the model is already present
if (trustObjectCreateinformation.strDomainSid.Equals(trustedDomainInfo.TrustDomain_Sid))
{
trustSid = utilities.GetSid(sid, LsadManagedAdapter.ValidSid);
this.isDomainPresent = true;
}
else
{
trustSid = utilities.GetSid(sid, LsadManagedAdapter.NoSid);
this.isDomainPresent = false;
}
// TrustedDomainNameInformation Creates an TDO if TDO with the specified SID is not present.
// So processing rules are similar to LsarCreateTrustedDomain
if (trustedInformation == TrustedInformationClass.TrustedDomainNameInformation)
{
// Checking if Domain Name received by model matches Current Domain
if (trustedDomainInfo.TrustDomainName.Equals(Convert.ToString(DomainType.CurrentDomain)))
{
checkDomainName = DomainType.CurrentDomain;
this.isCurrentDomain = true;
}
else
{
checkDomainName = DomainType.ValidDomainName;
}
// Checking if the Name of the TDO received by the model is already present
if (trustObjectCreateinformation.strTdoDnsName.Equals(trustedDomainInfo.TrustDomainName))
{
this.isDomainPresent = true;
}
else
{
_RPC_SID[] tempSid = new _RPC_SID[1];
tempSid = utilities.GetSid(DomainSid.Valid, LsadManagedAdapter.ValidSid);
this.uintStatus = lsadClientStack.LsarDeleteTrustedDomain(
validPolicyHandle.Value,
tempSid[0]);
}
utilities.GetTheDomainName(checkDomainName, ref domainName);
domainInformation.TrustedDomainNameInfo.Name = domainName[0];
domainInformation.TrustedDomainNameInfo.Name.Length =
(ushort)(domainInformation.TrustedDomainNameInfo.Name.Buffer.Length * 2);
domainInformation.TrustedDomainNameInfo.Name.MaximumLength =
(ushort)((domainInformation.TrustedDomainNameInfo.Name.Length)+2);
trustSid = utilities.GetSid(sid, LsadManagedAdapter.ValidSid);
//// Initialize the SID
if (trustedDomainInfo.TrustDomain_Sid.Equals(trustObjectCreateinformation.strDomainSid))
{
this.isDomainPresent = true;
}
intCheckInfoClass = SUCCESS;
}
else if (trustedInformation == TrustedInformationClass.TrustedDomainInformationEx)
{
utilities.InitializeInformationClass(
trustedInformation,
trustedDomainInfo,
SET_OPERATION,
ref domainInformation);
intCheckInfoClass = INVALIDPARAM;
}
else if (trustedInformation == TrustedInformationClass.TrustedPasswordInformation)
{
utilities.InitializeInformationClass(
trustedInformation,
trustedDomainInfo,
SET_OPERATION,
ref domainInformation);
// Win2k8r2 unsupport TrustedDomainInformationEx & TrustedPasswordInformation in informationType
// trustedInformation and will return STATUS_INVALID_PARAMETER.
if (this.PDCOSVersion >= ServerVersion.Win2008R2)
{
intCheckInfoClass = INVALIDPARAM;
}
else
{
intCheckInfoClass = SUCCESS;
}
}
else
{
utilities.InitializeInformationClass(
trustedInformation,
trustedDomainInfo,
SET_OPERATION,
ref domainInformation);
}
if (trustedInformation == TrustedInformationClass.Invalid)
{
trustedInfoClass = _TRUSTED_INFORMATION_CLASS.TrustedControllersInformation;
}
else
{
trustedInfoClass = (_TRUSTED_INFORMATION_CLASS)trustedInformation;
}
// TrustedDomainSupportedEncryptionTypes was introduced in windows vista, so it won't work on windows 2k3
if (isWindows
&& this.PDCOSVersion == ServerVersion.Win2003
&& trustedInformation == TrustedInformationClass.TrustedDomainSupportedEncryptionTypes)
{
return ErrorStatus.InvalidParameter;
}
uintMethodStatus = lsadClientStack.LsarSetTrustedDomainInfo(
PolicyHandle.Value,
trustSid[0],
trustedInfoClass,
domainInformation);
////check if the caller has the permissions
if (!this.IsInDomainAdminsGroup)
{
#region MS-LSAD_R608
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
608,
@"In LsarSetTrustedDomainInfo, The server MUST return STATUS_ACCESS_DENIED when the
caller does not have the permissions to perform the operation.");
#endregion
}
//// Checking Data Validity
if (sid == DomainSid.Valid
