2009-05-11 16:54:04 +04:00
/*
2003-11-03 09:22:45 +03:00
Unix SMB / CIFS implementation .
test suite for lsa rpc operations
2003-11-04 12:10:31 +03:00
2003-11-03 09:22:45 +03:00
Copyright ( C ) Andrew Tridgell 2003
2005-01-11 17:04:58 +03:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2004 - 2005
2009-05-11 16:54:04 +04:00
2003-11-03 09:22:45 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-11-03 09:22:45 +03:00
( at your option ) any later version .
2009-05-11 16:54:04 +04:00
2003-11-03 09:22:45 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-05-11 16:54:04 +04:00
2003-11-03 09:22:45 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-11-03 09:22:45 +03:00
*/
# include "includes.h"
2006-01-03 16:41:17 +03:00
# include "torture/torture.h"
2015-05-20 01:05:00 +03:00
# include "libcli/cldap/cldap.h"
# include "../lib/tsocket/tsocket.h"
2006-03-15 02:35:30 +03:00
# include "librpc/gen_ndr/ndr_lsa_c.h"
2007-06-08 14:43:42 +04:00
# include "librpc/gen_ndr/netlogon.h"
2008-09-04 10:06:38 +04:00
# include "librpc/gen_ndr/ndr_drsblobs.h"
2011-08-22 14:34:36 +04:00
# include "librpc/gen_ndr/ndr_netlogon_c.h"
2005-11-02 08:34:17 +03:00
# include "lib/events/events.h"
2006-04-02 16:02:01 +04:00
# include "libcli/security/security.h"
2006-03-14 18:02:05 +03:00
# include "libcli/auth/libcli_auth.h"
2010-04-14 00:06:51 +04:00
# include "torture/rpc/torture_rpc.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2015-05-20 01:05:00 +03:00
# include "source4/auth/kerberos/kerberos.h"
# include "source4/auth/kerberos/kerberos_util.h"
# include "lib/util/util_net.h"
2015-12-17 15:59:40 +03:00
# include "libcli/resolve/resolve.h"
2019-02-21 13:03:01 +03:00
# include <gnutls/gnutls.h>
# include <gnutls/crypto.h>
2007-12-10 03:45:04 +03:00
# define TEST_MACHINENAME "lsatestmach"
2011-08-22 14:34:36 +04:00
# define TRUSTPW "12345678"
2007-12-10 03:45:04 +03:00
2004-11-22 14:59:59 +03:00
static void init_lsa_String ( struct lsa_String * name , const char * s )
2003-11-19 06:20:32 +03:00
{
2004-11-22 14:59:59 +03:00
name - > string = s ;
2003-11-19 06:20:32 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_OpenPolicy ( struct dcerpc_binding_handle * b ,
2012-06-29 18:50:38 +04:00
struct torture_context * tctx )
2003-11-03 09:22:45 +03:00
{
2003-11-04 12:10:31 +03:00
struct lsa_ObjectAttribute attr ;
struct policy_handle handle ;
struct lsa_QosInfo qos ;
2003-11-09 07:40:50 +03:00
struct lsa_OpenPolicy r ;
2004-05-25 21:24:24 +04:00
uint16_t system_name = ' \\ ' ;
2003-11-03 09:22:45 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing OpenPolicy \n " ) ;
2003-11-04 12:48:33 +03:00
2003-11-15 00:39:13 +03:00
qos . len = 0 ;
2003-11-04 12:10:31 +03:00
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
2003-11-03 09:22:45 +03:00
2003-11-15 00:39:13 +03:00
attr . len = 0 ;
2003-11-04 12:10:31 +03:00
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
2003-11-03 09:22:45 +03:00
2003-11-09 07:40:50 +03:00
r . in . system_name = & system_name ;
r . in . attr = & attr ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2003-11-09 07:40:50 +03:00
r . out . handle = & handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenPolicy_r ( b , tctx , & r ) ,
" OpenPolicy failed " ) ;
2012-06-29 18:50:38 +04:00
torture_assert_ntstatus_ok ( tctx ,
r . out . result ,
" OpenPolicy failed " ) ;
return true ;
}
static bool test_OpenPolicy_fail ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx )
{
struct lsa_ObjectAttribute attr ;
struct policy_handle handle ;
struct lsa_QosInfo qos ;
struct lsa_OpenPolicy r ;
uint16_t system_name = ' \\ ' ;
NTSTATUS status ;
torture_comment ( tctx , " \n Testing OpenPolicy_fail \n " ) ;
qos . len = 0 ;
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
attr . len = 0 ;
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
r . in . system_name = & system_name ;
r . in . attr = & attr ;
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . handle = & handle ;
status = dcerpc_lsa_OpenPolicy_r ( b , tctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
torture_comment ( tctx ,
" OpenPolicy correctly returned with "
" status: %s \n " ,
nt_errstr ( status ) ) ;
return true ;
}
torture_assert_ntstatus_equal ( tctx ,
status ,
NT_STATUS_ACCESS_DENIED ,
" OpenPolicy return value should "
" be ACCESS_DENIED " ) ;
return true ;
}
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
2012-06-29 18:50:38 +04:00
torture_comment ( tctx ,
" OpenPolicy correctly returned with "
" result: %s \n " ,
nt_errstr ( r . out . result ) ) ;
return true ;
2005-10-25 16:14:08 +04:00
}
2003-11-03 09:22:45 +03:00
}
2012-06-29 18:50:38 +04:00
torture_assert_ntstatus_equal ( tctx ,
r . out . result ,
NT_STATUS_OK ,
" OpenPolicy return value should be "
" ACCESS_DENIED " ) ;
return false ;
2003-11-03 09:22:45 +03:00
}
2003-11-04 12:48:33 +03:00
2010-04-09 11:02:48 +04:00
bool test_lsa_OpenPolicy2_ex ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx ,
struct policy_handle * * handle ,
2019-05-15 07:07:16 +03:00
NTSTATUS expected_status ,
NTSTATUS expected_status2 )
2003-11-04 12:48:33 +03:00
{
struct lsa_ObjectAttribute attr ;
struct lsa_QosInfo qos ;
2003-11-09 07:40:50 +03:00
struct lsa_OpenPolicy2 r ;
2010-04-09 11:02:48 +04:00
NTSTATUS status ;
2003-11-04 12:48:33 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing OpenPolicy2 \n " ) ;
2003-11-04 12:48:33 +03:00
2009-05-11 16:51:41 +04:00
* handle = talloc ( tctx , struct policy_handle ) ;
2012-10-01 10:51:47 +04:00
torture_assert ( tctx , * handle ! = NULL , " talloc(tctx, struct policy_handle) " ) ;
2005-10-25 16:14:08 +04:00
2003-11-15 00:39:13 +03:00
qos . len = 0 ;
2003-11-04 12:48:33 +03:00
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
2003-11-15 00:39:13 +03:00
attr . len = 0 ;
2003-11-04 12:48:33 +03:00
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
2003-11-09 07:40:50 +03:00
r . in . system_name = " \\ " ;
r . in . attr = & attr ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2005-10-25 16:14:08 +04:00
r . out . handle = * handle ;
2003-11-09 07:40:50 +03:00
2010-04-09 11:02:48 +04:00
status = dcerpc_lsa_OpenPolicy2_r ( b , tctx , & r ) ;
2019-05-15 07:07:16 +03:00
/* Allow two possible failure status codes */
if ( ! NT_STATUS_EQUAL ( status , expected_status2 ) ) {
torture_assert_ntstatus_equal ( tctx , status ,
expected_status ,
" OpenPolicy2 failed " ) ;
}
if ( ! NT_STATUS_IS_OK ( expected_status ) | |
! NT_STATUS_IS_OK ( expected_status2 ) ) {
2010-04-09 11:02:48 +04:00
return true ;
}
2012-06-29 19:50:06 +04:00
torture_assert_ntstatus_ok ( tctx ,
r . out . result ,
" OpenPolicy2 failed " ) ;
2003-11-04 12:48:33 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-04 12:48:33 +03:00
}
2007-12-10 03:45:04 +03:00
2010-04-09 11:02:48 +04:00
bool test_lsa_OpenPolicy2 ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx ,
struct policy_handle * * handle )
{
2019-05-15 07:07:16 +03:00
return test_lsa_OpenPolicy2_ex ( b , tctx , handle ,
NT_STATUS_OK , NT_STATUS_OK ) ;
2012-06-29 19:50:06 +04:00
}
static bool test_OpenPolicy2_fail ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx )
{
struct lsa_ObjectAttribute attr ;
struct policy_handle handle ;
struct lsa_QosInfo qos ;
struct lsa_OpenPolicy2 r ;
NTSTATUS status ;
torture_comment ( tctx , " \n Testing OpenPolicy2_fail \n " ) ;
qos . len = 0 ;
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
attr . len = 0 ;
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
r . in . system_name = " \\ " ;
r . in . attr = & attr ;
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . handle = & handle ;
status = dcerpc_lsa_OpenPolicy2_r ( b , tctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
torture_comment ( tctx ,
" OpenPolicy2 correctly returned with "
" status: %s \n " ,
nt_errstr ( status ) ) ;
return true ;
}
torture_assert_ntstatus_equal ( tctx ,
status ,
NT_STATUS_ACCESS_DENIED ,
" OpenPolicy2 return value should "
" be ACCESS_DENIED " ) ;
return true ;
}
2012-09-24 02:40:05 +04:00
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
torture_comment ( tctx ,
" OpenPolicy2 correctly returned with "
" result: %s \n " ,
nt_errstr ( r . out . result ) ) ;
return true ;
2012-06-29 19:50:06 +04:00
}
2012-09-24 02:40:05 +04:00
torture_fail ( tctx ,
" OpenPolicy2 return value should be "
" ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED " ) ;
2012-06-29 19:50:06 +04:00
return false ;
2010-04-09 11:02:48 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2007-12-10 03:45:04 +03:00
struct policy_handle * handle ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2007-09-17 09:31:49 +04:00
struct lsa_TransNameArray * tnames )
2003-11-09 05:21:24 +03:00
{
struct lsa_LookupNames r ;
struct lsa_TransSidArray sids ;
2008-10-24 15:43:21 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-11-22 14:59:59 +03:00
struct lsa_String * names ;
2004-05-25 20:24:13 +04:00
uint32_t count = 0 ;
2003-11-09 05:21:24 +03:00
int i ;
2010-09-02 12:41:45 +04:00
uint32_t * input_idx ;
2003-11-09 05:21:24 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupNames with %d names \n " , tnames - > count ) ;
2003-11-09 05:21:24 +03:00
sids . count = 0 ;
sids . sids = NULL ;
2010-09-02 12:41:45 +04:00
r . in . num_names = 0 ;
input_idx = talloc_array ( tctx , uint32_t , tnames - > count ) ;
2009-05-11 16:51:41 +04:00
names = talloc_array ( tctx , struct lsa_String , tnames - > count ) ;
2010-09-02 12:41:45 +04:00
2003-11-09 05:21:24 +03:00
for ( i = 0 ; i < tnames - > count ; i + + ) {
2010-09-02 12:41:45 +04:00
if ( tnames - > names [ i ] . sid_type ! = SID_NAME_UNKNOWN ) {
init_lsa_String ( & names [ r . in . num_names ] , tnames - > names [ i ] . name . string ) ;
input_idx [ r . in . num_names ] = i ;
r . in . num_names + + ;
}
2003-11-09 05:21:24 +03:00
}
r . in . handle = handle ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2003-11-09 05:21:24 +03:00
r . in . count = & count ;
r . out . count = & count ;
r . out . sids = & sids ;
2008-10-24 15:43:21 +04:00
r . out . domains = & domains ;
2003-11-09 05:21:24 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames_r ( b , tctx , & r ) ,
" LookupNames failed " ) ;
if ( NT_STATUS_EQUAL ( r . out . result , STATUS_SOME_UNMAPPED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NONE_MAPPED ) ) {
2010-09-02 12:41:45 +04:00
for ( i = 0 ; i < r . in . num_names ; i + + ) {
2007-12-10 03:45:04 +03:00
if ( i < count & & sids . sids [ i ] . sid_type = = SID_NAME_UNKNOWN ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LookupName of %s was unmapped \n " ,
2009-05-11 16:54:04 +04:00
tnames - > names [ i ] . name . string ) ;
2007-12-10 03:45:04 +03:00
} else if ( i > = count ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LookupName of %s failed to return a result \n " ,
2007-12-10 03:45:04 +03:00
tnames - > names [ i ] . name . string ) ;
}
}
2012-10-01 10:51:47 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupNames failed " ) ;
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
2012-10-01 10:51:47 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupNames failed " ) ;
2007-09-17 09:31:49 +04:00
}
2009-05-11 16:54:04 +04:00
2010-09-02 12:41:45 +04:00
for ( i = 0 ; i < r . in . num_names ; i + + ) {
2012-10-01 10:51:47 +04:00
torture_assert ( tctx , ( i < count ) ,
talloc_asprintf ( tctx ,
" LookupName of %s failed to return a result \n " ,
tnames - > names [ input_idx [ i ] ] . name . string ) ) ;
torture_assert_int_equal ( tctx ,
sids . sids [ i ] . sid_type ,
tnames - > names [ input_idx [ i ] ] . sid_type ,
talloc_asprintf ( tctx ,
" LookupName of %s got unexpected name type: %s \n " ,
tnames - > names [ input_idx [ i ] ] . name . string ,
sid_type_lookup ( sids . sids [ i ] . sid_type ) ) ) ;
if ( sids . sids [ i ] . sid_type ! = SID_NAME_DOMAIN ) {
continue ;
2007-12-10 03:45:04 +03:00
}
2012-10-01 10:51:47 +04:00
torture_assert_int_equal ( tctx ,
sids . sids [ i ] . rid ,
UINT32_MAX ,
talloc_asprintf ( tctx ,
" LookupName of %s got unexpected rid: %d \n " ,
tnames - > names [ input_idx [ i ] ] . name . string ,
sids . sids [ i ] . rid ) ) ;
2007-12-10 03:45:04 +03:00
}
2007-09-17 09:31:49 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2007-09-17 09:31:49 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames_bogus ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
struct policy_handle * handle ,
enum lsa_LookupNamesLevel level )
2007-09-17 09:31:49 +04:00
{
struct lsa_LookupNames r ;
struct lsa_TransSidArray sids ;
2008-10-24 15:43:21 +04:00
struct lsa_RefDomainList * domains = NULL ;
2009-10-21 01:47:40 +04:00
struct lsa_String names [ 1 ] ;
2007-09-17 09:31:49 +04:00
uint32_t count = 0 ;
2009-10-21 01:47:40 +04:00
torture_comment ( tctx , " \n Testing LookupNames with bogus name \n " ) ;
2007-09-17 09:31:49 +04:00
sids . count = 0 ;
sids . sids = NULL ;
2009-10-21 01:47:40 +04:00
init_lsa_String ( & names [ 0 ] , " NT AUTHORITY \\ BOGUS " ) ;
2007-09-17 09:31:49 +04:00
r . in . handle = handle ;
2009-10-21 01:47:40 +04:00
r . in . num_names = 1 ;
2007-09-17 09:31:49 +04:00
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2007-09-17 09:31:49 +04:00
r . in . count = & count ;
r . out . count = & count ;
r . out . sids = & sids ;
2008-10-24 15:43:21 +04:00
r . out . domains = & domains ;
2007-09-17 09:31:49 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames_r ( b , tctx , & r ) ,
" LookupNames bogus failed " ) ;
if ( ! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NONE_MAPPED ) ) {
torture_comment ( tctx , " LookupNames failed - %s \n " ,
nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2003-11-09 05:21:24 +03:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2003-11-09 05:21:24 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-09 05:21:24 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames_NULL ( struct dcerpc_binding_handle * b ,
2009-10-21 01:47:40 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
struct policy_handle * handle ,
enum lsa_LookupNamesLevel level )
2009-10-21 01:47:40 +04:00
{
struct lsa_LookupNames r ;
struct lsa_TransSidArray sids ;
struct lsa_RefDomainList * domains = NULL ;
struct lsa_String names [ 1 ] ;
uint32_t count = 0 ;
torture_comment ( tctx , " \n Testing LookupNames with NULL name \n " ) ;
sids . count = 0 ;
sids . sids = NULL ;
names [ 0 ] . string = NULL ;
r . in . handle = handle ;
r . in . num_names = 1 ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2009-10-21 01:47:40 +04:00
r . in . count = & count ;
r . out . count = & count ;
r . out . sids = & sids ;
r . out . domains = & domains ;
/* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
* SID_NAME_UNKNOWN , rid 0 , and sid_index - 1 ;
*
* w2k3 / w2k8 return NT_STATUS_OK with sid_type
* SID_NAME_DOMAIN , rid - 1 and sid_index 0 and BUILTIN domain
*/
2010-03-11 14:00:34 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames_r ( b , tctx , & r ) ,
2009-10-21 01:47:40 +04:00
" LookupNames with NULL name failed " ) ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupNames with NULL name failed " ) ;
2009-10-21 01:47:40 +04:00
torture_comment ( tctx , " \n " ) ;
return true ;
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames_wellknown ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
struct policy_handle * handle ,
enum lsa_LookupNamesLevel level )
2007-09-17 09:31:49 +04:00
{
struct lsa_TranslatedName name ;
struct lsa_TransNameArray tnames ;
bool ret = true ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing LookupNames with well known names \n " ) ;
2007-09-17 09:31:49 +04:00
tnames . names = & name ;
tnames . count = 1 ;
name . name . string = " NT AUTHORITY \\ SYSTEM " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_WKN_GRP ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " NT AUTHORITY \\ ANONYMOUS LOGON " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_WKN_GRP ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " NT AUTHORITY \\ Authenticated Users " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_WKN_GRP ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
2007-12-10 03:45:04 +03:00
#if 0
2007-09-17 09:31:49 +04:00
name . name . string = " NT AUTHORITY " ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " NT AUTHORITY \\ " ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-12-10 03:45:04 +03:00
# endif
2007-09-17 09:31:49 +04:00
name . name . string = " BUILTIN \\ " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_DOMAIN ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " BUILTIN \\ Administrators " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_ALIAS ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " SYSTEM " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_WKN_GRP ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
name . name . string = " Everyone " ;
2007-12-10 03:45:04 +03:00
name . sid_type = SID_NAME_WKN_GRP ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , level , & tnames ) ;
2007-09-17 09:31:49 +04:00
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames2 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-11-26 09:33:38 +03:00
struct policy_handle * handle ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2009-05-11 18:40:26 +04:00
struct lsa_TransNameArray2 * tnames ,
bool check_result )
2004-11-26 09:33:38 +03:00
{
struct lsa_LookupNames2 r ;
struct lsa_TransSidArray2 sids ;
2008-10-24 15:43:21 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-11-26 09:33:38 +03:00
struct lsa_String * names ;
2012-06-25 19:55:02 +04:00
uint32_t * input_idx ;
2004-11-26 09:33:38 +03:00
uint32_t count = 0 ;
int i ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupNames2 with %d names \n " , tnames - > count ) ;
2004-11-26 09:33:38 +03:00
sids . count = 0 ;
sids . sids = NULL ;
2010-09-02 12:41:45 +04:00
r . in . num_names = 0 ;
2004-11-26 09:33:38 +03:00
2010-09-02 12:41:45 +04:00
input_idx = talloc_array ( tctx , uint32_t , tnames - > count ) ;
2009-05-11 16:51:41 +04:00
names = talloc_array ( tctx , struct lsa_String , tnames - > count ) ;
2010-09-02 12:41:45 +04:00
2004-11-26 09:33:38 +03:00
for ( i = 0 ; i < tnames - > count ; i + + ) {
2010-09-02 12:41:45 +04:00
if ( tnames - > names [ i ] . sid_type ! = SID_NAME_UNKNOWN ) {
init_lsa_String ( & names [ r . in . num_names ] , tnames - > names [ i ] . name . string ) ;
input_idx [ r . in . num_names ] = i ;
r . in . num_names + + ;
}
2004-11-26 09:33:38 +03:00
}
r . in . handle = handle ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2004-11-26 09:33:38 +03:00
r . in . count = & count ;
2008-10-04 04:52:59 +04:00
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
2004-11-26 09:33:38 +03:00
r . out . count = & count ;
r . out . sids = & sids ;
2008-10-24 15:43:21 +04:00
r . out . domains = & domains ;
2004-11-26 09:33:38 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames2_r ( b , tctx , & r ) ,
" LookupNames2 failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result , " LookupNames2 failed " ) ;
2004-11-26 09:33:38 +03:00
2009-05-11 18:40:26 +04:00
if ( check_result ) {
torture_assert_int_equal ( tctx , count , sids . count ,
" unexpected number of results returned " ) ;
if ( sids . count > 0 ) {
torture_assert ( tctx , sids . sids , " invalid sid buffer " ) ;
}
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2004-11-26 09:33:38 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2004-11-26 09:33:38 +03:00
}
2003-11-04 14:16:07 +03:00
2010-03-11 14:00:34 +03:00
static bool test_LookupNames3 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-12-31 10:26:26 +03:00
struct policy_handle * handle ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2009-05-11 18:40:26 +04:00
struct lsa_TransNameArray2 * tnames ,
bool check_result )
2004-12-31 10:26:26 +03:00
{
struct lsa_LookupNames3 r ;
struct lsa_TransSidArray3 sids ;
2008-10-24 15:43:21 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-12-31 10:26:26 +03:00
struct lsa_String * names ;
uint32_t count = 0 ;
int i ;
2010-09-02 12:41:45 +04:00
uint32_t * input_idx ;
2004-12-31 10:26:26 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupNames3 with %d names \n " , tnames - > count ) ;
2004-12-31 10:26:26 +03:00
sids . count = 0 ;
sids . sids = NULL ;
2010-09-02 12:41:45 +04:00
r . in . num_names = 0 ;
input_idx = talloc_array ( tctx , uint32_t , tnames - > count ) ;
2009-05-11 16:51:41 +04:00
names = talloc_array ( tctx , struct lsa_String , tnames - > count ) ;
2004-12-31 10:26:26 +03:00
for ( i = 0 ; i < tnames - > count ; i + + ) {
2010-09-02 12:41:45 +04:00
if ( tnames - > names [ i ] . sid_type ! = SID_NAME_UNKNOWN ) {
init_lsa_String ( & names [ r . in . num_names ] , tnames - > names [ i ] . name . string ) ;
input_idx [ r . in . num_names ] = i ;
r . in . num_names + + ;
}
2004-12-31 10:26:26 +03:00
}
r . in . handle = handle ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2004-12-31 10:26:26 +03:00
r . in . count = & count ;
2008-10-04 04:52:59 +04:00
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
2004-12-31 10:26:26 +03:00
r . out . count = & count ;
r . out . sids = & sids ;
2008-10-24 15:43:21 +04:00
r . out . domains = & domains ;
2004-12-31 10:26:26 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames3_r ( b , tctx , & r ) ,
" LookupNames3 failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupNames3 failed " ) ;
2004-12-31 10:26:26 +03:00
2009-05-11 18:40:26 +04:00
if ( check_result ) {
torture_assert_int_equal ( tctx , count , sids . count ,
" unexpected number of results returned " ) ;
if ( sids . count > 0 ) {
torture_assert ( tctx , sids . sids , " invalid sid buffer " ) ;
}
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2004-12-31 10:26:26 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2004-12-31 10:26:26 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupNames4 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2009-05-11 18:40:26 +04:00
struct lsa_TransNameArray2 * tnames ,
2012-06-29 14:10:20 +04:00
bool check_result )
2005-10-25 16:14:08 +04:00
{
struct lsa_LookupNames4 r ;
struct lsa_TransSidArray3 sids ;
2008-10-24 15:43:21 +04:00
struct lsa_RefDomainList * domains = NULL ;
2005-10-25 16:14:08 +04:00
struct lsa_String * names ;
uint32_t count = 0 ;
int i ;
2010-09-02 12:41:45 +04:00
uint32_t * input_idx ;
2005-10-25 16:14:08 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupNames4 with %d names \n " , tnames - > count ) ;
2005-10-25 16:14:08 +04:00
sids . count = 0 ;
sids . sids = NULL ;
2010-09-02 12:41:45 +04:00
r . in . num_names = 0 ;
input_idx = talloc_array ( tctx , uint32_t , tnames - > count ) ;
2009-05-11 16:51:41 +04:00
names = talloc_array ( tctx , struct lsa_String , tnames - > count ) ;
2005-10-25 16:14:08 +04:00
for ( i = 0 ; i < tnames - > count ; i + + ) {
2010-09-02 12:41:45 +04:00
if ( tnames - > names [ i ] . sid_type ! = SID_NAME_UNKNOWN ) {
init_lsa_String ( & names [ r . in . num_names ] , tnames - > names [ i ] . name . string ) ;
input_idx [ r . in . num_names ] = i ;
r . in . num_names + + ;
}
2005-10-25 16:14:08 +04:00
}
r . in . num_names = tnames - > count ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2005-10-25 16:14:08 +04:00
r . in . count = & count ;
2008-10-04 04:52:59 +04:00
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
2005-10-25 16:14:08 +04:00
r . out . count = & count ;
r . out . sids = & sids ;
2008-10-24 15:43:21 +04:00
r . out . domains = & domains ;
2005-10-25 16:14:08 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupNames4_r ( b , tctx , & r ) ,
" LookupNames4 failed " ) ;
2012-06-29 14:10:20 +04:00
