2011-12-13 23:30:21 +01:00
/*
2004-06-06 07:14:10 +00:00
Unix SMB / CIFS implementation .
test suite for schannel operations
Copyright ( C ) Andrew Tridgell 2004
2011-12-13 23:30:21 +01:00
2004-06-06 07:14:10 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-06-06 07:14:10 +00:00
( at your option ) any later version .
2011-12-13 23:30:21 +01:00
2004-06-06 07:14:10 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2011-12-13 23:30:21 +01:00
2004-06-06 07:14:10 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-06-06 07:14:10 +00:00
*/
# include "includes.h"
2006-03-14 23:35:30 +00:00
# include "librpc/gen_ndr/ndr_netlogon_c.h"
# include "librpc/gen_ndr/ndr_lsa_c.h"
# include "librpc/gen_ndr/ndr_samr_c.h"
2006-03-14 01:29:56 +00:00
# include "auth/credentials/credentials.h"
2010-04-13 22:06:51 +02:00
# include "torture/rpc/torture_rpc.h"
2006-02-07 23:49:35 +00:00
# include "lib/cmdline/popt_common.h"
2011-07-21 13:20:26 +10:00
# include "auth/gensec/schannel.h"
2009-09-29 11:49:50 +02:00
# include "../libcli/auth/schannel.h"
2006-03-14 15:02:05 +00:00
# include "libcli/auth/libcli_auth.h"
2006-04-02 12:02:01 +00:00
# include "libcli/security/security.h"
2007-05-23 07:44:51 +00:00
# include "system/filesys.h"
2007-09-08 12:42:09 +00:00
# include "param/param.h"
2008-04-02 04:53:27 +02:00
# include "librpc/rpc/dcerpc_proto.h"
# include "auth/gensec/gensec.h"
2008-05-13 09:10:25 +02:00
# include "libcli/composite/composite.h"
# include "lib/events/events.h"
2004-06-06 07:14:10 +00:00
2005-10-25 12:14:08 +00:00
# define TEST_MACHINE_NAME "schannel"
2004-06-06 07:14:10 +00:00
2006-02-07 23:49:35 +00:00
/*
try a netlogon SamLogon
*/
2011-12-13 23:30:21 +01:00
bool test_netlogon_ex_ops ( struct dcerpc_pipe * p , struct torture_context * tctx ,
struct cli_credentials * credentials ,
2009-04-06 22:54:44 +10:00
struct netlogon_creds_CredentialState * creds )
2006-02-07 23:49:35 +00:00
{
NTSTATUS status ;
struct netr_LogonSamLogonEx r ;
struct netr_NetworkInfo ninfo ;
2008-10-28 19:03:50 +01:00
union netr_LogonLevel logon ;
union netr_Validation validation ;
uint8_t authoritative = 0 ;
uint32_t _flags = 0 ;
2006-02-07 23:49:35 +00:00
DATA_BLOB names_blob , chal , lm_resp , nt_resp ;
int i ;
int flags = CLI_CRED_NTLM_AUTH ;
2010-03-16 11:10:16 +01:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2012-12-07 12:57:18 +01:00
struct netr_UserSessionKey key ;
struct netr_LMSessionKey LMSessKey ;
uint32_t validation_levels [ ] = { 2 , 3 } ;
struct netr_SamBaseInfo * base ;
const char * crypto_alg = " " ;
bool can_do_validation_6 = true ;
2010-07-16 14:32:42 +10:00
if ( lpcfg_client_lanman_auth ( tctx - > lp_ctx ) ) {
2006-02-07 23:49:35 +00:00
flags | = CLI_CRED_LANMAN_AUTH ;
}
2010-07-16 14:32:42 +10:00
if ( lpcfg_client_ntlmv2_auth ( tctx - > lp_ctx ) ) {
2006-02-07 23:49:35 +00:00
flags | = CLI_CRED_NTLMv2_AUTH ;
}
2011-12-13 23:30:21 +01:00
cli_credentials_get_ntlm_username_domain ( cmdline_credentials , tctx ,
2006-02-07 23:49:35 +00:00
& ninfo . identity_info . account_name . string ,
& ninfo . identity_info . domain_name . string ) ;
2011-12-13 23:30:21 +01:00
generate_random_buffer ( ninfo . challenge ,
2006-02-07 23:49:35 +00:00
sizeof ( ninfo . challenge ) ) ;
2011-12-13 23:30:21 +01:00
chal = data_blob_const ( ninfo . challenge ,
2006-02-07 23:49:35 +00:00
sizeof ( ninfo . challenge ) ) ;
