2010-03-23 19:16:23 +03:00
/*
2004-11-12 02:25:33 +03:00
Unix SMB / CIFS implementation .
test suite for netlogon rpc operations
Copyright ( C ) Andrew Tridgell 2003
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2003 - 2004
Copyright ( C ) Tim Potter 2003
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2004-11-12 02:25:33 +03:00
( at your option ) any later version .
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-11-12 02:25:33 +03:00
*/
# include "includes.h"
2008-10-11 23:31:42 +04:00
# include "../lib/util/dlinklist.h"
2008-09-24 17:30:23 +04:00
# include "../lib/crypto/crypto.h"
2004-11-17 14:56:13 +03:00
# include "system/time.h"
2010-04-14 00:06:51 +04:00
# include "torture/rpc/torture_rpc.h"
2008-04-02 06:53:27 +04:00
# include "auth/gensec/gensec.h"
2006-03-14 18:02:05 +03:00
# include "libcli/auth/libcli_auth.h"
2009-04-23 19:53:25 +04:00
# include "libcli/samsync/samsync.h"
2006-04-02 16:02:01 +04:00
# include "libcli/security/security.h"
2006-03-16 03:23:11 +03:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2006-03-15 02:35:30 +03:00
# include "librpc/gen_ndr/ndr_netlogon_c.h"
# include "librpc/gen_ndr/ndr_lsa_c.h"
# include "librpc/gen_ndr/ndr_samr_c.h"
2006-03-16 03:23:11 +03:00
# include "librpc/gen_ndr/ndr_security.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2004-11-12 02:25:33 +03:00
# define TEST_MACHINE_NAME "samsynctest"
2005-03-18 07:09:52 +03:00
# define TEST_WKSTA_MACHINE_NAME "samsynctest2"
2005-03-18 06:16:53 +03:00
# define TEST_USER_NAME "samsynctestuser"
2004-11-12 02:25:33 +03:00
/*
try a netlogon SamLogon
*/
2010-03-23 19:28:55 +03:00
static NTSTATUS test_SamLogon ( struct torture_context * tctx ,
struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
2010-03-23 19:16:23 +03:00
struct netlogon_creds_CredentialState * creds ,
2004-11-22 11:50:20 +03:00
const char * domain , const char * account_name ,
2010-03-23 19:16:23 +03:00
const char * workstation ,
struct samr_Password * lm_hash ,
struct samr_Password * nt_hash ,
2004-11-12 02:25:33 +03:00
struct netr_SamInfo3 * * info3 )
{
NTSTATUS status ;
struct netr_LogonSamLogon r ;
struct netr_Authenticator auth , auth2 ;
struct netr_NetworkInfo ninfo ;
2008-10-28 21:03:50 +03:00
union netr_LogonLevel logon ;
union netr_Validation validation ;
uint8_t authoritative ;
2010-03-17 14:05:10 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2004-11-12 02:25:33 +03:00
ninfo . identity_info . domain_name . string = domain ;
ninfo . identity_info . parameter_control = 0 ;
ninfo . identity_info . logon_id_low = 0 ;
ninfo . identity_info . logon_id_high = 0 ;
2004-11-22 11:50:20 +03:00
ninfo . identity_info . account_name . string = account_name ;
ninfo . identity_info . workstation . string = workstation ;
2010-03-23 19:16:23 +03:00
generate_random_buffer ( ninfo . challenge ,
2004-11-12 02:25:33 +03:00
sizeof ( ninfo . challenge ) ) ;
if ( nt_hash ) {
ninfo . nt . length = 24 ;
2007-09-08 20:46:30 +04:00
ninfo . nt . data = talloc_array ( mem_ctx , uint8_t , 24 ) ;
2004-11-12 02:25:33 +03:00
SMBOWFencrypt ( nt_hash - > hash , ninfo . challenge , ninfo . nt . data ) ;
2004-11-13 06:57:54 +03:00
} else {
ninfo . nt . length = 0 ;
ninfo . nt . data = NULL ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
if ( lm_hash ) {
ninfo . lm . length = 24 ;
2007-09-08 20:46:30 +04:00
ninfo . lm . data = talloc_array ( mem_ctx , uint8_t , 24 ) ;
2004-11-12 02:25:33 +03:00
SMBOWFencrypt ( lm_hash - > hash , ninfo . challenge , ninfo . lm . data ) ;
2004-11-13 06:57:54 +03:00
} else {
ninfo . lm . length = 0 ;
ninfo . lm . data = NULL ;
2004-11-12 02:25:33 +03:00
}
2008-10-28 21:03:50 +03:00
logon . network = & ninfo ;
2004-11-12 02:25:33 +03:00
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2006-02-21 03:07:59 +03:00
r . in . computer_name = workstation ;
2004-11-12 02:25:33 +03:00
r . in . credential = & auth ;
r . in . return_authenticator = & auth2 ;
r . in . logon_level = 2 ;
2008-10-28 21:03:50 +03:00
r . in . logon = & logon ;
r . out . validation = & validation ;
r . out . authoritative = & authoritative ;
2004-11-12 02:25:33 +03:00
ZERO_STRUCT ( auth2 ) ;
2009-04-06 16:54:44 +04:00
netlogon_creds_client_authenticator ( creds , & auth ) ;
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
r . in . validation_level = 3 ;
2010-03-23 19:16:23 +03:00
2010-03-17 14:05:10 +03:00
status = dcerpc_netr_LogonSamLogon_r ( b , mem_ctx , & r ) ;
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2004-11-12 02:25:33 +03:00
2009-04-06 16:54:44 +04:00
if ( ! netlogon_creds_client_check ( creds , & r . out . return_authenticator - > cred ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Credential chaining failed \n " ) ;
2004-11-12 02:25:33 +03:00
}
2004-11-13 06:57:54 +03:00
if ( info3 ) {
2008-10-28 21:03:50 +03:00
* info3 = validation . sam3 ;
2004-11-13 06:57:54 +03:00
}
2004-11-12 02:25:33 +03:00
2010-03-27 12:45:17 +03:00
return r . out . result ;
2004-11-12 02:25:33 +03:00
}
struct samsync_state {
2004-11-13 16:48:59 +03:00
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
uint64_t seq_num [ 3 ] ;
2007-04-12 15:02:26 +04:00
const char * domain_name [ 2 ] ;
2004-11-13 06:57:54 +03:00
struct samsync_secret * secrets ;
struct samsync_trusted_domain * trusted_domains ;
2009-04-06 16:54:44 +04:00
struct netlogon_creds_CredentialState * creds ;
struct netlogon_creds_CredentialState * creds_netlogon_wksta ;
2004-11-13 16:48:59 +03:00
struct policy_handle * connect_handle ;
struct policy_handle * domain_handle [ 2 ] ;
struct dom_sid * sid [ 2 ] ;
struct dcerpc_pipe * p ;
2010-03-17 14:05:10 +03:00
struct dcerpc_binding_handle * b ;
2004-11-22 11:50:20 +03:00
struct dcerpc_pipe * p_netlogon_wksta ;
2004-11-13 16:48:59 +03:00
struct dcerpc_pipe * p_samr ;
2010-03-17 14:05:10 +03:00
struct dcerpc_binding_handle * b_samr ;
2004-11-17 14:56:13 +03:00
struct dcerpc_pipe * p_lsa ;
2010-03-17 14:05:10 +03:00
struct dcerpc_binding_handle * b_lsa ;
2004-11-17 14:56:13 +03:00
struct policy_handle * lsa_handle ;
2004-11-13 06:57:54 +03:00
} ;
struct samsync_secret {
struct samsync_secret * prev , * next ;
DATA_BLOB secret ;
2007-04-12 15:02:26 +04:00
const char * name ;
2005-01-11 08:16:43 +03:00
NTTIME mtime ;
2004-11-13 06:57:54 +03:00
} ;
struct samsync_trusted_domain {
struct samsync_trusted_domain * prev , * next ;
struct dom_sid * sid ;
2007-04-12 15:02:26 +04:00
const char * name ;
2004-11-12 02:25:33 +03:00
} ;
2010-03-23 19:28:55 +03:00
static struct policy_handle * samsync_open_domain ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx ,
2010-03-23 19:16:23 +03:00
struct samsync_state * samsync_state ,
const char * domain ,
2008-11-07 04:42:45 +03:00
struct dom_sid * * sid_p )
2004-11-13 16:48:59 +03:00
{
2005-07-08 12:09:02 +04:00
struct lsa_String name ;
2004-11-13 16:48:59 +03:00
struct samr_OpenDomain o ;
struct samr_LookupDomain l ;
2008-11-07 04:42:45 +03:00
struct dom_sid2 * sid = NULL ;
2005-01-27 10:08:20 +03:00
struct policy_handle * domain_handle = talloc ( mem_ctx , struct policy_handle ) ;
2004-11-13 16:48:59 +03:00
NTSTATUS nt_status ;
name . string = domain ;
l . in . connect_handle = samsync_state - > connect_handle ;
2005-02-13 03:26:43 +03:00
l . in . domain_name = & name ;
2008-11-07 04:42:45 +03:00
l . out . sid = & sid ;
2004-11-13 16:48:59 +03:00
2010-03-17 14:05:10 +03:00
nt_status = dcerpc_samr_LookupDomain_r ( samsync_state - > b_samr , mem_ctx , & l ) ;
2004-11-13 16:48:59 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " LookupDomain failed - %s \n " , nt_errstr ( nt_status ) ) ;
2004-11-13 16:48:59 +03:00
return NULL ;
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( l . out . result ) ) {
torture_comment ( tctx , " LookupDomain failed - %s \n " , nt_errstr ( l . out . result ) ) ;
return NULL ;
}
2004-11-12 02:25:33 +03:00
2004-11-13 16:48:59 +03:00
o . in . connect_handle = samsync_state - > connect_handle ;
2004-12-02 07:37:36 +03:00
o . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2008-11-07 04:42:45 +03:00
o . in . sid = * l . out . sid ;
2004-11-13 16:48:59 +03:00
o . out . domain_handle = domain_handle ;
2010-03-23 19:16:23 +03:00
2009-04-24 11:35:24 +04:00
if ( sid_p ) {
2008-11-07 04:42:45 +03:00
* sid_p = * l . out . sid ;
2004-11-13 16:48:59 +03:00
}
2010-03-17 14:05:10 +03:00
nt_status = dcerpc_samr_OpenDomain_r ( samsync_state - > b_samr , mem_ctx , & o ) ;
2004-11-13 16:48:59 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " OpenDomain failed - %s \n " , nt_errstr ( nt_status ) ) ;
2004-11-13 16:48:59 +03:00
return NULL ;
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( o . out . result ) ) {
torture_comment ( tctx , " OpenDomain failed - %s \n " , nt_errstr ( o . out . result ) ) ;
return NULL ;
}
2004-11-13 16:48:59 +03:00
return domain_handle ;
}
2010-03-23 19:28:55 +03:00
static struct sec_desc_buf * samsync_query_samr_sec_desc ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx ,
2010-03-23 19:16:23 +03:00
struct samsync_state * samsync_state ,
struct policy_handle * handle )
2004-11-20 03:29:04 +03:00
{
struct samr_QuerySecurity r ;
2008-10-28 00:57:51 +03:00
struct sec_desc_buf * sdbuf = NULL ;
2004-11-20 03:29:04 +03:00
NTSTATUS status ;
r . in . handle = handle ;
r . in . sec_info = 0x7 ;
2008-10-28 00:57:51 +03:00
r . out . sdbuf = & sdbuf ;
2004-11-20 03:29:04 +03:00
2010-03-17 14:05:10 +03:00
status = dcerpc_samr_QuerySecurity_r ( samsync_state - > b_samr , mem_ctx , & r ) ;
2004-11-20 03:29:04 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " SAMR QuerySecurity failed - %s \n " , nt_errstr ( status ) ) ;
2004-11-22 11:50:20 +03:00
return NULL ;
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " SAMR QuerySecurity failed - %s \n " , nt_errstr ( r . out . result ) ) ;
return NULL ;
}
2004-11-22 11:50:20 +03:00
2008-10-28 00:57:51 +03:00
return sdbuf ;
2004-11-22 11:50:20 +03:00
}
2010-03-23 19:28:55 +03:00
static struct sec_desc_buf * samsync_query_lsa_sec_desc ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx ,
2010-03-23 19:16:23 +03:00
struct samsync_state * samsync_state ,
struct policy_handle * handle )
2004-11-22 11:50:20 +03:00
{
struct lsa_QuerySecurity r ;
2008-10-21 00:39:06 +04:00
struct sec_desc_buf * sdbuf = NULL ;
2004-11-22 11:50:20 +03:00
NTSTATUS status ;
r . in . handle = handle ;
r . in . sec_info = 0x7 ;
2008-10-21 00:39:06 +04:00
r . out . sdbuf = & sdbuf ;
2004-11-22 11:50:20 +03:00
2010-03-17 14:05:10 +03:00
status = dcerpc_lsa_QuerySecurity_r ( samsync_state - > b_lsa , mem_ctx , & r ) ;