2012-07-05 16:11:25 +04:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NONE_MAPPED ) ) {
torture_comment ( tctx ,
" LookupNames4 failed: %s - not considered as an error " ,
nt_errstr ( r . out . result ) ) ;
return true ;
}
}
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx ,
r . out . result ,
" LookupNames4 failed " ) ;
2005-10-25 16:14:08 +04:00
2009-05-11 18:40:26 +04:00
if ( check_result ) {
torture_assert_int_equal ( tctx , count , sids . count ,
" unexpected number of results returned " ) ;
if ( sids . count > 0 ) {
torture_assert ( tctx , sids . sids , " invalid sid buffer " ) ;
}
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2005-10-25 16:14:08 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2005-10-25 16:14:08 +04:00
}
2012-06-29 14:10:20 +04:00
static bool test_LookupNames4_fail ( struct dcerpc_binding_handle * b ,
2019-08-01 21:08:52 +03:00
struct torture_context * tctx ,
enum lsa_LookupNamesLevel level )
2012-06-29 14:10:20 +04:00
{
struct lsa_LookupNames4 r ;
struct lsa_TransSidArray3 sids ;
struct lsa_RefDomainList * domains = NULL ;
2012-06-29 18:50:38 +04:00
struct lsa_String * names = NULL ;
2012-06-29 14:10:20 +04:00
uint32_t count = 0 ;
NTSTATUS status ;
torture_comment ( tctx , " \n Testing LookupNames4_fail " ) ;
sids . count = 0 ;
sids . sids = NULL ;
r . in . num_names = 0 ;
r . in . num_names = count ;
r . in . names = names ;
r . in . sids = & sids ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2012-06-29 14:10:20 +04:00
r . in . count = & count ;
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
r . out . count = & count ;
r . out . sids = & sids ;
r . out . domains = & domains ;
status = dcerpc_lsa_LookupNames4_r ( b , tctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
torture_comment ( tctx ,
" LookupNames4 correctly returned with "
" status: %s \n " ,
nt_errstr ( status ) ) ;
return true ;
}
torture_assert_ntstatus_equal ( tctx ,
status ,
NT_STATUS_ACCESS_DENIED ,
" LookupNames4 return value should "
" be ACCESS_DENIED " ) ;
return true ;
}
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
torture_comment ( tctx ,
" LookupSids3 correctly returned with "
" result: %s \n " ,
nt_errstr ( r . out . result ) ) ;
return true ;
}
}
2012-09-24 02:59:10 +04:00
torture_fail ( tctx ,
" LookupNames4 return value should be "
" ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED " ) ;
2012-06-29 14:10:20 +04:00
return false ;
}
2004-12-31 10:26:26 +03:00
2010-03-11 14:00:34 +03:00
static bool test_LookupSids ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-09 03:58:40 +03:00
struct policy_handle * handle ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2003-11-09 03:58:40 +03:00
struct lsa_SidArray * sids )
{
struct lsa_LookupSids r ;
struct lsa_TransNameArray names ;
2008-10-24 04:01:16 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-05-25 20:24:13 +04:00
uint32_t count = sids - > num_sids ;
2003-11-09 03:58:40 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupSids \n " ) ;
2003-11-09 03:58:40 +03:00
names . count = 0 ;
names . names = NULL ;
r . in . handle = handle ;
r . in . sids = sids ;
r . in . names = & names ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2003-11-09 03:58:40 +03:00
r . in . count = & count ;
r . out . count = & count ;
r . out . names = & names ;
2008-10-24 04:01:16 +04:00
r . out . domains = & domains ;
2003-11-09 03:58:40 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupSids_r ( b , tctx , & r ) ,
" LookupSids failed " ) ;
2012-10-01 10:51:47 +04:00
if ( ! NT_STATUS_EQUAL ( r . out . result , STATUS_SOME_UNMAPPED ) ) {
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupSids failed " ) ;
2003-11-09 03:58:40 +03:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2003-11-09 03:58:40 +03:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames ( b , tctx , handle , level , & names ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2003-11-09 05:21:24 +03:00
}
2007-10-07 02:28:14 +04:00
return true ;
2003-11-09 03:58:40 +03:00
}
2004-11-26 09:33:38 +03:00
2010-03-11 14:00:34 +03:00
static bool test_LookupSids2 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-11-26 09:33:38 +03:00
struct policy_handle * handle ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2004-11-26 09:33:38 +03:00
struct lsa_SidArray * sids )
{
struct lsa_LookupSids2 r ;
struct lsa_TransNameArray2 names ;
2008-10-24 04:01:16 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-11-26 09:33:38 +03:00
uint32_t count = sids - > num_sids ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupSids2 \n " ) ;
2004-11-26 09:33:38 +03:00
names . count = 0 ;
names . names = NULL ;
r . in . handle = handle ;
r . in . sids = sids ;
r . in . names = & names ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2004-11-26 09:33:38 +03:00
r . in . count = & count ;
2009-09-11 15:55:44 +04:00
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
2004-11-26 09:33:38 +03:00
r . out . count = & count ;
r . out . names = & names ;
2008-10-24 04:01:16 +04:00
r . out . domains = & domains ;
2004-11-26 09:33:38 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupSids2_r ( b , tctx , & r ) ,
" LookupSids2 failed " ) ;
2010-09-02 12:41:45 +04:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) & &
! NT_STATUS_EQUAL ( r . out . result , STATUS_SOME_UNMAPPED ) ) {
2010-03-24 11:06:54 +03:00
torture_comment ( tctx , " LookupSids2 failed - %s \n " ,
nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-26 09:33:38 +03:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2004-11-26 09:33:38 +03:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames2 ( b , tctx , handle , level , & names , false ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-26 09:33:38 +03:00
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames3 ( b , tctx , handle , level , & names , false ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-12-31 10:53:42 +03:00
}
2007-10-07 02:28:14 +04:00
return true ;
2004-11-26 09:33:38 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupSids3 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2012-06-29 13:54:45 +04:00
struct lsa_SidArray * sids )
2004-12-31 10:26:26 +03:00
{
struct lsa_LookupSids3 r ;
struct lsa_TransNameArray2 names ;
2008-10-24 04:01:16 +04:00
struct lsa_RefDomainList * domains = NULL ;
2004-12-31 10:26:26 +03:00
uint32_t count = sids - > num_sids ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupSids3 \n " ) ;
2004-12-31 10:26:26 +03:00
names . count = 0 ;
names . names = NULL ;
r . in . sids = sids ;
r . in . names = & names ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2004-12-31 10:26:26 +03:00
r . in . count = & count ;
2009-09-11 15:55:44 +04:00
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
2008-10-24 04:01:16 +04:00
r . out . domains = & domains ;
2004-12-31 10:26:26 +03:00
r . out . count = & count ;
r . out . names = & names ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupSids3_r ( b , tctx , & r ) ,
" LookupSids3 failed " ) ;
2012-06-29 13:54:45 +04:00
2012-07-05 16:11:51 +04:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NONE_MAPPED ) ) {
torture_comment ( tctx ,
" LookupSids3 failed: %s - not considered as an error " ,
nt_errstr ( r . out . result ) ) ;
return true ;
}
torture_assert_ntstatus_ok ( tctx ,
r . out . result ,
" LookupSids3 failed " ) ;
return false ;
}
2012-06-29 13:54:45 +04:00
torture_comment ( tctx , " \n " ) ;
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames4 ( b , tctx , level , & names , true ) ) {
2012-07-05 16:11:51 +04:00
return false ;
}
2012-06-29 13:54:45 +04:00
return true ;
}
static bool test_LookupSids3_fail ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
enum lsa_LookupNamesLevel level ,
2012-06-29 13:54:45 +04:00
struct lsa_SidArray * sids )
{
struct lsa_LookupSids3 r ;
struct lsa_TransNameArray2 names ;
struct lsa_RefDomainList * domains = NULL ;
uint32_t count = sids - > num_sids ;
NTSTATUS status ;
torture_comment ( tctx , " \n Testing LookupSids3 \n " ) ;
names . count = 0 ;
names . names = NULL ;
r . in . sids = sids ;
r . in . names = & names ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2012-06-29 13:54:45 +04:00
r . in . count = & count ;
r . in . lookup_options = 0 ;
r . in . client_revision = 0 ;
r . out . domains = & domains ;
r . out . count = & count ;
r . out . names = & names ;
status = dcerpc_lsa_LookupSids3_r ( b , tctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
torture_comment ( tctx ,
" LookupSids3 correctly returned with "
" status: %s \n " ,
nt_errstr ( status ) ) ;
return true ;
}
torture_assert_ntstatus_equal ( tctx ,
status ,
NT_STATUS_ACCESS_DENIED ,
" LookupSids3 return value should "
" be ACCESS_DENIED " ) ;
return true ;
}
2012-09-24 02:59:10 +04:00
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
torture_comment ( tctx ,
" LookupNames4 correctly returned with "
" result: %s \n " ,
nt_errstr ( r . out . result ) ) ;
return true ;
2004-12-31 10:26:26 +03:00
}
2012-09-24 02:59:10 +04:00
torture_fail ( tctx ,
" LookupSids3 return value should be "
" ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED " ) ;
2004-12-31 10:26:26 +03:00
2012-06-29 13:54:45 +04:00
return false ;
2004-12-31 10:26:26 +03:00
}
2009-05-11 16:54:04 +04:00
bool test_many_LookupSids ( struct dcerpc_pipe * p ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
struct policy_handle * handle ,
enum lsa_LookupNamesLevel level )
2004-07-06 00:33:17 +04:00
{
uint32_t count ;
struct lsa_SidArray sids ;
int i ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport = dcerpc_binding_get_transport ( p - > binding ) ;
2004-07-06 00:33:17 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupSids with lots of SIDs \n " ) ;
2004-07-06 00:33:17 +04:00
2004-12-14 08:32:51 +03:00
sids . num_sids = 100 ;
2004-07-06 00:33:17 +04:00
2009-05-11 16:51:41 +04:00
sids . sids = talloc_array ( tctx , struct lsa_SidPtr , sids . num_sids ) ;
2004-07-06 00:33:17 +04:00
for ( i = 0 ; i < sids . num_sids ; i + + ) {
const char * sidstr = " S-1-5-32-545 " ;
2009-05-11 16:51:41 +04:00
sids . sids [ i ] . sid = dom_sid_parse_talloc ( tctx , sidstr ) ;
2004-07-06 00:33:17 +04:00
}
count = sids . num_sids ;
2005-10-25 16:14:08 +04:00
if ( handle ) {
struct lsa_LookupSids r ;
struct lsa_TransNameArray names ;
2008-10-24 04:01:16 +04:00
struct lsa_RefDomainList * domains = NULL ;
2005-10-25 16:14:08 +04:00
names . count = 0 ;
names . names = NULL ;
2004-07-06 00:33:17 +04:00
2005-10-25 16:14:08 +04:00
r . in . handle = handle ;
r . in . sids = & sids ;
r . in . names = & names ;
2019-08-01 21:08:52 +03:00
r . in . level = level ;
2005-10-25 16:14:08 +04:00
r . in . count = & names . count ;
r . out . count = & count ;
r . out . names = & names ;
2008-10-24 04:01:16 +04:00
r . out . domains = & domains ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupSids_r ( b , tctx , & r ) ,
" LookupSids failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " LookupSids failed - %s \n " ,
nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2009-05-11 16:54:04 +04:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames ( b , tctx , handle , level , & names ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2005-10-25 16:14:08 +04:00
}
2012-06-27 13:14:35 +04:00
}
2005-10-25 16:14:08 +04:00
2014-01-30 22:05:06 +04:00
if ( transport = = NCACN_NP ) {
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids3_fail ( b , tctx , level , & sids ) ) {
2012-06-27 13:14:35 +04:00
return false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames4_fail ( b , tctx , level ) ) {
2012-06-27 13:14:35 +04:00
return false ;
}
2014-01-30 22:05:06 +04:00
} else if ( transport = = NCACN_IP_TCP ) {
2012-06-27 13:14:35 +04:00
struct lsa_TransNameArray2 names ;
2014-01-22 14:19:15 +04:00
enum dcerpc_AuthType auth_type ;
enum dcerpc_AuthLevel auth_level ;
2012-06-27 13:14:35 +04:00
names . count = 0 ;
names . names = NULL ;
2014-01-22 14:19:15 +04:00
dcerpc_binding_handle_auth_info ( p - > binding_handle ,
& auth_type , & auth_level ) ;
if ( auth_type = = DCERPC_AUTH_TYPE_SCHANNEL & &
auth_level > = DCERPC_AUTH_LEVEL_INTEGRITY ) {
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids3 ( b , tctx , level , & sids ) ) {
2012-06-25 20:23:31 +04:00
return false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames4 ( b , tctx , level , & names , true ) ) {
2012-06-25 20:23:31 +04:00
return false ;
}
2012-06-27 13:14:35 +04:00
} else {
/*
* If we don ' t have a secure channel these tests must
* fail with ACCESS_DENIED .
*/
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids3_fail ( b , tctx , level , & sids ) ) {
2012-06-25 20:23:31 +04:00
return false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames4_fail ( b , tctx , level ) ) {
2012-06-25 20:23:31 +04:00
return false ;
}
2005-10-25 16:14:08 +04:00
}
2004-07-06 00:33:17 +04:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2004-07-06 00:33:17 +04:00
2005-10-25 16:14:08 +04:00
2004-07-06 00:33:17 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2004-07-06 00:33:17 +04:00
}
2010-03-09 17:46:55 +03:00
static void lookupsids_cb ( struct tevent_req * subreq )
2005-11-02 08:34:17 +03:00
{
2010-03-09 17:46:55 +03:00
int * replies = ( int * ) tevent_req_callback_data_void ( subreq ) ;
2005-11-02 08:34:17 +03:00
NTSTATUS status ;
2010-03-09 17:46:55 +03:00
status = dcerpc_lsa_LookupSids_r_recv ( subreq , subreq ) ;
TALLOC_FREE ( subreq ) ;
2005-11-02 08:34:17 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2006-09-12 04:40:45 +04:00
printf ( " lookupsids returned %s \n " , nt_errstr ( status ) ) ;
2005-11-02 08:34:17 +03:00
* replies = - 1 ;
}
2006-09-11 08:28:34 +04:00
if ( * replies > = 0 ) {
* replies + = 1 ;
}
2005-11-02 08:34:17 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupSids_async ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2019-08-01 21:08:52 +03:00
struct policy_handle * handle ,
enum lsa_LookupNamesLevel level )
2005-11-02 08:34:17 +03:00
{
struct lsa_SidArray sids ;
struct lsa_SidPtr sidptr ;
2006-09-11 06:58:45 +04:00
uint32_t * count ;
struct lsa_TransNameArray * names ;
struct lsa_LookupSids * r ;
2008-10-24 04:01:16 +04:00
struct lsa_RefDomainList * domains = NULL ;
2010-03-09 17:46:55 +03:00
struct tevent_req * * req ;
2005-11-02 08:34:17 +03:00
int i , replies ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2006-09-11 06:58:45 +04:00
const int num_async_requests = 50 ;
2009-05-11 16:51:41 +04:00
count = talloc_array ( tctx , uint32_t , num_async_requests ) ;
names = talloc_array ( tctx , struct lsa_TransNameArray , num_async_requests ) ;
r = talloc_array ( tctx , struct lsa_LookupSids , num_async_requests ) ;
2005-11-02 08:34:17 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing %d async lookupsids request \n " , num_async_requests ) ;
2005-11-02 08:34:17 +03:00
2010-03-09 17:46:55 +03:00
req = talloc_array ( tctx , struct tevent_req * , num_async_requests ) ;
2005-11-02 08:34:17 +03:00
sids . num_sids = 1 ;
sids . sids = & sidptr ;
2009-05-11 16:51:41 +04:00
sidptr . sid = dom_sid_parse_talloc ( tctx , " S-1-5-32-545 " ) ;
2005-11-02 08:34:17 +03:00
replies = 0 ;
2006-09-11 06:58:45 +04:00
for ( i = 0 ; i < num_async_requests ; i + + ) {
2005-11-02 08:34:17 +03:00
count [ i ] = 0 ;
names [ i ] . count = 0 ;
names [ i ] . names = NULL ;
r [ i ] . in . handle = handle ;
r [ i ] . in . sids = & sids ;
r [ i ] . in . names = & names [ i ] ;
2019-08-01 21:08:52 +03:00
r [ i ] . in . level = level ;
2005-11-02 08:34:17 +03:00
r [ i ] . in . count = & names [ i ] . count ;
r [ i ] . out . count = & count [ i ] ;
r [ i ] . out . names = & names [ i ] ;
2008-10-24 04:01:16 +04:00
r [ i ] . out . domains = & domains ;
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
req [ i ] = dcerpc_lsa_LookupSids_r_send ( tctx , tctx - > ev , b , & r [ i ] ) ;
2005-11-02 08:34:17 +03:00
if ( req [ i ] = = NULL ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-11-02 08:34:17 +03:00
break ;
}
2010-03-09 17:46:55 +03:00
tevent_req_set_callback ( req [ i ] , lookupsids_cb , & replies ) ;
2005-11-02 08:34:17 +03:00
}
2006-09-11 08:28:34 +04:00
while ( replies > = 0 & & replies < num_async_requests ) {
2010-05-25 23:23:55 +04:00
tevent_loop_once ( tctx - > ev ) ;
2005-11-02 08:34:17 +03:00
}
talloc_free ( req ) ;
2006-09-11 08:28:34 +04:00
if ( replies < 0 ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2006-09-11 08:28:34 +04:00
}
2005-11-02 08:34:17 +03:00
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_LookupPrivValue ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-12-14 08:32:51 +03:00
struct policy_handle * handle ,
struct lsa_String * name )
{
struct lsa_LookupPrivValue r ;
2004-12-21 12:33:12 +03:00
struct lsa_LUID luid ;
2004-12-14 08:32:51 +03:00
r . in . handle = handle ;
r . in . name = name ;
2004-12-21 12:33:12 +03:00
r . out . luid = & luid ;
2004-12-14 08:32:51 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupPrivValue_r ( b , tctx , & r ) ,
" LookupPrivValue failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LookupPrivValue failed " ) ;
2004-12-14 08:32:51 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2004-12-14 08:32:51 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupPrivName ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-10 15:42:45 +03:00
struct policy_handle * handle ,
struct lsa_LUID * luid )
{
struct lsa_LookupPrivName r ;
2008-10-21 04:24:07 +04:00
struct lsa_StringLarge * name = NULL ;
2003-11-10 15:42:45 +03:00
r . in . handle = handle ;
2003-11-14 10:56:43 +03:00
r . in . luid = luid ;
2008-10-21 04:24:07 +04:00
r . out . name = & name ;
2003-11-10 15:42:45 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupPrivName_r ( b , tctx , & r ) ,
" LookupPrivName failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result , " LookupPrivName failed " ) ;
2003-11-10 15:42:45 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-10 15:42:45 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_RemovePrivilegesFromAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2008-08-26 06:18:26 +04:00
struct policy_handle * handle ,
2004-12-19 10:20:55 +03:00
struct policy_handle * acct_handle ,
struct lsa_LUID * luid )
{
struct lsa_RemovePrivilegesFromAccount r ;
struct lsa_PrivilegeSet privs ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-12-19 10:20:55 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing RemovePrivilegesFromAccount \n " ) ;
2004-12-19 10:20:55 +03:00
r . in . handle = acct_handle ;
r . in . remove_all = 0 ;
r . in . privs = & privs ;
privs . count = 1 ;
privs . unknown = 0 ;
2009-05-11 16:51:41 +04:00
privs . set = talloc_array ( tctx , struct lsa_LUIDAttribute , 1 ) ;
2004-12-19 10:20:55 +03:00
privs . set [ 0 ] . luid = * luid ;
privs . set [ 0 ] . attribute = 0 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_RemovePrivilegesFromAccount_r ( b , tctx , & r ) ,
" RemovePrivilegesFromAccount failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
2009-05-11 16:54:04 +04:00
2008-08-26 06:18:26 +04:00
struct lsa_LookupPrivName r_name ;
2008-10-21 04:24:07 +04:00
struct lsa_StringLarge * name = NULL ;
2009-05-11 16:54:04 +04:00
2008-08-26 06:18:26 +04:00
r_name . in . handle = handle ;
r_name . in . luid = luid ;
2008-10-21 04:24:07 +04:00
r_name . out . name = & name ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupPrivName_r ( b , tctx , & r_name ) ,
" LookupPrivName failed " ) ;
if ( ! NT_STATUS_IS_OK ( r_name . out . result ) ) {
torture_comment ( tctx , " \n LookupPrivName failed - %s \n " ,
nt_errstr ( r_name . out . result ) ) ;
2008-08-26 06:18:26 +04:00
return false ;
}
/* Windows 2008 does not allow this to be removed */
2008-10-21 04:24:07 +04:00
if ( strcmp ( " SeAuditPrivilege " , name - > string ) = = 0 ) {
2008-08-26 06:18:26 +04:00
return ret ;
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " RemovePrivilegesFromAccount failed to remove %s - %s \n " ,
2008-10-21 04:24:07 +04:00
name - > string ,
2010-03-24 11:06:54 +03:00
nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-12-19 10:20:55 +03:00
}
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_AddPrivilegesToAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-12-19 10:20:55 +03:00
struct policy_handle * acct_handle ,
struct lsa_LUID * luid )
{
struct lsa_AddPrivilegesToAccount r ;
struct lsa_PrivilegeSet privs ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-12-19 10:20:55 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing AddPrivilegesToAccount \n " ) ;
2004-12-19 10:20:55 +03:00
r . in . handle = acct_handle ;
r . in . privs = & privs ;
privs . count = 1 ;
privs . unknown = 0 ;
2009-05-11 16:51:41 +04:00
privs . set = talloc_array ( tctx , struct lsa_LUIDAttribute , 1 ) ;
2004-12-19 10:20:55 +03:00
privs . set [ 0 ] . luid = * luid ;
privs . set [ 0 ] . attribute = 0 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_AddPrivilegesToAccount_r ( b , tctx , & r ) ,
" AddPrivilegesToAccount failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" AddPrivilegesToAccount failed " ) ;
2004-12-19 10:20:55 +03:00
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_EnumPrivsAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-10 15:42:45 +03:00
struct policy_handle * handle ,
2003-11-10 14:37:19 +03:00
struct policy_handle * acct_handle )
{
struct lsa_EnumPrivsAccount r ;
2008-10-21 04:11:54 +04:00
struct lsa_PrivilegeSet * privs = NULL ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2003-11-10 14:37:19 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumPrivsAccount \n " ) ;
2003-11-10 14:37:19 +03:00
r . in . handle = acct_handle ;
2008-10-21 04:11:54 +04:00
r . out . privs = & privs ;
2003-11-10 14:37:19 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumPrivsAccount_r ( b , tctx , & r ) ,
" EnumPrivsAccount failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" EnumPrivsAccount failed " ) ;
2003-11-10 14:37:19 +03:00
2008-10-21 04:11:54 +04:00
if ( privs & & privs - > count > 0 ) {
2003-11-10 14:37:19 +03:00
int i ;
2008-10-21 04:11:54 +04:00
for ( i = 0 ; i < privs - > count ; i + + ) {
2010-03-11 14:00:34 +03:00
test_LookupPrivName ( b , tctx , handle ,
2008-10-21 04:11:54 +04:00
& privs - > set [ i ] . luid ) ;
2003-11-10 14:37:19 +03:00
}
2004-12-19 10:20:55 +03:00
2010-03-11 14:00:34 +03:00
ret & = test_RemovePrivilegesFromAccount ( b , tctx , handle , acct_handle ,
2008-10-21 04:11:54 +04:00
& privs - > set [ 0 ] . luid ) ;
2010-03-11 14:00:34 +03:00
ret & = test_AddPrivilegesToAccount ( b , tctx , acct_handle ,
2008-10-21 04:11:54 +04:00
& privs - > set [ 0 ] . luid ) ;
2003-11-10 14:37:19 +03:00
}
2004-12-19 10:20:55 +03:00
return ret ;
2003-11-10 14:37:19 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_GetSystemAccessAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2008-10-20 08:50:07 +04:00
struct policy_handle * handle ,
struct policy_handle * acct_handle )
{
uint32_t access_mask ;
struct lsa_GetSystemAccessAccount r ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing GetSystemAccessAccount \n " ) ;
2008-10-20 08:50:07 +04:00
r . in . handle = acct_handle ;
r . out . access_mask = & access_mask ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_GetSystemAccessAccount_r ( b , tctx , & r ) ,
" GetSystemAccessAccount failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" GetSystemAccessAccount failed " ) ;
2008-10-20 08:50:07 +04:00