2011-12-13 23:30:21 +01:00
names_blob = NTLMv2_generate_names_blob ( tctx , cli_credentials_get_workstation ( credentials ) ,
2006-02-07 23:49:35 +00:00
cli_credentials_get_domain ( credentials ) ) ;
2011-12-13 23:30:21 +01:00
status = cli_credentials_get_ntlm_response ( cmdline_credentials , tctx ,
& flags ,
2006-02-07 23:49:35 +00:00
chal ,
names_blob ,
& lm_resp , & nt_resp ,
NULL , NULL ) ;
2011-12-13 23:30:21 +01:00
torture_assert_ntstatus_ok ( tctx , status ,
2007-08-31 22:34:52 +00:00
" cli_credentials_get_ntlm_response failed " ) ;
2006-02-07 23:49:35 +00:00
ninfo . lm . data = lm_resp . data ;
ninfo . lm . length = lm_resp . length ;
ninfo . nt . data = nt_resp . data ;
ninfo . nt . length = nt_resp . length ;
ninfo . identity_info . parameter_control = 0 ;
ninfo . identity_info . logon_id_low = 0 ;
ninfo . identity_info . logon_id_high = 0 ;
ninfo . identity_info . workstation . string = cli_credentials_get_workstation ( credentials ) ;
2008-10-28 19:03:50 +01:00
logon . network = & ninfo ;
2007-08-31 22:34:52 +00:00
r . in . server_name = talloc_asprintf ( tctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2006-02-21 00:07:59 +00:00
r . in . computer_name = cli_credentials_get_workstation ( credentials ) ;
2012-12-05 16:11:19 +01:00
r . in . logon_level = NetlogonNetworkInformation ;
2008-10-28 19:03:50 +01:00
r . in . logon = & logon ;
r . in . flags = & _flags ;
r . out . validation = & validation ;
r . out . authoritative = & authoritative ;
r . out . flags = & _flags ;
2006-02-07 23:49:35 +00:00
2012-12-07 12:57:18 +01:00
/*
- retrieve level6
- save usrsession and lmsession key
- retrieve level 2
- calculate , compare
- retrieve level 3
- calculate , compare
*/
if ( creds ) {
if ( creds - > negotiate_flags & NETLOGON_NEG_SUPPORTS_AES ) {
crypto_alg = " AES " ;
} else if ( creds - > negotiate_flags & NETLOGON_NEG_ARCFOUR ) {
crypto_alg = " ARCFOUR " ;
}
}
2011-12-13 23:30:21 +01:00
2012-12-07 12:57:18 +01:00
r . in . validation_level = 6 ;
torture_comment ( tctx ,
" Testing LogonSamLogonEx with name %s using %s and validation_level: %d \n " ,
ninfo . identity_info . account_name . string , crypto_alg ,
r . in . validation_level ) ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_netr_LogonSamLogonEx_r ( b , tctx , & r ) ,
" LogonSamLogonEx failed " ) ;
if ( NT_STATUS_EQUAL ( r . out . result , NT_STATUS_INVALID_INFO_CLASS ) ) {
can_do_validation_6 = false ;
} else {
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LogonSamLogonEx failed " ) ;
key = r . out . validation - > sam6 - > base . key ;
LMSessKey = r . out . validation - > sam6 - > base . LMSessKey ;
DEBUG ( 1 , ( " unencrypted session keys from validation_level 6: \n " ) ) ;
dump_data ( 1 , r . out . validation - > sam6 - > base . key . key , 16 ) ;
dump_data ( 1 , r . out . validation - > sam6 - > base . LMSessKey . key , 8 ) ;
}
2011-12-13 23:30:21 +01:00
2012-12-07 12:57:18 +01:00
for ( i = 0 ; i < ARRAY_SIZE ( validation_levels ) ; i + + ) {
r . in . validation_level = validation_levels [ i ] ;
torture_comment ( tctx ,
" Testing LogonSamLogonEx with name %s using %s and validation_level: %d \n " ,
ninfo . identity_info . account_name . string , crypto_alg ,
r . in . validation_level ) ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_netr_LogonSamLogonEx_r ( b , tctx , & r ) ,
" LogonSamLogonEx failed " ) ;