2004-11-22 11:50:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " LSA QuerySecurity failed - %s \n " , nt_errstr ( status ) ) ;
2004-11-20 03:29:04 +03:00
return NULL ;
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
torture_comment ( tctx , " LSA QuerySecurity failed - %s \n " , nt_errstr ( r . out . result ) ) ;
return NULL ;
}
2004-11-20 03:29:04 +03:00
2008-10-21 00:39:06 +04:00
return sdbuf ;
2004-11-20 03:29:04 +03:00
}
2004-11-17 14:56:13 +03:00
# define TEST_UINT64_EQUAL(i1, i2) do {\
if ( i1 ! = i2 ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: uint64 mismatch: " # i1 " : 0x%016llx (%lld) != " # i2 " : 0x%016llx (%lld) \n " , \
2005-11-30 05:08:15 +03:00
__location__ , \
( long long ) i1 , ( long long ) i1 , \
( long long ) i2 , ( long long ) i2 ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-17 14:56:13 +03:00
} \
} while ( 0 )
# define TEST_INT_EQUAL(i1, i2) do {\
if ( i1 ! = i2 ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: integer mismatch: " # i1 " : 0x%08x (%d) != " # i2 " : 0x%08x (%d) \n " , \
2006-03-07 06:24:29 +03:00
__location__ , i1 , i1 , i2 , i2 ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-17 14:56:13 +03:00
} \
} while ( 0 )
# define TEST_TIME_EQUAL(t1, t2) do {\
if ( t1 ! = t2 ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: NTTIME mismatch: " # t1 " :%s != " # t2 " : %s \n " , \
2005-02-14 08:11:23 +03:00
__location__ , nt_time_string ( mem_ctx , t1 ) , nt_time_string ( mem_ctx , t2 ) ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-17 14:56:13 +03:00
} \
} while ( 0 )
2004-11-20 03:29:04 +03:00
2004-11-17 14:56:13 +03:00
# define TEST_STRING_EQUAL(s1, s2) do {\
if ( ! ( ( ! s1 . string | | s1 . string [ 0 ] = = ' \0 ' ) & & ( ! s2 . string | | s2 . string [ 0 ] = = ' \0 ' ) ) \
& & strcmp_safe ( s1 . string , s2 . string ) ! = 0 ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: string mismatch: " # s1 " :%s != " # s2 " : %s \n " , \
2005-02-14 08:11:23 +03:00
__location__ , s1 . string , s2 . string ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-17 14:56:13 +03:00
} \
} while ( 0 )
2008-11-10 14:30:35 +03:00
# define TEST_BINARY_STRING_EQUAL(s1, s2) do {\
if ( ! ( ( ! s1 . array | | s1 . array [ 0 ] = = ' \0 ' ) & & ( ! s2 . array | | s2 . array [ 0 ] = = ' \0 ' ) ) \
& & memcmp ( s1 . array , s2 . array , s1 . length * 2 ) ! = 0 ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: string mismatch: " # s1 " :%s != " # s2 " : %s \n " , \
2008-11-10 14:30:35 +03:00
__location__ , ( const char * ) s1 . array , ( const char * ) s2 . array ) ; \
ret = false ; \
} \
} while ( 0 )
2004-11-23 14:02:27 +03:00
# define TEST_SID_EQUAL(s1, s2) do {\
if ( ! dom_sid_equal ( s1 , s2 ) ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " %s: dom_sid mismatch: " # s1 " :%s != " # s2 " : %s \n " , \
2005-02-14 08:11:23 +03:00
__location__ , dom_sid_string ( mem_ctx , s1 ) , dom_sid_string ( mem_ctx , s2 ) ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-23 14:02:27 +03:00
} \
} while ( 0 )
2004-11-20 03:29:04 +03:00
/* The ~SEC_DESC_SACL_PRESENT is because we don't, as administrator,
* get back the SACL part of the SD when we ask over SAMR */
2004-11-22 11:50:20 +03:00
# define TEST_SEC_DESC_EQUAL(sd1, pipe, handle) do {\
2010-03-23 19:28:55 +03:00
struct sec_desc_buf * sdbuf = samsync_query_ # # pipe # # _sec_desc ( tctx , mem_ctx , samsync_state , \
2004-11-20 03:29:04 +03:00
handle ) ; \
if ( ! sdbuf | | ! sdbuf - > sd ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Could not obtain security descriptor to match " # sd1 " \n " ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-20 03:29:04 +03:00
} else { \
if ( ! security_descriptor_mask_equal ( sd1 . sd , sdbuf - > sd , \
~ SEC_DESC_SACL_PRESENT ) ) { \
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Security Descriptor Mismatch for %s: \n " , # sd1 ) ; \
2004-11-20 03:29:04 +03:00
ndr_print_debug ( ( ndr_print_fn_t ) ndr_print_security_descriptor , " SamSync " , sd1 . sd ) ; \
ndr_print_debug ( ( ndr_print_fn_t ) ndr_print_security_descriptor , " SamR " , sdbuf - > sd ) ; \
2007-10-07 02:28:14 +04:00
ret = false ; \
2004-11-20 03:29:04 +03:00
} \
} \
} while ( 0 )
2010-03-23 19:28:55 +03:00
static bool samsync_handle_domain ( struct torture_context * tctx , TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-12 02:25:33 +03:00
{
struct netr_DELTA_DOMAIN * domain = delta - > delta_union . domain ;
2004-11-13 16:48:59 +03:00
struct dom_sid * dom_sid ;
2004-11-17 14:56:13 +03:00
struct samr_QueryDomainInfo q [ 14 ] ; /* q[0] will be unused simple for clarity */
2008-11-05 04:59:51 +03:00
union samr_DomainInfo * info [ 14 ] ;
2004-11-17 14:56:13 +03:00
uint16_t levels [ ] = { 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 11 , 12 , 13 } ;
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2010-03-23 19:16:23 +03:00
samsync_state - > seq_num [ database_id ] =
2004-11-12 02:25:33 +03:00
domain - > sequence_num ;
2004-11-13 16:48:59 +03:00
switch ( database_id ) {
case SAM_DATABASE_DOMAIN :
break ;
case SAM_DATABASE_BUILTIN :
2005-08-30 15:55:05 +04:00
if ( strcasecmp_m ( " BUILTIN " , domain - > domain_name . string ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " BUILTIN domain has different name: %s \n " , domain - > domain_name . string ) ;
2004-11-13 16:48:59 +03:00
}
break ;
case SAM_DATABASE_PRIVS :
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " DOMAIN entry on privs DB! \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
break ;
}
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
if ( ! samsync_state - > domain_name [ database_id ] ) {
2010-03-23 19:16:23 +03:00
samsync_state - > domain_name [ database_id ] =
2004-11-13 16:48:59 +03:00
talloc_reference ( samsync_state , domain - > domain_name . string ) ;
} else {
2005-08-30 15:55:05 +04:00
if ( strcasecmp_m ( samsync_state - > domain_name [ database_id ] , domain - > domain_name . string ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Domain has name varies!: %s != %s \n " , samsync_state - > domain_name [ database_id ] ,
2004-11-13 16:48:59 +03:00
domain - > domain_name . string ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
}
2004-11-12 02:25:33 +03:00
2004-11-13 16:48:59 +03:00
if ( ! samsync_state - > domain_handle [ database_id ] ) {
samsync_state - > domain_handle [ database_id ]
2010-03-23 19:16:23 +03:00
= talloc_reference ( samsync_state ,
2010-03-23 19:28:55 +03:00
samsync_open_domain ( tctx ,
mem_ctx , samsync_state , samsync_state - > domain_name [ database_id ] ,
2005-03-22 11:00:45 +03:00
& dom_sid ) ) ;
2004-11-13 16:48:59 +03:00
}
if ( samsync_state - > domain_handle [ database_id ] ) {
samsync_state - > sid [ database_id ] = talloc_reference ( samsync_state , dom_sid ) ;
}
2004-11-12 02:25:33 +03:00
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " \t sequence_nums[%d/%s]=%llu \n " ,
2004-11-13 16:48:59 +03:00
database_id , domain - > domain_name . string ,
2005-11-30 05:08:15 +03:00
( long long ) samsync_state - > seq_num [ database_id ] ) ;
2004-11-17 14:56:13 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( levels ) ; i + + ) {
2008-11-05 04:59:51 +03:00
2004-11-17 14:56:13 +03:00
q [ levels [ i ] ] . in . domain_handle = samsync_state - > domain_handle [ database_id ] ;
q [ levels [ i ] ] . in . level = levels [ i ] ;
2008-11-05 04:59:51 +03:00
q [ levels [ i ] ] . out . info = & info [ levels [ i ] ] ;
2004-11-17 14:56:13 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_QueryDomainInfo_r ( samsync_state - > b_samr , mem_ctx , & q [ levels [ i ] ] ) ,
talloc_asprintf ( tctx , " QueryDomainInfo level %u failed " , q [ levels [ i ] ] . in . level ) ) ;
torture_assert_ntstatus_ok ( tctx , q [ levels [ i ] ] . out . result ,
talloc_asprintf ( tctx , " QueryDomainInfo level %u failed " , q [ levels [ i ] ] . in . level ) ) ;
2004-11-17 14:56:13 +03:00
}
2008-11-05 04:59:51 +03:00
TEST_STRING_EQUAL ( info [ 5 ] - > info5 . domain_name , domain - > domain_name ) ;
2010-03-23 19:16:23 +03:00
2008-11-05 04:59:51 +03:00
TEST_STRING_EQUAL ( info [ 2 ] - > general . oem_information , domain - > oem_information ) ;
TEST_STRING_EQUAL ( info [ 4 ] - > oem . oem_information , domain - > oem_information ) ;
TEST_TIME_EQUAL ( info [ 2 ] - > general . force_logoff_time , domain - > force_logoff_time ) ;
TEST_TIME_EQUAL ( info [ 3 ] - > info3 . force_logoff_time , domain - > force_logoff_time ) ;
2004-11-17 14:56:13 +03:00
2008-11-05 04:59:51 +03:00
TEST_TIME_EQUAL ( info [ 1 ] - > info1 . min_password_length , domain - > min_password_length ) ;
TEST_TIME_EQUAL ( info [ 1 ] - > info1 . password_history_length , domain - > password_history_length ) ;
TEST_TIME_EQUAL ( info [ 1 ] - > info1 . max_password_age , domain - > max_password_age ) ;
TEST_TIME_EQUAL ( info [ 1 ] - > info1 . min_password_age , domain - > min_password_age ) ;
2004-11-17 14:56:13 +03:00
2008-11-05 04:59:51 +03:00
TEST_UINT64_EQUAL ( info [ 8 ] - > info8 . sequence_num ,
2004-11-17 14:56:13 +03:00
domain - > sequence_num ) ;
2008-11-05 04:59:51 +03:00
TEST_TIME_EQUAL ( info [ 8 ] - > info8 . domain_create_time ,
2004-11-17 14:56:13 +03:00
domain - > domain_create_time ) ;
2008-11-05 04:59:51 +03:00
TEST_TIME_EQUAL ( info [ 13 ] - > info13 . domain_create_time ,
2004-11-17 14:56:13 +03:00
domain - > domain_create_time ) ;
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( domain - > sdbuf , samr , samsync_state - > domain_handle [ database_id ] ) ;
2004-11-20 03:29:04 +03:00
2004-11-17 14:56:13 +03:00
return ret ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_policy ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-13 16:48:59 +03:00
{
struct netr_DELTA_POLICY * policy = delta - > delta_union . policy ;
2010-03-23 19:16:23 +03:00
samsync_state - > seq_num [ database_id ] =
2004-11-13 16:48:59 +03:00
policy - > sequence_num ;
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
if ( ! samsync_state - > domain_name [ SAM_DATABASE_DOMAIN ] ) {
2010-03-23 19:16:23 +03:00
samsync_state - > domain_name [ SAM_DATABASE_DOMAIN ] =
2004-11-13 16:48:59 +03:00
talloc_reference ( samsync_state , policy - > primary_domain_name . string ) ;
} else {
2005-08-30 15:55:05 +04:00
if ( strcasecmp_m ( samsync_state - > domain_name [ SAM_DATABASE_DOMAIN ] , policy - > primary_domain_name . string ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " PRIMARY domain has name varies between DOMAIN and POLICY!: %s != %s \n " , samsync_state - > domain_name [ SAM_DATABASE_DOMAIN ] ,
2004-11-13 16:48:59 +03:00