if ( r . out . access_mask ! = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Rights: " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_INTERACTIVE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_INTERACTIVE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_NETWORK )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_NETWORK " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_BATCH )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_BATCH " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_SERVICE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_SERVICE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_PROXY )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_PROXY " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_DENY_INTERACTIVE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_DENY_INTERACTIVE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_DENY_NETWORK )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_DENY_NETWORK " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_DENY_BATCH )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_DENY_BATCH " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_DENY_SERVICE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_DENY_SERVICE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_REMOTE_INTERACTIVE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_REMOTE_INTERACTIVE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_ALL )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_ALL " ) ;
2008-10-20 08:50:07 +04:00
if ( * ( r . out . access_mask ) & LSA_POLICY_MODE_ALL_NT4 )
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " LSA_POLICY_MODE_ALL_NT4 " ) ;
torture_comment ( tctx , " \n " ) ;
2008-10-20 08:50:07 +04:00
}
return true ;
}
2010-03-11 14:00:34 +03:00
static bool test_Delete ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
struct policy_handle * handle )
2004-03-31 16:52:21 +04:00
{
struct lsa_Delete r ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing Delete \n " ) ;
2004-03-31 16:52:21 +04:00
r . in . handle = handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_Delete_r ( b , tctx , & r ) ,
" Delete failed " ) ;
2012-10-01 10:51:47 +04:00
torture_assert_ntstatus_equal ( tctx , r . out . result , NT_STATUS_NOT_SUPPORTED ,
" Delete should have failed NT_STATUS_NOT_SUPPORTED " ) ;
2008-08-26 03:49:54 +04:00
return true ;
}
2010-03-11 14:00:34 +03:00
static bool test_DeleteObject ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2008-08-26 03:49:54 +04:00
struct policy_handle * handle )
{
struct lsa_DeleteObject r ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing DeleteObject \n " ) ;
2008-08-26 03:49:54 +04:00
r . in . handle = handle ;
r . out . handle = handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_DeleteObject_r ( b , tctx , & r ) ,
" DeleteObject failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" DeleteObject failed " ) ;
2004-03-31 16:52:21 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2004-03-31 16:52:21 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_CreateAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-03-31 16:52:21 +04:00
struct policy_handle * handle )
{
struct lsa_CreateAccount r ;
2004-04-07 11:20:53 +04:00
struct dom_sid2 * newsid ;
2004-03-31 16:52:21 +04:00
struct policy_handle acct_handle ;
2009-05-11 16:51:41 +04:00
newsid = dom_sid_parse_talloc ( tctx , " S-1-5-12349876-4321-2854 " ) ;
2004-03-31 16:52:21 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing CreateAccount \n " ) ;
2004-03-31 16:52:21 +04:00
r . in . handle = handle ;
r . in . sid = newsid ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-03-31 16:52:21 +04:00
r . out . acct_handle = & acct_handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CreateAccount_r ( b , tctx , & r ) ,
" CreateAccount failed " ) ;
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_OBJECT_NAME_COLLISION ) ) {
2008-08-26 03:49:54 +04:00
struct lsa_OpenAccount r_o ;
r_o . in . handle = handle ;
r_o . in . sid = newsid ;
r_o . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r_o . out . acct_handle = & acct_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenAccount_r ( b , tctx , & r_o ) ,
" OpenAccount failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r_o . out . result ,
" OpenAccount failed " ) ;
} else {
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" CreateAccount failed " ) ;
2004-03-31 16:52:21 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_Delete ( b , tctx , & acct_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-03-31 16:52:21 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_DeleteObject ( b , tctx , & acct_handle ) ) {
2008-08-26 03:49:54 +04:00
return false ;
}
2007-10-07 02:28:14 +04:00
return true ;
2004-03-31 16:52:21 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_DeleteTrustedDomain ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2005-01-07 06:11:18 +03:00
struct policy_handle * handle ,
2005-12-31 08:33:50 +03:00
struct lsa_StringLarge name )
2005-01-07 06:11:18 +03:00
{
struct lsa_OpenTrustedDomainByName r ;
struct policy_handle trustdom_handle ;
r . in . handle = handle ;
2005-12-31 08:33:50 +03:00
r . in . name . string = name . string ;
2005-01-07 06:11:18 +03:00
r . in . access_mask = SEC_STD_DELETE ;
r . out . trustdom_handle = & trustdom_handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenTrustedDomainByName_r ( b , tctx , & r ) ,
" OpenTrustedDomainByName failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" OpenTrustedDomainByName failed " ) ;
2005-01-07 06:11:18 +03:00
2010-03-11 14:00:34 +03:00
if ( ! test_Delete ( b , tctx , & trustdom_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2005-01-07 06:11:18 +03:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_DeleteObject ( b , tctx , & trustdom_handle ) ) {
2008-08-26 03:49:54 +04:00
return false ;
}
2007-10-07 02:28:14 +04:00
return true ;
2005-01-07 06:11:18 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_DeleteTrustedDomainBySid ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2006-08-31 12:22:13 +04:00
struct policy_handle * handle ,
struct dom_sid * sid )
{
struct lsa_DeleteTrustedDomain r ;
r . in . handle = handle ;
r . in . dom_sid = sid ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_DeleteTrustedDomain_r ( b , tctx , & r ) ,
" DeleteTrustedDomain failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" DeleteTrustedDomain failed " ) ;
2006-08-31 12:22:13 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2006-08-31 12:22:13 +04:00
}
2004-04-03 20:44:39 +04:00
2009-05-11 16:54:04 +04:00
static bool test_CreateSecret ( struct dcerpc_pipe * p ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2004-04-03 21:15:32 +04:00
struct policy_handle * handle )
{
struct lsa_CreateSecret r ;
2004-04-03 21:21:26 +04:00
struct lsa_OpenSecret r2 ;
2004-04-07 11:20:53 +04:00
struct lsa_SetSecret r3 ;
struct lsa_QuerySecret r4 ;
2005-01-11 06:49:29 +03:00
struct lsa_SetSecret r5 ;
struct lsa_QuerySecret r6 ;
2005-01-11 09:04:44 +03:00
struct lsa_SetSecret r7 ;
struct lsa_QuerySecret r8 ;
2005-01-11 17:04:58 +03:00
struct policy_handle sec_handle , sec_handle2 , sec_handle3 ;
2008-08-26 03:49:54 +04:00
struct lsa_DeleteObject d_o ;
2004-04-07 11:20:53 +04:00
struct lsa_DATA_BUF buf1 ;
struct lsa_DATA_BUF_PTR bufp1 ;
2005-01-11 08:16:43 +03:00
struct lsa_DATA_BUF_PTR bufp2 ;
2004-04-07 11:20:53 +04:00
DATA_BLOB enc_key ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-05-09 17:07:23 +04:00
DATA_BLOB session_key ;
2004-04-07 11:20:53 +04:00
NTTIME old_mtime , new_mtime ;
2012-06-25 19:55:02 +04:00
DATA_BLOB blob1 ;
2004-04-07 11:20:53 +04:00
const char * secret1 = " abcdef12345699qwerty " ;
char * secret2 ;
2005-01-11 06:49:29 +03:00
const char * secret3 = " ABCDEF12345699QWERTY " ;
char * secret4 ;
2005-01-11 09:04:44 +03:00
const char * secret5 = " NEW-SAMBA4-SECRET " ;
char * secret6 ;
2005-01-08 05:00:28 +03:00
char * secname [ 2 ] ;
int i ;
2005-01-11 09:04:44 +03:00
const int LOCAL = 0 ;
const int GLOBAL = 1 ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2004-04-07 11:20:53 +04:00
2010-01-05 20:42:54 +03:00
secname [ LOCAL ] = talloc_asprintf ( tctx , " torturesecret-%u " , ( unsigned int ) random ( ) ) ;
secname [ GLOBAL ] = talloc_asprintf ( tctx , " G$torturesecret-%u " , ( unsigned int ) random ( ) ) ;
2005-01-08 05:00:28 +03:00
for ( i = 0 ; i < 2 ; i + + ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing CreateSecret of %s \n " , secname [ i ] ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
init_lsa_String ( & r . in . name , secname [ i ] ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
r . in . handle = handle ;
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . sec_handle = & sec_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CreateSecret_r ( b , tctx , & r ) ,
" CreateSecret failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" CreateSecret failed " ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
r . in . handle = handle ;
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . sec_handle = & sec_handle3 ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CreateSecret_r ( b , tctx , & r ) ,
" CreateSecret failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_equal ( tctx , r . out . result , NT_STATUS_OBJECT_NAME_COLLISION ,
" CreateSecret should have failed OBJECT_NAME_COLLISION " ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
r2 . in . handle = handle ;
r2 . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r2 . in . name = r . in . name ;
r2 . out . sec_handle = & sec_handle2 ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing OpenSecret \n " ) ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenSecret_r ( b , tctx , & r2 ) ,
" OpenSecret failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r2 . out . result ,
" OpenSecret failed " ) ;
2009-05-11 16:54:04 +04:00
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , dcerpc_fetch_session_key ( p , & session_key ) ,
" dcerpc_fetch_session_key failed " ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
enc_key = sess_encrypt_string ( secret1 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
r3 . in . sec_handle = & sec_handle ;
2005-01-08 05:00:28 +03:00
r3 . in . new_val = & buf1 ;
r3 . in . old_val = NULL ;
r3 . in . new_val - > data = enc_key . data ;
r3 . in . new_val - > length = enc_key . length ;
r3 . in . new_val - > size = enc_key . length ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing SetSecret \n " ) ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_SetSecret_r ( b , tctx , & r3 ) ,
" SetSecret failed " ) ;
2012-09-24 02:59:10 +04:00
torture_assert_ntstatus_ok ( tctx , r3 . out . result ,
" SetSecret failed " ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
r3 . in . sec_handle = & sec_handle ;
r3 . in . new_val = & buf1 ;
r3 . in . old_val = NULL ;
r3 . in . new_val - > data = enc_key . data ;
r3 . in . new_val - > length = enc_key . length ;
r3 . in . new_val - > size = enc_key . length ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
/* break the encrypted data */
enc_key . data [ 0 ] + + ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing SetSecret with broken key \n " ) ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_SetSecret_r ( b , tctx , & r3 ) ,
2012-09-24 02:59:10 +04:00
" SetSecret failed " ) ;
torture_assert_ntstatus_equal ( tctx , r3 . out . result , NT_STATUS_UNKNOWN_REVISION ,
" SetSecret should have failed UNKNOWN_REVISION " ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
data_blob_free ( & enc_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
ZERO_STRUCT ( new_mtime ) ;
ZERO_STRUCT ( old_mtime ) ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
/* fetch the secret back again */
2005-01-11 17:04:58 +03:00
r4 . in . sec_handle = & sec_handle ;
2005-01-08 05:00:28 +03:00
r4 . in . new_val = & bufp1 ;
r4 . in . new_mtime = & new_mtime ;
r4 . in . old_val = NULL ;
r4 . in . old_mtime = NULL ;
2009-05-11 16:54:04 +04:00
2005-01-08 05:00:28 +03:00
bufp1 . buf = NULL ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing QuerySecret \n " ) ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QuerySecret_r ( b , tctx , & r4 ) ,
" QuerySecret failed " ) ;
if ( ! NT_STATUS_IS_OK ( r4 . out . result ) ) {
torture_comment ( tctx , " QuerySecret failed - %s \n " , nt_errstr ( r4 . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-08 05:00:28 +03:00
} else {
2005-01-11 17:04:58 +03:00
if ( r4 . out . new_val = = NULL | | r4 . out . new_val - > buf = = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " No secret buffer returned \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
} else {
blob1 . data = r4 . out . new_val - > buf - > data ;
2005-01-11 17:04:58 +03:00
blob1 . length = r4 . out . new_val - > buf - > size ;
2009-05-11 16:54:04 +04:00
2009-05-11 16:51:41 +04:00
secret2 = sess_decrypt_string ( tctx ,
2006-09-28 10:44:47 +04:00
& blob1 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 08:16:43 +03:00
if ( strcmp ( secret1 , secret2 ) ! = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned secret (r4) '%s' doesn't match '%s' \n " ,
2005-01-11 09:04:44 +03:00
secret2 , secret1 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2005-01-08 05:00:28 +03:00
}
}
2009-05-11 16:54:04 +04:00
2005-01-11 06:49:29 +03:00
enc_key = sess_encrypt_string ( secret3 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
r5 . in . sec_handle = & sec_handle ;
2005-01-11 06:49:29 +03:00
r5 . in . new_val = & buf1 ;
r5 . in . old_val = NULL ;
r5 . in . new_val - > data = enc_key . data ;
r5 . in . new_val - > length = enc_key . length ;
r5 . in . new_val - > size = enc_key . length ;
2008-08-26 04:56:16 +04:00
2010-09-16 23:36:37 +04:00
smb_msleep ( 200 ) ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing SetSecret (existing value should move to old) \n " ) ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_SetSecret_r ( b , tctx , & r5 ) ,
" SetSecret failed " ) ;
if ( ! NT_STATUS_IS_OK ( r5 . out . result ) ) {
torture_comment ( tctx , " SetSecret failed - %s \n " , nt_errstr ( r5 . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 06:49:29 +03:00
}
2009-05-11 16:54:04 +04:00
2005-01-11 06:49:29 +03:00
data_blob_free ( & enc_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 06:49:29 +03:00
ZERO_STRUCT ( new_mtime ) ;
ZERO_STRUCT ( old_mtime ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 06:49:29 +03:00
/* fetch the secret back again */
2005-01-11 17:04:58 +03:00
r6 . in . sec_handle = & sec_handle ;
2005-01-11 06:49:29 +03:00
r6 . in . new_val = & bufp1 ;
r6 . in . new_mtime = & new_mtime ;
2005-01-11 08:16:43 +03:00
r6 . in . old_val = & bufp2 ;
r6 . in . old_mtime = & old_mtime ;
2009-05-11 16:54:04 +04:00
2005-01-11 06:49:29 +03:00
bufp1 . buf = NULL ;
2005-01-11 08:16:43 +03:00
bufp2 . buf = NULL ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QuerySecret_r ( b , tctx , & r6 ) ,
" QuerySecret failed " ) ;
if ( ! NT_STATUS_IS_OK ( r6 . out . result ) ) {
torture_comment ( tctx , " QuerySecret failed - %s \n " , nt_errstr ( r6 . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-31 05:58:29 +03:00
secret4 = NULL ;
2005-01-11 06:49:29 +03:00
} else {
2005-01-11 08:16:43 +03:00
2009-05-11 16:54:04 +04:00
if ( r6 . out . new_val - > buf = = NULL | | r6 . out . old_val - > buf = = NULL
2005-01-11 08:16:43 +03:00
| | r6 . out . new_mtime = = NULL | | r6 . out . old_mtime = = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Both secret buffers and both times not returned \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-31 05:58:29 +03:00
secret4 = NULL ;
2005-01-11 08:16:43 +03:00
} else {
blob1 . data = r6 . out . new_val - > buf - > data ;
2005-01-11 17:04:58 +03:00
blob1 . length = r6 . out . new_val - > buf - > size ;
2009-05-11 16:54:04 +04:00
2009-05-11 16:51:41 +04:00
secret4 = sess_decrypt_string ( tctx ,
2006-09-28 10:44:47 +04:00
& blob1 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 08:16:43 +03:00
if ( strcmp ( secret3 , secret4 ) ! = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned NEW secret %s doesn't match %s \n " , secret4 , secret3 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2005-01-11 09:04:44 +03:00
blob1 . data = r6 . out . old_val - > buf - > data ;
blob1 . length = r6 . out . old_val - > buf - > length ;
2009-05-11 16:54:04 +04:00
2009-05-11 16:51:41 +04:00
secret2 = sess_decrypt_string ( tctx ,
2006-09-28 10:44:47 +04:00
& blob1 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 09:04:44 +03:00
if ( strcmp ( secret1 , secret2 ) ! = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned OLD secret %s doesn't match %s \n " , secret2 , secret1 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2009-05-11 16:54:04 +04:00
2005-01-11 08:16:43 +03:00
if ( * r6 . out . new_mtime = = * r6 . out . old_mtime ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s \n " ,
2008-08-26 04:56:16 +04:00
i ,
2005-01-11 08:16:43 +03:00
secname [ i ] ,
2009-05-11 16:51:41 +04:00
nt_time_string ( tctx , * r6 . out . old_mtime ) ,
nt_time_string ( tctx , * r6 . out . new_mtime ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2005-01-11 06:49:29 +03:00
}
}
2005-01-11 08:16:43 +03:00
2005-01-11 09:04:44 +03:00
enc_key = sess_encrypt_string ( secret5 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 17:04:58 +03:00
r7 . in . sec_handle = & sec_handle ;
2005-01-11 09:04:44 +03:00
r7 . in . old_val = & buf1 ;
r7 . in . old_val - > data = enc_key . data ;
r7 . in . old_val - > length = enc_key . length ;
r7 . in . old_val - > size = enc_key . length ;
r7 . in . new_val = NULL ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing SetSecret of old Secret only \n " ) ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_SetSecret_r ( b , tctx , & r7 ) ,
" SetSecret failed " ) ;
if ( ! NT_STATUS_IS_OK ( r7 . out . result ) ) {
torture_comment ( tctx , " SetSecret failed - %s \n " , nt_errstr ( r7 . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
}
2009-05-11 16:54:04 +04:00
2005-01-11 09:04:44 +03:00
data_blob_free ( & enc_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 09:04:44 +03:00
/* fetch the secret back again */
2005-01-11 17:04:58 +03:00
r8 . in . sec_handle = & sec_handle ;
2005-01-11 09:04:44 +03:00
r8 . in . new_val = & bufp1 ;
r8 . in . new_mtime = & new_mtime ;
r8 . in . old_val = & bufp2 ;
r8 . in . old_mtime = & old_mtime ;
2009-05-11 16:54:04 +04:00
2005-01-11 09:04:44 +03:00
bufp1 . buf = NULL ;
bufp2 . buf = NULL ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QuerySecret_r ( b , tctx , & r8 ) ,
" QuerySecret failed " ) ;
if ( ! NT_STATUS_IS_OK ( r8 . out . result ) ) {
torture_comment ( tctx , " QuerySecret failed - %s \n " , nt_errstr ( r8 . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
} else {
2005-01-12 01:16:14 +03:00
if ( ! r8 . out . new_val | | ! r8 . out . old_val ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " in/out pointers not returned, despite being set on in for QuerySecret \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2008-08-26 03:49:54 +04:00
} else if ( r8 . out . new_val - > buf ! = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " NEW secret buffer must not be returned after OLD set \n " ) ;
2008-08-26 03:49:54 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
} else if ( r8 . out . old_val - > buf = = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " OLD secret buffer was not returned after OLD set \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
} else if ( r8 . out . new_mtime = = NULL | | r8 . out . old_mtime = = NULL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Both times not returned after OLD set \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
} else {
blob1 . data = r8 . out . old_val - > buf - > data ;
2005-01-11 17:04:58 +03:00
blob1 . length = r8 . out . old_val - > buf - > size ;
2009-05-11 16:54:04 +04:00
2009-05-11 16:51:41 +04:00
secret6 = sess_decrypt_string ( tctx ,
2006-09-28 10:44:47 +04:00
& blob1 , & session_key ) ;
2009-05-11 16:54:04 +04:00
2005-01-11 09:04:44 +03:00
if ( strcmp ( secret5 , secret6 ) ! = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned OLD secret %s doesn't match %s \n " , secret5 , secret6 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
}
2009-05-11 16:54:04 +04:00
2008-08-26 03:49:54 +04:00
if ( * r8 . out . new_mtime ! = * r8 . out . old_mtime ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned secret (r8) %s did not had same mtime for both secrets: %s != %s \n " ,
2005-01-11 09:04:44 +03:00
secname [ i ] ,
2009-05-11 16:51:41 +04:00
nt_time_string ( tctx , * r8 . out . old_mtime ) ,
nt_time_string ( tctx , * r8 . out . new_mtime ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 09:04:44 +03:00
}
}
}
2010-03-11 14:00:34 +03:00
if ( ! test_Delete ( b , tctx , & sec_handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-08 05:00:28 +03:00
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_DeleteObject ( b , tctx , & sec_handle ) ) {
2008-08-26 03:49:54 +04:00
return false ;
}
d_o . in . handle = & sec_handle2 ;
d_o . out . handle = & sec_handle2 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_DeleteObject_r ( b , tctx , & d_o ) ,
" DeleteObject failed " ) ;
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_equal ( tctx , d_o . out . result , NT_STATUS_INVALID_HANDLE ,
" OpenSecret expected INVALID_HANDLE " ) ;
2009-05-11 16:54:04 +04:00
2012-09-24 03:20:59 +04:00
torture_comment ( tctx , " Testing OpenSecret of just-deleted secret \n " ) ;
2009-05-11 16:54:04 +04:00
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenSecret_r ( b , tctx , & r2 ) ,
" OpenSecret failed " ) ;
torture_assert_ntstatus_equal ( tctx , r2 . out . result , NT_STATUS_OBJECT_NAME_NOT_FOUND ,
" OpenSecret expected OBJECT_NAME_NOT_FOUND " ) ;
2004-04-03 21:21:26 +04:00
}
2004-04-07 11:20:53 +04:00
return ret ;
2004-04-03 21:15:32 +04:00
}
2004-09-03 12:28:24 +04:00
2010-03-11 14:00:34 +03:00
static bool test_EnumAccountRights ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-10 15:12:22 +03:00
struct policy_handle * acct_handle ,
struct dom_sid * sid )
{
struct lsa_EnumAccountRights r ;
struct lsa_RightSet rights ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumAccountRights \n " ) ;
2003-11-10 15:12:22 +03:00
r . in . handle = acct_handle ;
r . in . sid = sid ;
r . out . rights = & rights ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumAccountRights_r ( b , tctx , & r ) ,
" EnumAccountRights failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumAccountRights of %s failed - %s \n " ,
2010-03-24 11:06:54 +03:00
dom_sid_string ( tctx , sid ) , nt_errstr ( r . out . result ) ) ;
2003-11-10 15:12:22 +03:00
}
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" EnumAccountRights failed " ) ;
2003-11-10 15:12:22 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-10 15:12:22 +03:00
}
2003-11-15 07:42:48 +03:00
2010-03-11 14:00:34 +03:00
static bool test_QuerySecurity ( struct dcerpc_binding_handle * b ,
2009-05-11 16:54:04 +04:00
struct torture_context * tctx ,
2003-11-15 09:00:21 +03:00
struct policy_handle * handle ,
struct policy_handle * acct_handle )
2003-11-15 07:42:48 +03:00
{
2004-11-22 11:47:47 +03:00
struct lsa_QuerySecurity r ;
2008-10-21 00:39:06 +04:00
struct sec_desc_buf * sdbuf = NULL ;
2003-11-15 07:42:48 +03:00
2007-12-03 17:53:17 +03:00
if ( torture_setting_bool ( tctx , " samba4 " , false ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n skipping QuerySecurity test against Samba4 \n " ) ;
2007-10-07 02:28:14 +04:00
return true ;