&& (trustedInformation == TrustedInformationClass.TrustedDomainInformationEx
|| trustedInformation == TrustedInformationClass.TrustedPasswordInformation))
{
string IsR1049Implemented = R1049Implementation;
if (isWindows)
{
if (intCheckInfoClass == SUCCESS
&& (this.PDCOSVersion == ServerVersion.Win2003
|| this.PDCOSVersion == ServerVersion.Win2008))
{
#region MS-LSAD_R1050
Site.CaptureRequirementIfAreNotEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
1050,
@"<79> Section 3.1.4.7.3: Windows 2000 Server, Windows Server 2003, and Windows Server
2008 support these InformationClass values[TrustedDomainInformationEx,
TrustedPasswordInformation].");
#endregion
}
else
{
if (this.PDCOSVersion >= ServerVersion.Win2008R2)
{
#region MS-LSAD_R1049
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
1049,
@"The server MAY support the following InformationClass values
[TrustedDomainInformationEx, TrustedPasswordInformation].<79>");
#endregion
#region MS-LSAD_R1051
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
1051,
@"If the server does not support these values[TrustedDomainInformationEx,
TrustedPasswordInformation], it MUST return STATUS_INVALID_PARAMETER.");
#endregion
}
}
if (IsR1049Implemented == null)
{
Site.Properties.Add("IsR1049Implemented", bool.FalseString);
IsR1049Implemented = bool.FalseString;
}
}
else
{
if (IsR1049Implemented != null)
{
bool implSigns = bool.Parse(IsR1049Implemented);
bool isSatisfied = ((NtStatus)ErrorStatus.InvalidParameter != uintMethodStatus);
#region MS-LSAD_R1049
Site.CaptureRequirementIfAreEqual<bool>(
implSigns,
isSatisfied,
"MS-LSAD",
1049,
@"The server MAY support the following InformationClass values
[TrustedDomainInformationEx, TrustedPasswordInformation].<79>");
#endregion
if (!implSigns)
{
#region MS-LSAD_R1051
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
1051,
@"If the server does not support these values[TrustedDomainInformationEx,
TrustedPasswordInformation], it MUST return STATUS_INVALID_PARAMETER.");
#endregion
}
}
}
}
if (sid == DomainSid.Invalid)
{
#region MS-LSAD_R609
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
609,
@"In LsarSetTrustedDomainInfo, the server MUST return STATUS_INVALID_PARAMETER when
one or more of the supplied parameters was invalid.");
#endregion
}
else
{
switch (intCheckInfoClass)
{
case SUCCESS:
if (trustedInformation == TrustedInformationClass.TrustedDomainNameInformation)
{
#region ValidationForTrustedDomainNameInfo
if (!this.isDC)
{
#region MS-LSAD_R1014
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.DirectoryServiceRequired,
(uint)uintMethodStatus,
1014,
@"In LsarSetTrustedDomainInfo, the server MUST be in a Domain Controller
and return DIRECTORY_SERVICE_REQUIRED if there is no active directory
installed on it.");
#endregion
}
else if (this.isDC && this.domainState == ProtocolServerConfig.ReadOnlyDomainController)
{
#region MS-LSAD_R612
Site.CaptureRequirementIfAreNotEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
612,
@"In LsarSetTrustedDomainInfo, In the processing of PolicyHandle,
If the server is a read-only domain controller, it MUST return an error.");
#endregion MS-LSAD_R612
#region MS-LSAD_R613
// Windows 2k8 specific requirement.
if (isWindows && this.PDCOSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.ObjectNameNotFound,
(uint)uintMethodStatus,
"MS-LSAD",
613,
@"<78> Section 3.1.4.7.3: In LsarSetTrustedDomainInfo, In the processing
of PolicyHandle, If the server is windows 2008 or Windows Server 2008 R2 and
if it is a read-only domain controller, it MUST return
STATUS_OBJECT_NAME_NOT_FOUND error.");
}
#endregion MS-LSAD_R613
}
else
{
// Since this opnum creates an object if one is not present, it checks if the
// name clashes with the name of the current domain.