policy - > primary_domain_name . string ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
}
2004-11-17 17:35:29 +03:00
if ( ! dom_sid_equal ( samsync_state - > sid [ SAM_DATABASE_DOMAIN ] , policy - > sid ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Domain SID from POLICY (%s) does not match domain sid from SAMR (%s) \n " ,
2004-11-13 16:48:59 +03:00
dom_sid_string ( mem_ctx , policy - > sid ) , dom_sid_string ( mem_ctx , samsync_state - > sid [ SAM_DATABASE_DOMAIN ] ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " \t sequence_nums[%d/PRIVS]=%llu \n " ,
2010-03-23 19:16:23 +03:00
database_id ,
2005-11-30 05:08:15 +03:00
( long long ) samsync_state - > seq_num [ database_id ] ) ;
2007-10-07 02:28:14 +04:00
return true ;
2004-11-13 16:48:59 +03:00
}
2008-02-19 16:12:05 +03:00
static bool samsync_handle_user ( struct torture_context * tctx , TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-12 02:25:33 +03:00
{
2005-02-10 08:09:35 +03:00
uint32_t rid = delta - > delta_id_union . rid ;
2004-11-12 02:25:33 +03:00
struct netr_DELTA_USER * user = delta - > delta_union . user ;
struct netr_SamInfo3 * info3 ;
struct samr_Password lm_hash ;
struct samr_Password nt_hash ;
2004-11-13 06:57:54 +03:00
struct samr_Password * lm_hash_p = NULL ;
struct samr_Password * nt_hash_p = NULL ;
2004-11-13 16:48:59 +03:00
const char * domain = samsync_state - > domain_name [ database_id ] ;
2004-11-12 02:25:33 +03:00
const char * username = user - > account_name . string ;
2004-11-13 16:48:59 +03:00
NTSTATUS nt_status ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-12 02:25:33 +03:00
2004-11-13 16:48:59 +03:00
struct samr_OpenUser r ;
struct samr_QueryUserInfo q ;
2008-11-10 16:42:27 +03:00
union samr_UserInfo * info ;
2004-11-13 16:48:59 +03:00
struct policy_handle user_handle ;
2004-11-12 02:25:33 +03:00
2005-05-01 12:05:17 +04:00
struct samr_GetGroupsForUser getgroups ;
2008-11-05 12:58:35 +03:00
struct samr_RidWithAttributeArray * rids ;
2004-11-13 16:48:59 +03:00
if ( ! samsync_state - > domain_name | | ! samsync_state - > domain_handle [ database_id ] ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " SamSync needs domain information before the users \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
r . in . domain_handle = samsync_state - > domain_handle [ database_id ] ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-13 16:48:59 +03:00
r . in . rid = rid ;
r . out . user_handle = & user_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_OpenUser_r ( samsync_state - > b_samr , mem_ctx , & r ) ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
2004-11-13 16:48:59 +03:00
q . in . user_handle = & user_handle ;
q . in . level = 21 ;
2008-11-10 16:42:27 +03:00
q . out . info = & info ;
2004-11-12 02:25:33 +03:00
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( user - > sdbuf , samr , & user_handle ) ;
2004-11-20 03:29:04 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_QueryUserInfo_r ( samsync_state - > b_samr , mem_ctx , & q ) ,
talloc_asprintf ( tctx , " OpenUserInfo level %u failed " , q . in . level ) ) ;
torture_assert_ntstatus_ok ( tctx , q . out . result ,
talloc_asprintf ( tctx , " OpenUserInfo level %u failed " , q . in . level ) ) ;
2005-05-01 12:05:17 +04:00
getgroups . in . user_handle = & user_handle ;
2008-11-05 12:58:35 +03:00
getgroups . out . rids = & rids ;
2010-03-23 19:16:23 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_GetGroupsForUser_r ( samsync_state - > b_samr , mem_ctx , & getgroups ) ,
" GetGroupsForUser failed " ) ;
torture_assert_ntstatus_ok ( tctx , getgroups . out . result ,
" GetGroupsForUser failed " ) ;
2005-05-01 12:05:17 +04:00
2010-03-24 15:18:33 +03:00
if ( ! test_samr_handle_Close ( samsync_state - > b_samr , tctx , & user_handle ) ) {
2010-11-27 21:45:45 +03:00
torture_comment ( tctx , " samr_handle_Close failed \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-05-01 12:05:17 +04:00
}
if ( ! ret ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
2008-11-10 16:42:27 +03:00
TEST_STRING_EQUAL ( info - > info21 . account_name , user - > account_name ) ;
TEST_STRING_EQUAL ( info - > info21 . full_name , user - > full_name ) ;
TEST_INT_EQUAL ( info - > info21 . rid , user - > rid ) ;
TEST_INT_EQUAL ( info - > info21 . primary_gid , user - > primary_gid ) ;
TEST_STRING_EQUAL ( info - > info21 . home_directory , user - > home_directory ) ;
TEST_STRING_EQUAL ( info - > info21 . home_drive , user - > home_drive ) ;
TEST_STRING_EQUAL ( info - > info21 . logon_script , user - > logon_script ) ;
TEST_STRING_EQUAL ( info - > info21 . description , user - > description ) ;
TEST_STRING_EQUAL ( info - > info21 . workstations , user - > workstations ) ;
2004-11-13 16:48:59 +03:00
2008-11-10 16:42:27 +03:00
TEST_TIME_EQUAL ( info - > info21 . last_logon , user - > last_logon ) ;
TEST_TIME_EQUAL ( info - > info21 . last_logoff , user - > last_logoff ) ;
2004-11-13 16:48:59 +03:00
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( info - > info21 . logon_hours . units_per_week ,
2004-11-13 16:48:59 +03:00
user - > logon_hours . units_per_week ) ;
if ( ret ) {
2008-11-10 16:42:27 +03:00
if ( memcmp ( info - > info21 . logon_hours . bits , user - > logon_hours . bits ,
info - > info21 . logon_hours . units_per_week / 8 ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Logon hours mismatch \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-13 16:48:59 +03:00
}
}
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( info - > info21 . bad_password_count ,
2004-11-13 16:48:59 +03:00
user - > bad_password_count ) ;
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( info - > info21 . logon_count ,
2004-11-13 16:48:59 +03:00
user - > logon_count ) ;
2008-11-10 16:42:27 +03:00
TEST_TIME_EQUAL ( info - > info21 . last_password_change ,
2004-11-13 16:48:59 +03:00
user - > last_password_change ) ;
2008-11-10 16:42:27 +03:00
TEST_TIME_EQUAL ( info - > info21 . acct_expiry ,
2004-11-13 16:48:59 +03:00
user - > acct_expiry ) ;
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( ( info - > info21 . acct_flags & ~ ACB_PW_EXPIRED ) , user - > acct_flags ) ;
2006-03-07 06:24:29 +03:00
if ( user - > acct_flags & ACB_PWNOEXP ) {
2008-11-10 16:42:27 +03:00
if ( info - > info21 . acct_flags & ACB_PW_EXPIRED ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " ACB flags mismatch: both expired and no expiry! \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2006-03-07 06:24:29 +03:00
}
2008-11-10 16:42:27 +03:00
if ( info - > info21 . force_password_change ! = ( NTTIME ) 0x7FFFFFFFFFFFFFFFULL ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld) \n " ,
2008-11-10 16:42:27 +03:00
( unsigned long long ) info - > info21 . force_password_change ,
( unsigned long long ) info - > info21 . force_password_change ,
2006-03-07 06:24:29 +03:00
( unsigned long long ) 0x7FFFFFFFFFFFFFFFULL , ( unsigned long long ) 0x7FFFFFFFFFFFFFFFULL
) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2006-03-07 06:24:29 +03:00
}
}
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( info - > info21 . nt_password_set , user - > nt_password_present ) ;
TEST_INT_EQUAL ( info - > info21 . lm_password_set , user - > lm_password_present ) ;
TEST_INT_EQUAL ( info - > info21 . password_expired , user - > password_expired ) ;
2004-11-13 16:48:59 +03:00
2008-11-10 16:42:27 +03:00
TEST_STRING_EQUAL ( info - > info21 . comment , user - > comment ) ;
TEST_BINARY_STRING_EQUAL ( info - > info21 . parameters , user - > parameters ) ;
2004-11-13 16:48:59 +03:00
2008-11-10 16:42:27 +03:00
TEST_INT_EQUAL ( info - > info21 . country_code , user - > country_code ) ;
TEST_INT_EQUAL ( info - > info21 . code_page , user - > code_page ) ;
2004-11-13 16:48:59 +03:00
2008-11-10 16:42:27 +03:00
TEST_STRING_EQUAL ( info - > info21 . profile_path , user - > profile_path ) ;
2004-11-13 16:48:59 +03:00
if ( user - > lm_password_present ) {
2004-11-13 06:57:54 +03:00
lm_hash_p = & lm_hash ;
2004-11-12 02:25:33 +03:00
}
2004-11-13 16:48:59 +03:00
if ( user - > nt_password_present ) {
2004-11-13 06:57:54 +03:00
nt_hash_p = & nt_hash ;
2004-11-12 02:25:33 +03:00
}
2004-11-13 06:57:54 +03:00
if ( user - > user_private_info . SensitiveData ) {
DATA_BLOB data ;
struct netr_USER_KEYS keys ;
2007-11-09 21:24:51 +03:00
enum ndr_err_code ndr_err ;
2004-11-13 06:57:54 +03:00
data . data = user - > user_private_info . SensitiveData ;
data . length = user - > user_private_info . DataLength ;
2010-05-09 19:20:01 +04:00
ndr_err = ndr_pull_struct_blob ( & data , mem_ctx , & keys , ( ndr_pull_flags_fn_t ) ndr_pull_netr_USER_KEYS ) ;
2007-11-09 21:24:51 +03:00
if ( NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2004-11-13 16:48:59 +03:00
if ( keys . keys . keys2 . lmpassword . length = = 16 ) {
lm_hash_p = & lm_hash ;
}
if ( keys . keys . keys2 . ntpassword . length = = 16 ) {
nt_hash_p = & nt_hash ;
}
2005-01-16 14:11:57 +03:00
} else {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to parse Sensitive Data for %s: \n " , username ) ;
2005-01-16 14:11:57 +03:00
#if 0
dump_data ( 0 , data . data , data . length ) ;
# endif
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 06:57:54 +03:00
}
}
2004-11-13 16:48:59 +03:00
2005-07-13 19:19:28 +04:00
if ( nt_hash_p ) {
DATA_BLOB nt_hash_blob = data_blob_const ( nt_hash_p , 16 ) ;
2009-11-04 09:42:53 +03:00
DEBUG ( 100 , ( " ACCOUNT [%s \\ %-25s] NTHASH %s \n " , samsync_state - > domain_name [ 0 ] , username , data_blob_hex_string_upper ( mem_ctx , & nt_hash_blob ) ) ) ;
2005-07-13 19:19:28 +04:00
}
if ( lm_hash_p ) {
DATA_BLOB lm_hash_blob = data_blob_const ( lm_hash_p , 16 ) ;
2009-11-04 09:42:53 +03:00
DEBUG ( 100 , ( " ACCOUNT [%s \\ %-25s] LMHASH %s \n " , samsync_state - > domain_name [ 0 ] , username , data_blob_hex_string_upper ( mem_ctx , & lm_hash_blob ) ) ) ;
2005-07-13 19:19:28 +04:00
}
2010-03-23 19:28:55 +03:00
nt_status = test_SamLogon ( tctx ,
samsync_state - > p_netlogon_wksta , mem_ctx , samsync_state - > creds_netlogon_wksta ,
2004-11-12 02:25:33 +03:00
domain ,
2010-03-23 19:16:23 +03:00
username ,
2005-03-18 07:09:52 +03:00
TEST_WKSTA_MACHINE_NAME ,
2004-11-13 06:57:54 +03:00
lm_hash_p ,
nt_hash_p ,
2004-11-12 02:25:33 +03:00
& info3 ) ;
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_ACCOUNT_DISABLED ) ) {
if ( user - > acct_flags & ACB_DISABLED ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT ) ) {
if ( user - > acct_flags & ACB_WSTRUST ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT ) ) {
if ( user - > acct_flags & ACB_SVRTRUST ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT ) ) {
