2004-06-06 11:14:10 +04:00
/*
Unix SMB / CIFS implementation .
test suite for schannel operations
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2004-11-01 13:30:34 +03:00
# include "librpc/gen_ndr/ndr_samr.h"
2004-11-11 07:32:01 +03:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2005-03-22 13:33:53 +03:00
# include "lib/cmdline/popt_common.h"
2004-06-06 11:14:10 +04:00
2005-10-25 16:14:08 +04:00
# define TEST_MACHINE_NAME "schannel"
2004-06-06 11:14:10 +04:00
2004-06-06 11:58:16 +04:00
/*
do some samr ops using the schannel connection
*/
2004-06-06 11:14:10 +04:00
static BOOL test_samr_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct samr_GetDomPwInfo r ;
2005-08-03 00:08:23 +04:00
struct samr_Connect connect ;
struct samr_OpenDomain opendom ;
2004-06-06 11:14:10 +04:00
int i ;
2005-07-08 12:09:02 +04:00
struct lsa_String name ;
2005-08-03 00:08:23 +04:00
struct policy_handle handle ;
struct policy_handle domain_handle ;
2004-06-06 11:14:10 +04:00
2004-11-13 16:45:41 +03:00
name . string = lp_workgroup ( ) ;
2005-02-13 03:26:43 +03:00
r . in . domain_name = & name ;
2004-06-06 11:14:10 +04:00
2005-08-03 00:08:23 +04:00
connect . in . system_name = 0 ;
connect . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
connect . out . connect_handle = & handle ;
printf ( " Testing Connect and OpenDomain on BUILTIN \n " ) ;
status = dcerpc_samr_Connect ( p , mem_ctx , & connect ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-25 16:14:08 +04:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
printf ( " Connect failed (expected, schannel mapped to anonymous): %s \n " ,
nt_errstr ( status ) ) ;
} else {
printf ( " Connect failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
} else {
opendom . in . connect_handle = & handle ;
opendom . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
opendom . in . sid = dom_sid_parse_talloc ( mem_ctx , " S-1-5-32 " ) ;
opendom . out . domain_handle = & domain_handle ;
status = dcerpc_samr_OpenDomain ( p , mem_ctx , & opendom ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " OpenDomain failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2005-08-03 00:08:23 +04:00
}
2005-02-13 03:26:43 +03:00
printf ( " Testing GetDomPwInfo with name %s \n " , r . in . domain_name - > string ) ;
2004-06-06 11:14:10 +04:00
/* do several ops to test credential chaining */
for ( i = 0 ; i < 5 ; i + + ) {
status = dcerpc_samr_GetDomPwInfo ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-25 16:14:08 +04:00
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
printf ( " GetDomPwInfo op %d failed - %s \n " , i , nt_errstr ( status ) ) ;
return False ;
}
2004-06-06 11:14:10 +04:00
}
}
return True ;
}
2004-11-12 02:24:30 +03:00
2005-10-06 14:29:28 +04:00
/*
do some lsa ops using the schannel connection
*/
static BOOL test_lsa_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
struct lsa_GetUserName r ;
NTSTATUS status ;
BOOL ret = True ;
struct lsa_StringPointer authority_name_p ;
printf ( " \n Testing GetUserName \n " ) ;
r . in . system_name = " \\ " ;
r . in . account_name = NULL ;
r . in . authority_name = & authority_name_p ;
authority_name_p . string = NULL ;
2005-10-25 16:14:08 +04:00
/* do several ops to test credential chaining and various operations */
status = dcerpc_lsa_GetUserName ( p , mem_ctx , & r ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
printf ( " not considering %s to be an error \n " , nt_errstr ( status ) ) ;
} else if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " GetUserName failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
} else {
if ( ! r . out . account_name ) {
return False ;
}
2005-10-06 14:29:28 +04:00
2005-10-25 16:14:08 +04:00
if ( strcmp ( r . out . account_name - > string , " ANONYMOUS LOGON " ) ! = 0 ) {
printf ( " GetUserName returned wrong user: %s, expected %s \n " ,
r . out . account_name - > string , " ANONYMOUS LOGON " ) ;
return False ;
}
if ( ! r . out . authority_name | | ! r . out . authority_name - > string ) {
return False ;
}
if ( strcmp ( r . out . authority_name - > string - > string , " NT AUTHORITY " ) ! = 0 ) {
printf ( " GetUserName returned wrong user: %s, expected %s \n " ,
r . out . authority_name - > string - > string , " NT AUTHORITY " ) ;
2005-10-06 14:29:28 +04:00
return False ;
}
}
2005-10-25 16:14:08 +04:00
if ( ! test_many_LookupSids ( p , mem_ctx , NULL ) ) {
printf ( " LsaLookupSids3 failed! \n " ) ;
return False ;
}
2005-10-06 14:29:28 +04:00
return ret ;
}
2004-06-06 11:58:16 +04:00
/*
test a schannel connection with the given flags
*/
2004-06-06 11:14:10 +04:00
static BOOL test_schannel ( TALLOC_CTX * mem_ctx ,
2005-02-10 08:09:35 +03:00
uint16_t acct_flags , uint32_t dcerpc_flags ,
2005-10-25 16:14:08 +04:00
int i )
2004-06-06 11:14:10 +04:00
{
2005-10-06 14:29:28 +04:00
BOOL ret = True ;
2004-06-06 11:14:10 +04:00
void * join_ctx ;
NTSTATUS status ;
2004-06-14 03:50:55 +04:00