torture_assert_ntstatus_ok ( tctx , r . out . result ,
" LogonSamLogonEx failed " ) ;
if ( creds = = NULL ) {
/* when this test is called without creds no point in
* testing the session keys */
continue ;
}
switch ( validation_levels [ i ] ) {
case 2 :
base = & r . out . validation - > sam2 - > base ;
break ;
case 3 :
base = & r . out . validation - > sam3 - > base ;
break ;
default :
break ;
}
DEBUG ( 1 , ( " encrypted keys validation_level %d: \n " ,
validation_levels [ i ] ) ) ;
dump_data ( 1 , base - > key . key , 16 ) ;
dump_data ( 1 , base - > LMSessKey . key , 8 ) ;
if ( creds - > negotiate_flags & NETLOGON_NEG_SUPPORTS_AES ) {
netlogon_creds_aes_decrypt ( creds , base - > key . key , 16 ) ;
netlogon_creds_aes_decrypt ( creds , base - > LMSessKey . key , 8 ) ;
} else if ( creds - > negotiate_flags & NETLOGON_NEG_ARCFOUR ) {
netlogon_creds_arcfour_crypt ( creds , base - > key . key , 16 ) ;
netlogon_creds_arcfour_crypt ( creds , base - > LMSessKey . key , 8 ) ;
}
DEBUG ( 1 , ( " decryped keys validation_level %d \n " ,
validation_levels [ i ] ) ) ;
dump_data ( 1 , base - > key . key , 16 ) ;
dump_data ( 1 , base - > LMSessKey . key , 8 ) ;
if ( ! can_do_validation_6 ) {
/* we cant compare against unencrypted keys */
continue ;
}
torture_assert_mem_equal ( tctx ,
base - > key . key ,
key . key ,
16 ,
" unexpected user session key \n " ) ;
torture_assert_mem_equal ( tctx ,
base - > LMSessKey . key ,
LMSessKey . key ,
8 ,
" unexpected LM session key \n " ) ;
2006-02-07 23:49:35 +00:00
}
2007-08-31 22:34:52 +00:00
return true ;
2006-02-07 23:49:35 +00:00
}
2004-06-06 07:58:16 +00:00
/*
do some samr ops using the schannel connection
*/
2007-08-31 22:34:52 +00:00
static bool test_samr_ops ( struct torture_context * tctx ,
2010-03-16 11:10:16 +01:00
struct dcerpc_binding_handle * b )
2004-06-06 07:14:10 +00:00
{
struct samr_GetDomPwInfo r ;
2008-11-05 01:34:55 +01:00
struct samr_PwInfo info ;
2008-12-23 23:22:57 +01:00
struct samr_Connect connect_r ;
2005-08-02 20:08:23 +00:00
struct samr_OpenDomain opendom ;
2004-06-06 07:14:10 +00:00
int i ;
2005-07-08 08:09:02 +00:00
struct lsa_String name ;
2005-08-02 20:08:23 +00:00
struct policy_handle handle ;
struct policy_handle domain_handle ;
2004-06-06 07:14:10 +00:00
2010-07-16 14:32:42 +10:00
name . string = lpcfg_workgroup ( tctx - > lp_ctx ) ;
2005-02-13 00:26:43 +00:00
r . in . domain_name = & name ;
2008-11-05 01:34:55 +01:00
r . out . info = & info ;
2004-06-06 07:14:10 +00:00
2008-12-23 23:22:57 +01:00
connect_r . in . system_name = 0 ;
connect_r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
connect_r . out . connect_handle = & handle ;
2011-12-13 23:30:21 +01:00
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " Testing Connect and OpenDomain on BUILTIN \n " ) ;
2005-08-02 20:08:23 +00:00
2010-03-19 14:17:18 +01:00
torture_assert_ntstatus_ok ( tctx , dcerpc_samr_Connect_r ( b , tctx , & connect_r ) ,
" Connect failed " ) ;
if ( ! NT_STATUS_IS_OK ( connect_r . out . result ) ) {
if ( NT_STATUS_EQUAL ( connect_r . out . result , NT_STATUS_ACCESS_DENIED ) ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " Connect failed (expected, schannel mapped to anonymous): %s \n " ,
2010-03-19 14:17:18 +01:00
nt_errstr ( connect_r . out . result ) ) ;
2005-10-25 12:14:08 +00:00
} else {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " Connect failed - %s \n " , nt_errstr ( connect_r . out . result ) ) ;