if ( user - > acct_flags & ACB_DOMTRUST ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT ) ) {
if ( user - > acct_flags & ACB_DOMTRUST ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_ACCOUNT_LOCKED_OUT ) ) {
if ( user - > acct_flags & ACB_AUTOLOCK ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-12 02:25:33 +03:00
}
2006-03-07 06:24:29 +03:00
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_PASSWORD_EXPIRED ) ) {
2008-11-10 16:42:27 +03:00
if ( info - > info21 . acct_flags & ACB_PW_EXPIRED ) {
2007-10-07 02:28:14 +04:00
return true ;
2006-03-07 06:24:29 +03:00
}
2004-11-17 14:56:13 +03:00
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_WRONG_PASSWORD ) ) {
if ( ! lm_hash_p & & ! nt_hash_p ) {
2007-10-07 02:28:14 +04:00
return true ;
2004-11-17 14:56:13 +03:00
}
2005-01-16 14:11:57 +03:00
} else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_PASSWORD_MUST_CHANGE ) ) {
/* We would need to know the server's current time to test this properly */
2007-10-07 02:28:14 +04:00
return true ;
2004-11-13 16:48:59 +03:00
} else if ( NT_STATUS_IS_OK ( nt_status ) ) {
TEST_INT_EQUAL ( user - > rid , info3 - > base . rid ) ;
TEST_INT_EQUAL ( user - > primary_gid , info3 - > base . primary_gid ) ;
2004-11-29 20:51:13 +03:00
/* this is 0x0 from NT4 sp6 */
if ( info3 - > base . acct_flags ) {
TEST_INT_EQUAL ( user - > acct_flags , info3 - > base . acct_flags ) ;
}
/* this is NULL from NT4 sp6 */
if ( info3 - > base . account_name . string ) {
TEST_STRING_EQUAL ( user - > account_name , info3 - > base . account_name ) ;
}
2005-04-30 12:13:39 +04:00
/* this is NULL from Win2k3 */
if ( info3 - > base . full_name . string ) {
TEST_STRING_EQUAL ( user - > full_name , info3 - > base . full_name ) ;
}
2004-11-13 16:48:59 +03:00
TEST_STRING_EQUAL ( user - > logon_script , info3 - > base . logon_script ) ;
TEST_STRING_EQUAL ( user - > profile_path , info3 - > base . profile_path ) ;
TEST_STRING_EQUAL ( user - > home_directory , info3 - > base . home_directory ) ;
TEST_STRING_EQUAL ( user - > home_drive , info3 - > base . home_drive ) ;
TEST_STRING_EQUAL ( user - > logon_script , info3 - > base . logon_script ) ;
TEST_TIME_EQUAL ( user - > last_logon , info3 - > base . last_logon ) ;
TEST_TIME_EQUAL ( user - > acct_expiry , info3 - > base . acct_expiry ) ;
TEST_TIME_EQUAL ( user - > last_password_change , info3 - > base . last_password_change ) ;
2008-11-10 16:42:27 +03:00
TEST_TIME_EQUAL ( info - > info21 . force_password_change , info3 - > base . force_password_change ) ;
2004-11-13 16:48:59 +03:00
/* Does the concept of a logoff time ever really
* exist ? ( not in any sensible way , according to the
* doco I read - - abartlet ) */
/* This copes with the two different versions of 0 I see */
2004-11-29 20:51:13 +03:00
/* with NT4 sp6 we have the || case */
2010-03-23 19:16:23 +03:00
if ( ! ( ( user - > last_logoff = = 0 )
2004-11-29 20:51:13 +03:00
| | ( info3 - > base . last_logoff = = 0x7fffffffffffffffLL ) ) ) {
2004-11-13 16:48:59 +03:00
TEST_TIME_EQUAL ( user - > last_logoff , info3 - > base . last_logoff ) ;
2004-11-12 02:25:33 +03:00
}
2005-05-01 12:05:17 +04:00
2008-11-05 12:58:35 +03:00
TEST_INT_EQUAL ( rids - > count , info3 - > base . groups . count ) ;
if ( rids - > count = = info3 - > base . groups . count ) {
2005-05-01 12:05:17 +04:00
int i , j ;
2008-11-05 12:58:35 +03:00
int count = rids - > count ;
bool * matched = talloc_zero_array ( mem_ctx , bool , rids - > count ) ;
2010-03-23 19:16:23 +03:00
2005-05-01 12:05:17 +04:00
for ( i = 0 ; i < count ; i + + ) {
for ( j = 0 ; j < count ; j + + ) {
2008-11-05 12:58:35 +03:00
if ( ( rids - > rids [ i ] . rid = =
2005-05-01 12:05:17 +04:00
info3 - > base . groups . rids [ j ] . rid )
2008-11-05 12:58:35 +03:00
& & ( rids - > rids [ i ] . attributes = =
2005-06-29 17:55:09 +04:00
info3 - > base . groups . rids [ j ] . attributes ) ) {
2007-10-07 02:28:14 +04:00
matched [ i ] = true ;
2005-05-01 12:05:17 +04:00
}
}
}
2008-11-05 12:58:35 +03:00
for ( i = 0 ; i < rids - > count ; i + + ) {
2007-10-07 02:28:14 +04:00
if ( matched [ i ] = = false ) {
ret = false ;
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Could not find group RID %u found in getgroups in NETLOGON reply \n " ,
2008-11-05 12:58:35 +03:00
rids - > rids [ i ] . rid ) ;
2005-05-01 12:05:17 +04:00
}
}
}
2004-11-13 16:48:59 +03:00
return ret ;
2004-11-12 02:25:33 +03:00
} else {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Could not validate password for user %s \\ %s: %s \n " ,
2004-11-12 02:25:33 +03:00
domain , username , nt_errstr ( nt_status ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2010-03-23 19:16:23 +03:00
}
2007-10-07 02:28:14 +04:00
return false ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_alias ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-17 16:39:37 +03:00
{
2005-02-10 08:09:35 +03:00
uint32_t rid = delta - > delta_id_union . rid ;
2004-11-17 16:39:37 +03:00
struct netr_DELTA_ALIAS * alias = delta - > delta_union . alias ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-17 16:39:37 +03:00
struct samr_OpenAlias r ;
struct samr_QueryAliasInfo q ;
2008-11-10 16:09:06 +03:00
union samr_AliasInfo * info ;
2004-11-17 16:39:37 +03:00
struct policy_handle alias_handle ;
if ( ! samsync_state - > domain_name | | ! samsync_state - > domain_handle [ database_id ] ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " SamSync needs domain information before the users \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
r . in . domain_handle = samsync_state - > domain_handle [ database_id ] ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-17 16:39:37 +03:00
r . in . rid = rid ;
r . out . alias_handle = & alias_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_OpenAlias_r ( samsync_state - > b_samr , mem_ctx , & r ) ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
2004-11-17 16:39:37 +03:00
q . in . alias_handle = & alias_handle ;
q . in . level = 1 ;
2008-11-10 16:09:06 +03:00
q . out . info = & info ;
2004-11-17 16:39:37 +03:00
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( alias - > sdbuf , samr , & alias_handle ) ;
2004-11-20 03:29:04 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_QueryAliasInfo_r ( samsync_state - > b_samr , mem_ctx , & q ) ,
" QueryAliasInfo failed " ) ;
2010-04-06 12:55:55 +04:00
if ( ! test_samr_handle_Close ( samsync_state - > b_samr , tctx , & alias_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " QueryAliasInfo level %u failed - %s \n " ,
2010-03-27 12:45:17 +03:00
q . in . level , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
2008-11-10 16:09:06 +03:00
TEST_STRING_EQUAL ( info - > all . name , alias - > alias_name ) ;
TEST_STRING_EQUAL ( info - > all . description , alias - > description ) ;
2004-11-22 11:50:20 +03:00
return ret ;
2004-11-17 16:39:37 +03:00
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_group ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-17 16:39:37 +03:00
{
2005-02-10 08:09:35 +03:00
uint32_t rid = delta - > delta_id_union . rid ;
2004-11-17 16:39:37 +03:00
struct netr_DELTA_GROUP * group = delta - > delta_union . group ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-17 16:39:37 +03:00
struct samr_OpenGroup r ;
struct samr_QueryGroupInfo q ;
2008-11-10 16:15:33 +03:00
union samr_GroupInfo * info ;
2004-11-17 16:39:37 +03:00
struct policy_handle group_handle ;
if ( ! samsync_state - > domain_name | | ! samsync_state - > domain_handle [ database_id ] ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " SamSync needs domain information before the users \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
r . in . domain_handle = samsync_state - > domain_handle [ database_id ] ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-17 16:39:37 +03:00
r . in . rid = rid ;
r . out . group_handle = & group_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_OpenGroup_r ( samsync_state - > b_samr , mem_ctx , & r ) ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result ,
talloc_asprintf ( tctx , " OpenUser(%u) failed " , rid ) ) ;
2004-11-17 16:39:37 +03:00
q . in . group_handle = & group_handle ;
q . in . level = 1 ;
2008-11-10 16:15:33 +03:00
q . out . info = & info ;
2004-11-17 16:39:37 +03:00
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( group - > sdbuf , samr , & group_handle ) ;
2004-11-20 03:29:04 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_samr_QueryGroupInfo_r ( samsync_state - > b_samr , mem_ctx , & q ) ,
" QueryGroupInfo failed " ) ;
2010-04-06 12:55:55 +04:00
if ( ! test_samr_handle_Close ( samsync_state - > b_samr , tctx , & group_handle ) ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
2010-03-27 12:45:17 +03:00
if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " QueryGroupInfo level %u failed - %s \n " ,
2010-03-27 12:45:17 +03:00
q . in . level , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 16:39:37 +03:00
}
2008-11-10 16:15:33 +03:00
TEST_STRING_EQUAL ( info - > all . name , group - > group_name ) ;
TEST_INT_EQUAL ( info - > all . attributes , group - > attributes ) ;
TEST_STRING_EQUAL ( info - > all . description , group - > description ) ;
2004-11-22 11:50:20 +03:00
return ret ;
2004-11-17 16:39:37 +03:00
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_secret ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-13 06:57:54 +03:00
{
struct netr_DELTA_SECRET * secret = delta - > delta_union . secret ;
const char * name = delta - > delta_id_union . name ;
2009-02-02 15:03:00 +03:00
struct samsync_secret * nsec = talloc ( samsync_state , struct samsync_secret ) ;
2005-01-27 10:08:20 +03:00
struct samsync_secret * old = talloc ( mem_ctx , struct samsync_secret ) ;
2004-11-17 14:56:13 +03:00
struct lsa_QuerySecret q ;
struct lsa_OpenSecret o ;
struct policy_handle sec_handle ;
struct lsa_DATA_BUF_PTR bufp1 ;
2005-01-11 08:16:43 +03:00
struct lsa_DATA_BUF_PTR bufp2 ;
2009-02-02 15:03:00 +03:00
NTTIME nsec_mtime ;
2005-01-11 08:16:43 +03:00
NTTIME old_mtime ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-17 14:56:13 +03:00
DATA_BLOB lsa_blob1 , lsa_blob_out , session_key ;
NTSTATUS status ;
2004-11-13 06:57:54 +03:00
2009-02-02 15:03:00 +03:00
nsec - > name = talloc_reference ( nsec , name ) ;
nsec - > secret = data_blob_talloc ( nsec , secret - > current_cipher . cipher_data , secret - > current_cipher . maxlen ) ;
nsec - > mtime = secret - > current_cipher_set_time ;
2004-11-13 06:57:54 +03:00
2009-02-02 15:03:00 +03:00
nsec = talloc_reference ( samsync_state , nsec ) ;