if (this.isCurrentDomain)
{
#region MS-LSAD_R1019
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.CurrentDomainNotAllowed,
(uint)uintMethodStatus,
"MS-LSAD",
1019,
@"In LsarSetTrustedDomainInfo, in the processing of
TrustedDomainNameInformation, the server MUST return
STATUS_CURRENT_DOMAIN_NOT_ALLOWED if the name or SID
refers to the Current Domain of which the server is part of.");
#endregion MS-LSAD_R1019
}
else
{
// Checking if the handle is invalid
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R610
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
610,
@"In LsarSetTrustedDomainInfo, the server MUST return STATUS_INVALID_HANDLE
when PolicyHandle is not a valid handle.");
#endregion
}
else
{
if (this.isDomainPresent)
{
#region MS-LSAD_R1013
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.ObjectNameCollision,
(uint)uintMethodStatus,
"MS-LSAD",
1013,
@"In LsarSetTrustedDomainInfo, while processing
TrustedDomainInformation, the server MUST check for the existence of
a Trusted Domain Object with the given SID and fail the request with
OBJECT_NAME_COLLISION if the Object already exists.");
#endregion
}
else
{
//// Checking to be sure if the TDO is created or not by
//// enumerating all the objects.
if (utilities.CheckTheDomain(
trustSid[0],
domainName[0],
PolicyHandle.Value))
{
#region MS-LSAD_R607
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
607,
@"In LsarSetTrustedDomainInfo the server MUST return STATUS_SUCCESS
when the request was succesfully completed");
#endregion
#region MS-LSAD_R614
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
614,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedDomainNameInformation), The server MUST act as if an
LsarCreateTrustedDomain message came in with Trusted Domain Name as
the name passed in TrustedDomainInformation and Trusted Domain SID
as the SID passed in TrustedDomainSid parameter is being
processed.");
#endregion MS-LSAD_R614
}
trustObjectCreateinformation.strTdoDnsName =
trustedDomainInfo.TrustDomainName;
trustObjectCreateinformation.strTdoNetBiosName =
trustedDomainInfo.TrustDomain_NetBiosName;
trustObjectCreateinformation.intTdoHandleNumber = 2;
trustObjectCreateinformation.strDomainSid =
trustedDomainInfo.TrustDomain_Sid;
trustObjectCreateinformation.isForestInformationPresent = false;
trustObjectCreateinformation.doesTdoSupportForestInformation = false;
trustObjectCreateinformation.uintTdoDesiredAccess = 0;
trustObjectCreateinformation.uintTrustAttr = 0;
trustObjectCreateinformation.uintTrustDir = 2;
trustObjectCreateinformation.uintTrustType = 1;
this.isitSetTrustedDomainInfo = true;
}
}
}
}
return (ErrorStatus)uintMethodStatus;
#endregion ValidationForTrustedDomainNameInfo
}
else if (trustedInformation == TrustedInformationClass.TrustedPasswordInformation)
{
#region ValidationForTrustedPasswordInformation
// Checking if the handle is invalid.
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R610
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
610,
@"In LsarSetTrustedDomainInfo, the server MUST return STATUS_INVALID_HANDLE
when PolicyHandle is not a valid handle.");
#endregion
}
else
{
// server returns NO_SUCH_DOMAIN when there is no domain present.
if (!this.isDomainPresent)
{
#region MS-LSAD_R623
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
623,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedPasswordInformation), The server MUST verify that a trusted
domain object with the specified TrustedDomainSid exists in its policy database.
If it does not exists, it MUST fail with STATUS_NO_SUCH_DOMAIN.");
#endregion
#region MS-LSAD_R622
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
622,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedPasswordInformation), The server MUST verify that a trusted domain
object with TrustedDomainSid exists in its policy database.");
#endregion
}
else
{
#region MS-LSAD_R607
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
607,
@"In LsarSetTrustedDomainInfo the server MUST return STATUS_SUCCESS
when the request was succesfully completed");
#endregion
}
}
return (ErrorStatus)uintMethodStatus;
#endregion
}
else if (trustedInformation == TrustedInformationClass.TrustedPosixOffsetInformation)
{
#region ValidationForPosixOffset
// Checking if the handle provided is invalid.
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R610
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
610,
@"In LsarSetTrustedDomainInfo, the server MUST return STATUS_INVALID_HANDLE
when PolicyHandle is not a valid handle.");
#endregion
}
else
{
// returns NO_SUCH_DOMAIN if there is no domain present with the specified name
if (!this.isDomainPresent)
{
#region MS-LSAD_R618
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
618,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedPosixOffsetInformation), The server MUST verify that a trusted domain
object with TrustedDomainSid exists in its policy database.");
#endregion MS-LSAD_R618
#region MS-LSAD_R619
Site.CaptureRequirementIfAreEqual<uint>
((uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
619,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedPosixOffsetInformation), The server MUST verify that a trusted domain
object with the specified TrustedDomainSid exists in its policy database.