const char * binding = lp_parm_string ( - 1 , " torture " , " binding " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct dcerpc_binding * b ;
2005-01-06 12:26:14 +03:00
struct dcerpc_pipe * p = NULL ;
struct dcerpc_pipe * p_netlogon = NULL ;
2005-10-06 14:29:28 +04:00
struct dcerpc_pipe * p_lsa = NULL ;
2004-11-12 02:24:30 +03:00
struct creds_CredentialState * creds ;
2005-03-22 11:00:45 +03:00
struct cli_credentials * credentials ;
TALLOC_CTX * test_ctx = talloc_named ( mem_ctx , 0 , " test_schannel context " ) ;
2004-06-06 11:14:10 +04:00
2005-10-25 16:14:08 +04:00
join_ctx = torture_join_domain ( talloc_asprintf ( mem_ctx , " %s%d " , TEST_MACHINE_NAME , i ) ,
2005-10-04 03:46:21 +04:00
acct_flags , & credentials ) ;
2004-06-06 11:14:10 +04:00
if ( ! join_ctx ) {
printf ( " Failed to join domain with acct_flags=0x%x \n " , acct_flags ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2004-06-06 11:14:10 +04:00
return False ;
}
2005-03-22 11:00:45 +03:00
status = dcerpc_parse_binding ( test_ctx , binding , & b ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Bad binding string %s \n " , binding ) ;
goto failed ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
2004-06-06 11:14:10 +04:00
2005-03-22 11:00:45 +03:00
status = dcerpc_pipe_connect_b ( test_ctx ,
& p , b ,
2004-06-06 11:14:10 +04:00
DCERPC_SAMR_UUID ,
DCERPC_SAMR_VERSION ,
2005-06-16 15:36:09 +04:00
credentials , NULL ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
printf ( " Failed to connect with schannel: %s \n " , nt_errstr ( status ) ) ;
2004-06-06 11:14:10 +04:00
goto failed ;
}
2005-03-22 11:00:45 +03:00
if ( ! test_samr_ops ( p , test_ctx ) ) {
2005-10-06 14:29:28 +04:00
printf ( " Failed to process schannel secured SAMR ops \n " ) ;
ret = False ;
r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2004-06-29 13:40:10 +04:00
}
2004-06-06 11:14:10 +04:00
2004-11-12 02:24:30 +03:00
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
/* Swap the binding details from SAMR to NETLOGON */
2005-03-22 11:00:45 +03:00
status = dcerpc_epm_map_binding ( test_ctx , b , DCERPC_NETLOGON_UUID ,
2005-06-16 15:36:09 +04:00
DCERPC_NETLOGON_VERSION , NULL ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
status = dcerpc_secondary_connection ( p , & p_netlogon ,
b ) ;
2004-11-12 02:24:30 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2005-03-24 07:14:06 +03:00
status = dcerpc_bind_auth_password ( p_netlogon ,
DCERPC_NETLOGON_UUID ,
DCERPC_NETLOGON_VERSION ,
credentials , DCERPC_AUTH_TYPE_SCHANNEL ,
NULL ) ;
2004-11-12 02:24:30 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
2005-03-22 11:00:45 +03:00
status = dcerpc_schannel_creds ( p_netlogon - > conn - > security_state . generic_state , test_ctx , & creds ) ;
2004-11-12 02:24:30 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
/* do a couple of logins */
2005-10-25 16:14:08 +04:00
if ( ! test_netlogon_ops ( p_netlogon , test_ctx , credentials , creds ) ) {
2005-10-06 14:29:28 +04:00
printf ( " Failed to process schannel secured NETLOGON ops \n " ) ;
ret = False ;
}
/* Swap the binding details from SAMR to LSARPC */
status = dcerpc_epm_map_binding ( test_ctx , b , DCERPC_LSARPC_UUID ,
DCERPC_LSARPC_VERSION , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
status = dcerpc_secondary_connection ( p , & p_lsa ,
b ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2004-11-12 02:24:30 +03:00
goto failed ;
}
2005-10-06 14:29:28 +04:00
status = dcerpc_bind_auth_password ( p_lsa ,
DCERPC_LSARPC_UUID ,
DCERPC_LSARPC_VERSION ,
credentials , DCERPC_AUTH_TYPE_SCHANNEL ,
NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
if ( ! test_lsa_ops ( p_lsa , test_ctx ) ) {
printf ( " Failed to process schannel secured LSA ops \n " ) ;
ret = False ;
}
2004-06-06 11:14:10 +04:00
torture_leave_domain ( join_ctx ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2005-10-06 14:29:28 +04:00
return ret ;
2004-06-06 11:14:10 +04:00
failed :
torture_leave_domain ( join_ctx ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2004-06-06 11:14:10 +04:00
return False ;
}
2004-06-06 11:58:16 +04:00
/*
a schannel test suite
*/
2004-10-28 17:40:50 +04:00
BOOL torture_rpc_schannel ( void )
2004-06-06 11:14:10 +04:00
{
TALLOC_CTX * mem_ctx ;
BOOL ret = True ;
struct {
2005-02-10 08:09:35 +03:00
uint16_t acct_flags ;
uint32_t dcerpc_flags ;
2004-06-06 11:14:10 +04:00
} tests [ ] = {
2005-10-25 16:14:08 +04:00
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
2004-06-06 11:14:10 +04:00
} ;
int i ;
mem_ctx = talloc_init ( " torture_rpc_schannel " ) ;
for ( i = 0 ; i < ARRAY_SIZE ( tests ) ; i + + ) {
if ( ! test_schannel ( mem_ctx ,
2005-10-25 16:14:08 +04:00
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ,
i ) ) {
printf ( " Failed with acct_flags=0x%x dcerpc_flags=0x%x \n " ,
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ) ;
2004-06-06 11:14:10 +04:00
ret = False ;
break ;
}
}
2004-10-30 15:37:17 +04:00
talloc_free ( mem_ctx ) ;
2004-06-06 11:14:10 +04:00
return ret ;
}