DLIST_ADD ( samsync_state - > secrets , nsec ) ;
2004-11-13 06:57:54 +03:00
2005-01-11 08:16:43 +03:00
old - > name = talloc_reference ( old , name ) ;
old - > secret = data_blob_const ( secret - > old_cipher . cipher_data , secret - > old_cipher . maxlen ) ;
old - > mtime = secret - > old_cipher_set_time ;
2004-11-17 14:56:13 +03:00
o . in . handle = samsync_state - > lsa_handle ;
2004-12-02 07:37:36 +03:00
o . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-22 14:59:59 +03:00
o . in . name . string = name ;
2004-11-17 14:56:13 +03:00
o . out . sec_handle = & sec_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_OpenSecret_r ( samsync_state - > b_lsa , mem_ctx , & o ) ,
" OpenSecret failed " ) ;
torture_assert_ntstatus_ok ( tctx , o . out . result ,
" OpenSecret failed " ) ;
2004-11-17 14:56:13 +03:00
2005-01-07 07:09:45 +03:00
/*
We would like to do this , but it is NOT_SUPPORTED on win2k3
TEST_SEC_DESC_EQUAL ( secret - > sdbuf , lsa , & sec_handle ) ;
*/
2004-11-17 14:56:13 +03:00
status = dcerpc_fetch_session_key ( samsync_state - > p_lsa , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " dcerpc_fetch_session_key failed - %s \n " , nt_errstr ( status ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 14:56:13 +03:00
}
2009-02-02 15:03:00 +03:00
ZERO_STRUCT ( nsec_mtime ) ;
2005-01-11 08:16:43 +03:00
ZERO_STRUCT ( old_mtime ) ;
2004-11-17 14:56:13 +03:00
/* fetch the secret back again */
2005-01-11 17:29:26 +03:00
q . in . sec_handle = & sec_handle ;
2004-11-17 14:56:13 +03:00
q . in . new_val = & bufp1 ;
2009-02-02 15:03:00 +03:00
q . in . new_mtime = & nsec_mtime ;
2005-01-11 08:16:43 +03:00
q . in . old_val = & bufp2 ;
q . in . old_mtime = & old_mtime ;
2004-11-17 14:56:13 +03:00
bufp1 . buf = NULL ;
2005-01-11 08:16:43 +03:00
bufp2 . buf = NULL ;
2004-11-17 14:56:13 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_QuerySecret_r ( samsync_state - > b_lsa , mem_ctx , & q ) ,
" QuerySecret failed " ) ;
if ( NT_STATUS_EQUAL ( NT_STATUS_ACCESS_DENIED , q . out . result ) ) {
2005-01-11 08:16:43 +03:00
/* some things are just off limits */
2007-10-07 02:28:14 +04:00
return true ;
2010-03-27 12:45:17 +03:00
} else if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
torture_comment ( tctx , " QuerySecret failed - %s \n " , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-17 14:56:13 +03:00
}
2005-01-11 08:16:43 +03:00
if ( q . out . old_val - > buf = = NULL ) {
/* probably just not available due to ACLs */
} else {
lsa_blob1 . data = q . out . old_val - > buf - > data ;
lsa_blob1 . length = q . out . old_val - > buf - > length ;
2005-01-11 17:04:58 +03:00
status = sess_decrypt_blob ( mem_ctx , & lsa_blob1 , & session_key , & lsa_blob_out ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to decrypt secrets OLD blob: %s \n " , nt_errstr ( status ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-01-11 17:04:58 +03:00
}
2005-01-11 08:16:43 +03:00
if ( ! q . out . old_mtime ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " OLD mtime not available on LSA for secret %s \n " , old - > name ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
if ( old - > mtime ! = * q . out . old_mtime ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " OLD mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s) \n " ,
2010-03-23 19:16:23 +03:00
old - > name , nt_time_string ( mem_ctx , old - > mtime ) ,
nt_time_string ( mem_ctx , * q . out . old_mtime ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
if ( old - > secret . length ! = lsa_blob_out . length ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Returned secret %s doesn't match: %d != %d \n " ,
2005-07-17 13:20:52 +04:00
old - > name , ( int ) old - > secret . length , ( int ) lsa_blob_out . length ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-23 19:16:23 +03:00
} else if ( memcmp ( lsa_blob_out . data ,
2005-01-11 08:16:43 +03:00
old - > secret . data , old - > secret . length ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Returned secret %s doesn't match: \n " ,
2005-01-11 08:16:43 +03:00
old - > name ) ;
DEBUG ( 1 , ( " SamSync Secret: \n " ) ) ;
dump_data ( 1 , old - > secret . data , old - > secret . length ) ;
DEBUG ( 1 , ( " LSA Secret: \n " ) ) ;
dump_data ( 1 , lsa_blob_out . data , lsa_blob_out . length ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
}
2004-11-17 14:56:13 +03:00
if ( q . out . new_val - > buf = = NULL ) {
2004-11-17 16:39:37 +03:00
/* probably just not available due to ACLs */
2004-11-17 14:56:13 +03:00
} else {
lsa_blob1 . data = q . out . new_val - > buf - > data ;
lsa_blob1 . length = q . out . new_val - > buf - > length ;
2005-01-11 17:04:58 +03:00
status = sess_decrypt_blob ( mem_ctx , & lsa_blob1 , & session_key , & lsa_blob_out ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to decrypt secrets OLD blob \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-01-11 17:04:58 +03:00
}
2010-03-23 19:16:23 +03:00
2005-01-11 08:16:43 +03:00
if ( ! q . out . new_mtime ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " NEW mtime not available on LSA for secret %s \n " , nsec - > name ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2009-02-02 15:03:00 +03:00
if ( nsec - > mtime ! = * q . out . new_mtime ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " NEW mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s) \n " ,
2009-02-02 15:03:00 +03:00
nsec - > name , nt_time_string ( mem_ctx , nsec - > mtime ) ,
2010-03-23 19:16:23 +03:00
nt_time_string ( mem_ctx , * q . out . new_mtime ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-11 08:16:43 +03:00
}
2009-02-02 15:03:00 +03:00
if ( nsec - > secret . length ! = lsa_blob_out . length ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Returned secret %s doesn't match: %d != %d \n " ,
2009-02-02 15:03:00 +03:00
nsec - > name , ( int ) nsec - > secret . length , ( int ) lsa_blob_out . length ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2010-03-23 19:16:23 +03:00
} else if ( memcmp ( lsa_blob_out . data ,
2009-02-02 15:03:00 +03:00
nsec - > secret . data , nsec - > secret . length ) ! = 0 ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Returned secret %s doesn't match: \n " ,
2009-02-02 15:03:00 +03:00
nsec - > name ) ;
2004-11-17 14:56:13 +03:00
DEBUG ( 1 , ( " SamSync Secret: \n " ) ) ;
2009-02-02 15:03:00 +03:00
dump_data ( 1 , nsec - > secret . data , nsec - > secret . length ) ;
2004-11-17 14:56:13 +03:00
DEBUG ( 1 , ( " LSA Secret: \n " ) ) ;
dump_data ( 1 , lsa_blob_out . data , lsa_blob_out . length ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-17 14:56:13 +03:00
}
}
return ret ;
2004-11-13 06:57:54 +03:00
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_trusted_domain ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-13 06:57:54 +03:00
{
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-13 06:57:54 +03:00
struct netr_DELTA_TRUSTED_DOMAIN * trusted_domain = delta - > delta_union . trusted_domain ;
struct dom_sid * dom_sid = delta - > delta_id_union . sid ;
2009-02-02 15:03:00 +03:00
struct samsync_trusted_domain * ndom = talloc ( samsync_state , struct samsync_trusted_domain ) ;
2004-11-22 11:50:20 +03:00
struct lsa_OpenTrustedDomain t ;
struct policy_handle trustdom_handle ;
2004-11-23 03:31:00 +03:00
struct lsa_QueryTrustedDomainInfo q ;
2004-11-23 14:02:27 +03:00
union lsa_TrustedDomainInfo * info [ 9 ] ;
2008-10-21 12:33:27 +04:00
union lsa_TrustedDomainInfo * _info = NULL ;
2004-11-23 14:02:27 +03:00
int levels [ ] = { 1 , 3 , 8 } ;
2004-11-22 14:59:59 +03:00
int i ;
2004-11-22 11:50:20 +03:00
2009-02-02 15:03:00 +03:00
ndom - > name = talloc_reference ( ndom , trusted_domain - > domain_name . string ) ;
ndom - > sid = talloc_reference ( ndom , dom_sid ) ;
2004-11-13 06:57:54 +03:00
2004-11-22 11:50:20 +03:00
t . in . handle = samsync_state - > lsa_handle ;
2004-12-02 07:37:36 +03:00
t . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-22 11:50:20 +03:00
t . in . sid = dom_sid ;
t . out . trustdom_handle = & trustdom_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_OpenTrustedDomain_r ( samsync_state - > b_lsa , mem_ctx , & t ) ,
" OpenTrustedDomain failed " ) ;
torture_assert_ntstatus_ok ( tctx , t . out . result ,
" OpenTrustedDomain failed " ) ;
2010-03-23 19:16:23 +03:00
2004-11-22 14:59:59 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( levels ) ; i + + ) {
q . in . trustdom_handle = & trustdom_handle ;
q . in . level = levels [ i ] ;
2008-10-21 12:33:27 +04:00
q . out . info = & _info ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_QueryTrustedDomainInfo_r ( samsync_state - > b_lsa , mem_ctx , & q ) ,
" QueryTrustedDomainInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( q . out . result ) ) {
if ( q . in . level = = 8 & & NT_STATUS_EQUAL ( q . out . result , NT_STATUS_INVALID_PARAMETER ) ) {
2004-11-29 20:51:13 +03:00
info [ levels [ i ] ] = NULL ;
continue ;
}
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " QueryInfoTrustedDomain level %d failed - %s \n " ,
2010-03-27 12:45:17 +03:00
levels [ i ] , nt_errstr ( q . out . result ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 14:59:59 +03:00
}
2008-10-21 12:33:27 +04:00
info [ levels [ i ] ] = _info ;
2004-11-22 14:59:59 +03:00
}
2004-11-22 11:50:20 +03:00
2004-11-29 20:51:13 +03:00
if ( info [ 8 ] ) {
TEST_SID_EQUAL ( info [ 8 ] - > full_info . info_ex . sid , dom_sid ) ;
TEST_STRING_EQUAL ( info [ 8 ] - > full_info . info_ex . netbios_name , trusted_domain - > domain_name ) ;
}
TEST_STRING_EQUAL ( info [ 1 ] - > name . netbios_name , trusted_domain - > domain_name ) ;
2005-01-12 14:16:04 +03:00
TEST_INT_EQUAL ( info [ 3 ] - > posix_offset . posix_offset , trusted_domain - > posix_offset ) ;
2005-01-07 07:09:45 +03:00
/*
We would like to do this , but it is NOT_SUPPORTED on win2k3
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( trusted_domain - > sdbuf , lsa , & trustdom_handle ) ;
2005-01-07 07:09:45 +03:00
*/
2009-02-02 15:03:00 +03:00
ndom = talloc_reference ( samsync_state , ndom ) ;
DLIST_ADD ( samsync_state - > trusted_domains , ndom ) ;
2004-11-13 06:57:54 +03:00
2004-11-22 11:50:20 +03:00
return ret ;
}
2010-03-23 19:28:55 +03:00
static bool samsync_handle_account ( struct torture_context * tctx ,
TALLOC_CTX * mem_ctx , struct samsync_state * samsync_state ,
2010-03-23 19:16:23 +03:00
int database_id , struct netr_DELTA_ENUM * delta )
2004-11-22 11:50:20 +03:00
{
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-22 11:50:20 +03:00