2006-07-06 09:23:29 +04:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing QuerySecurity \n " ) ;
2003-11-15 07:42:48 +03:00
r . in . handle = acct_handle ;
2009-07-16 20:38:25 +04:00
r . in . sec_info = SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
2008-10-21 00:39:06 +04:00
r . out . sdbuf = & sdbuf ;
2003-11-15 07:42:48 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QuerySecurity_r ( b , tctx , & r ) ,
" QuerySecurity failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " QuerySecurity failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2003-11-15 07:42:48 +03:00
}
2007-10-07 02:28:14 +04:00
return true ;
2003-11-15 07:42:48 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_OpenAccount ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-09 14:01:39 +03:00
struct policy_handle * handle ,
struct dom_sid * sid )
{
struct lsa_OpenAccount r ;
struct policy_handle acct_handle ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing OpenAccount \n " ) ;
2003-11-09 14:01:39 +03:00
r . in . handle = handle ;
r . in . sid = sid ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2003-11-09 14:01:39 +03:00
r . out . acct_handle = & acct_handle ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenAccount_r ( b , tctx , & r ) ,
" OpenAccount failed " ) ;
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" OpenAccount failed " ) ;
2003-11-09 14:01:39 +03:00
2010-03-11 14:00:34 +03:00
if ( ! test_EnumPrivsAccount ( b , tctx , handle , & acct_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2003-11-10 14:37:19 +03:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_GetSystemAccessAccount ( b , tctx , handle , & acct_handle ) ) {
2008-10-20 08:50:07 +04:00
return false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_QuerySecurity ( b , tctx , handle , & acct_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2003-11-15 07:42:48 +03:00
}
2007-10-07 02:28:14 +04:00
return true ;
2003-11-09 14:01:39 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_EnumAccounts ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
struct policy_handle * handle )
2003-11-04 14:16:07 +03:00
{
2003-11-09 11:30:29 +03:00
struct lsa_EnumAccounts r ;
2003-11-08 14:21:57 +03:00
struct lsa_SidArray sids1 , sids2 ;
2004-05-25 20:24:13 +04:00
uint32_t resume_handle = 0 ;
2003-11-04 14:16:07 +03:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2003-11-04 14:16:07 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumAccounts \n " ) ;
2003-11-04 14:16:07 +03:00
2003-11-09 07:40:50 +03:00
r . in . handle = handle ;
r . in . resume_handle = & resume_handle ;
r . in . num_entries = 100 ;
r . out . resume_handle = & resume_handle ;
r . out . sids = & sids1 ;
2003-11-08 14:21:57 +03:00
resume_handle = 0 ;
2007-10-07 02:28:14 +04:00
while ( true ) {
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumAccounts_r ( b , tctx , & r ) ,
" EnumAccounts failed " ) ;
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) {
2004-12-19 08:53:13 +03:00
break ;
}
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" EnumAccounts failed " ) ;
2003-11-04 14:16:07 +03:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & sids1 ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-12-19 08:53:13 +03:00
}
2003-11-09 14:01:39 +03:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids2 ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & sids1 ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-12-19 08:53:13 +03:00
}
2004-11-26 09:33:38 +03:00
2008-08-26 03:49:54 +04:00
/* Can't test lookupSids3 here, as clearly we must not
* be on schannel , or we would not be able to do the
* rest */
2004-12-31 10:26:26 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Testing all accounts \n " ) ;
2004-12-19 08:53:13 +03:00
for ( i = 0 ; i < sids1 . num_sids ; i + + ) {
2010-03-11 14:00:34 +03:00
ret & = test_OpenAccount ( b , tctx , handle , sids1 . sids [ i ] . sid ) ;
ret & = test_EnumAccountRights ( b , tctx , handle , sids1 . sids [ i ] . sid ) ;
2004-12-19 08:53:13 +03:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2003-11-09 14:01:39 +03:00
}
2003-11-10 15:12:22 +03:00
2003-11-08 14:21:57 +03:00
if ( sids1 . num_sids < 3 ) {
2006-07-06 09:23:29 +04:00
return ret ;
2003-11-04 14:16:07 +03:00
}
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Trying EnumAccounts partial listing (asking for 1 at 2) \n " ) ;
2003-11-08 14:21:57 +03:00
resume_handle = 2 ;
2003-11-09 07:40:50 +03:00
r . in . num_entries = 1 ;
r . out . sids = & sids2 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumAccounts_r ( b , tctx , & r ) ,
" EnumAccounts failed " ) ;
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" EnumAccounts failed " ) ;
2003-11-08 14:21:57 +03:00
if ( sids2 . num_sids ! = 1 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " Returned wrong number of entries (%d) \n " , sids2 . num_sids ) ;
2007-10-07 02:28:14 +04:00
return false ;
2003-11-08 14:21:57 +03:00
}
2003-11-04 14:16:07 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-04 14:16:07 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_LookupPrivDisplayName ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
struct policy_handle * handle ,
struct lsa_String * priv_name )
2004-09-02 03:36:22 +04:00
{
struct lsa_LookupPrivDisplayName r ;
2004-09-03 09:16:25 +04:00
/* produce a reasonable range of language output without screwing up
terminals */
2005-02-10 08:09:35 +03:00
uint16_t language_id = ( random ( ) % 4 ) + 0x409 ;
2008-10-21 03:53:32 +04:00
uint16_t returned_language_id = 0 ;
struct lsa_StringLarge * disp_name = NULL ;
2004-09-02 03:36:22 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing LookupPrivDisplayName(%s) \n " , priv_name - > string ) ;
2009-05-11 16:54:04 +04:00
2004-09-02 03:36:22 +04:00
r . in . handle = handle ;
r . in . name = priv_name ;
2008-10-21 03:53:32 +04:00
r . in . language_id = language_id ;
r . in . language_id_sys = 0 ;
r . out . returned_language_id = & returned_language_id ;
r . out . disp_name = & disp_name ;
2004-09-02 03:36:22 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_LookupPrivDisplayName_r ( b , tctx , & r ) ,
" LookupPrivDisplayName failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " LookupPrivDisplayName failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-09-02 03:36:22 +04:00
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " %s -> \" %s \" (language 0x%x/0x%x) \n " ,
2008-10-21 03:53:32 +04:00
priv_name - > string , disp_name - > string ,
r . in . language_id , * r . out . returned_language_id ) ;
2004-09-02 03:36:22 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2004-09-02 03:36:22 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_EnumAccountsWithUserRight ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
struct policy_handle * handle ,
struct lsa_String * priv_name )
2004-09-02 03:36:22 +04:00
{
struct lsa_EnumAccountsWithUserRight r ;
struct lsa_SidArray sids ;
ZERO_STRUCT ( sids ) ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumAccountsWithUserRight(%s) \n " , priv_name - > string ) ;
2009-05-11 16:54:04 +04:00
2004-09-02 03:36:22 +04:00
r . in . handle = handle ;
r . in . name = priv_name ;
r . out . sids = & sids ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumAccountsWithUserRight_r ( b , tctx , & r ) ,
" EnumAccountsWithUserRight failed " ) ;
2004-09-02 03:36:22 +04:00
2019-08-29 23:05:05 +03:00
/* NT_STATUS_NO_MORE_ENTRIES means no one has this privilege */
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-09-02 03:36:22 +04:00
}
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " EnumAccountsWithUserRight failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-09-02 03:36:22 +04:00
}
2009-05-11 16:54:04 +04:00
2007-10-07 02:28:14 +04:00
return true ;
2004-09-02 03:36:22 +04:00
}
2003-11-09 12:04:28 +03:00
2010-03-11 14:00:34 +03:00
static bool test_EnumPrivs ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2003-11-09 12:44:06 +03:00
struct policy_handle * handle )
{
struct lsa_EnumPrivs r ;
struct lsa_PrivArray privs1 ;
2004-05-25 20:24:13 +04:00
uint32_t resume_handle = 0 ;
2004-09-02 03:36:22 +04:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2003-11-09 12:44:06 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumPrivs \n " ) ;
2003-11-09 12:44:06 +03:00
r . in . handle = handle ;
r . in . resume_handle = & resume_handle ;
2004-12-14 08:32:51 +03:00
r . in . max_count = 100 ;
2003-11-09 12:44:06 +03:00
r . out . resume_handle = & resume_handle ;
r . out . privs = & privs1 ;
resume_handle = 0 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumPrivs_r ( b , tctx , & r ) ,
" EnumPrivs failed " ) ;
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" EnumPrivs failed " ) ;
2003-11-09 12:44:06 +03:00
2004-09-02 03:36:22 +04:00
for ( i = 0 ; i < privs1 . count ; i + + ) {
2010-03-11 14:00:34 +03:00
test_LookupPrivDisplayName ( b , tctx , handle , ( struct lsa_String * ) & privs1 . privs [ i ] . name ) ;
test_LookupPrivValue ( b , tctx , handle , ( struct lsa_String * ) & privs1 . privs [ i ] . name ) ;
if ( ! test_EnumAccountsWithUserRight ( b , tctx , handle , ( struct lsa_String * ) & privs1 . privs [ i ] . name ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-09-02 03:36:22 +04:00
}
}
return ret ;
2003-11-09 12:44:06 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_QueryForestTrustInformation ( struct dcerpc_binding_handle * b ,
2009-05-11 16:54:04 +04:00
struct torture_context * tctx ,
2007-06-08 14:43:42 +04:00
struct policy_handle * handle ,
const char * trusted_domain_name )
{
2007-10-07 02:28:14 +04:00
bool ret = true ;
2007-06-08 14:43:42 +04:00
struct lsa_lsaRQueryForestTrustInformation r ;
struct lsa_String string ;
struct lsa_ForestTrustInformation info , * info_ptr ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing lsaRQueryForestTrustInformation \n " ) ;
2007-06-08 14:43:42 +04:00
2007-12-03 17:53:17 +03:00
if ( torture_setting_bool ( tctx , " samba4 " , false ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " skipping QueryForestTrustInformation against Samba4 \n " ) ;
2007-10-07 02:28:14 +04:00
return true ;
2007-06-08 14:43:42 +04:00
}
ZERO_STRUCT ( string ) ;
if ( trusted_domain_name ) {
init_lsa_String ( & string , trusted_domain_name ) ;
}
info_ptr = & info ;
r . in . handle = handle ;
r . in . trusted_domain_name = & string ;
2015-01-30 11:01:58 +03:00
r . in . highest_record_type = LSA_FOREST_TRUST_TOP_LEVEL_NAME ;
2007-06-08 14:43:42 +04:00
r . out . forest_trust_info = & info_ptr ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_lsaRQueryForestTrustInformation_r ( b , tctx , & r ) ,
" lsaRQueryForestTrustInformation failed " ) ;
2007-06-08 14:43:42 +04:00
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " lsaRQueryForestTrustInformation of %s failed - %s \n " , trusted_domain_name , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-06-08 14:43:42 +04:00
}
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_query_each_TrustDomEx ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2009-05-11 16:54:04 +04:00
struct policy_handle * handle ,
struct lsa_DomainListEx * domains )
2007-06-08 14:43:42 +04:00
{
2007-08-28 16:54:27 +04:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2007-06-08 14:43:42 +04:00
for ( i = 0 ; i < domains - > count ; i + + ) {
2014-09-23 21:02:57 +04:00
if ( domains - > domains [ i ] . trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ) {
2010-03-11 14:00:34 +03:00
ret & = test_QueryForestTrustInformation ( b , tctx , handle ,
2007-06-08 14:43:42 +04:00
domains - > domains [ i ] . domain_name . string ) ;
}
}
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_query_each_TrustDom ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2009-05-11 16:54:04 +04:00
struct policy_handle * handle ,
struct lsa_DomainList * domains )
2003-11-09 13:01:24 +03:00
{
2004-11-22 14:59:59 +03:00
int i , j ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2009-05-11 16:54:04 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain \n " ) ;
2005-01-12 10:57:33 +03:00
for ( i = 0 ; i < domains - > count ; i + + ) {
2004-11-22 11:47:47 +03:00
struct lsa_OpenTrustedDomain trust ;
struct lsa_OpenTrustedDomainByName trust_by_name ;
2004-11-23 03:31:00 +03:00
struct policy_handle trustdom_handle ;
2004-11-22 11:47:47 +03:00
struct policy_handle handle2 ;
struct lsa_Close c ;
2006-08-31 12:22:13 +04:00
struct lsa_CloseTrustedDomainEx c_trust ;
2008-08-26 03:49:54 +04:00
int levels [ ] = { 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , 13 } ;
int ok [ ] = { 1 , 0 , 1 , 0 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 } ;
2006-08-31 12:22:13 +04:00
2005-01-12 10:57:33 +03:00
if ( domains - > domains [ i ] . sid ) {
trust . in . handle = handle ;
trust . in . sid = domains - > domains [ i ] . sid ;
trust . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
trust . out . trustdom_handle = & trustdom_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenTrustedDomain_r ( b , tctx , & trust ) ,
" OpenTrustedDomain failed " ) ;
2009-05-11 16:54:04 +04:00
2015-06-30 13:06:11 +03:00
if ( NT_STATUS_EQUAL ( trust . out . result , NT_STATUS_NO_SUCH_DOMAIN ) ) {
torture_comment ( tctx , " DOMAIN(%s, %s) not a direct trust? \n " ,
domains - > domains [ i ] . name . string ,
dom_sid_string ( tctx , domains - > domains [ i ] . sid ) ) ;
continue ;
}
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( trust . out . result ) ) {
torture_comment ( tctx , " OpenTrustedDomain failed - %s \n " , nt_errstr ( trust . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-01-12 10:57:33 +03:00
}
2009-05-11 16:54:04 +04:00
2005-01-12 10:57:33 +03:00
c . in . handle = & trustdom_handle ;
c . out . handle = & handle2 ;
2009-05-11 16:54:04 +04:00
2006-08-31 12:22:13 +04:00
c_trust . in . handle = & trustdom_handle ;
c_trust . out . handle = & handle2 ;
2009-05-11 16:54:04 +04:00
2005-01-12 10:57:33 +03:00
for ( j = 0 ; j < ARRAY_SIZE ( levels ) ; j + + ) {
struct lsa_QueryTrustedDomainInfo q ;
2008-10-21 12:33:27 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
2005-01-12 10:57:33 +03:00
q . in . trustdom_handle = & trustdom_handle ;
q . in . level = levels [ j ] ;
q . out . info = & info ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfo_r ( b , tctx , & q ) ,
" QueryTrustedDomainInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) & & ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo level %d failed - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_IS_OK ( q . out . result ) & & ! ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo level %d unexpectedly succeeded - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
}
}
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CloseTrustedDomainEx_r ( b , tctx , & c_trust ) ,
" CloseTrustedDomainEx failed " ) ;
if ( ! NT_STATUS_EQUAL ( c_trust . out . result , NT_STATUS_NOT_IMPLEMENTED ) ) {
torture_comment ( tctx , " Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s \n " , nt_errstr ( c_trust . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2006-08-31 12:22:13 +04:00
}
2009-05-11 16:54:04 +04:00
2006-08-31 12:22:13 +04:00
c . in . handle = & trustdom_handle ;
c . out . handle = & handle2 ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_Close_r ( b , tctx , & c ) ,
" Close failed " ) ;
if ( ! NT_STATUS_IS_OK ( c . out . result ) ) {
torture_comment ( tctx , " Close of trusted domain failed - %s \n " , nt_errstr ( c . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 14:59:59 +03:00
}
2006-08-31 12:22:13 +04:00
2007-04-07 04:57:26 +04:00
for ( j = 0 ; j < ARRAY_SIZE ( levels ) ; j + + ) {
struct lsa_QueryTrustedDomainInfoBySid q ;
2008-10-21 04:34:45 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
2009-05-11 16:54:04 +04:00
2007-04-07 04:57:26 +04:00
if ( ! domains - > domains [ i ] . sid ) {
continue ;
}
2009-05-11 16:54:04 +04:00
2007-04-07 04:57:26 +04:00
q . in . handle = handle ;
q . in . dom_sid = domains - > domains [ i ] . sid ;
q . in . level = levels [ j ] ;
q . out . info = & info ;
2008-10-21 04:34:45 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfoBySid_r ( b , tctx , & q ) ,
" lsa_QueryTrustedDomainInfoBySid failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) & & ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfoBySid level %d failed - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_IS_OK ( q . out . result ) & & ! ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-04-07 04:57:26 +04:00
}
}
2004-11-22 11:47:47 +03:00
}
trust_by_name . in . handle = handle ;
2005-12-31 08:33:50 +03:00
trust_by_name . in . name . string = domains - > domains [ i ] . name . string ;
2004-12-02 07:37:36 +03:00
trust_by_name . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-23 03:31:00 +03:00
trust_by_name . out . trustdom_handle = & trustdom_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_OpenTrustedDomainByName_r ( b , tctx , & trust_by_name ) ,
" OpenTrustedDomainByName failed " ) ;
2009-05-11 16:54:04 +04:00
2015-06-30 13:06:11 +03:00
if ( NT_STATUS_EQUAL ( trust_by_name . out . result , NT_STATUS_NO_SUCH_DOMAIN ) ) {
torture_comment ( tctx , " DOMAIN(%s, %s) not a direct trust? \n " ,
domains - > domains [ i ] . name . string ,
dom_sid_string ( tctx , domains - > domains [ i ] . sid ) ) ;
continue ;
}
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( trust_by_name . out . result ) ) {
torture_comment ( tctx , " OpenTrustedDomainByName failed - %s \n " , nt_errstr ( trust_by_name . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:47:47 +03:00
}
2004-11-23 03:31:00 +03:00
for ( j = 0 ; j < ARRAY_SIZE ( levels ) ; j + + ) {
struct lsa_QueryTrustedDomainInfo q ;
2008-10-21 12:33:27 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
2004-11-23 03:31:00 +03:00
q . in . trustdom_handle = & trustdom_handle ;
q . in . level = levels [ j ] ;
q . out . info = & info ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfo_r ( b , tctx , & q ) ,
" QueryTrustedDomainInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) & & ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo level %d failed - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_IS_OK ( q . out . result ) & & ! ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo level %d unexpectedly succeeded - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-23 03:31:00 +03:00
}
}
2009-05-11 16:54:04 +04:00
2004-11-23 03:31:00 +03:00
c . in . handle = & trustdom_handle ;
2004-11-22 11:47:47 +03:00
c . out . handle = & handle2 ;
2004-11-22 14:59:59 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_Close_r ( b , tctx , & c ) ,
" Close failed " ) ;
if ( ! NT_STATUS_IS_OK ( c . out . result ) ) {
torture_comment ( tctx , " Close of trusted domain failed - %s \n " , nt_errstr ( c . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:47:47 +03:00
}
2004-11-23 03:31:00 +03:00
for ( j = 0 ; j < ARRAY_SIZE ( levels ) ; j + + ) {
struct lsa_QueryTrustedDomainInfoByName q ;
2008-10-21 12:23:14 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
struct lsa_String name ;
name . string = domains - > domains [ i ] . name . string ;
2004-11-23 03:31:00 +03:00
q . in . handle = handle ;
2008-10-21 12:23:14 +04:00
q . in . trusted_domain = & name ;
2004-11-23 03:31:00 +03:00
q . in . level = levels [ j ] ;
q . out . info = & info ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfoByName_r ( b , tctx , & q ) ,
" QueryTrustedDomainInfoByName failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) & & ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfoByName level %d failed - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_IS_OK ( q . out . result ) & & ! ok [ j ] ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s \n " ,
2010-03-24 11:06:54 +03:00
levels [ j ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-23 03:31:00 +03:00
}
}
2005-01-12 10:57:33 +03:00
}
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_EnumTrustDom ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2005-01-12 10:57:33 +03:00
struct policy_handle * handle )
{
struct lsa_EnumTrustDom r ;
2009-10-21 04:16:32 +04:00
uint32_t in_resume_handle = 0 ;
uint32_t out_resume_handle ;
2005-01-12 10:57:33 +03:00
struct lsa_DomainList domains ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2005-01-12 10:57:33 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumTrustDom \n " ) ;
2005-01-12 10:57:33 +03:00
2008-07-21 06:05:53 +04:00
r . in . handle = handle ;
2009-10-21 04:16:32 +04:00
r . in . resume_handle = & in_resume_handle ;
2008-07-21 06:05:53 +04:00
r . in . max_size = 0 ;
r . out . domains = & domains ;
2009-10-21 04:16:32 +04:00
r . out . resume_handle = & out_resume_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumTrustDom_r ( b , tctx , & r ) ,
" lsa_EnumTrustDom failed " ) ;
2009-05-11 16:54:04 +04:00
2009-10-21 04:16:32 +04:00
/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
* always be larger than the previous input resume handle , in
* particular when hitting the last query it is vital to set the
* resume handle correctly to avoid infinite client loops , as
* seen e . g . with Windows XP SP3 when resume handle is 0 and
* status is NT_STATUS_OK - gd */
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_IS_OK ( r . out . result ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) | |
NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) )
2009-10-21 04:16:32 +04:00
{
if ( out_resume_handle < = in_resume_handle ) {
torture_comment ( tctx , " EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x) \n " ,
out_resume_handle , in_resume_handle ) ;
return false ;
}
}
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_IS_OK ( r . out . result ) ) {
2008-07-31 03:07:57 +04:00
if ( domains . count = = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains \n " ) ;
2008-07-31 03:07:57 +04:00
return false ;
}
2010-03-24 11:06:54 +03:00
} else if ( ! ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) | | NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) ) {
torture_comment ( tctx , " EnumTrustDom of zero size failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2008-07-21 06:05:53 +04:00
return false ;
}
2009-05-11 16:54:04 +04:00
2008-09-04 10:06:38 +04:00
/* Start from the bottom again */
2009-10-21 04:16:32 +04:00
in_resume_handle = 0 ;
2008-09-04 10:06:38 +04:00
2005-01-12 10:57:33 +03:00
do {
r . in . handle = handle ;
2009-10-21 04:16:32 +04:00
r . in . resume_handle = & in_resume_handle ;
2005-01-12 10:57:33 +03:00
r . in . max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3 ;
r . out . domains = & domains ;
2009-10-21 04:16:32 +04:00
r . out . resume_handle = & out_resume_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumTrustDom_r ( b , tctx , & r ) ,
" EnumTrustDom failed " ) ;
2009-05-11 16:54:04 +04:00
2009-10-21 04:16:32 +04:00
/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
* always be larger than the previous input resume handle , in
* particular when hitting the last query it is vital to set the
* resume handle correctly to avoid infinite client loops , as
* seen e . g . with Windows XP SP3 when resume handle is 0 and
* status is NT_STATUS_OK - gd */
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_IS_OK ( r . out . result ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) | |
NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) )
2009-10-21 04:16:32 +04:00
{
if ( out_resume_handle < = in_resume_handle ) {
torture_comment ( tctx , " EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x) \n " ,