If it does exists, it MUST fail with STATUS_NO_SUCH_DOMAIN");
#endregion
#region MS-LSAD_R611
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
611,
@"In LsarSetTrustedDomainInfo, The server MUST return STATUS_NO_SUCH_DOMAIN
when The specified trusted domain object does not exist.");
#endregion
}
else
{
this.uintStatus = lsadClientStack.LsarQueryTrustedDomainInfo(
PolicyHandle.Value,
trustSid[0],
trustedInfoClass,
out queryInformation);
if (utilities.CheckIfDataIsSame(
trustedInfoClass,
domainInformation,
queryInformation.Value))
{
#region MS-LSAD_R607
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
607,
@"In LsarSetTrustedDomainInfo the server MUST return STATUS_SUCCESS
when the request was succesfully completed");
#endregion
#region MS-LSAD_R621
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
621,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedPosixOffsetInformation), Then the server MUST act as if an
LsarSetInformationTrustedDomain message is being processed.");
#endregion MS-LSAD_R621
}
}
}
return (ErrorStatus)uintMethodStatus;
#endregion ValidationForPosixOffset
}
break;
case INVALIDPARAM:
//// Win2k8r2 unsupport TrustedDomainInformationEx & TrustedPasswordInformation in
//// informationType trustedInformation
//// and will return STATUS_INVALID_PARAMETER.
if (trustedInformation != TrustedInformationClass.TrustedDomainInformationEx
&& trustedInformation != TrustedInformationClass.TrustedDomainNameInformation
&& trustedInformation != TrustedInformationClass.TrustedPasswordInformation
&& trustedInformation != TrustedInformationClass.TrustedPosixOffsetInformation)
{
#region MS-LSAD_R625
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
625,
@"In LsarSetTrustedDomainInfo, the valid InformationClass values are
TrustedDomainNameInformation, TrustedDomainInformationEx, TrustedPosixOffsetInformation,
TrustedPasswordInformation. The server MUST return STATUS_INVALID_PARAMETER for all
other InformationClass arguments.");
#endregion
}
else if (trustedInformation == TrustedInformationClass.TrustedDomainInformationEx && PDCOSVersion < ServerVersion.Win2008R2)
{
//// There is a product bug in the processing of TrustedDomainInformationEx,
//// The opnum will return STATUS_NO_SUCH_DOMAIN if no TDO with the specified SID exists,
//// The Opnum will return STATUS_ACCESS_DENIED if TDO with the specified SID exists.
#region ValidationForTrustedDomainInformationEx
if (!this.isDC)
{
#region MS-LSAD_R1014
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.DirectoryServiceRequired,
(uint)uintMethodStatus,
1014,
@"In LsarSetTrustedDomainInfo, the server MUST be in a Domain Controller
and return DIRECTORY_SERVICE_REQUIRED if there is no active directory
installed on it.");
#endregion
}
else
{
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R610
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
610,
@"In LsarSetTrustedDomainInfo, the server MUST return STATUS_INVALID_HANDLE
when PolicyHandle is not a valid handle.");
#endregion
}
else
{
if (this.isDomainPresent)
{
#region MS-LSAD_R1033
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
1033,
@"In LsarSetTrustedDomainInfo, in the processing of
TrustedDomainInformationEx, The server MUST check that a trusted
domain object with the specified SID exists in its policy database.
If the object exists, the server MUST fail the request with the
STATUS_ACCESS_DENIED error code.");
#endregion MS-LSAD_R1033
}
else
{
#region MS-LSAD_R615
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
615,
@"In LsarSetTrustedDomainInfo in the processing of InformationClass
(TrustedDomainInformationEx), The server MUST check that a trusted domain
object with TrustedDomainSid exists in its policy database.");
#endregion
#region MS-LSAD_R1032
Site.CaptureRequirementIfAreEqual<uint>(
(uint)ErrorStatus.NoSuchDomain,
(uint)uintMethodStatus,
"MS-LSAD",
1032,
@"In LsarSetTrustedDomainInfo, in the processing of
TrustedDomainInformationEx, The server MUST check that a trusted
domain object with the specified SID exists in its policy database.
If the object does not exist, the server MUST fail the request with
the STATUS_NO_SUCH_DOMAIN error code.");
#endregion MS-LSAD_R1032
}
}
}
return (ErrorStatus)uintMethodStatus;
#endregion
}
break;
}
}
return (ErrorStatus)uintMethodStatus;
}