struct netr_DELTA_ACCOUNT * account = delta - > delta_union . account ;
struct dom_sid * dom_sid = delta - > delta_id_union . sid ;
struct lsa_OpenAccount a ;
struct policy_handle acct_handle ;
struct lsa_EnumPrivsAccount e ;
2008-10-21 04:11:54 +04:00
struct lsa_PrivilegeSet * privs = NULL ;
2004-11-22 11:50:20 +03:00
struct lsa_LookupPrivName r ;
int i , j ;
2007-10-07 02:28:14 +04:00
bool * found_priv_in_lsa ;
2004-11-22 11:50:20 +03:00
a . in . handle = samsync_state - > lsa_handle ;
2004-12-02 07:37:36 +03:00
a . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-22 11:50:20 +03:00
a . in . sid = dom_sid ;
a . out . acct_handle = & acct_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_OpenAccount_r ( samsync_state - > b_lsa , mem_ctx , & a ) ,
" OpenAccount failed " ) ;
torture_assert_ntstatus_ok ( tctx , a . out . result ,
" OpenAccount failed " ) ;
2004-11-22 11:50:20 +03:00
TEST_SEC_DESC_EQUAL ( account - > sdbuf , lsa , & acct_handle ) ;
2007-10-07 02:28:14 +04:00
found_priv_in_lsa = talloc_zero_array ( mem_ctx , bool , account - > privilege_entries ) ;
2004-11-22 11:50:20 +03:00
e . in . handle = & acct_handle ;
2008-10-21 04:11:54 +04:00
e . out . privs = & privs ;
2004-11-22 11:50:20 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_EnumPrivsAccount_r ( samsync_state - > b_lsa , mem_ctx , & e ) ,
" EnumPrivsAccount failed " ) ;
torture_assert_ntstatus_ok ( tctx , e . out . result ,
" EnumPrivsAccount failed " ) ;
2004-11-22 11:50:20 +03:00
2008-10-21 04:11:54 +04:00
if ( ( account - > privilege_entries & & ! privs ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Account %s has privileges in SamSync, but not LSA \n " ,
2005-01-16 14:11:57 +03:00
dom_sid_string ( mem_ctx , dom_sid ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:50:20 +03:00
}
2008-10-21 04:11:54 +04:00
if ( ! account - > privilege_entries & & privs & & privs - > count ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Account %s has privileges in LSA, but not SamSync \n " ,
2005-01-16 14:11:57 +03:00
dom_sid_string ( mem_ctx , dom_sid ) ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:50:20 +03:00
}
2008-10-21 04:11:54 +04:00
TEST_INT_EQUAL ( account - > privilege_entries , privs - > count ) ;
2010-03-23 19:16:23 +03:00
2008-10-21 04:11:54 +04:00
for ( i = 0 ; i < privs - > count ; i + + ) {
2008-10-21 04:24:07 +04:00
struct lsa_StringLarge * name = NULL ;
2004-11-22 11:50:20 +03:00
r . in . handle = samsync_state - > lsa_handle ;
2008-10-21 04:11:54 +04:00
r . in . luid = & privs - > set [ i ] . luid ;
2008-10-21 04:24:07 +04:00
r . out . name = & name ;
2010-03-23 19:16:23 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_lsa_LookupPrivName_r ( samsync_state - > b_lsa , mem_ctx , & r ) ,
" \n LookupPrivName failed " ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" \n LookupPrivName failed " ) ;
2010-03-23 19:16:23 +03:00
2004-11-22 11:50:20 +03:00
if ( ! r . out . name ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " \n LookupPrivName failed to return a name \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:50:20 +03:00
}
for ( j = 0 ; j < account - > privilege_entries ; j + + ) {
2008-10-21 04:24:07 +04:00
if ( strcmp ( name - > string , account - > privilege_name [ j ] . string ) = = 0 ) {
2007-10-07 02:28:14 +04:00
found_priv_in_lsa [ j ] = true ;
2004-11-22 11:50:20 +03:00
break ;
}
}
}
for ( j = 0 ; j < account - > privilege_entries ; j + + ) {
if ( ! found_priv_in_lsa [ j ] ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Privilege %s on account %s not found in LSA \n " , account - > privilege_name [ j ] . string ,
2004-11-22 11:50:20 +03:00
dom_sid_string ( mem_ctx , dom_sid ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-22 11:50:20 +03:00
}
}
return ret ;
2004-11-13 06:57:54 +03:00
}
2004-11-12 02:25:33 +03:00
/*
try a netlogon DatabaseSync
*/
2010-03-23 19:16:23 +03:00
static bool test_DatabaseSync ( struct torture_context * tctx ,
2008-02-19 16:12:05 +03:00
struct samsync_state * samsync_state ,
TALLOC_CTX * mem_ctx )
2004-11-12 02:25:33 +03:00
{
2005-03-22 11:00:45 +03:00
TALLOC_CTX * loop_ctx , * delta_ctx , * trustdom_ctx ;
2004-11-12 02:25:33 +03:00
struct netr_DatabaseSync r ;
2010-03-23 19:16:23 +03:00
const enum netr_SamDatabaseID database_ids [ ] = { SAM_DATABASE_DOMAIN , SAM_DATABASE_BUILTIN , SAM_DATABASE_PRIVS } ;
2004-11-12 02:25:33 +03:00
int i , d ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-13 06:57:54 +03:00
struct samsync_trusted_domain * t ;
struct samsync_secret * s ;
2008-10-29 01:13:58 +03:00
struct netr_Authenticator return_authenticator , credential ;
struct netr_DELTA_ENUM_ARRAY * delta_enum_array = NULL ;
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
const char * domain , * username ;
2004-11-12 02:25:33 +03:00
2008-10-29 01:13:58 +03:00
ZERO_STRUCT ( return_authenticator ) ;
2004-11-13 16:48:59 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( samsync_state - > p ) ) ;
2004-11-12 02:25:33 +03:00
r . in . computername = TEST_MACHINE_NAME ;
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2008-10-29 01:13:58 +03:00
r . in . return_authenticator = & return_authenticator ;
r . out . return_authenticator = & return_authenticator ;
r . out . delta_enum_array = & delta_enum_array ;
2004-11-12 02:25:33 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
2008-10-29 01:13:58 +03:00
uint32_t sync_context = 0 ;
2004-11-12 02:25:33 +03:00
r . in . database_id = database_ids [ i ] ;
2008-10-29 01:13:58 +03:00
r . in . sync_context = & sync_context ;
r . out . sync_context = & sync_context ;
2004-11-12 02:25:33 +03:00
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Testing DatabaseSync of id %d \n " , r . in . database_id ) ;
2004-11-12 02:25:33 +03:00
do {
2005-03-22 11:00:45 +03:00
loop_ctx = talloc_named ( mem_ctx , 0 , " DatabaseSync loop context " ) ;
2009-04-06 16:54:44 +04:00
netlogon_creds_client_authenticator ( samsync_state - > creds , & credential ) ;
2008-10-29 01:13:58 +03:00
r . in . credential = & credential ;
2004-11-12 02:25:33 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_netr_DatabaseSync_r ( samsync_state - > b , loop_ctx , & r ) ,
" DatabaseSync failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) & &
! NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) {
torture_comment ( tctx , " DatabaseSync - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
break ;
}
2009-04-06 16:54:44 +04:00
if ( ! netlogon_creds_client_check ( samsync_state - > creds , & r . out . return_authenticator - > cred ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Credential chaining failed \n " ) ;
2004-11-12 02:25:33 +03:00
}
r . in . sync_context = r . out . sync_context ;
2008-10-29 01:13:58 +03:00
for ( d = 0 ; d < delta_enum_array - > num_deltas ; d + + ) {
2005-03-22 11:00:45 +03:00
delta_ctx = talloc_named ( loop_ctx , 0 , " DatabaseSync delta context " ) ;
2009-04-23 19:53:25 +04:00
2010-03-23 19:16:23 +03:00
if ( ! NT_STATUS_IS_OK ( samsync_fix_delta ( delta_ctx , samsync_state - > creds ,
r . in . database_id ,
2009-04-23 19:53:25 +04:00
& delta_enum_array - > delta_enum [ d ] ) ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to decrypt delta \n " ) ;
2009-04-23 19:53:25 +04:00
ret = false ;
}
2008-10-29 01:13:58 +03:00
switch ( delta_enum_array - > delta_enum [ d ] . delta_type ) {
2004-11-12 02:25:33 +03:00
case NETR_DELTA_DOMAIN :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_domain ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_DOMAIN \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-12 02:25:33 +03:00
break ;
2004-11-17 16:39:37 +03:00
case NETR_DELTA_GROUP :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_group ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_USER \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-17 16:39:37 +03:00
break ;
2004-11-17 16:47:01 +03:00
case NETR_DELTA_USER :
2010-03-23 19:16:23 +03:00
if ( ! samsync_handle_user ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_USER \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-17 16:47:01 +03:00
break ;
2004-11-17 16:39:37 +03:00
case NETR_DELTA_ALIAS :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_alias ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_ALIAS \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-17 16:39:37 +03:00
break ;
2004-11-17 16:47:01 +03:00
case NETR_DELTA_POLICY :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_policy ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_POLICY \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-17 16:47:01 +03:00
break ;
2004-11-13 06:57:54 +03:00
case NETR_DELTA_TRUSTED_DOMAIN :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_trusted_domain ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_TRUSTED_DOMAIN \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-13 06:57:54 +03:00
break ;
2004-11-22 11:50:20 +03:00
case NETR_DELTA_ACCOUNT :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_account ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_ACCOUNT \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-22 11:50:20 +03:00
break ;
2004-11-13 06:57:54 +03:00
case NETR_DELTA_SECRET :
2010-03-23 19:28:55 +03:00
if ( ! samsync_handle_secret ( tctx , delta_ctx , samsync_state ,
2008-10-29 01:13:58 +03:00
r . in . database_id , & delta_enum_array - > delta_enum [ d ] ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Failed to handle DELTA_SECRET \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-16 14:11:57 +03:00
}
2004-11-13 06:57:54 +03:00
break ;
2006-03-07 06:24:29 +03:00
case NETR_DELTA_GROUP_MEMBER :
case NETR_DELTA_ALIAS_MEMBER :
/* These are harder to cross-check, and we expect them */
break ;
2005-11-10 06:48:56 +03:00
case NETR_DELTA_DELETE_GROUP :
case NETR_DELTA_RENAME_GROUP :
case NETR_DELTA_DELETE_USER :
case NETR_DELTA_RENAME_USER :
case NETR_DELTA_DELETE_ALIAS :
case NETR_DELTA_RENAME_ALIAS :
case NETR_DELTA_DELETE_TRUST :
case NETR_DELTA_DELETE_ACCOUNT :
case NETR_DELTA_DELETE_SECRET :
case NETR_DELTA_DELETE_GROUP2 :
case NETR_DELTA_DELETE_USER2 :
case NETR_DELTA_MODIFY_COUNT :
2006-03-07 06:24:29 +03:00
default :
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Uxpected delta type %d \n " , delta_enum_array - > delta_enum [ d ] . delta_type ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-11-10 06:48:56 +03:00
break ;
2004-11-12 02:25:33 +03:00
}
2005-03-22 11:00:45 +03:00
talloc_free ( delta_ctx ) ;
2004-11-12 02:25:33 +03:00
}
2005-03-22 11:00:45 +03:00
talloc_free ( loop_ctx ) ;
2010-03-27 12:45:17 +03:00