out_resume_handle , in_resume_handle ) ;
return false ;
}
}
2005-01-12 10:57:33 +03:00
/* NO_MORE_ENTRIES is allowed */
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) {
2008-10-02 00:11:11 +04:00
if ( domains . count = = 0 ) {
return true ;
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES' \n " ) ;
2008-10-02 00:11:11 +04:00
return false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) {
2005-01-12 10:57:33 +03:00
/* Windows 2003 gets this off by one on the first run */
if ( r . out . domains - > count < 3 | | r . out . domains - > count > 4 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDom didn't fill the buffer we "
2005-01-12 10:57:33 +03:00
" asked it to (got %d, expected %d / %d == %d entries) \n " ,
2009-05-11 16:54:04 +04:00
r . out . domains - > count , LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3 ,
2005-01-12 10:57:33 +03:00
LSA_ENUM_TRUST_DOMAIN_MULTIPLIER , r . in . max_size ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
}
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " EnumTrustDom failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-01-12 10:57:33 +03:00
}
2009-05-11 16:54:04 +04:00
2008-07-21 06:05:53 +04:00
if ( domains . count = = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains \n " ) ;
2008-07-21 06:05:53 +04:00
return false ;
}
2010-03-11 14:00:34 +03:00
ret & = test_query_each_TrustDom ( b , tctx , handle , & domains ) ;
2009-05-11 16:54:04 +04:00
2009-10-21 04:16:32 +04:00
in_resume_handle = out_resume_handle ;
2017-11-19 20:55:14 +03:00
} while ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) ;
2006-08-31 12:22:13 +04:00
2009-10-20 14:59:49 +04:00
return ret ;
}
2010-03-11 14:00:34 +03:00
static bool test_EnumTrustDomEx ( struct dcerpc_binding_handle * b ,
2009-10-20 14:59:49 +04:00
struct torture_context * tctx ,
struct policy_handle * handle )
{
struct lsa_EnumTrustedDomainsEx r_ex ;
2015-03-24 02:16:29 +03:00
uint32_t in_resume_handle = 0 ;
uint32_t out_resume_handle ;
2009-10-20 14:59:49 +04:00
struct lsa_DomainListEx domains_ex ;
bool ret = true ;
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing EnumTrustedDomainsEx \n " ) ;
2006-08-31 12:22:13 +04:00
2008-07-21 06:05:53 +04:00
r_ex . in . handle = handle ;
2015-03-24 02:16:29 +03:00
r_ex . in . resume_handle = & in_resume_handle ;
r_ex . in . max_size = 0 ;
2008-07-21 06:05:53 +04:00
r_ex . out . domains = & domains_ex ;
2015-03-24 02:16:29 +03:00
r_ex . out . resume_handle = & out_resume_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumTrustedDomainsEx_r ( b , tctx , & r_ex ) ,
" EnumTrustedDomainsEx failed " ) ;
2009-05-11 16:54:04 +04:00
2015-03-24 02:16:29 +03:00
/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
* always be larger than the previous input resume handle , in
* particular when hitting the last query it is vital to set the
* resume handle correctly to avoid infinite client loops , as
* seen e . g . with Windows XP SP3 when resume handle is 0 and
* status is NT_STATUS_OK - gd */
if ( NT_STATUS_IS_OK ( r_ex . out . result ) | |
NT_STATUS_EQUAL ( r_ex . out . result , NT_STATUS_NO_MORE_ENTRIES ) | |
NT_STATUS_EQUAL ( r_ex . out . result , STATUS_MORE_ENTRIES ) )
{
if ( out_resume_handle < = in_resume_handle ) {
torture_comment ( tctx , " EnumTrustDomEx failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x) \n " ,
out_resume_handle , in_resume_handle ) ;
return false ;
}
}
if ( NT_STATUS_IS_OK ( r_ex . out . result ) ) {
if ( domains_ex . count = = 0 ) {
torture_comment ( tctx , " EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains \n " ) ;
return false ;
}
} else if ( ! ( NT_STATUS_EQUAL ( r_ex . out . result , STATUS_MORE_ENTRIES ) | |
NT_STATUS_EQUAL ( r_ex . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) ) {
torture_comment ( tctx , " EnumTrustDom of zero size failed - %s \n " ,
nt_errstr ( r_ex . out . result ) ) ;
2008-07-21 06:05:53 +04:00
return false ;
}
2009-05-11 16:54:04 +04:00
2015-03-24 02:16:29 +03:00
in_resume_handle = 0 ;
2006-08-31 12:22:13 +04:00
do {
r_ex . in . handle = handle ;
2015-03-24 02:16:29 +03:00
r_ex . in . resume_handle = & in_resume_handle ;
2006-08-31 12:22:13 +04:00
r_ex . in . max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3 ;
r_ex . out . domains = & domains_ex ;
2015-03-24 02:16:29 +03:00
r_ex . out . resume_handle = & out_resume_handle ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_EnumTrustedDomainsEx_r ( b , tctx , & r_ex ) ,
" EnumTrustedDomainsEx failed " ) ;
2009-05-11 16:54:04 +04:00
2015-03-24 02:16:29 +03:00
in_resume_handle = out_resume_handle ;
2006-08-31 12:22:13 +04:00
/* NO_MORE_ENTRIES is allowed */
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_EQUAL ( r_ex . out . result , NT_STATUS_NO_MORE_ENTRIES ) ) {
2008-10-02 00:11:11 +04:00
if ( domains_ex . count = = 0 ) {
return true ;
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES' \n " ) ;
2008-10-02 00:11:11 +04:00
return false ;
2010-03-24 11:06:54 +03:00
} else if ( NT_STATUS_EQUAL ( r_ex . out . result , STATUS_MORE_ENTRIES ) ) {
2006-08-31 12:22:13 +04:00
/* Windows 2003 gets this off by one on the first run */
if ( r_ex . out . domains - > count < 3 | | r_ex . out . domains - > count > 4 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDom didn't fill the buffer we "
2006-08-31 12:22:13 +04:00
" asked it to (got %d, expected %d / %d == %d entries) \n " ,
2009-05-11 16:54:04 +04:00
r_ex . out . domains - > count ,
2006-08-31 12:22:13 +04:00
r_ex . in . max_size ,
2009-05-11 16:54:04 +04:00
LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER ,
2006-08-31 12:22:13 +04:00
r_ex . in . max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER ) ;
}
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r_ex . out . result ) ) {
torture_comment ( tctx , " EnumTrustedDomainEx failed - %s \n " , nt_errstr ( r_ex . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2006-08-31 12:22:13 +04:00
}
2007-06-08 14:43:42 +04:00
2008-07-21 06:05:53 +04:00
if ( domains_ex . count = = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains \n " ) ;
2008-07-21 06:05:53 +04:00
return false ;
}
2010-03-11 14:00:34 +03:00
ret & = test_query_each_TrustDomEx ( b , tctx , handle , & domains_ex ) ;
2009-05-11 16:54:04 +04:00
2017-11-19 20:55:14 +03:00
} while ( NT_STATUS_EQUAL ( r_ex . out . result , STATUS_MORE_ENTRIES ) ) ;
2004-11-22 11:47:47 +03:00
return ret ;
2003-11-09 13:01:24 +03:00
}
2009-10-20 14:59:49 +04:00
2010-03-11 14:00:34 +03:00
static bool test_CreateTrustedDomain ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2009-10-20 20:34:09 +04:00
struct policy_handle * handle ,
uint32_t num_trusts )
2005-01-12 06:19:48 +03:00
{
2007-10-07 02:28:14 +04:00
bool ret = true ;
2005-01-12 06:19:48 +03:00
struct lsa_CreateTrustedDomain r ;
2006-08-31 12:22:13 +04:00
struct lsa_DomainInfo trustinfo ;
2009-10-20 20:34:09 +04:00
struct dom_sid * * domsid ;
struct policy_handle * trustdom_handle ;
2005-01-12 06:19:48 +03:00
struct lsa_QueryTrustedDomainInfo q ;
2008-10-21 12:33:27 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
2005-01-12 10:57:33 +03:00
int i ;
2005-01-12 06:19:48 +03:00
2009-10-20 20:34:09 +04:00
torture_comment ( tctx , " \n Testing CreateTrustedDomain for %d domains \n " , num_trusts ) ;
2005-01-12 06:19:48 +03:00
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDom ( b , tctx , handle ) ) {
2008-07-21 06:05:53 +04:00
ret = false ;
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDomEx ( b , tctx , handle ) ) {
2009-10-20 14:59:49 +04:00
ret = false ;
}
2009-10-20 20:34:09 +04:00
domsid = talloc_array ( tctx , struct dom_sid * , num_trusts ) ;
trustdom_handle = talloc_array ( tctx , struct policy_handle , num_trusts ) ;
for ( i = 0 ; i < num_trusts ; i + + ) {
2015-05-20 01:05:00 +03:00
char * trust_name = talloc_asprintf ( tctx , " TORTURE1%02d " , i ) ;
2015-03-24 01:15:45 +03:00
char * trust_sid = talloc_asprintf ( tctx , " S-1-5-21-97398-379795-1%02d " , i ) ;
2009-05-11 16:54:04 +04:00
2009-05-11 16:51:41 +04:00
domsid [ i ] = dom_sid_parse_talloc ( tctx , trust_sid ) ;
2005-01-12 06:19:48 +03:00
2005-01-12 10:57:33 +03:00
trustinfo . sid = domsid [ i ] ;
2006-01-18 19:20:33 +03:00
init_lsa_String ( ( struct lsa_String * ) & trustinfo . name , trust_name ) ;
2005-01-12 06:19:48 +03:00
2008-09-08 04:55:34 +04:00
r . in . policy_handle = handle ;
2005-01-12 10:57:33 +03:00
r . in . info = & trustinfo ;
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . trustdom_handle = & trustdom_handle [ i ] ;
2009-05-11 16:54:04 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CreateTrustedDomain_r ( b , tctx , & r ) ,
" CreateTrustedDomain failed " ) ;
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_OBJECT_NAME_COLLISION ) ) {
2010-03-11 14:00:34 +03:00
test_DeleteTrustedDomain ( b , tctx , handle , trustinfo . name ) ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_CreateTrustedDomain_r ( b , tctx , & r ) ,
" CreateTrustedDomain failed " ) ;
2005-01-12 10:57:33 +03:00
}
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " CreateTrustedDomain failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
} else {
2009-05-11 16:54:04 +04:00
2005-01-12 10:57:33 +03:00
q . in . trustdom_handle = & trustdom_handle [ i ] ;
2008-09-01 08:43:00 +04:00
q . in . level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX ;
2008-10-21 12:33:27 +04:00
q . out . info = & info ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfo_r ( b , tctx , & q ) ,
" QueryTrustedDomainInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
torture_comment ( tctx , " QueryTrustedDomainInfo level %d failed - %s \n " , q . in . level , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
} else if ( ! q . out . info ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
} else {
2015-05-20 01:05:00 +03:00
if ( strcmp ( info - > info_ex . domain_name . string , trustinfo . name . string ) ! = 0 ) {
torture_comment ( tctx , " QueryTrustedDomainInfo returned inconsistent long name: %s != %s \n " ,
info - > info_ex . domain_name . string , trustinfo . name . string ) ;
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( strcmp ( info - > info_ex . netbios_name . string , trustinfo . name . string ) ! = 0 ) {
2011-03-01 00:04:29 +03:00
torture_comment ( tctx , " QueryTrustedDomainInfo returned inconsistent short name: %s != %s \n " ,
2008-10-21 12:33:27 +04:00
info - > info_ex . netbios_name . string , trustinfo . name . string ) ;
2008-09-01 08:43:00 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_type ! = LSA_TRUST_TYPE_DOWNLEVEL ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_type , LSA_TRUST_TYPE_DOWNLEVEL ) ;
2008-09-01 08:43:00 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_attributes ! = 0 ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_attributes , 0 ) ;
2008-09-01 08:43:00 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_direction ! = LSA_TRUST_DIRECTION_OUTBOUND ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_direction , LSA_TRUST_DIRECTION_OUTBOUND ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
}
}
2005-01-12 06:19:48 +03:00
}
}
/* now that we have some domains to look over, we can test the enum calls */
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDom ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 06:19:48 +03:00
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDomEx ( b , tctx , handle ) ) {
2009-10-20 14:59:49 +04:00
ret = false ;
}
2009-10-20 20:34:09 +04:00
for ( i = 0 ; i < num_trusts ; i + + ) {
2010-03-11 14:00:34 +03:00
if ( ! test_DeleteTrustedDomainBySid ( b , tctx , handle , domsid [ i ] ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-12 10:57:33 +03:00
}
2005-01-12 06:19:48 +03:00
}
return ret ;
}
2015-05-20 01:05:00 +03:00
static bool gen_authinfo_internal ( TALLOC_CTX * mem_ctx ,
const char * incoming_old , const char * incoming_new ,
const char * outgoing_old , const char * outgoing_new ,
2011-08-22 14:34:36 +04:00
DATA_BLOB session_key ,
struct lsa_TrustDomainInfoAuthInfoInternal * * _authinfo_internal )
{
struct lsa_TrustDomainInfoAuthInfoInternal * authinfo_internal ;
struct trustDomainPasswords auth_struct ;
2015-05-20 01:05:00 +03:00
struct AuthenticationInformation in_info ;
struct AuthenticationInformation io_info ;
struct AuthenticationInformation on_info ;
struct AuthenticationInformation oo_info ;
2011-08-22 14:34:36 +04:00
size_t converted_size ;
DATA_BLOB auth_blob ;
enum ndr_err_code ndr_err ;
2015-05-20 01:05:00 +03:00
bool ok ;
2019-02-21 13:03:01 +03:00
gnutls_cipher_hd_t cipher_hnd = NULL ;
gnutls_datum_t _session_key ;
2011-08-22 14:34:36 +04:00
authinfo_internal = talloc_zero ( mem_ctx , struct lsa_TrustDomainInfoAuthInfoInternal ) ;
if ( authinfo_internal = = NULL ) {
return false ;
}
2015-05-20 01:05:00 +03:00
in_info . AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( mem_ctx , CH_UNIX , CH_UTF16 ,
incoming_new ,
strlen ( incoming_new ) ,
& in_info . AuthInfo . clear . password ,
& converted_size ) ;
if ( ! ok ) {
2011-08-22 14:34:36 +04:00
return false ;
}
2015-05-20 01:05:00 +03:00
in_info . AuthInfo . clear . size = converted_size ;
io_info . AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( mem_ctx , CH_UNIX , CH_UTF16 ,
incoming_old ,
strlen ( incoming_old ) ,
& io_info . AuthInfo . clear . password ,
& converted_size ) ;
if ( ! ok ) {
2011-08-22 14:34:36 +04:00
return false ;
}
2015-05-20 01:05:00 +03:00
io_info . AuthInfo . clear . size = converted_size ;
on_info . AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( mem_ctx , CH_UNIX , CH_UTF16 ,
outgoing_new ,
strlen ( outgoing_new ) ,
& on_info . AuthInfo . clear . password ,
& converted_size ) ;
if ( ! ok ) {
return false ;
}
on_info . AuthInfo . clear . size = converted_size ;
oo_info . AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( mem_ctx , CH_UNIX , CH_UTF16 ,
outgoing_old ,
strlen ( outgoing_old ) ,
& oo_info . AuthInfo . clear . password ,
& converted_size ) ;
if ( ! ok ) {
return false ;
}
oo_info . AuthInfo . clear . size = converted_size ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
generate_random_buffer ( auth_struct . confounder , sizeof ( auth_struct . confounder ) ) ;
2011-08-22 14:34:36 +04:00
auth_struct . outgoing . count = 1 ;
auth_struct . outgoing . current . count = 1 ;
2015-05-20 01:05:00 +03:00
auth_struct . outgoing . current . array = & on_info ;
auth_struct . outgoing . previous . count = 1 ;
auth_struct . outgoing . previous . array = & oo_info ;
2011-08-22 14:34:36 +04:00
auth_struct . incoming . count = 1 ;
auth_struct . incoming . current . count = 1 ;
2015-05-20 01:05:00 +03:00
auth_struct . incoming . current . array = & in_info ;
auth_struct . incoming . previous . count = 1 ;
auth_struct . incoming . previous . array = & io_info ;
2011-08-22 14:34:36 +04:00
ndr_err = ndr_push_struct_blob ( & auth_blob , mem_ctx , & auth_struct ,
( ndr_push_flags_fn_t ) ndr_push_trustDomainPasswords ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return false ;
}
2019-02-21 13:03:01 +03:00
_session_key = ( gnutls_datum_t ) {
. data = session_key . data ,
. size = session_key . length ,
} ;
gnutls_cipher_init ( & cipher_hnd ,
GNUTLS_CIPHER_ARCFOUR_128 ,
& _session_key ,
NULL ) ;
gnutls_cipher_encrypt ( cipher_hnd ,
auth_blob . data ,
auth_blob . length ) ;
gnutls_cipher_deinit ( cipher_hnd ) ;
2011-08-22 14:34:36 +04:00
authinfo_internal - > auth_blob . size = auth_blob . length ;
authinfo_internal - > auth_blob . data = auth_blob . data ;
* _authinfo_internal = authinfo_internal ;
return true ;
}
2015-05-20 01:05:00 +03:00
static bool gen_authinfo ( TALLOC_CTX * mem_ctx ,
const char * incoming_old , const char * incoming_new ,
const char * outgoing_old , const char * outgoing_new ,
2011-08-22 14:34:36 +04:00
struct lsa_TrustDomainInfoAuthInfo * * _authinfo )
{
struct lsa_TrustDomainInfoAuthInfo * authinfo ;
2015-05-20 01:05:00 +03:00
struct lsa_TrustDomainInfoBuffer * in_buffer ;
struct lsa_TrustDomainInfoBuffer * io_buffer ;
struct lsa_TrustDomainInfoBuffer * on_buffer ;
struct lsa_TrustDomainInfoBuffer * oo_buffer ;
2011-08-22 14:34:36 +04:00
size_t converted_size ;
2015-05-20 01:05:00 +03:00
bool ok ;
2011-08-22 14:34:36 +04:00
authinfo = talloc_zero ( mem_ctx , struct lsa_TrustDomainInfoAuthInfo ) ;
if ( authinfo = = NULL ) {
return false ;
}
2015-05-20 01:05:00 +03:00
in_buffer = talloc_zero ( authinfo , struct lsa_TrustDomainInfoBuffer ) ;
if ( in_buffer = = NULL ) {
return false ;
}
in_buffer - > AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( in_buffer , CH_UNIX , CH_UTF16 ,
incoming_new ,
strlen ( incoming_new ) ,
& in_buffer - > data . data ,
& converted_size ) ;
if ( ! ok ) {
2011-08-22 14:34:36 +04:00
return false ;
}
2015-05-20 01:05:00 +03:00
in_buffer - > data . size = converted_size ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
io_buffer = talloc_zero ( authinfo , struct lsa_TrustDomainInfoBuffer ) ;
if ( io_buffer = = NULL ) {
return false ;
}
io_buffer - > AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( io_buffer , CH_UNIX , CH_UTF16 ,
incoming_old ,
strlen ( incoming_old ) ,
& io_buffer - > data . data ,
& converted_size ) ;
if ( ! ok ) {
return false ;
}
io_buffer - > data . size = converted_size ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
on_buffer = talloc_zero ( authinfo , struct lsa_TrustDomainInfoBuffer ) ;
if ( on_buffer = = NULL ) {
2011-08-22 14:34:36 +04:00
return false ;
}
2015-05-20 01:05:00 +03:00
on_buffer - > AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( on_buffer , CH_UNIX , CH_UTF16 ,
outgoing_new ,
strlen ( outgoing_new ) ,
& on_buffer - > data . data ,
& converted_size ) ;
if ( ! ok ) {
return false ;
}
on_buffer - > data . size = converted_size ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
oo_buffer = talloc_zero ( authinfo , struct lsa_TrustDomainInfoBuffer ) ;
if ( oo_buffer = = NULL ) {
return false ;
}
oo_buffer - > AuthType = TRUST_AUTH_TYPE_CLEAR ;
ok = convert_string_talloc ( oo_buffer , CH_UNIX , CH_UTF16 ,
outgoing_old ,
strlen ( outgoing_old ) ,
& oo_buffer - > data . data ,
& converted_size ) ;
if ( ! ok ) {
return false ;
}
oo_buffer - > data . size = converted_size ;
2011-08-22 14:34:36 +04:00
authinfo - > incoming_count = 1 ;
2015-05-20 01:05:00 +03:00
authinfo - > incoming_current_auth_info = in_buffer ;
authinfo - > incoming_previous_auth_info = io_buffer ;
2011-08-22 14:34:36 +04:00
authinfo - > outgoing_count = 1 ;
2015-05-20 01:05:00 +03:00
authinfo - > outgoing_current_auth_info = on_buffer ;
authinfo - > outgoing_previous_auth_info = oo_buffer ;
2011-08-22 14:34:36 +04:00
* _authinfo = authinfo ;
return true ;
}
static bool check_pw_with_ServerAuthenticate3 ( struct dcerpc_pipe * p ,
struct torture_context * tctx ,
uint32_t negotiate_flags ,
2015-05-20 01:05:00 +03:00
const char * server_name ,
2011-08-22 14:34:36 +04:00
struct cli_credentials * machine_credentials ,
struct netlogon_creds_CredentialState * * creds_out )
{
struct netr_ServerReqChallenge r ;
struct netr_ServerAuthenticate3 a ;
struct netr_Credential credentials1 , credentials2 , credentials3 ;
struct netlogon_creds_CredentialState * creds ;
2015-05-20 01:05:00 +03:00
const struct samr_Password * new_password = NULL ;
const struct samr_Password * old_password = NULL ;
2011-08-22 14:34:36 +04:00
uint32_t rid ;
struct dcerpc_binding_handle * b = p - > binding_handle ;
2015-05-20 01:05:00 +03:00
new_password = cli_credentials_get_nt_hash ( machine_credentials , tctx ) ;
old_password = cli_credentials_get_old_nt_hash ( machine_credentials , tctx ) ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
r . in . server_name = server_name ;
r . in . computer_name = cli_credentials_get_workstation ( machine_credentials ) ;
2011-08-22 14:34:36 +04:00
r . in . credentials = & credentials1 ;
r . out . return_credentials = & credentials2 ;
generate_random_buffer ( credentials1 . data , sizeof ( credentials1 . data ) ) ;
torture_assert_ntstatus_ok ( tctx , dcerpc_netr_ServerReqChallenge_r ( b , tctx , & r ) ,
" ServerReqChallenge failed " ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result , " ServerReqChallenge failed " ) ;
2015-05-20 01:05:00 +03:00
a . in . server_name = server_name ;
a . in . account_name = cli_credentials_get_username ( machine_credentials ) ;
2011-08-22 14:34:36 +04:00
a . in . secure_channel_type = cli_credentials_get_secure_channel_type ( machine_credentials ) ;
2015-05-20 01:05:00 +03:00
a . in . computer_name = cli_credentials_get_workstation ( machine_credentials ) ;
2011-08-22 14:34:36 +04:00
a . in . negotiate_flags = & negotiate_flags ;
a . in . credentials = & credentials3 ;
a . out . return_credentials = & credentials3 ;
a . out . negotiate_flags = & negotiate_flags ;
a . out . rid = & rid ;
creds = netlogon_creds_client_init ( tctx , a . in . account_name ,
a . in . computer_name ,
2012-12-19 16:53:23 +04:00
a . in . secure_channel_type ,
2011-08-22 14:34:36 +04:00
& credentials1 , & credentials2 ,
2015-05-20 01:05:00 +03:00
new_password , & credentials3 ,
2011-08-22 14:34:36 +04:00
negotiate_flags ) ;
torture_assert ( tctx , creds ! = NULL , " memory allocation " ) ;
torture_assert_ntstatus_ok ( tctx , dcerpc_netr_ServerAuthenticate3_r ( b , tctx , & a ) ,
" ServerAuthenticate3 failed " ) ;
if ( ! NT_STATUS_IS_OK ( a . out . result ) ) {
if ( ! NT_STATUS_EQUAL ( a . out . result , NT_STATUS_ACCESS_DENIED ) ) {
torture_assert_ntstatus_ok ( tctx , a . out . result ,
" ServerAuthenticate3 failed " ) ;
}
return false ;
}
torture_assert ( tctx , netlogon_creds_client_check ( creds , & credentials3 ) , " Credential chaining failed " ) ;
2015-05-20 01:05:00 +03:00
if ( old_password ! = NULL ) {
torture_assert_ntstatus_ok ( tctx , dcerpc_netr_ServerReqChallenge_r ( b , tctx , & r ) ,
" ServerReqChallenge failed " ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result , " ServerReqChallenge failed " ) ;
creds = netlogon_creds_client_init ( tctx , a . in . account_name ,
a . in . computer_name ,
a . in . secure_channel_type ,
& credentials1 , & credentials2 ,
old_password , & credentials3 ,
negotiate_flags ) ;
torture_assert ( tctx , creds ! = NULL , " memory allocation " ) ;
torture_assert_ntstatus_ok ( tctx , dcerpc_netr_ServerAuthenticate3_r ( b , tctx , & a ) ,
" ServerAuthenticate3 failed " ) ;
if ( ! NT_STATUS_IS_OK ( a . out . result ) ) {
if ( ! NT_STATUS_EQUAL ( a . out . result , NT_STATUS_ACCESS_DENIED ) ) {
torture_assert_ntstatus_ok ( tctx , a . out . result ,
" ServerAuthenticate3 (old) failed " ) ;
}
return false ;
}
torture_assert ( tctx , netlogon_creds_client_check ( creds , & credentials3 ) , " Credential (old) chaining failed " ) ;
}
2011-08-22 14:34:36 +04:00
/* Prove that requesting a challenge again won't break it */
torture_assert_ntstatus_ok ( tctx , dcerpc_netr_ServerReqChallenge_r ( b , tctx , & r ) ,
" ServerReqChallenge failed " ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result , " ServerReqChallenge failed " ) ;
* creds_out = creds ;
return true ;
}
2015-07-10 10:44:40 +03:00
# ifdef SAMBA4_USES_HEIMDAL
2015-05-20 01:05:00 +03:00
/*
* This function is set in torture_krb5_init_context as krb5
* send_and_recv function . This allows us to override what server the
* test is aimed at , and to inspect the packets just before they are
* sent to the network , and before they are processed on the recv
* side .
*
* The torture_krb5_pre_send_test ( ) and torture_krb5_post_recv_test ( )
* functions are implement the actual tests .
*
* When this asserts , the caller will get a spurious ' cannot contact
* any KDC ' message .