2007-08-31 22:34:52 +00:00
return false ;
2005-10-25 12:14:08 +00:00
}
} else {
opendom . in . connect_handle = & handle ;
opendom . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-31 22:34:52 +00:00
opendom . in . sid = dom_sid_parse_talloc ( tctx , " S-1-5-32 " ) ;
2005-10-25 12:14:08 +00:00
opendom . out . domain_handle = & domain_handle ;
2011-12-13 23:30:21 +01:00
2010-03-19 14:17:18 +01:00
torture_assert_ntstatus_ok ( tctx , dcerpc_samr_OpenDomain_r ( b , tctx , & opendom ) ,
" OpenDomain failed " ) ;
if ( ! NT_STATUS_IS_OK ( opendom . out . result ) ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " OpenDomain failed - %s \n " , nt_errstr ( opendom . out . result ) ) ;
2007-08-31 22:34:52 +00:00
return false ;
2005-10-25 12:14:08 +00:00
}
2005-08-02 20:08:23 +00:00
}
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " Testing GetDomPwInfo with name %s \n " , r . in . domain_name - > string ) ;
2011-12-13 23:30:21 +01:00
2004-06-06 07:14:10 +00:00
/* do several ops to test credential chaining */
for ( i = 0 ; i < 5 ; i + + ) {
2010-03-19 14:17:18 +01:00
torture_assert_ntstatus_ok ( tctx , dcerpc_samr_GetDomPwInfo_r ( b , tctx , & r ) ,
" GetDomPwInfo failed " ) ;
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
if ( ! NT_STATUS_EQUAL ( r . out . result , NT_STATUS_ACCESS_DENIED ) ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " GetDomPwInfo op %d failed - %s \n " , i , nt_errstr ( r . out . result ) ) ;
2007-10-06 22:28:14 +00:00
return false ;
2005-10-25 12:14:08 +00:00
}
2004-06-06 07:14:10 +00:00
}
}
2007-10-06 22:28:14 +00:00
return true ;
2004-06-06 07:14:10 +00:00
}
2004-11-11 23:24:30 +00:00
2005-10-06 10:29:28 +00:00
/*
do some lsa ops using the schannel connection
*/
2007-08-31 22:34:52 +00:00
static bool test_lsa_ops ( struct torture_context * tctx , struct dcerpc_pipe * p )
2005-10-06 10:29:28 +00:00
{
struct lsa_GetUserName r ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2008-10-21 01:20:53 +02:00
struct lsa_String * account_name_p = NULL ;
struct lsa_String * authority_name_p = NULL ;
2010-03-16 11:10:16 +01:00
struct dcerpc_binding_handle * b = p - > binding_handle ;
2005-10-06 10:29:28 +00:00
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " \n Testing GetUserName \n " ) ;
2005-10-06 10:29:28 +00:00
2011-12-13 23:30:21 +01:00
r . in . system_name = " \\ " ;
2008-10-21 01:20:53 +02:00
r . in . account_name = & account_name_p ;
2005-10-06 10:29:28 +00:00
r . in . authority_name = & authority_name_p ;
2008-10-21 01:20:53 +02:00
r . out . account_name = & account_name_p ;
2005-10-06 10:29:28 +00:00
2005-10-25 12:14:08 +00:00
/* do several ops to test credential chaining and various operations */
2010-03-19 14:17:18 +01:00
torture_assert_ntstatus_ok ( tctx , dcerpc_lsa_GetUserName_r ( b , tctx , & r ) ,
" lsa_GetUserName failed " ) ;
2008-10-21 01:20:53 +02:00
authority_name_p = * r . out . authority_name ;
2010-03-19 14:17:18 +01:00
if ( ! NT_STATUS_IS_OK ( r . out . result ) ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " GetUserName failed - %s \n " , nt_errstr ( r . out . result ) ) ;
2007-10-06 22:28:14 +00:00
return false ;
2005-10-25 12:14:08 +00:00
} else {
if ( ! r . out . account_name ) {
2007-10-06 22:28:14 +00:00
return false ;
2005-10-25 12:14:08 +00:00
}
2011-12-13 23:30:21 +01:00