} while ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) ;
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
}
2004-11-13 06:57:54 +03:00
2004-11-13 16:48:59 +03:00
domain = samsync_state - > domain_name [ SAM_DATABASE_DOMAIN ] ;
if ( ! domain ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Never got a DOMAIN object in samsync! \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-13 16:48:59 +03:00
}
2005-03-22 11:00:45 +03:00
trustdom_ctx = talloc_named ( mem_ctx , 0 , " test_DatabaseSync Trusted domains context " ) ;
2010-03-23 19:16:23 +03:00
2005-03-22 11:00:45 +03:00
username = talloc_asprintf ( trustdom_ctx , " %s$ " , domain ) ;
2004-11-13 16:48:59 +03:00
for ( t = samsync_state - > trusted_domains ; t ; t = t - > next ) {
2005-03-22 11:00:45 +03:00
char * secret_name = talloc_asprintf ( trustdom_ctx , " G$$%s " , t - > name ) ;
2004-11-13 16:48:59 +03:00
for ( s = samsync_state - > secrets ; s ; s = s - > next ) {
2005-08-30 15:55:05 +04:00
if ( strcasecmp_m ( s - > name , secret_name ) = = 0 ) {
2004-11-13 16:48:59 +03:00
NTSTATUS nt_status ;
struct samr_Password nt_hash ;
mdfour ( nt_hash . hash , s - > secret . data , s - > secret . length ) ;
2010-03-23 19:16:23 +03:00
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Checking password for %s \\ %s \n " , t - > name , username ) ;
nt_status = test_SamLogon ( tctx ,
samsync_state - > p_netlogon_wksta , trustdom_ctx , samsync_state - > creds_netlogon_wksta ,
2004-11-13 16:48:59 +03:00
t - > name ,
2010-03-23 19:16:23 +03:00
username ,
2005-03-18 07:09:52 +03:00
TEST_WKSTA_MACHINE_NAME ,
2010-03-23 19:16:23 +03:00
NULL ,
2004-11-13 16:48:59 +03:00
& nt_hash ,
NULL ) ;
2004-11-22 11:50:20 +03:00
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_LOGON_SERVERS ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Verifiction of trust password to %s failed: %s (the trusted domain is not available) \n " ,
2004-11-22 11:50:20 +03:00
t - > name , nt_errstr ( nt_status ) ) ;
2010-03-23 19:16:23 +03:00
2004-11-22 11:50:20 +03:00
break ;
}
2004-11-13 16:48:59 +03:00
if ( ! NT_STATUS_EQUAL ( nt_status , NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s \n " ,
2004-11-13 16:48:59 +03:00
t - > name , nt_errstr ( nt_status ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-13 16:48:59 +03:00
}
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
/* break it */
nt_hash . hash [ 0 ] + + ;
2010-03-23 19:28:55 +03:00
nt_status = test_SamLogon ( tctx ,
samsync_state - > p_netlogon_wksta , trustdom_ctx , samsync_state - > creds_netlogon_wksta ,
2004-11-13 16:48:59 +03:00
t - > name ,
2010-03-23 19:16:23 +03:00
username ,
2005-03-18 07:09:52 +03:00
TEST_WKSTA_MACHINE_NAME ,
2004-11-13 16:48:59 +03:00
NULL ,
& nt_hash ,
NULL ) ;
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
if ( ! NT_STATUS_EQUAL ( nt_status , NT_STATUS_WRONG_PASSWORD ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Verifiction of trust password to %s: should have failed (wrong password), instead: %s \n " ,
2004-11-13 16:48:59 +03:00
t - > name , nt_errstr ( nt_status ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-13 06:57:54 +03:00
}
2010-03-23 19:16:23 +03:00
2004-11-13 16:48:59 +03:00
break ;
2004-11-13 06:57:54 +03:00
}
}
2004-11-12 02:25:33 +03:00
}
2005-03-22 11:00:45 +03:00
talloc_free ( trustdom_ctx ) ;
2004-11-12 02:25:33 +03:00
return ret ;
}
/*
try a netlogon DatabaseDeltas
*/
2010-03-23 19:28:55 +03:00
static bool test_DatabaseDeltas ( struct torture_context * tctx ,
struct samsync_state * samsync_state , TALLOC_CTX * mem_ctx )
2004-11-12 02:25:33 +03:00
{
2005-03-22 11:00:45 +03:00
TALLOC_CTX * loop_ctx ;
2004-11-12 02:25:33 +03:00
struct netr_DatabaseDeltas r ;
2008-10-28 02:38:44 +03:00
struct netr_Authenticator credential ;
struct netr_Authenticator return_authenticator ;
struct netr_DELTA_ENUM_ARRAY * delta_enum_array = NULL ;
2010-03-23 19:16:23 +03:00
const uint32_t database_ids [ ] = { 0 , 1 , 2 } ;
2004-11-12 02:25:33 +03:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-12 02:25:33 +03:00
2008-10-28 02:38:44 +03:00
ZERO_STRUCT ( return_authenticator ) ;
2004-11-13 16:48:59 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( samsync_state - > p ) ) ;
2004-11-12 02:25:33 +03:00
r . in . computername = TEST_MACHINE_NAME ;
2008-10-28 02:38:44 +03:00
r . in . credential = & credential ;
2004-11-12 02:25:33 +03:00
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2008-10-28 02:38:44 +03:00
r . in . return_authenticator = & return_authenticator ;
r . out . return_authenticator = & return_authenticator ;
r . out . delta_enum_array = & delta_enum_array ;
2004-11-12 02:25:33 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
2008-10-28 02:38:44 +03:00
uint64_t seq_num = samsync_state - > seq_num [ i ] ;
2004-11-12 02:25:33 +03:00
r . in . database_id = database_ids [ i ] ;
2008-10-28 02:38:44 +03:00
r . in . sequence_num = & seq_num ;
r . out . sequence_num = & seq_num ;
2004-11-12 02:25:33 +03:00
2008-10-28 02:38:44 +03:00
if ( seq_num = = 0 ) continue ;
2004-11-12 02:25:33 +03:00
2005-04-05 10:55:10 +04:00
/* this shows that the bdc doesn't need to do a single call for
* each seqnumber , and the pdc doesn ' t need to know about old values
* - - metze
*/
2008-10-28 02:38:44 +03:00
seq_num - = 10 ;
2004-11-12 02:25:33 +03:00
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Testing DatabaseDeltas of id %d at %llu \n " ,
2008-10-28 02:38:44 +03:00
r . in . database_id , ( long long ) seq_num ) ;
2004-11-12 02:25:33 +03:00
do {
2005-03-22 11:00:45 +03:00
loop_ctx = talloc_named ( mem_ctx , 0 , " test_DatabaseDeltas loop context " ) ;
2009-04-06 16:54:44 +04:00
netlogon_creds_client_authenticator ( samsync_state - > creds , & credential ) ;
2004-11-12 02:25:33 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_netr_DatabaseDeltas_r ( samsync_state - > b , loop_ctx , & r ) ,
" DatabaseDeltas failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) & &
! NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) & &
! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_SYNCHRONIZATION_REQUIRED ) ) {
torture_comment ( tctx , " DatabaseDeltas - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2009-04-06 16:54:44 +04:00
if ( ! netlogon_creds_client_check ( samsync_state - > creds , & return_authenticator . cred ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Credential chaining failed \n " ) ;
2004-11-12 02:25:33 +03:00
}
2008-10-28 02:38:44 +03:00
seq_num + + ;
2005-03-22 11:00:45 +03:00
talloc_free ( loop_ctx ) ;
2010-03-27 12:45:17 +03:00
} while ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) ;
2004-11-12 02:25:33 +03:00
}
return ret ;
}
/*
try a netlogon DatabaseSync2
*/
2010-03-23 19:28:55 +03:00
static bool test_DatabaseSync2 ( struct torture_context * tctx ,
struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
2009-04-06 16:54:44 +04:00
struct netlogon_creds_CredentialState * creds )
2004-11-12 02:25:33 +03:00
{
2005-03-22 11:00:45 +03:00
TALLOC_CTX * loop_ctx ;
2004-11-12 02:25:33 +03:00
struct netr_DatabaseSync2 r ;
2010-03-23 19:16:23 +03:00
const uint32_t database_ids [ ] = { 0 , 1 , 2 } ;
2004-11-12 02:25:33 +03:00
int i ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2008-10-29 02:07:12 +03:00
struct netr_Authenticator return_authenticator , credential ;
struct netr_DELTA_ENUM_ARRAY * delta_enum_array = NULL ;
2010-03-17 14:05:10 +03:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2008-10-29 02:07:12 +03:00
ZERO_STRUCT ( return_authenticator ) ;
2004-11-12 02:25:33 +03:00
r . in . logon_server = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
r . in . computername = TEST_MACHINE_NAME ;
r . in . preferredmaximumlength = ( uint32_t ) - 1 ;
2008-10-29 02:07:12 +03:00
r . in . return_authenticator = & return_authenticator ;
r . out . return_authenticator = & return_authenticator ;
r . out . delta_enum_array = & delta_enum_array ;
2004-11-12 02:25:33 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( database_ids ) ; i + + ) {
2008-10-29 02:07:12 +03:00
uint32_t sync_context = 0 ;
2004-11-12 02:25:33 +03:00
r . in . database_id = database_ids [ i ] ;
2008-10-29 02:07:12 +03:00
r . in . sync_context = & sync_context ;
r . out . sync_context = & sync_context ;
2004-11-12 02:25:33 +03:00
r . in . restart_state = 0 ;
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Testing DatabaseSync2 of id %d \n " , r . in . database_id ) ;
2004-11-12 02:25:33 +03:00
do {
2005-03-22 11:00:45 +03:00
loop_ctx = talloc_named ( mem_ctx , 0 , " test_DatabaseSync2 loop context " ) ;
2009-04-06 16:54:44 +04:00
netlogon_creds_client_authenticator ( creds , & credential ) ;
2008-10-29 02:07:12 +03:00
r . in . credential = & credential ;
2004-11-12 02:25:33 +03:00
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_netr_DatabaseSync2_r ( b , loop_ctx , & r ) ,
" DatabaseSync2 failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) & &
! NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) {
torture_comment ( tctx , " DatabaseSync2 - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2009-04-06 16:54:44 +04:00
if ( ! netlogon_creds_client_check ( creds , & r . out . return_authenticator - > cred ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( tctx , " Credential chaining failed \n " ) ;
2004-11-12 02:25:33 +03:00
}
2005-03-22 11:00:45 +03:00
talloc_free ( loop_ctx ) ;
2010-03-27 12:45:17 +03:00
} while ( NT_STATUS_EQUAL ( r . out . result , STATUS_MORE_ENTRIES ) ) ;
2004-11-12 02:25:33 +03:00
}
return ret ;
}
2007-10-07 02:28:14 +04:00
bool torture_rpc_samsync ( struct torture_context * torture )
2004-11-12 02:25:33 +03:00
{
NTSTATUS status ;
TALLOC_CTX * mem_ctx ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-11-12 02:25:33 +03:00
struct test_join * join_ctx ;
2004-11-22 11:50:20 +03:00
struct test_join * join_ctx2 ;
2005-03-18 06:16:53 +03:00
struct test_join * user_ctx ;
2004-11-12 02:25:33 +03:00
const char * machine_password ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
const char * wksta_machine_password ;
struct dcerpc_binding * b ;
struct dcerpc_binding * b_netlogon_wksta ;
2004-11-13 16:48:59 +03:00
struct samr_Connect c ;
2004-11-17 14:56:13 +03:00
struct samr_SetDomainInfo s ;
struct policy_handle * domain_policy ;
struct lsa_ObjectAttribute attr ;
struct lsa_QosInfo qos ;
struct lsa_OpenPolicy2 r ;
2005-03-22 11:00:45 +03:00
struct cli_credentials * credentials ;
struct cli_credentials * credentials_wksta ;
2004-11-13 16:48:59 +03:00
struct samsync_state * samsync_state ;