*
*/
struct check_pw_with_krb5_ctx {
struct addrinfo * server ;
struct {
unsigned io ;
unsigned fail ;
unsigned errors ;
unsigned error_io ;
unsigned ok ;
} counts ;
2015-07-09 19:02:31 +03:00
krb5_error error ;
2015-05-20 01:05:00 +03:00
struct smb_krb5_context * smb_krb5_context ;
krb5_get_init_creds_opt * krb_options ;
krb5_creds my_creds ;
krb5_get_creds_opt opt_canon ;
krb5_get_creds_opt opt_nocanon ;
krb5_principal upn_realm ;
krb5_principal upn_dns ;
krb5_principal upn_netbios ;
krb5_ccache krbtgt_ccache ;
krb5_principal krbtgt_trust_realm ;
krb5_creds * krbtgt_trust_realm_creds ;
krb5_principal krbtgt_trust_dns ;
krb5_creds * krbtgt_trust_dns_creds ;
krb5_principal krbtgt_trust_netbios ;
krb5_creds * krbtgt_trust_netbios_creds ;
krb5_principal cifs_trust_dns ;
krb5_creds * cifs_trust_dns_creds ;
krb5_principal cifs_trust_netbios ;
krb5_creds * cifs_trust_netbios_creds ;
krb5_principal drs_trust_dns ;
krb5_creds * drs_trust_dns_creds ;
krb5_principal drs_trust_netbios ;
krb5_creds * drs_trust_netbios_creds ;
krb5_principal four_trust_dns ;
krb5_creds * four_trust_dns_creds ;
krb5_creds krbtgt_referral_creds ;
Ticket krbtgt_referral_ticket ;
krb5_keyblock krbtgt_referral_keyblock ;
EncTicketPart krbtgt_referral_enc_part ;
} ;
static krb5_error_code check_pw_with_krb5_send_and_recv_func ( krb5_context context ,
void * data , /* struct check_pw_with_krb5_ctx */
krb5_krbhst_info * _hi ,
time_t timeout ,
const krb5_data * send_buf ,
krb5_data * recv_buf )
{
struct check_pw_with_krb5_ctx * ctx =
talloc_get_type_abort ( data , struct check_pw_with_krb5_ctx ) ;
krb5_error_code k5ret ;
krb5_krbhst_info hi = * _hi ;
size_t used ;
int ret ;
hi . proto = KRB5_KRBHST_TCP ;
2016-08-29 10:09:18 +03:00
krb5_free_error_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > error ) ;
2015-05-20 01:05:00 +03:00
ctx - > counts . io + + ;
k5ret = smb_krb5_send_and_recv_func_forced ( context , ctx - > server ,
& hi , timeout , send_buf , recv_buf ) ;
if ( k5ret ! = 0 ) {
ctx - > counts . fail + + ;
return k5ret ;
}
ret = decode_KRB_ERROR ( recv_buf - > data , recv_buf - > length ,
& ctx - > error , & used ) ;
if ( ret = = 0 ) {
ctx - > counts . errors + + ;
ctx - > counts . error_io = ctx - > counts . io ;
} else {
ctx - > counts . ok + + ;
}
return k5ret ;
}
static int check_pw_with_krb5_ctx_destructor ( struct check_pw_with_krb5_ctx * ctx )
{
if ( ctx - > server ! = NULL ) {
freeaddrinfo ( ctx - > server ) ;
ctx - > server = NULL ;
}
if ( ctx - > krb_options ! = NULL ) {
krb5_get_init_creds_opt_free ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krb_options ) ;
ctx - > krb_options = NULL ;
}
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds ) ;
if ( ctx - > opt_canon ! = NULL ) {
krb5_get_creds_opt_free ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ) ;
ctx - > opt_canon = NULL ;
}
if ( ctx - > opt_nocanon ! = NULL ) {
krb5_get_creds_opt_free ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_nocanon ) ;
ctx - > opt_nocanon = NULL ;
}
if ( ctx - > krbtgt_ccache ! = NULL ) {
krb5_cc_close ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ) ;
ctx - > krbtgt_ccache = NULL ;
}
if ( ctx - > upn_realm ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_realm ) ;
ctx - > upn_realm = NULL ;
}
if ( ctx - > upn_dns ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_dns ) ;
ctx - > upn_dns = NULL ;
}
if ( ctx - > upn_netbios ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_netbios ) ;
ctx - > upn_netbios = NULL ;
}
if ( ctx - > krbtgt_trust_realm ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_realm ) ;
ctx - > krbtgt_trust_realm = NULL ;
}
if ( ctx - > krbtgt_trust_realm_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_realm_creds ) ;
ctx - > krbtgt_trust_realm_creds = NULL ;
}
if ( ctx - > krbtgt_trust_dns ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_dns ) ;
ctx - > krbtgt_trust_dns = NULL ;
}
if ( ctx - > krbtgt_trust_dns_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_dns_creds ) ;
ctx - > krbtgt_trust_dns_creds = NULL ;
}
if ( ctx - > krbtgt_trust_netbios ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_netbios ) ;
ctx - > krbtgt_trust_netbios = NULL ;
}
if ( ctx - > krbtgt_trust_netbios_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_netbios_creds ) ;
ctx - > krbtgt_trust_netbios_creds = NULL ;
}
if ( ctx - > cifs_trust_dns ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > cifs_trust_dns ) ;
ctx - > cifs_trust_dns = NULL ;
}
if ( ctx - > cifs_trust_dns_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > cifs_trust_dns_creds ) ;
ctx - > cifs_trust_dns_creds = NULL ;
}
if ( ctx - > cifs_trust_netbios ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > cifs_trust_netbios ) ;
ctx - > cifs_trust_netbios = NULL ;
}
if ( ctx - > cifs_trust_netbios_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > cifs_trust_netbios_creds ) ;
ctx - > cifs_trust_netbios_creds = NULL ;
}
if ( ctx - > drs_trust_dns ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > drs_trust_dns ) ;
ctx - > drs_trust_dns = NULL ;
}
if ( ctx - > drs_trust_dns_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > drs_trust_dns_creds ) ;
ctx - > drs_trust_dns_creds = NULL ;
}
if ( ctx - > drs_trust_netbios ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > drs_trust_netbios ) ;
ctx - > drs_trust_netbios = NULL ;
}
if ( ctx - > drs_trust_netbios_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > drs_trust_netbios_creds ) ;
ctx - > drs_trust_netbios_creds = NULL ;
}
if ( ctx - > four_trust_dns ! = NULL ) {
krb5_free_principal ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > four_trust_dns ) ;
ctx - > four_trust_dns = NULL ;
}
if ( ctx - > four_trust_dns_creds ! = NULL ) {
krb5_free_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > four_trust_dns_creds ) ;
ctx - > four_trust_dns_creds = NULL ;
}
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
free_Ticket ( & ctx - > krbtgt_referral_ticket ) ;
krb5_free_keyblock_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_keyblock ) ;
free_EncTicketPart ( & ctx - > krbtgt_referral_enc_part ) ;
2016-08-29 10:09:18 +03:00
krb5_free_error_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > error ) ;
2015-05-20 01:05:00 +03:00
talloc_unlink ( ctx , ctx - > smb_krb5_context ) ;
ctx - > smb_krb5_context = NULL ;
return 0 ;
}
static bool check_pw_with_krb5 ( struct torture_context * tctx ,
struct cli_credentials * credentials ,
const struct lsa_TrustDomainInfoInfoEx * trusted )
{
const char * trusted_dns_name = trusted - > domain_name . string ;
const char * trusted_netbios_name = trusted - > netbios_name . string ;
char * trusted_realm_name = NULL ;
krb5_principal principal = NULL ;
enum credentials_obtained obtained ;
const char * error_string = NULL ;
const char * workstation = cli_credentials_get_workstation ( credentials ) ;
const char * password = cli_credentials_get_password ( credentials ) ;
const struct samr_Password * nthash = NULL ;
const struct samr_Password * old_nthash = NULL ;
const char * old_password = cli_credentials_get_old_password ( credentials ) ;
int kvno = cli_credentials_get_kvno ( credentials ) ;
int expected_kvno = 0 ;
2016-05-17 13:45:11 +03:00
krb5uint32 t_kvno = 0 ;
2015-05-20 01:05:00 +03:00
const char * host = torture_setting_string ( tctx , " host " , NULL ) ;
krb5_error_code k5ret ;
krb5_boolean k5ok ;
int type ;
bool ok ;
struct check_pw_with_krb5_ctx * ctx = NULL ;
char * assertion_message = NULL ;
const char * realm = NULL ;
char * upn_realm_string = NULL ;
char * upn_dns_string = NULL ;
char * upn_netbios_string = NULL ;
char * krbtgt_cc_name = NULL ;
char * krbtgt_trust_realm_string = NULL ;
char * krbtgt_trust_dns_string = NULL ;
char * krbtgt_trust_netbios_string = NULL ;
char * cifs_trust_dns_string = NULL ;
char * cifs_trust_netbios_string = NULL ;
char * drs_trust_dns_string = NULL ;
char * drs_trust_netbios_string = NULL ;
char * four_trust_dns_string = NULL ;
ctx = talloc_zero ( tctx , struct check_pw_with_krb5_ctx ) ;
torture_assert ( tctx , ctx ! = NULL , " Failed to allocate " ) ;
realm = cli_credentials_get_realm ( credentials ) ;
trusted_realm_name = strupper_talloc ( tctx , trusted_dns_name ) ;
nthash = cli_credentials_get_nt_hash ( credentials , ctx ) ;
old_nthash = cli_credentials_get_old_nt_hash ( credentials , ctx ) ;
k5ret = smb_krb5_init_context ( ctx , tctx - > lp_ctx , & ctx - > smb_krb5_context ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , " smb_krb5_init_context failed " ) ;
2015-12-17 15:59:58 +03:00
ok = interpret_string_addr_internal ( & ctx - > server , host , 0 ) ;
2015-05-20 01:05:00 +03:00
torture_assert ( tctx , ok , " Failed to parse target server " ) ;
talloc_set_destructor ( ctx , check_pw_with_krb5_ctx_destructor ) ;
set_sockaddr_port ( ctx - > server - > ai_addr , 88 ) ;
k5ret = krb5_set_send_to_kdc_func ( ctx - > smb_krb5_context - > krb5_context ,
check_pw_with_krb5_send_and_recv_func ,
ctx ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , " krb5_set_send_to_kdc_func failed " ) ;
torture_assert_int_equal ( tctx ,
krb5_get_init_creds_opt_alloc ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krb_options ) ,
0 , " krb5_get_init_creds_opt_alloc failed " ) ;
torture_assert_int_equal ( tctx ,
krb5_get_init_creds_opt_set_pac_request (
ctx - > smb_krb5_context - > krb5_context ,
ctx - > krb_options , true ) ,
0 , " krb5_get_init_creds_opt_set_pac_request failed " ) ;
upn_realm_string = talloc_asprintf ( ctx , " user@%s " ,
trusted_realm_name ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > upn_realm ,
realm , upn_realm_string , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-07-09 19:05:12 +03:00
smb_krb5_principal_set_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_realm , KRB5_NT_ENTERPRISE_PRINCIPAL ) ;
2015-05-20 01:05:00 +03:00
upn_dns_string = talloc_asprintf ( ctx , " user@%s " ,
trusted_dns_name ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > upn_dns ,
realm , upn_dns_string , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-07-09 19:05:12 +03:00
smb_krb5_principal_set_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_dns , KRB5_NT_ENTERPRISE_PRINCIPAL ) ;
2015-05-20 01:05:00 +03:00
upn_netbios_string = talloc_asprintf ( ctx , " user@%s " ,
trusted_netbios_name ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > upn_netbios ,
realm , upn_netbios_string , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-07-09 19:05:12 +03:00
smb_krb5_principal_set_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > upn_netbios , KRB5_NT_ENTERPRISE_PRINCIPAL ) ;
2015-05-20 01:05:00 +03:00
k5ret = principal_from_credentials ( ctx , credentials , ctx - > smb_krb5_context ,
& principal , & obtained , & error_string ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , error_string ) ;
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_init_creds_password ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds , ctx - > upn_realm ,
" _none_ " , NULL , NULL , 0 ,
NULL , ctx - > krb_options ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_init_creds_password(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u] " ,
upn_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . error_io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . error_io , 1 , assertion_message ) ;
2015-07-09 19:02:31 +03:00
torture_assert_int_equal ( tctx , KRB5_ERROR_CODE ( & ctx - > error ) , 68 , assertion_message ) ;
2015-05-20 01:05:00 +03:00
torture_assert ( tctx , ctx - > error . crealm ! = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , * ctx - > error . crealm , trusted_realm_name , assertion_message ) ;
torture_assert ( tctx , ctx - > error . cname = = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , ctx - > error . realm , realm , assertion_message ) ;
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_init_creds_password ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds , ctx - > upn_dns ,
" _none_ " , NULL , NULL , 0 ,
NULL , ctx - > krb_options ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_init_creds_password(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u] " ,
upn_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . error_io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . error_io , 1 , assertion_message ) ;
2015-07-09 19:02:31 +03:00
torture_assert_int_equal ( tctx , KRB5_ERROR_CODE ( & ctx - > error ) , 68 , assertion_message ) ;
2015-05-20 01:05:00 +03:00
torture_assert ( tctx , ctx - > error . crealm ! = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , * ctx - > error . crealm , trusted_realm_name , assertion_message ) ;
torture_assert ( tctx , ctx - > error . cname = = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , ctx - > error . realm , realm , assertion_message ) ;
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_init_creds_password ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds , ctx - > upn_netbios ,
" _none_ " , NULL , NULL , 0 ,
NULL , ctx - > krb_options ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_init_creds_password(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u] " ,
upn_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . error_io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . error_io , 1 , assertion_message ) ;
2015-07-09 19:02:31 +03:00
torture_assert_int_equal ( tctx , KRB5_ERROR_CODE ( & ctx - > error ) , 68 , assertion_message ) ;
2015-05-20 01:05:00 +03:00
torture_assert ( tctx , ctx - > error . crealm ! = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , * ctx - > error . crealm , trusted_realm_name , assertion_message ) ;
torture_assert ( tctx , ctx - > error . cname = = NULL , assertion_message ) ;
torture_assert_str_equal ( tctx , ctx - > error . realm , realm , assertion_message ) ;
2016-03-10 14:16:25 +03:00
torture_comment ( tctx , " (%s:%s) password[%s] old_password[%s] \n " ,
__location__ , __FUNCTION__ ,
2015-05-20 01:05:00 +03:00
password , old_password ) ;
if ( old_password ! = NULL ) {
k5ret = krb5_get_init_creds_password ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds , principal ,
old_password , NULL , NULL , 0 ,
NULL , ctx - > krb_options ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5KDC_ERR_PREAUTH_FAILED ,
" preauth should fail with old password " ) ;
}
k5ret = krb5_get_init_creds_password ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > my_creds , principal ,
password , NULL , NULL , 0 ,
NULL , ctx - > krb_options ) ;
if ( k5ret = = KRB5KDC_ERR_PREAUTH_FAILED ) {
TALLOC_FREE ( ctx ) ;
return false ;
}
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_init_creds_password for failed: %s " ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
torture_assert_int_equal ( tctx ,
krb5_get_creds_opt_alloc ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > opt_canon ) ,
0 , " krb5_get_creds_opt_alloc " ) ;
krb5_get_creds_opt_add_options ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
KRB5_GC_CANONICALIZE ) ;
krb5_get_creds_opt_add_options ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
KRB5_GC_NO_STORE ) ;
torture_assert_int_equal ( tctx ,
krb5_get_creds_opt_alloc ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > opt_nocanon ) ,
0 , " krb5_get_creds_opt_alloc " ) ;
krb5_get_creds_opt_add_options ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_nocanon ,
KRB5_GC_NO_STORE ) ;
krbtgt_cc_name = talloc_asprintf ( ctx , " MEMORY:%p.krbtgt " , ctx - > smb_krb5_context ) ;
torture_assert_int_equal ( tctx ,
krb5_cc_resolve ( ctx - > smb_krb5_context - > krb5_context ,
krbtgt_cc_name ,
& ctx - > krbtgt_ccache ) ,
0 , " krb5_cc_resolve failed " ) ;
torture_assert_int_equal ( tctx ,
krb5_cc_initialize ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
ctx - > my_creds . client ) ,
0 , " krb5_cc_initialize failed " ) ;
torture_assert_int_equal ( tctx ,
krb5_cc_store_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
& ctx - > my_creds ) ,
0 , " krb5_cc_store_cred failed " ) ;
krbtgt_trust_realm_string = talloc_asprintf ( ctx , " krbtgt/%s@%s " ,
trusted_realm_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_trust_realm ,
realm , " krbtgt " ,
trusted_realm_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
krbtgt_trust_dns_string = talloc_asprintf ( ctx , " krbtgt/%s@%s " ,
trusted_dns_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_trust_dns ,
realm , " krbtgt " ,
trusted_dns_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
krbtgt_trust_netbios_string = talloc_asprintf ( ctx , " krbtgt/%s@%s " ,
trusted_netbios_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_trust_netbios ,
realm , " krbtgt " ,
trusted_netbios_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we can do a TGS for krbtgt/trusted_realm */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_nocanon ,
ctx - > krbtgt_ccache ,
ctx - > krbtgt_trust_realm ,
& ctx - > krbtgt_trust_realm_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_realm_creds - > server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_realm_creds - > server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Confirm if we have no referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_CC_END , assertion_message ) ;
/* Confirm if we can do a TGS for krbtgt/trusted_dns with CANON */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > krbtgt_trust_dns ,
& ctx - > krbtgt_trust_dns_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
krbtgt_trust_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
k5ret = decode_Ticket ( ctx - > krbtgt_referral_creds . ticket . data ,
ctx - > krbtgt_referral_creds . ticket . length ,
& ctx - > krbtgt_referral_ticket , NULL ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
if ( kvno > 0 ) {
expected_kvno = kvno - 1 ;
}
if ( ctx - > krbtgt_referral_ticket . enc_part . kvno ! = NULL ) {
t_kvno = * ctx - > krbtgt_referral_ticket . enc_part . kvno ;
assertion_message = talloc_asprintf ( ctx ,
" krbtgt_referral_ticket(%s) kvno(%u) expected(%u) current(%u) " ,
krbtgt_trust_realm_string ,
( unsigned ) t_kvno , ( unsigned ) expected_kvno , ( unsigned ) kvno ) ;
torture_comment ( tctx , " %s \n " , assertion_message ) ;
torture_assert_int_not_equal ( tctx , t_kvno , 0 , assertion_message ) ;
} else {
assertion_message = talloc_asprintf ( ctx ,
" krbtgt_referral_ticket(%s) kvno(NULL) exptected(%u) current(%u) " ,
krbtgt_trust_realm_string ,
( unsigned ) expected_kvno , ( unsigned ) kvno ) ;
torture_comment ( tctx , " %s \n " , assertion_message ) ;
}
torture_assert_int_equal ( tctx , t_kvno , expected_kvno , assertion_message ) ;
if ( old_nthash ! = NULL & & expected_kvno ! = kvno ) {
torture_comment ( tctx , " old_nthash: %s \n " , assertion_message ) ;
k5ret = smb_krb5_keyblock_init_contents ( ctx - > smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
old_nthash - > hash ,
sizeof ( old_nthash - > hash ) ,
& ctx - > krbtgt_referral_keyblock ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
} else {
torture_comment ( tctx , " nthash: %s \n " , assertion_message ) ;
k5ret = smb_krb5_keyblock_init_contents ( ctx - > smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
nthash - > hash ,
sizeof ( nthash - > hash ) ,
& ctx - > krbtgt_referral_keyblock ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
}
k5ret = krb5_decrypt_ticket ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_ticket ,
& ctx - > krbtgt_referral_keyblock ,
& ctx - > krbtgt_referral_enc_part ,
0 ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/* Confirm if we can do a TGS for krbtgt/trusted_dns no CANON */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_nocanon ,
ctx - > krbtgt_ccache ,
ctx - > krbtgt_trust_dns ,
& ctx - > krbtgt_trust_dns_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s, nocanon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
krbtgt_trust_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 2 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 2 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_dns_creds - > server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_dns_creds - > server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/* Confirm if we can do a TGS for krbtgt/NETBIOS with CANON */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > krbtgt_trust_netbios ,
& ctx - > krbtgt_trust_netbios_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s, canon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
krbtgt_trust_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/* Confirm if we can do a TGS for krbtgt/NETBIOS no CANON */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_nocanon ,
ctx - > krbtgt_ccache ,
ctx - > krbtgt_trust_netbios ,
& ctx - > krbtgt_trust_netbios_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s, nocanon) for failed: "
" (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
krbtgt_trust_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 2 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 2 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_netbios_creds - > server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_trust_netbios_creds - > server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
cifs_trust_dns_string = talloc_asprintf ( ctx , " cifs/%s@%s " ,
trusted_dns_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > cifs_trust_dns ,
realm , " cifs " ,
trusted_dns_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we get krbtgt/trusted_realm back when asking for cifs/trusted_realm */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > cifs_trust_dns ,
& ctx - > cifs_trust_dns_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
cifs_trust_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
cifs_trust_netbios_string = talloc_asprintf ( ctx , " cifs/%s@%s " ,
trusted_netbios_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > cifs_trust_netbios ,
realm , " cifs " ,
trusted_netbios_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we get krbtgt/trusted_realm back when asking for cifs/trusted_realm */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > cifs_trust_netbios ,
& ctx - > cifs_trust_netbios_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
cifs_trust_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
drs_trust_dns_string = talloc_asprintf ( ctx ,
" E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s " ,
workstation , trusted_dns_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > drs_trust_dns ,
realm , " E3514235-4B06-11D1-AB04-00C04FC2DCD2 " ,
workstation , trusted_dns_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we get krbtgt/trusted_realm back when asking for a 3 part principal */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > drs_trust_dns ,
& ctx - > drs_trust_dns_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
drs_trust_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
drs_trust_netbios_string = talloc_asprintf ( ctx ,
" E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s " ,
workstation , trusted_netbios_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > drs_trust_netbios ,
realm , " E3514235-4B06-11D1-AB04-00C04FC2DCD2 " ,
workstation , trusted_netbios_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we get krbtgt/trusted_realm back when asking for a 3 part principal */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > drs_trust_netbios ,
& ctx - > drs_trust_netbios_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
drs_trust_netbios_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_KDC_UNREACH , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . ok , 1 , assertion_message ) ;
/* Confirm if we have the referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
k5ok = krb5_principal_compare ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ,
ctx - > krbtgt_trust_realm ) ;
torture_assert ( tctx , k5ok , assertion_message ) ;
2015-07-09 19:00:13 +03:00
type = smb_krb5_principal_get_type ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_referral_creds . server ) ;
2015-05-20 01:05:00 +03:00
torture_assert_int_equal ( tctx , type , KRB5_NT_SRV_INST , assertion_message ) ;
/* Delete the referral ticket from the cache */
k5ret = krb5_cc_remove_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_remove_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
four_trust_dns_string = talloc_asprintf ( ctx , " four/tree/two/%s@%s " ,
trusted_dns_name , realm ) ;
torture_assert_int_equal ( tctx ,
2015-07-09 18:59:28 +03:00
smb_krb5_make_principal ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > four_trust_dns ,
realm , " four " , " tree " , " two " ,
trusted_dns_name , NULL ) ,
0 , " smb_krb5_make_principal failed " ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we get an error back for a 4 part principal */
ZERO_STRUCT ( ctx - > counts ) ;
k5ret = krb5_get_creds ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > opt_canon ,
ctx - > krbtgt_ccache ,
ctx - > four_trust_dns ,