2004-11-12 02:25:33 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
char * test_machine_account ;
char * test_wksta_machine_account ;
2004-11-12 02:25:33 +03:00
mem_ctx = talloc_init ( " torture_rpc_netlogon " ) ;
2010-03-23 19:16:23 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
test_machine_account = talloc_asprintf ( mem_ctx , " %s$ " , TEST_MACHINE_NAME ) ;
2010-03-23 19:16:23 +03:00
join_ctx = torture_create_testuser ( torture , test_machine_account ,
2010-07-16 08:32:42 +04:00
lpcfg_workgroup ( torture - > lp_ctx ) , ACB_SVRTRUST ,
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
& machine_password ) ;
2004-11-12 02:25:33 +03:00
if ( ! join_ctx ) {
2005-03-22 11:00:45 +03:00
talloc_free ( mem_ctx ) ;
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to join as BDC \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:16:23 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
test_wksta_machine_account = talloc_asprintf ( mem_ctx , " %s$ " , TEST_WKSTA_MACHINE_NAME ) ;
2010-07-16 08:32:42 +04:00
join_ctx2 = torture_create_testuser ( torture , test_wksta_machine_account , lpcfg_workgroup ( torture - > lp_ctx ) , ACB_WSTRUST , & wksta_machine_password ) ;
2004-11-22 11:50:20 +03:00
if ( ! join_ctx2 ) {
2005-03-22 11:00:45 +03:00
talloc_free ( mem_ctx ) ;
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to join as member \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2004-11-22 11:50:20 +03:00
}
2010-03-23 19:16:23 +03:00
2007-08-28 16:54:27 +04:00
user_ctx = torture_create_testuser ( torture , TEST_USER_NAME ,
2010-07-16 08:32:42 +04:00
lpcfg_workgroup ( torture - > lp_ctx ) ,
2005-03-18 06:16:53 +03:00
ACB_NORMAL , NULL ) ;
if ( ! user_ctx ) {
2005-03-22 11:00:45 +03:00
talloc_free ( mem_ctx ) ;
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to create test account \n " ) ;
2007-10-07 02:28:14 +04:00
return false ;
2005-03-18 06:16:53 +03:00
}
2005-01-27 10:08:20 +03:00
samsync_state = talloc_zero ( mem_ctx , struct samsync_state ) ;
2004-11-13 16:48:59 +03:00
samsync_state - > p_samr = torture_join_samr_pipe ( join_ctx ) ;
2010-03-17 14:05:10 +03:00
samsync_state - > b_samr = samsync_state - > p_samr - > binding_handle ;
2005-01-27 10:08:20 +03:00
samsync_state - > connect_handle = talloc_zero ( samsync_state , struct policy_handle ) ;
samsync_state - > lsa_handle = talloc_zero ( samsync_state , struct policy_handle ) ;
2004-11-13 16:48:59 +03:00
c . in . system_name = NULL ;
2004-12-02 07:37:36 +03:00
c . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-13 16:48:59 +03:00
c . out . connect_handle = samsync_state - > connect_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok_goto ( torture ,
dcerpc_samr_Connect_r ( samsync_state - > b_samr , mem_ctx , & c ) ,
ret , failed ,
" samr_Connect failed " ) ;
torture_assert_ntstatus_ok_goto ( torture , c . out . result ,
ret , failed ,
" samr_Connect failed " ) ;
2004-11-12 02:25:33 +03:00
2010-07-16 08:32:42 +04:00
domain_policy = samsync_open_domain ( torture , mem_ctx , samsync_state , lpcfg_workgroup ( torture - > lp_ctx ) , NULL ) ;
2004-11-17 14:56:13 +03:00
if ( ! domain_policy ) {
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " samrsync_open_domain failed \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-17 14:56:13 +03:00
goto failed ;
}
2010-03-23 19:16:23 +03:00
2004-11-17 14:56:13 +03:00
s . in . domain_handle = domain_policy ;
s . in . level = 4 ;
2005-01-27 10:08:20 +03:00
s . in . info = talloc ( mem_ctx , union samr_DomainInfo ) ;
2010-03-23 19:16:23 +03:00
2008-07-21 07:42:07 +04:00
s . in . info - > oem . oem_information . string
2010-03-23 19:16:23 +03:00
= talloc_asprintf ( mem_ctx ,
" Tortured by Samba4: %s " ,
2004-11-17 14:56:13 +03:00
timestring ( mem_ctx , time ( NULL ) ) ) ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok_goto ( torture ,
dcerpc_samr_SetDomainInfo_r ( samsync_state - > b_samr , mem_ctx , & s ) ,
ret , failed ,
" SetDomainInfo failed " ) ;
2004-11-17 14:56:13 +03:00
2010-03-24 15:18:33 +03:00
if ( ! test_samr_handle_Close ( samsync_state - > b_samr , torture , domain_policy ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-17 16:39:37 +03:00
goto failed ;
}
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok_goto ( torture , s . out . result ,
ret , failed ,
talloc_asprintf ( torture , " SetDomainInfo level %u failed " , s . in . level ) ) ;
2004-11-17 14:56:13 +03:00
2007-08-28 16:54:27 +04:00
status = torture_rpc_connection ( torture ,
2010-03-23 19:16:23 +03:00
& samsync_state - > p_lsa ,
2007-08-20 01:23:03 +04:00
& ndr_table_lsarpc ) ;
2004-11-17 14:56:13 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-17 14:56:13 +03:00
goto failed ;
}
2010-03-17 14:05:10 +03:00
samsync_state - > b_lsa = samsync_state - > p_lsa - > binding_handle ;
2004-11-17 14:56:13 +03:00
qos . len = 0 ;
qos . impersonation_level = 2 ;
qos . context_mode = 1 ;
qos . effective_only = 0 ;
attr . len = 0 ;
attr . root_dir = NULL ;
attr . object_name = NULL ;
attr . attributes = 0 ;
attr . sec_desc = NULL ;
attr . sec_qos = & qos ;
r . in . system_name = " \\ " ;
r . in . attr = & attr ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-17 14:56:13 +03:00
r . out . handle = samsync_state - > lsa_handle ;
2010-03-27 12:45:17 +03:00
torture_assert_ntstatus_ok_goto ( torture ,
dcerpc_lsa_OpenPolicy2_r ( samsync_state - > b_lsa , mem_ctx , & r ) ,
ret , failed ,
" OpenPolicy2 failed " ) ;
torture_assert_ntstatus_ok_goto ( torture , r . out . result ,
ret , failed ,
" OpenPolicy2 failed " ) ;
2004-11-12 02:25:33 +03:00
2007-08-28 23:03:08 +04:00
status = torture_rpc_binding ( torture , & b ) ;
2004-11-22 11:50:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-22 11:50:20 +03:00
goto failed ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
2005-05-01 23:29:00 +04:00
b - > flags | = DCERPC_SCHANNEL | DCERPC_SIGN ;
2004-11-12 02:25:33 +03:00
2005-03-22 11:00:45 +03:00
credentials = cli_credentials_init ( mem_ctx ) ;
2005-03-22 00:22:07 +03:00
2005-03-22 11:00:45 +03:00
cli_credentials_set_workstation ( credentials , TEST_MACHINE_NAME , CRED_SPECIFIED ) ;
2010-07-16 08:32:42 +04:00
cli_credentials_set_domain ( credentials , lpcfg_workgroup ( torture - > lp_ctx ) , CRED_SPECIFIED ) ;
2005-03-22 11:00:45 +03:00
cli_credentials_set_username ( credentials , test_machine_account , CRED_SPECIFIED ) ;
cli_credentials_set_password ( credentials , machine_password , CRED_SPECIFIED ) ;
2005-05-01 23:29:00 +04:00
cli_credentials_set_secure_channel_type ( credentials ,
SEC_CHAN_BDC ) ;
2005-03-22 11:00:45 +03:00
status = dcerpc_pipe_connect_b ( samsync_state ,
2010-03-23 19:16:23 +03:00
& samsync_state - > p , b ,
2007-08-20 01:23:03 +04:00
& ndr_table_netlogon ,
2008-04-22 01:58:23 +04:00
credentials , torture - > ev , torture - > lp_ctx ) ;
2010-03-23 19:16:23 +03:00
2004-11-12 02:25:33 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to connect to server as a BDC: %s \n " , nt_errstr ( status ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-13 16:48:59 +03:00
goto failed ;
2004-11-12 02:25:33 +03:00
}
2010-03-17 14:05:10 +03:00
samsync_state - > b = samsync_state - > p - > binding_handle ;
2004-11-12 02:25:33 +03:00
2010-03-23 19:16:23 +03:00
status = dcerpc_schannel_creds ( samsync_state - > p - > conn - > security_state . generic_state ,
2005-03-22 11:00:45 +03:00
samsync_state , & samsync_state - > creds ) ;
2004-11-12 02:25:33 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2004-11-22 11:50:20 +03:00
2007-08-28 23:03:08 +04:00
status = torture_rpc_binding ( torture , & b_netlogon_wksta ) ;
2004-11-22 11:50:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-22 11:50:20 +03:00
goto failed ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
b_netlogon_wksta - > flags & = ~ DCERPC_AUTH_OPTIONS ;
2005-05-01 23:29:00 +04:00
b_netlogon_wksta - > flags | = DCERPC_SCHANNEL | DCERPC_SIGN ;
2004-11-22 11:50:20 +03:00
2005-03-22 11:00:45 +03:00
credentials_wksta = cli_credentials_init ( mem_ctx ) ;
cli_credentials_set_workstation ( credentials_wksta , TEST_WKSTA_MACHINE_NAME , CRED_SPECIFIED ) ;
2010-07-16 08:32:42 +04:00
cli_credentials_set_domain ( credentials_wksta , lpcfg_workgroup ( torture - > lp_ctx ) , CRED_SPECIFIED ) ;
2005-03-22 11:00:45 +03:00
cli_credentials_set_username ( credentials_wksta , test_wksta_machine_account , CRED_SPECIFIED ) ;
cli_credentials_set_password ( credentials_wksta , wksta_machine_password , CRED_SPECIFIED ) ;
2005-05-01 23:29:00 +04:00
cli_credentials_set_secure_channel_type ( credentials_wksta ,
SEC_CHAN_WKSTA ) ;
2005-03-22 00:22:07 +03:00
2010-03-23 19:16:23 +03:00
status = dcerpc_pipe_connect_b ( samsync_state ,
& samsync_state - > p_netlogon_wksta ,
b_netlogon_wksta ,
2007-08-20 01:23:03 +04:00
& ndr_table_netlogon ,
2008-04-22 01:58:23 +04:00
credentials_wksta , torture - > ev , torture - > lp_ctx ) ;
2004-11-22 11:50:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to connect to server as a Workstation: %s \n " , nt_errstr ( status ) ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-22 11:50:20 +03:00
goto failed ;
}
2010-03-23 19:16:23 +03:00
status = dcerpc_schannel_creds ( samsync_state - > p_netlogon_wksta - > conn - > security_state . generic_state ,
2005-03-22 11:00:45 +03:00
samsync_state , & samsync_state - > creds_netlogon_wksta ) ;
2004-11-22 11:50:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " Failed to obtail schanel creds! \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-22 11:50:20 +03:00
}
2008-02-19 16:12:05 +03:00
if ( ! test_DatabaseSync ( torture , samsync_state , mem_ctx ) ) {
2010-03-23 19:28:55 +03:00
torture_comment ( torture , " DatabaseSync failed \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:28:55 +03:00
if ( ! test_DatabaseDeltas ( torture , samsync_state , mem_ctx ) ) {
torture_comment ( torture , " DatabaseDeltas failed \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2010-03-23 19:28:55 +03:00
if ( ! test_DatabaseSync2 ( torture , samsync_state - > p , mem_ctx , samsync_state - > creds ) ) {
torture_comment ( torture , " DatabaseSync2 failed \n " ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-11-12 02:25:33 +03:00
}
2004-11-13 16:48:59 +03:00
failed :
2004-11-12 02:25:33 +03:00
2008-06-14 19:24:17 +04:00
torture_leave_domain ( torture , join_ctx ) ;
torture_leave_domain ( torture , join_ctx2 ) ;
torture_leave_domain ( torture , user_ctx ) ;
2004-11-12 02:25:33 +03:00
2005-01-27 10:08:20 +03:00
talloc_free ( mem_ctx ) ;
2004-11-13 16:48:59 +03:00
2004-11-12 02:25:33 +03:00
return ret ;
}