& ctx - > four_trust_dns_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u] " ,
four_trust_dns_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ,
trusted - > trust_direction ,
trusted - > trust_type ,
trusted - > trust_attributes ,
ctx - > counts . io , ctx - > counts . errors , ctx - > counts . ok ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . io , 1 , assertion_message ) ;
torture_assert_int_equal ( tctx , ctx - > counts . error_io , 1 , assertion_message ) ;
2015-07-09 19:02:31 +03:00
torture_assert_int_equal ( tctx , KRB5_ERROR_CODE ( & ctx - > error ) , 7 , assertion_message ) ;
2015-05-20 01:05:00 +03:00
/* Confirm if we have no referral ticket in the cache */
krb5_free_cred_contents ( ctx - > smb_krb5_context - > krb5_context ,
& ctx - > krbtgt_referral_creds ) ;
k5ret = krb5_cc_retrieve_cred ( ctx - > smb_krb5_context - > krb5_context ,
ctx - > krbtgt_ccache ,
0 ,
ctx - > krbtgt_trust_realm_creds ,
& ctx - > krbtgt_referral_creds ) ;
assertion_message = talloc_asprintf ( ctx ,
" krb5_cc_retrieve_cred(%s) for failed: (%d) %s " ,
krbtgt_trust_realm_string ,
k5ret ,
smb_get_krb5_error_message ( ctx - > smb_krb5_context - > krb5_context ,
k5ret , ctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_CC_END , assertion_message ) ;
TALLOC_FREE ( ctx ) ;
return true ;
}
2015-07-10 10:44:40 +03:00
# endif
2015-05-20 01:05:00 +03:00
2011-08-22 14:34:36 +04:00
static bool check_dom_trust_pw ( struct dcerpc_pipe * p ,
struct torture_context * tctx ,
2015-05-20 01:05:00 +03:00
const char * our_netbios_name ,
const char * our_dns_name ,
enum netr_SchannelType secure_channel_type ,
const struct lsa_TrustDomainInfoInfoEx * trusted ,
const char * previous_password ,
const char * current_password ,
uint32_t current_version ,
const char * next_password ,
uint32_t next_version ,
bool expected_result )
2011-08-22 14:34:36 +04:00
{
2015-05-20 01:05:00 +03:00
struct cli_credentials * incoming_creds ;
char * server_name = NULL ;
char * account = NULL ;
char * principal = NULL ;
char * workstation = NULL ;
2015-03-10 06:04:30 +03:00
const char * binding = torture_setting_string ( tctx , " binding " , NULL ) ;
2015-05-20 01:05:00 +03:00
const char * host = torture_setting_string ( tctx , " host " , NULL ) ;
2015-12-17 15:59:40 +03:00
const char * ip ;
struct nbt_name nbt_name ;
2015-03-10 06:04:30 +03:00
struct dcerpc_binding * b2 ;
2011-08-22 14:34:36 +04:00
struct netlogon_creds_CredentialState * creds ;
2015-05-20 01:05:00 +03:00
struct samr_CryptPassword samr_crypt_password ;
struct netr_CryptPassword netr_crypt_password ;
struct netr_Authenticator req_auth ;
struct netr_Authenticator rep_auth ;
struct netr_ServerPasswordSet2 s ;
2015-12-22 14:10:12 +03:00
struct dcerpc_pipe * p1 = NULL ;
struct dcerpc_pipe * p2 = NULL ;
2011-08-22 14:34:36 +04:00
NTSTATUS status ;
bool ok ;
2015-05-20 01:05:00 +03:00
int rc ;
const char * trusted_netbios_name = trusted - > netbios_name . string ;
const char * trusted_dns_name = trusted - > domain_name . string ;
struct tsocket_address * dest_addr ;
struct cldap_socket * cldap ;
struct cldap_netlogon cldap1 ;
incoming_creds = cli_credentials_init ( tctx ) ;
torture_assert ( tctx , incoming_creds , " cli_credentials_init " ) ;
cli_credentials_set_domain ( incoming_creds , our_netbios_name , CRED_SPECIFIED ) ;
cli_credentials_set_realm ( incoming_creds , our_dns_name , CRED_SPECIFIED ) ;
if ( secure_channel_type = = SEC_CHAN_DNS_DOMAIN ) {
account = talloc_asprintf ( tctx , " %s. " , trusted_dns_name ) ;
torture_assert ( tctx , account , __location__ ) ;
principal = talloc_asprintf ( tctx , " %s$@%s " ,
trusted_netbios_name ,
cli_credentials_get_realm ( incoming_creds ) ) ;
torture_assert ( tctx , principal , __location__ ) ;
workstation = talloc_asprintf ( tctx , " %sUP " ,
trusted_netbios_name ) ;
torture_assert ( tctx , workstation , __location__ ) ;
} else {
account = talloc_asprintf ( tctx , " %s$ " , trusted_netbios_name ) ;
torture_assert ( tctx , account , __location__ ) ;
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
workstation = talloc_asprintf ( tctx , " %sDOWN " ,
trusted_netbios_name ) ;
torture_assert ( tctx , workstation , __location__ ) ;
2011-08-22 14:34:36 +04:00
}
2015-05-20 01:05:00 +03:00
cli_credentials_set_username ( incoming_creds , account , CRED_SPECIFIED ) ;
if ( principal ! = NULL ) {
cli_credentials_set_principal ( incoming_creds , principal ,
CRED_SPECIFIED ) ;
2011-08-22 14:34:36 +04:00
}
2015-05-20 01:05:00 +03:00
cli_credentials_set_kvno ( incoming_creds , current_version ) ;
cli_credentials_set_password ( incoming_creds , current_password , CRED_SPECIFIED ) ;
cli_credentials_set_old_password ( incoming_creds , previous_password , CRED_SPECIFIED ) ;
cli_credentials_set_workstation ( incoming_creds , workstation , CRED_SPECIFIED ) ;
cli_credentials_set_secure_channel_type ( incoming_creds , secure_channel_type ) ;
2015-12-17 15:59:40 +03:00
make_nbt_name_server ( & nbt_name , host ) ;
status = resolve_name_ex ( lpcfg_resolve_context ( tctx - > lp_ctx ) ,
0 , 0 , & nbt_name , tctx , & ip , tctx - > ev ) ;
torture_assert_ntstatus_ok ( tctx , status ,
talloc_asprintf ( tctx , " Failed to resolve %s: %s " ,
nbt_name . name , nt_errstr ( status ) ) ) ;
2015-05-20 01:05:00 +03:00
rc = tsocket_address_inet_from_strings ( tctx , " ip " ,
2015-12-17 15:59:40 +03:00
ip ,
2015-05-20 01:05:00 +03:00
lpcfg_cldap_port ( tctx - > lp_ctx ) ,
& dest_addr ) ;
2015-08-31 03:51:14 +03:00
torture_assert_int_equal ( tctx , rc , 0 ,
talloc_asprintf ( tctx ,
" tsocket_address_inet_from_strings failed parsing %s:%d " ,
host , lpcfg_cldap_port ( tctx - > lp_ctx ) ) ) ;
2015-05-20 01:05:00 +03:00
/* cldap_socket_init should now know about the dest. address */
status = cldap_socket_init ( tctx , NULL , dest_addr , & cldap ) ;
torture_assert_ntstatus_ok ( tctx , status , " cldap_socket_init " ) ;
ZERO_STRUCT ( cldap1 ) ;
cldap1 . in . dest_address = NULL ;
cldap1 . in . dest_port = 0 ;
cldap1 . in . version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX ;
cldap1 . in . user = account ;
if ( secure_channel_type = = SEC_CHAN_DNS_DOMAIN ) {
cldap1 . in . acct_control = ACB_AUTOLOCK ;
} else {
cldap1 . in . acct_control = ACB_DOMTRUST ;
}
status = cldap_netlogon ( cldap , tctx , & cldap1 ) ;
torture_assert_ntstatus_ok ( tctx , status , " cldap_netlogon " ) ;
torture_assert_int_equal ( tctx , cldap1 . out . netlogon . ntver ,
NETLOGON_NT_VERSION_5EX ,
" ntver " ) ;
torture_assert_int_equal ( tctx , cldap1 . out . netlogon . data . nt5_ex . nt_version ,
NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5EX ,
" nt_version " ) ;
torture_assert_int_equal ( tctx , cldap1 . out . netlogon . data . nt5_ex . command ,
LOGON_SAM_LOGON_RESPONSE_EX ,
" command " ) ;
torture_assert_str_equal ( tctx , cldap1 . out . netlogon . data . nt5_ex . user_name ,
cldap1 . in . user ,
" user_name " ) ;
server_name = talloc_asprintf ( tctx , " \\ \\ %s " ,
cldap1 . out . netlogon . data . nt5_ex . pdc_dns_name ) ;
torture_assert ( tctx , server_name , __location__ ) ;
2011-08-22 14:34:36 +04:00
2015-03-10 06:04:30 +03:00
status = dcerpc_parse_binding ( tctx , binding , & b2 ) ;
torture_assert_ntstatus_ok ( tctx , status , " Bad binding string " ) ;
2015-12-22 14:10:12 +03:00
status = dcerpc_pipe_connect_b ( tctx , & p1 , b2 ,
2011-08-22 14:34:36 +04:00
& ndr_table_netlogon ,
cli_credentials_init_anon ( tctx ) ,
tctx - > ev , tctx - > lp_ctx ) ;
2015-05-20 01:05:00 +03:00
torture_assert_ntstatus_ok ( tctx , status , " dcerpc_pipe_connect_b " ) ;
2015-12-22 14:10:12 +03:00
ok = check_pw_with_ServerAuthenticate3 ( p1 , tctx ,
2015-05-20 01:05:00 +03:00
NETLOGON_NEG_AUTH2_ADS_FLAGS ,
server_name ,
incoming_creds , & creds ) ;
torture_assert_int_equal ( tctx , ok , expected_result ,
" check_pw_with_ServerAuthenticate3 " ) ;
2015-12-22 14:10:12 +03:00
if ( expected_result = = true ) {
ok = test_SetupCredentialsPipe ( p1 , tctx , incoming_creds , creds ,
DCERPC_SIGN | DCERPC_SEAL , & p2 ) ;
torture_assert_int_equal ( tctx , ok , true ,
" test_SetupCredentialsPipe " ) ;
}
TALLOC_FREE ( p1 ) ;
2015-05-20 01:05:00 +03:00
if ( trusted - > trust_type ! = LSA_TRUST_TYPE_DOWNLEVEL ) {
2015-07-10 10:44:40 +03:00
# ifdef SAMBA4_USES_HEIMDAL
2015-05-20 01:05:00 +03:00
ok = check_pw_with_krb5 ( tctx , incoming_creds , trusted ) ;
torture_assert_int_equal ( tctx , ok , expected_result ,
" check_pw_with_krb5 " ) ;
2015-07-10 10:44:40 +03:00
# else
torture_comment ( tctx , " skipping check_pw_with_krb5 for MIT Kerberos build " ) ;
# endif
2015-05-20 01:05:00 +03:00
}
if ( expected_result ! = true | | next_password = = NULL ) {
TALLOC_FREE ( p2 ) ;
return true ;
}
/*
* netr_ServerPasswordSet2
*/
ok = encode_pw_buffer ( samr_crypt_password . data ,
next_password , STR_UNICODE ) ;
torture_assert ( tctx , ok , " encode_pw_buffer " ) ;
if ( next_version ! = 0 ) {
struct NL_PASSWORD_VERSION version ;
uint32_t len = IVAL ( samr_crypt_password . data , 512 ) ;
uint32_t ofs = 512 - len ;
uint8_t * ptr ;
ofs - = 12 ;
version . ReservedField = 0 ;
version . PasswordVersionNumber = next_version ;
version . PasswordVersionPresent =
NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT ;
ptr = samr_crypt_password . data + ofs ;
SIVAL ( ptr , 0 , version . ReservedField ) ;
SIVAL ( ptr , 4 , version . PasswordVersionNumber ) ;
SIVAL ( ptr , 8 , version . PasswordVersionPresent ) ;
}
netlogon_creds_client_authenticator ( creds , & req_auth ) ;
ZERO_STRUCT ( rep_auth ) ;
if ( creds - > negotiate_flags & NETLOGON_NEG_SUPPORTS_AES ) {
netlogon_creds_aes_encrypt ( creds ,
samr_crypt_password . data ,
516 ) ;
} else {
netlogon_creds_arcfour_crypt ( creds ,
samr_crypt_password . data ,
516 ) ;
2011-08-22 14:34:36 +04:00
}
2015-05-20 01:05:00 +03:00
memcpy ( netr_crypt_password . data ,
samr_crypt_password . data , 512 ) ;
netr_crypt_password . length = IVAL ( samr_crypt_password . data , 512 ) ;
s . in . server_name = server_name ;
s . in . account_name = cli_credentials_get_username ( incoming_creds ) ;
s . in . secure_channel_type = cli_credentials_get_secure_channel_type ( incoming_creds ) ;
s . in . computer_name = cli_credentials_get_workstation ( incoming_creds ) ;
s . in . credential = & req_auth ;
s . in . new_password = & netr_crypt_password ;
s . out . return_authenticator = & rep_auth ;
status = dcerpc_netr_ServerPasswordSet2_r ( p2 - > binding_handle , tctx , & s ) ;
torture_assert_ntstatus_ok ( tctx , status , " failed to set password " ) ;
ok = netlogon_creds_client_check ( creds , & rep_auth . cred ) ;
torture_assert ( tctx , ok , " netlogon_creds_client_check " ) ;
cli_credentials_set_kvno ( incoming_creds , next_version ) ;
cli_credentials_set_password ( incoming_creds , next_password , CRED_SPECIFIED ) ;
cli_credentials_set_old_password ( incoming_creds , current_password , CRED_SPECIFIED ) ;
TALLOC_FREE ( p2 ) ;
status = dcerpc_pipe_connect_b ( tctx , & p2 , b2 ,
& ndr_table_netlogon ,
cli_credentials_init_anon ( tctx ) ,
tctx - > ev , tctx - > lp_ctx ) ;
torture_assert_ntstatus_ok ( tctx , status , " dcerpc_pipe_connect_b " ) ;
2015-03-19 01:03:48 +03:00
ok = check_pw_with_ServerAuthenticate3 ( p2 , tctx ,
2011-08-22 14:34:36 +04:00
NETLOGON_NEG_AUTH2_ADS_FLAGS ,
2015-05-20 01:05:00 +03:00
server_name ,
incoming_creds , & creds ) ;
torture_assert ( tctx , ok , " check_pw_with_ServerAuthenticate3 with changed password " ) ;
if ( trusted - > trust_type ! = LSA_TRUST_TYPE_DOWNLEVEL ) {
2015-07-10 10:44:40 +03:00
# if SAMBA4_USES_HEIMDAL
2015-05-20 01:05:00 +03:00
ok = check_pw_with_krb5 ( tctx , incoming_creds , trusted ) ;
torture_assert ( tctx , ok , " check_pw_with_krb5 with changed password " ) ;
2015-07-10 10:44:40 +03:00
# else
torture_comment ( tctx , " skipping check_pw_with_krb5 for MIT Kerberos build " ) ;
# endif
2015-05-20 01:05:00 +03:00
}
2011-08-22 14:34:36 +04:00
2015-05-20 01:05:00 +03:00
TALLOC_FREE ( p2 ) ;
return true ;
2011-08-22 14:34:36 +04:00
}
2011-07-15 17:38:12 +04:00
static bool test_CreateTrustedDomainEx_common ( struct dcerpc_pipe * p ,
struct torture_context * tctx ,
struct policy_handle * handle ,
uint32_t num_trusts ,
bool ex2_call )
2008-09-02 05:31:46 +04:00
{
NTSTATUS status ;
bool ret = true ;
2015-05-20 01:05:00 +03:00
struct lsa_QueryInfoPolicy2 p2 ;
union lsa_PolicyInformation * our_info = NULL ;
2011-07-15 17:38:12 +04:00
struct lsa_CreateTrustedDomainEx r ;
struct lsa_CreateTrustedDomainEx2 r2 ;
2008-09-02 05:31:46 +04:00
struct lsa_TrustDomainInfoInfoEx trustinfo ;
2015-02-25 15:19:44 +03:00
struct lsa_TrustDomainInfoAuthInfoInternal * authinfo_internal = NULL ;
struct lsa_TrustDomainInfoAuthInfo * authinfo = NULL ;
2009-10-20 20:34:09 +04:00
struct dom_sid * * domsid ;
struct policy_handle * trustdom_handle ;
2008-09-02 05:31:46 +04:00
struct lsa_QueryTrustedDomainInfo q ;
2008-10-21 12:33:27 +04:00
union lsa_TrustedDomainInfo * info = NULL ;
2008-09-04 10:06:38 +04:00
DATA_BLOB session_key ;
2008-09-02 05:31:46 +04:00
int i ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2015-03-24 01:15:45 +03:00
const char * id ;
2015-05-20 01:05:00 +03:00
const char * incoming_v00 = TRUSTPW " InV00 " ;
const char * incoming_v0 = TRUSTPW " InV0 " ;
const char * incoming_v1 = TRUSTPW " InV1 " ;
const char * incoming_v2 = TRUSTPW " InV2 " ;
const char * incoming_v40 = TRUSTPW " InV40 " ;
const char * outgoing_v00 = TRUSTPW " OutV00 " ;
const char * outgoing_v0 = TRUSTPW " OutV0 " ;
2008-09-02 05:31:46 +04:00
2011-07-15 17:38:12 +04:00
if ( ex2_call ) {
torture_comment ( tctx , " \n Testing CreateTrustedDomainEx2 for %d domains \n " , num_trusts ) ;
2015-03-24 01:15:45 +03:00
id = " 3 " ;
2011-07-15 17:38:12 +04:00
} else {
torture_comment ( tctx , " \n Testing CreateTrustedDomainEx for %d domains \n " , num_trusts ) ;
2015-03-24 01:15:45 +03:00
id = " 2 " ;
2011-07-15 17:38:12 +04:00
}
2009-10-20 20:34:09 +04:00
domsid = talloc_array ( tctx , struct dom_sid * , num_trusts ) ;
trustdom_handle = talloc_array ( tctx , struct policy_handle , num_trusts ) ;
2008-09-02 05:31:46 +04:00
2008-09-04 10:06:38 +04:00
status = dcerpc_fetch_session_key ( p , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " dcerpc_fetch_session_key failed - %s \n " , nt_errstr ( status ) ) ;
2008-09-04 10:06:38 +04:00
return false ;
}
2009-05-11 16:54:04 +04:00
2015-05-20 01:05:00 +03:00
ZERO_STRUCT ( p2 ) ;
p2 . in . handle = handle ;
p2 . in . level = LSA_POLICY_INFO_DNS ;
p2 . out . info = & our_info ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_QueryInfoPolicy2_r ( b , tctx , & p2 ) ,
" lsa_QueryInfoPolicy2 failed " ) ;
torture_assert_ntstatus_ok ( tctx , p2 . out . result ,
" lsa_QueryInfoPolicy2 failed " ) ;
torture_assert ( tctx , our_info ! = NULL , " lsa_QueryInfoPolicy2 our_info " ) ;
2009-10-20 20:34:09 +04:00
for ( i = 0 ; i < num_trusts ; i + + ) {
2015-05-20 01:05:00 +03:00
char * trust_name = talloc_asprintf ( tctx , " TORTURE%s%02d " , id , i ) ;
char * trust_name_dns = talloc_asprintf ( tctx , " torturedom%s%02d.samba._none_.example.com " , id , i ) ;
2015-03-24 01:15:45 +03:00
char * trust_sid = talloc_asprintf ( tctx , " S-1-5-21-97398-379795-%s%02d " , id , i ) ;
2015-05-20 01:05:00 +03:00
bool ok ;
2009-05-11 16:51:41 +04:00
domsid [ i ] = dom_sid_parse_talloc ( tctx , trust_sid ) ;
2008-09-02 05:31:46 +04:00
trustinfo . sid = domsid [ i ] ;
trustinfo . netbios_name . string = trust_name ;
trustinfo . domain_name . string = trust_name_dns ;
/* Create inbound, some outbound, and some
* bi - directional trusts in a repeating pattern based
* on i */
/* 1 == inbound, 2 == outbound, 3 == both */
trustinfo . trust_direction = ( i % 3 ) + 1 ;
/* Try different trust types too */
2008-10-02 00:11:11 +04:00
/* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
2008-09-02 05:31:46 +04:00
trustinfo . trust_type = ( ( ( i / 3 ) + 1 ) % 3 ) + 1 ;
trustinfo . trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION ;
2015-05-20 01:05:00 +03:00
ok = gen_authinfo_internal ( tctx , incoming_v00 , incoming_v0 ,
outgoing_v00 , outgoing_v0 ,
session_key , & authinfo_internal ) ;
if ( ! ok ) {
2011-08-22 14:34:36 +04:00
torture_comment ( tctx , " gen_authinfo_internal failed " ) ;
2008-09-04 10:06:38 +04:00
ret = false ;
}
2015-05-20 01:05:00 +03:00
ok = gen_authinfo ( tctx , incoming_v00 , incoming_v0 ,
outgoing_v00 , outgoing_v0 ,
& authinfo ) ;
if ( ! ok ) {
2011-08-22 14:34:36 +04:00
torture_comment ( tctx , " gen_authinfonfo failed " ) ;
ret = false ;
}
2009-05-11 16:51:41 +04:00
2011-07-15 17:38:12 +04:00
if ( ex2_call ) {
r2 . in . policy_handle = handle ;
r2 . in . info = & trustinfo ;
2011-08-22 14:34:36 +04:00
r2 . in . auth_info_internal = authinfo_internal ;
2011-07-15 17:38:12 +04:00
r2 . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r2 . out . trustdom_handle = & trustdom_handle [ i ] ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_CreateTrustedDomainEx2_r ( b , tctx , & r2 ) ,
2010-03-24 11:06:54 +03:00
" CreateTrustedDomainEx2 failed " ) ;
2011-07-15 17:38:12 +04:00
status = r2 . out . result ;
} else {
r . in . policy_handle = handle ;
r . in . info = & trustinfo ;
2011-08-22 14:34:36 +04:00
r . in . auth_info = authinfo ;
2011-07-15 17:38:12 +04:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
r . out . trustdom_handle = & trustdom_handle [ i ] ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_CreateTrustedDomainEx_r ( b , tctx , & r ) ,
" CreateTrustedDomainEx failed " ) ;
status = r . out . result ;
2008-09-02 05:31:46 +04:00
}
2011-07-15 17:38:12 +04:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_COLLISION ) ) {
test_DeleteTrustedDomain ( b , tctx , handle , trustinfo . netbios_name ) ;
if ( ex2_call ) {
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_CreateTrustedDomainEx2_r ( b , tctx , & r2 ) ,
" CreateTrustedDomainEx2 failed " ) ;
status = r2 . out . result ;
} else {
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_CreateTrustedDomainEx_r ( b , tctx , & r ) ,
" CreateTrustedDomainEx2 failed " ) ;
status = r . out . result ;
}
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
torture_comment ( tctx , " CreateTrustedDomainEx failed2 - %s \n " , nt_errstr ( status ) ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
} else {
2011-08-22 14:34:36 +04:00
/* For outbound and MIT trusts there is no trust account */
if ( trustinfo . trust_direction ! = 2 & &
trustinfo . trust_type ! = 3 ) {
2011-08-31 14:42:51 +04:00
2015-03-10 06:23:40 +03:00
if ( torture_setting_bool ( tctx , " samba3 " , false ) ) {
2015-06-30 13:08:22 +03:00
torture_comment ( tctx , " skipping trusted domain auth tests against samba3 \n " ) ;
2015-03-10 06:23:40 +03:00
} else if ( ex2_call = = false & &
torture_setting_bool ( tctx , " samba4 " , false ) ) {
2015-06-30 13:08:22 +03:00
torture_comment ( tctx , " skipping CreateTrustedDomainEx trusted domain auth tests against samba4 \n " ) ;
2015-03-10 06:23:40 +03:00
2011-08-31 14:42:51 +04:00
} else {
2015-05-20 01:05:00 +03:00
ok = check_dom_trust_pw ( p , tctx ,
our_info - > dns . name . string ,
our_info - > dns . dns_domain . string ,
SEC_CHAN_DOMAIN ,
& trustinfo ,
NULL ,
" x " TRUSTPW " x " , 0 ,
NULL , 0 ,
false ) ;
if ( ! ok ) {
2011-08-31 14:42:51 +04:00
torture_comment ( tctx , " Password check passed unexpectedly \n " ) ;
ret = false ;
}
2015-05-20 01:05:00 +03:00
ok = check_dom_trust_pw ( p , tctx ,
our_info - > dns . name . string ,
our_info - > dns . dns_domain . string ,
SEC_CHAN_DOMAIN ,
& trustinfo ,
incoming_v00 ,
incoming_v0 , 0 ,
incoming_v1 , 1 ,
true ) ;
if ( ! ok ) {
torture_comment ( tctx , " Password check failed (SEC_CHAN_DOMAIN) \n " ) ;
ret = false ;
}
ok = check_dom_trust_pw ( p , tctx ,
our_info - > dns . name . string ,
our_info - > dns . dns_domain . string ,
SEC_CHAN_DNS_DOMAIN ,
& trustinfo ,
incoming_v0 ,
incoming_v1 , 1 ,
incoming_v2 , 2 ,
true ) ;
if ( ! ok ) {
torture_comment ( tctx , " Password check failed v2 (SEC_CHAN_DNS_DOMAIN) \n " ) ;
ret = false ;
}
ok = check_dom_trust_pw ( p , tctx ,
our_info - > dns . name . string ,
our_info - > dns . dns_domain . string ,
SEC_CHAN_DNS_DOMAIN ,
& trustinfo ,
incoming_v1 ,
incoming_v2 , 2 ,
incoming_v40 , 40 ,
true ) ;
if ( ! ok ) {
torture_comment ( tctx , " Password check failed v4 (SEC_CHAN_DNS_DOMAIN) \n " ) ;
2011-08-31 14:42:51 +04:00
ret = false ;
}
2011-08-22 14:34:36 +04:00
}
}
2009-05-11 16:54:04 +04:00
2008-09-02 05:31:46 +04:00
q . in . trustdom_handle = & trustdom_handle [ i ] ;
q . in . level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX ;
2008-10-21 12:33:27 +04:00
q . out . info = & info ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryTrustedDomainInfo_r ( b , tctx , & q ) ,
" QueryTrustedDomainInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
torture_comment ( tctx , " QueryTrustedDomainInfo level 1 failed - %s \n " , nt_errstr ( q . out . result ) ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
} else if ( ! q . out . info ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo level 1 failed to return an info pointer \n " ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
} else {
2015-05-20 01:05:00 +03:00
if ( strcmp ( info - > info_ex . domain_name . string , trustinfo . domain_name . string ) ! = 0 ) {
torture_comment ( tctx , " QueryTrustedDomainInfo returned inconsistent long name: %s != %s \n " ,
info - > info_ex . domain_name . string , trustinfo . domain_name . string ) ;
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( strcmp ( info - > info_ex . netbios_name . string , trustinfo . netbios_name . string ) ! = 0 ) {
2011-03-01 00:04:29 +03:00
torture_comment ( tctx , " QueryTrustedDomainInfo returned inconsistent short name: %s != %s \n " ,
2008-10-21 12:33:27 +04:00
info - > info_ex . netbios_name . string , trustinfo . netbios_name . string ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_type ! = trustinfo . trust_type ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_type , trustinfo . trust_type ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_attributes ! = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_attributes , LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
2008-10-21 12:33:27 +04:00
if ( info - > info_ex . trust_direction ! = trustinfo . trust_direction ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d \n " ,
2008-10-21 12:33:27 +04:00
trust_name , info - > info_ex . trust_direction , trustinfo . trust_direction ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
}
}
}
/* now that we have some domains to look over, we can test the enum calls */
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDom ( b , tctx , handle ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " test_EnumTrustDom failed \n " ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_EnumTrustDomEx ( b , tctx , handle ) ) {
2009-10-20 14:59:49 +04:00
torture_comment ( tctx , " test_EnumTrustDomEx failed \n " ) ;
ret = false ;
}
2009-10-20 20:34:09 +04:00
for ( i = 0 ; i < num_trusts ; i + + ) {
2010-03-11 14:00:34 +03:00
if ( ! test_DeleteTrustedDomainBySid ( b , tctx , handle , domsid [ i ] ) ) {
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " test_DeleteTrustedDomainBySid failed \n " ) ;
2008-09-02 05:31:46 +04:00
ret = false ;
}
}
return ret ;
}
2011-07-15 17:38:12 +04:00
static bool test_CreateTrustedDomainEx2 ( struct dcerpc_pipe * p ,
struct torture_context * tctx ,
struct policy_handle * handle ,
uint32_t num_trusts )
{
return test_CreateTrustedDomainEx_common ( p , tctx , handle , num_trusts , true ) ;
}
static bool test_CreateTrustedDomainEx ( struct dcerpc_pipe * p ,
struct torture_context * tctx ,
struct policy_handle * handle ,
uint32_t num_trusts )
{
return test_CreateTrustedDomainEx_common ( p , tctx , handle , num_trusts , false ) ;
}
2010-03-11 14:00:34 +03:00
static bool test_QueryDomainInfoPolicy ( struct dcerpc_binding_handle * b ,
2009-05-11 16:54:04 +04:00
struct torture_context * tctx ,
2005-09-01 14:36:48 +04:00
struct policy_handle * handle )
{
struct lsa_QueryDomainInformationPolicy r ;
2008-10-21 15:03:49 +04:00
union lsa_DomainInformationPolicy * info = NULL ;
2005-09-01 14:36:48 +04:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2006-07-06 09:23:29 +04:00
2009-11-02 18:51:00 +03:00
if ( torture_setting_bool ( tctx , " samba3 " , false ) ) {
torture_skip ( tctx , " skipping QueryDomainInformationPolicy test \n " ) ;
}
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing QueryDomainInformationPolicy \n " ) ;
2005-09-01 14:36:48 +04:00
for ( i = 2 ; i < 4 ; i + + ) {
r . in . handle = handle ;
r . in . level = i ;
2008-10-21 15:03:49 +04:00
r . out . info = & info ;
2005-09-01 14:36:48 +04:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Trying QueryDomainInformationPolicy level %d \n " , i ) ;
2005-09-01 14:36:48 +04:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryDomainInformationPolicy_r ( b , tctx , & r ) ,
" QueryDomainInformationPolicy failed " ) ;
2005-09-01 14:36:48 +04:00
2008-08-26 06:18:26 +04:00
/* If the server does not support EFS, then this is the correct return */
2010-03-24 11:06:54 +03:00
if ( i = = LSA_DOMAIN_INFO_POLICY_EFS & & NT_STATUS_EQUAL ( r . out . result , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
2008-08-26 06:18:26 +04:00
continue ;
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " QueryDomainInformationPolicy failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-09-01 14:36:48 +04:00
continue ;
}
}
return ret ;
}
2008-10-20 08:50:07 +04:00
static bool test_QueryInfoPolicyCalls ( bool version2 ,
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b ,
2008-10-20 08:50:07 +04:00
struct torture_context * tctx ,
struct policy_handle * handle )
2003-11-11 05:02:29 +03:00
{
struct lsa_QueryInfoPolicy r ;
2008-10-24 17:05:57 +04:00
union lsa_PolicyInformation * info = NULL ;
2003-11-11 09:22:58 +03:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2009-11-02 21:59:47 +03:00
const char * call = talloc_asprintf ( tctx , " QueryInfoPolicy%s " , version2 ? " 2 " : " " ) ;
2003-11-11 05:02:29 +03:00
2009-11-02 21:59:47 +03:00
torture_comment ( tctx , " \n Testing %s \n " , call ) ;
2008-10-20 08:50:07 +04:00
2009-11-02 22:11:14 +03:00
if ( version2 & & torture_setting_bool ( tctx , " samba3 " , false ) ) {
torture_skip ( tctx , " skipping QueryInfoPolicy2 tests \n " ) ;
}
2008-10-20 08:50:07 +04:00
for ( i = 1 ; i < = 14 ; i + + ) {
2003-11-11 09:22:58 +03:00
r . in . handle = handle ;
r . in . level = i ;
2008-10-24 17:05:57 +04:00
r . out . info = & info ;
2003-11-11 05:02:29 +03:00
2009-11-02 21:59:47 +03:00
torture_comment ( tctx , " \n Trying %s level %d \n " , call , i ) ;
2003-11-11 09:54:54 +03:00
2008-10-20 08:50:07 +04:00
if ( version2 )
/* We can perform the cast, because both types are
structurally equal */
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryInfoPolicy2_r ( b , tctx ,
( struct lsa_QueryInfoPolicy2 * ) & r ) ,
" QueryInfoPolicy2 failed " ) ;
2008-10-20 08:50:07 +04:00
else
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_QueryInfoPolicy_r ( b , tctx , & r ) ,
" QueryInfoPolicy2 failed " ) ;
2003-11-20 04:02:09 +03:00
2007-09-17 09:31:49 +04:00
switch ( i ) {
2008-10-20 08:50:07 +04:00
case LSA_POLICY_INFO_MOD :
2007-09-17 09:31:49 +04:00
case LSA_POLICY_INFO_AUDIT_FULL_SET :
2008-10-20 09:12:37 +04:00
case LSA_POLICY_INFO_AUDIT_FULL_QUERY :
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_INVALID_PARAMETER ) ) {
torture_comment ( tctx , " Server should have failed level %u: %s \n " , i , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-09-17 09:31:49 +04:00
}
break ;
case LSA_POLICY_INFO_DOMAIN :
case LSA_POLICY_INFO_ACCOUNT_DOMAIN :
2008-10-04 04:52:59 +04:00
case LSA_POLICY_INFO_REPLICA :
case LSA_POLICY_INFO_QUOTA :
case LSA_POLICY_INFO_ROLE :
case LSA_POLICY_INFO_AUDIT_LOG :
case LSA_POLICY_INFO_AUDIT_EVENTS :
case LSA_POLICY_INFO_PD :
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " %s failed - %s \n " , call , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-09-17 09:31:49 +04:00
}
break ;
2009-11-03 13:46:07 +03:00
case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN :
case LSA_POLICY_INFO_DNS_INT :
case LSA_POLICY_INFO_DNS :
if ( torture_setting_bool ( tctx , " samba3 " , false ) ) {
/* Other levels not implemented yet */
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_INVALID_INFO_CLASS ) ) {
torture_comment ( tctx , " %s failed - %s \n " , call , nt_errstr ( r . out . result ) ) ;
2009-11-03 13:46:07 +03:00
ret = false ;
}
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " %s failed - %s \n " , call , nt_errstr ( r . out . result ) ) ;
2009-11-03 13:46:07 +03:00
ret = false ;
}
break ;
2007-09-17 09:31:49 +04:00
default :
2007-12-03 17:53:17 +03:00
if ( torture_setting_bool ( tctx , " samba4 " , false ) ) {
2007-09-17 09:31:49 +04:00
/* Other levels not implemented yet */
2010-03-24 11:06:54 +03:00
if ( ! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_INVALID_INFO_CLASS ) ) {
torture_comment ( tctx , " %s failed - %s \n " , call , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-09-17 09:31:49 +04:00
}
2010-03-24 11:06:54 +03:00
} else if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " %s failed - %s \n " , call , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2007-09-17 09:31:49 +04:00
}
break ;
2003-11-20 04:02:09 +03:00
}
2010-03-24 11:06:54 +03:00
if ( NT_STATUS_IS_OK ( r . out . result ) & & ( i = = LSA_POLICY_INFO_DNS
2008-10-20 08:50:07 +04:00
| | i = = LSA_POLICY_INFO_DNS_INT ) ) {
2007-09-17 09:31:49 +04:00
/* Let's look up some of these names */
2019-08-10 11:53:12 +03:00
struct lsa_TransNameArray tnames , dnames ;
2007-12-10 03:45:04 +03:00
tnames . count = 14 ;
tnames . names = talloc_zero_array ( tctx , struct lsa_TranslatedName , tnames . count ) ;
2008-10-24 17:05:57 +04:00
tnames . names [ 0 ] . name . string = info - > dns . name . string ;
2007-12-10 03:45:04 +03:00
tnames . names [ 0 ] . sid_type = SID_NAME_DOMAIN ;
2008-10-24 17:05:57 +04:00
tnames . names [ 1 ] . name . string = info - > dns . dns_domain . string ;
2007-12-10 03:45:04 +03:00
tnames . names [ 1 ] . sid_type = SID_NAME_DOMAIN ;
2008-10-24 17:05:57 +04:00
tnames . names [ 2 ] . name . string = talloc_asprintf ( tctx , " %s \\ " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 2 ] . sid_type = SID_NAME_DOMAIN ;
2008-10-24 17:05:57 +04:00
tnames . names [ 3 ] . name . string = talloc_asprintf ( tctx , " %s \\ " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 3 ] . sid_type = SID_NAME_DOMAIN ;
2008-10-24 17:05:57 +04:00
tnames . names [ 4 ] . name . string = talloc_asprintf ( tctx , " %s \\ guest " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 4 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 5 ] . name . string = talloc_asprintf ( tctx , " %s \\ krbtgt " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 5 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 6 ] . name . string = talloc_asprintf ( tctx , " %s \\ guest " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 6 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 7 ] . name . string = talloc_asprintf ( tctx , " %s \\ krbtgt " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 7 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 8 ] . name . string = talloc_asprintf ( tctx , " krbtgt@%s " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 8 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 9 ] . name . string = talloc_asprintf ( tctx , " krbtgt@%s " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 9 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 10 ] . name . string = talloc_asprintf ( tctx , " %s \\ " TEST_MACHINENAME " $ " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 10 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 11 ] . name . string = talloc_asprintf ( tctx , " %s \\ " TEST_MACHINENAME " $ " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 11 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 12 ] . name . string = talloc_asprintf ( tctx , TEST_MACHINENAME " $@%s " , info - > dns . name . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 12 ] . sid_type = SID_NAME_USER ;
2008-10-24 17:05:57 +04:00
tnames . names [ 13 ] . name . string = talloc_asprintf ( tctx , TEST_MACHINENAME " $@%s " , info - > dns . dns_domain . string ) ;
2007-12-10 03:45:04 +03:00
tnames . names [ 13 ] . sid_type = SID_NAME_USER ;
2019-08-01 21:08:52 +03:00
ret & = test_LookupNames ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & tnames ) ;
2007-12-10 03:45:04 +03:00
2019-08-10 11:53:12 +03:00
/* Try to use in-forest search for the test machine */
dnames . count = 1 ;
dnames . names = talloc_zero_array ( tctx , struct lsa_TranslatedName , dnames . count ) ;
dnames . names [ 0 ] . name . string = talloc_asprintf ( tctx , " %s \\ " TEST_MACHINENAME " $ " , info - > dns . name . string ) ;
dnames . names [ 0 ] . sid_type = SID_NAME_USER ;
ret & = test_LookupNames ( b , tctx , handle , LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 , & dnames ) ;
2003-11-11 09:22:58 +03:00
}
}
2003-11-11 05:02:29 +03:00
2003-11-11 09:22:58 +03:00
return ret ;
2003-11-11 05:02:29 +03:00
}
2010-03-11 14:00:34 +03:00
static bool test_QueryInfoPolicy ( struct dcerpc_binding_handle * b ,
2009-05-11 16:54:04 +04:00
struct torture_context * tctx ,
2008-10-20 08:50:07 +04:00
struct policy_handle * handle )
{
2010-03-11 14:00:34 +03:00
return test_QueryInfoPolicyCalls ( false , b , tctx , handle ) ;
2008-10-20 08:50:07 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_QueryInfoPolicy2 ( struct dcerpc_binding_handle * b ,
2009-05-11 16:54:04 +04:00
struct torture_context * tctx ,
2004-05-27 10:27:21 +04:00
struct policy_handle * handle )
{
2010-03-11 14:00:34 +03:00
return test_QueryInfoPolicyCalls ( true , b , tctx , handle ) ;
2004-05-27 10:27:21 +04:00
}
2010-03-11 14:00:34 +03:00
static bool test_GetUserName ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx )
2004-12-21 12:41:21 +03:00
{
struct lsa_GetUserName r ;
2008-10-21 03:20:53 +04:00
struct lsa_String * authority_name_p = NULL ;
struct lsa_String * account_name_p = NULL ;
2004-12-21 13:05:02 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing GetUserName \n " ) ;
2004-12-21 12:41:21 +03:00
2008-10-21 03:20:53 +04:00
r . in . system_name = " \\ " ;
r . in . account_name = & account_name_p ;
r . in . authority_name = NULL ;
r . out . account_name = & account_name_p ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_GetUserName_r ( b , tctx , & r ) ,
" GetUserName failed " ) ;
2018-11-26 13:06:44 +03:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" GetUserName result failed " ) ;
torture_assert_not_null ( tctx , r . out . account_name , " r.out.account_name " ) ;
torture_assert_not_null ( tctx , * r . out . account_name , " *r.out.account_name " ) ;
torture_assert ( tctx , r . out . authority_name = = NULL , " r.out.authority_name " ) ;
2008-10-21 03:20:53 +04:00
account_name_p = NULL ;
r . in . account_name = & account_name_p ;
r . in . authority_name = & authority_name_p ;
r . out . account_name = & account_name_p ;
2004-12-21 12:41:21 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_GetUserName_r ( b , tctx , & r ) ,
" GetUserName failed " ) ;
2018-11-26 13:06:44 +03:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" GetUserName result failed " ) ;
torture_assert_not_null ( tctx , r . out . account_name , " r.out.account_name " ) ;
torture_assert_not_null ( tctx , * r . out . account_name , " *r.out.account_name " ) ;
torture_assert_not_null ( tctx , r . out . authority_name , " r.out.authority_name " ) ;
torture_assert_not_null ( tctx , * r . out . authority_name , " *r.out.authority_name " ) ;
2004-12-21 12:41:21 +03:00
2019-07-18 15:18:57 +03:00
torture_comment ( tctx ,
" Account Name: %s, Authority Name: %s \n " ,
( * r . out . account_name ) - > string ,
( * r . out . authority_name ) - > string ) ;
2018-11-26 13:06:44 +03:00
return true ;
2004-12-21 12:41:21 +03:00
}
2012-06-29 19:57:12 +04:00
static bool test_GetUserName_fail ( struct dcerpc_binding_handle * b ,
struct torture_context * tctx )
{
struct lsa_GetUserName r ;
struct lsa_String * account_name_p = NULL ;
NTSTATUS status ;
torture_comment ( tctx , " \n Testing GetUserName_fail \n " ) ;
r . in . system_name = " \\ " ;
r . in . account_name = & account_name_p ;
r . in . authority_name = NULL ;
r . out . account_name = & account_name_p ;
status = dcerpc_lsa_GetUserName_r ( b , tctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
torture_comment ( tctx ,
" GetUserName correctly returned with "
" status: %s \n " ,
nt_errstr ( status ) ) ;
return true ;
}
torture_assert_ntstatus_equal ( tctx ,
status ,
NT_STATUS_ACCESS_DENIED ,
" GetUserName return value should "
" be ACCESS_DENIED " ) ;
return true ;
}
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( r . out . result , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
torture_comment ( tctx ,
" GetUserName correctly returned with "
" result: %s \n " ,
nt_errstr ( r . out . result ) ) ;
return true ;
}
}
torture_assert_ntstatus_equal ( tctx ,
r . out . result ,
NT_STATUS_OK ,
" GetUserName return value should be "
" ACCESS_DENIED " ) ;
return false ;
}
2010-03-11 14:00:34 +03:00
bool test_lsa_Close ( struct dcerpc_binding_handle * b ,
2009-05-11 16:51:41 +04:00
struct torture_context * tctx ,
2005-01-09 12:38:16 +03:00
struct policy_handle * handle )
2003-11-09 12:04:28 +03:00
{
struct lsa_Close r ;
2003-11-09 14:01:39 +03:00
struct policy_handle handle2 ;
2003-11-09 12:04:28 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n Testing Close \n " ) ;
2003-11-09 12:04:28 +03:00
r . in . handle = handle ;
2003-11-09 14:01:39 +03:00
r . out . handle = & handle2 ;
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_Close_r ( b , tctx , & r ) ,
" Close failed " ) ;
2012-09-24 03:20:59 +04:00
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" Close failed " ) ;
2003-11-09 12:04:28 +03:00
2010-03-24 11:06:54 +03:00
torture_assert_ntstatus_equal ( tctx , dcerpc_lsa_Close_r ( b , tctx , & r ) ,
2010-03-30 00:36:07 +04:00
NT_STATUS_RPC_SS_CONTEXT_MISMATCH , " Close should failed " ) ;
2003-11-09 12:44:06 +03:00
2009-07-16 13:13:26 +04:00
torture_comment ( tctx , " \n " ) ;
2003-11-09 12:04:28 +03:00
2007-10-07 02:28:14 +04:00
return true ;
2003-11-09 12:04:28 +03:00
}
2007-12-03 17:53:17 +03:00
bool torture_rpc_lsa ( struct torture_context * tctx )
2003-11-03 09:22:45 +03:00
{
NTSTATUS status ;
struct dcerpc_pipe * p ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2012-06-25 21:06:34 +04:00
struct policy_handle * handle = NULL ;
2007-12-10 03:45:04 +03:00
struct test_join * join = NULL ;
struct cli_credentials * machine_creds ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport ;
2003-11-03 09:22:45 +03:00
2007-12-03 17:53:17 +03:00
status = torture_rpc_connection ( tctx , & p , & ndr_table_lsarpc ) ;
2019-02-19 14:43:02 +03:00
torture_assert_ntstatus_ok ( tctx , status , " Error connecting to server " ) ;
2010-03-11 14:00:34 +03:00
b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
transport = dcerpc_binding_get_transport ( p - > binding ) ;
2003-11-18 04:18:24 +03:00
2012-06-25 21:06:34 +04:00
/* Test lsaLookupSids3 and lsaLookupNames4 over tcpip */
2014-01-30 22:05:06 +04:00
if ( transport = = NCACN_IP_TCP ) {
2012-06-29 18:50:38 +04:00
if ( ! test_OpenPolicy_fail ( b , tctx ) ) {
2012-06-26 11:58:12 +04:00
ret = false ;
}
2012-06-29 19:50:06 +04:00
if ( ! test_OpenPolicy2_fail ( b , tctx ) ) {
2012-06-26 12:38:08 +04:00
ret = false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_many_LookupSids ( p , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2012-06-26 11:58:12 +04:00
ret = false ;
}
return ret ;
2012-06-25 21:06:34 +04:00
}
2012-06-29 18:50:38 +04:00
if ( ! test_OpenPolicy ( b , tctx ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2003-11-04 12:48:33 +03:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_OpenPolicy2 ( b , tctx , & handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2003-11-04 12:48:33 +03:00
}
2003-11-03 09:22:45 +03:00
2005-10-25 16:14:08 +04:00
if ( handle ) {
2007-12-10 03:45:04 +03:00
join = torture_join_domain ( tctx , TEST_MACHINENAME , ACB_WSTRUST , & machine_creds ) ;
if ( ! join ) {
ret = false ;
}
2007-09-17 09:31:49 +04:00
2019-08-01 21:08:52 +03:00
if ( ! test_LookupSids_async ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-11-02 08:34:17 +03:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_QueryDomainInfoPolicy ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2007-12-03 17:53:17 +03:00
if ( ! test_CreateSecret ( p , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2008-09-02 05:31:46 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_QueryInfoPolicy ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_QueryInfoPolicy2 ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_Delete ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2019-08-01 21:08:52 +03:00
if ( ! test_many_LookupSids ( p , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_Close ( b , tctx , handle ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2009-05-11 16:54:04 +04:00
2008-06-14 19:24:17 +04:00
torture_leave_domain ( tctx , join ) ;
2007-12-10 03:45:04 +03:00
2005-10-25 16:14:08 +04:00
} else {
2019-08-01 21:08:52 +03:00
if ( ! test_many_LookupSids ( p , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2005-10-25 16:14:08 +04:00
}
2003-11-09 12:44:06 +03:00
}
2006-07-01 18:41:01 +04:00
2010-03-11 14:00:34 +03:00
if ( ! test_GetUserName ( b , tctx ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2006-07-01 18:41:01 +04:00
}
return ret ;
}
2009-05-11 16:51:41 +04:00
bool torture_rpc_lsa_get_user ( struct torture_context * tctx )
2006-07-01 18:41:01 +04:00
{
NTSTATUS status ;
struct dcerpc_pipe * p ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport ;
2006-07-01 18:41:01 +04:00
2009-05-11 16:51:41 +04:00
status = torture_rpc_connection ( tctx , & p , & ndr_table_lsarpc ) ;
2019-02-19 14:43:02 +03:00
torture_assert_ntstatus_ok ( tctx , status , " Error connecting to server " ) ;
2010-03-11 14:00:34 +03:00
b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
transport = dcerpc_binding_get_transport ( p - > binding ) ;
2006-07-01 18:41:01 +04:00
2014-01-30 22:05:06 +04:00
if ( transport = = NCACN_IP_TCP ) {
2012-06-29 19:57:12 +04:00
if ( ! test_GetUserName_fail ( b , tctx ) ) {
ret = false ;
}
return ret ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_GetUserName ( b , tctx ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2006-07-01 18:41:01 +04:00
}
2003-11-22 11:11:32 +03:00
2003-11-04 12:48:33 +03:00
return ret ;
2003-11-03 09:22:45 +03:00
}
2009-05-11 18:28:42 +04:00
static bool testcase_LookupNames ( struct torture_context * tctx ,
struct dcerpc_pipe * p )
{
bool ret = true ;
struct policy_handle * handle ;
struct lsa_TransNameArray tnames ;
struct lsa_TransNameArray2 tnames2 ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport = dcerpc_binding_get_transport ( p - > binding ) ;
2009-05-11 18:28:42 +04:00
2014-01-30 22:05:06 +04:00
if ( transport ! = NCACN_NP & & transport ! = NCALRPC ) {
2012-06-25 21:06:34 +04:00
torture_comment ( tctx , " testcase_LookupNames is only available "
" over NCACN_NP or NCALRPC " ) ;
return true ;
}
2012-06-29 18:50:38 +04:00
if ( ! test_OpenPolicy ( b , tctx ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_OpenPolicy2 ( b , tctx , & handle ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
if ( ! handle ) {
ret = false ;
}
tnames . count = 1 ;
tnames . names = talloc_array ( tctx , struct lsa_TranslatedName , tnames . count ) ;
ZERO_STRUCT ( tnames . names [ 0 ] ) ;
tnames . names [ 0 ] . name . string = " BUILTIN " ;
tnames . names [ 0 ] . sid_type = SID_NAME_DOMAIN ;
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & tnames ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
tnames2 . count = 1 ;
tnames2 . names = talloc_array ( tctx , struct lsa_TranslatedName2 , tnames2 . count ) ;
ZERO_STRUCT ( tnames2 . names [ 0 ] ) ;
tnames2 . names [ 0 ] . name . string = " BUILTIN " ;
tnames2 . names [ 0 ] . sid_type = SID_NAME_DOMAIN ;
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames2 ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & tnames2 , true ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames3 ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL , & tnames2 , true ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames_wellknown ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2009-07-16 02:52:28 +04:00
ret = false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames_NULL ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2009-10-21 01:47:40 +04:00
ret = false ;
}
2019-08-01 21:08:52 +03:00
if ( ! test_LookupNames_bogus ( b , tctx , handle , LSA_LOOKUP_NAMES_ALL ) ) {
2009-07-16 02:52:28 +04:00
ret = false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_Close ( b , tctx , handle ) ) {
2009-05-11 18:28:42 +04:00
ret = false ;
}
return ret ;
}
struct torture_suite * torture_rpc_lsa_lookup_names ( TALLOC_CTX * mem_ctx )
{
struct torture_suite * suite ;
struct torture_rpc_tcase * tcase ;
2010-12-11 05:26:31 +03:00
suite = torture_suite_create ( mem_ctx , " lsa.lookupnames " ) ;
2009-05-11 18:28:42 +04:00
tcase = torture_suite_add_rpc_iface_tcase ( suite , " lsa " ,
& ndr_table_lsarpc ) ;
torture_rpc_tcase_add_test ( tcase , " LookupNames " ,
testcase_LookupNames ) ;
return suite ;
}
2009-07-16 02:56:17 +04:00
2009-10-20 20:34:09 +04:00
struct lsa_trustdom_state {
uint32_t num_trusts ;
} ;
2009-07-16 02:56:17 +04:00
static bool testcase_TrustedDomains ( struct torture_context * tctx ,
2009-10-20 20:34:09 +04:00
struct dcerpc_pipe * p ,
void * data )
2009-07-16 02:56:17 +04:00
{
bool ret = true ;
struct policy_handle * handle ;
2009-10-20 20:34:09 +04:00
struct lsa_trustdom_state * state =
talloc_get_type_abort ( data , struct lsa_trustdom_state ) ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport = dcerpc_binding_get_transport ( p - > binding ) ;
2009-10-20 20:34:09 +04:00
2014-01-30 22:05:06 +04:00
if ( transport ! = NCACN_NP & & transport ! = NCALRPC ) {
2012-06-25 21:06:34 +04:00
torture_comment ( tctx , " testcase_TrustedDomains is only available "
" over NCACN_NP or NCALRPC " ) ;
return true ;
}
2010-04-11 03:39:06 +04:00
torture_comment ( tctx , " Testing %d domains \n " , state - > num_trusts ) ;
2009-07-16 02:56:17 +04:00
2012-06-29 18:50:38 +04:00
if ( ! test_OpenPolicy ( b , tctx ) ) {
2009-07-16 02:56:17 +04:00
ret = false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_OpenPolicy2 ( b , tctx , & handle ) ) {
2009-07-16 02:56:17 +04:00
ret = false ;
}
if ( ! handle ) {
ret = false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_CreateTrustedDomain ( b , tctx , handle , state - > num_trusts ) ) {
2009-07-16 02:56:17 +04:00
ret = false ;
}
2011-07-15 17:38:12 +04:00
if ( ! test_CreateTrustedDomainEx ( p , tctx , handle , state - > num_trusts ) ) {
ret = false ;
}
2009-10-20 20:34:09 +04:00
if ( ! test_CreateTrustedDomainEx2 ( p , tctx , handle , state - > num_trusts ) ) {
2009-07-16 02:56:17 +04:00
ret = false ;
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_Close ( b , tctx , handle ) ) {
2009-07-16 02:56:17 +04:00
ret = false ;
}
return ret ;
}
struct torture_suite * torture_rpc_lsa_trusted_domains ( TALLOC_CTX * mem_ctx )
{
struct torture_suite * suite ;
struct torture_rpc_tcase * tcase ;
2009-10-20 20:34:09 +04:00
struct lsa_trustdom_state * state ;
state = talloc ( mem_ctx , struct lsa_trustdom_state ) ;
state - > num_trusts = 12 ;
2009-07-16 02:56:17 +04:00
2010-12-11 05:26:31 +03:00
suite = torture_suite_create ( mem_ctx , " lsa.trusted.domains " ) ;
2009-07-16 02:56:17 +04:00
2009-07-16 20:38:55 +04:00
tcase = torture_suite_add_rpc_iface_tcase ( suite , " lsa " ,
& ndr_table_lsarpc ) ;
2009-10-20 20:34:09 +04:00
torture_rpc_tcase_add_test_ex ( tcase , " TrustedDomains " ,
testcase_TrustedDomains ,
state ) ;
2009-07-16 02:56:17 +04:00
return suite ;
}
2009-07-16 04:10:23 +04:00
static bool testcase_Privileges ( struct torture_context * tctx ,
struct dcerpc_pipe * p )
{
struct policy_handle * handle ;
2010-03-11 14:00:34 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2014-01-30 22:05:06 +04:00
enum dcerpc_transport_t transport = dcerpc_binding_get_transport ( p - > binding ) ;
2009-07-16 04:10:23 +04:00
2014-01-30 22:05:06 +04:00
if ( transport ! = NCACN_NP & & transport ! = NCALRPC ) {
2012-10-01 10:51:47 +04:00
torture_skip ( tctx , " testcase_Privileges is only available "
2012-06-25 21:06:34 +04:00
" over NCACN_NP or NCALRPC " ) ;
}
2012-06-29 18:50:38 +04:00
if ( ! test_OpenPolicy ( b , tctx ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_OpenPolicy2 ( b , tctx , & handle ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
if ( ! handle ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_CreateAccount ( b , tctx , handle ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_EnumAccounts ( b , tctx , handle ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_EnumPrivs ( b , tctx , handle ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2010-03-11 14:00:34 +03:00
if ( ! test_lsa_Close ( b , tctx , handle ) ) {
2012-10-01 10:51:47 +04:00
return false ;
2009-07-16 04:10:23 +04:00
}
2012-10-01 10:51:47 +04:00
return true ;
2009-07-16 04:10:23 +04:00
}
struct torture_suite * torture_rpc_lsa_privileges ( TALLOC_CTX * mem_ctx )
{
struct torture_suite * suite ;
struct torture_rpc_tcase * tcase ;
2010-12-11 05:26:31 +03:00
suite = torture_suite_create ( mem_ctx , " lsa.privileges " ) ;
2009-07-16 04:10:23 +04:00
2009-07-16 20:39:06 +04:00
tcase = torture_suite_add_rpc_iface_tcase ( suite , " lsa " ,
& ndr_table_lsarpc ) ;
2009-07-16 04:10:23 +04:00
torture_rpc_tcase_add_test ( tcase , " Privileges " ,
testcase_Privileges ) ;
return suite ;
}