2008-10-21 01:20:53 +02:00
if ( strcmp ( account_name_p - > string , " ANONYMOUS LOGON " ) ! = 0 ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " GetUserName returned wrong user: %s, expected %s \n " ,
2008-10-21 01:20:53 +02:00
account_name_p - > string , " ANONYMOUS LOGON " ) ;
2009-05-07 13:05:13 +02:00
/* FIXME: gd */
if ( ! torture_setting_bool ( tctx , " samba3 " , false ) ) {
return false ;
}
2005-10-25 12:14:08 +00:00
}
2008-10-21 01:20:53 +02:00
if ( ! authority_name_p | | ! authority_name_p - > string ) {
2007-10-06 22:28:14 +00:00
return false ;
2005-10-25 12:14:08 +00:00
}
2011-12-13 23:30:21 +01:00
2008-10-21 01:20:53 +02:00
if ( strcmp ( authority_name_p - > string , " NT AUTHORITY " ) ! = 0 ) {
2011-12-13 23:38:46 +01:00
torture_comment ( tctx , " GetUserName returned wrong user: %s, expected %s \n " ,
2008-10-21 01:20:53 +02:00
authority_name_p - > string , " NT AUTHORITY " ) ;
2009-05-07 13:05:13 +02:00
/* FIXME: gd */
if ( ! torture_setting_bool ( tctx , " samba3 " , false ) ) {
return false ;
}
2005-10-06 10:29:28 +00:00
}
}
return ret ;
}
2004-06-06 07:58:16 +00:00
/*
test a schannel connection with the given flags
*/
2007-08-31 22:34:52 +00:00
static bool test_schannel ( struct torture_context * tctx ,
2005-02-10 05:09:35 +00:00
uint16_t acct_flags , uint32_t dcerpc_flags ,
2005-10-25 12:14:08 +00:00
int i )
2004-06-06 07:14:10 +00:00
{
2005-12-30 06:49:36 +00:00
struct test_join * join_ctx ;
2004-06-06 07:14:10 +00:00
NTSTATUS status ;
2007-12-03 00:28:22 +01:00
const char * binding = torture_setting_string ( tctx , " binding " , NULL ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
struct dcerpc_binding * b ;
2005-01-06 09:26:14 +00:00
struct dcerpc_pipe * p = NULL ;
struct dcerpc_pipe * p_netlogon = NULL ;
2006-02-07 23:49:35 +00:00
struct dcerpc_pipe * p_netlogon2 = NULL ;
2006-02-21 00:07:59 +00:00
struct dcerpc_pipe * p_netlogon3 = NULL ;
2006-02-07 23:30:50 +00:00
struct dcerpc_pipe * p_samr2 = NULL ;
2005-10-06 10:29:28 +00:00
struct dcerpc_pipe * p_lsa = NULL ;
2009-04-06 22:54:44 +10:00
struct netlogon_creds_CredentialState * creds ;
2005-03-22 08:00:45 +00:00
struct cli_credentials * credentials ;
2011-12-14 11:07:11 +01:00
enum dcerpc_transport_t transport ;
2005-03-22 08:00:45 +00:00
2011-12-13 23:30:21 +01:00
join_ctx = torture_join_domain ( tctx ,
talloc_asprintf ( tctx , " %s%d " , TEST_MACHINE_NAME , i ) ,
2005-10-03 23:46:21 +00:00
acct_flags , & credentials ) ;
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , join_ctx ! = NULL , " Failed to join domain " ) ;
2004-06-06 07:14:10 +00:00
2007-08-31 22:34:52 +00:00
status = dcerpc_parse_binding ( tctx , binding , & b ) ;
torture_assert_ntstatus_ok ( tctx , status , " Bad binding string " ) ;
2004-06-06 07:14:10 +00:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
2004-06-06 07:14:10 +00:00
2007-08-31 22:34:52 +00:00
status = dcerpc_pipe_connect_b ( tctx , & p , b , & ndr_table_samr ,
2008-04-21 17:58:23 -04:00
credentials , tctx - > ev , tctx - > lp_ctx ) ;
2011-12-13 23:30:21 +01:00
torture_assert_ntstatus_ok ( tctx , status ,
2011-12-14 11:07:11 +01:00
" Failed to connect to samr with schannel " ) ;
2004-06-06 07:14:10 +00:00
2010-03-16 11:10:16 +01:00
torture_assert ( tctx , test_samr_ops ( tctx , p - > binding_handle ) ,
2007-08-31 22:34:52 +00:00
" Failed to process schannel secured SAMR ops " ) ;
2004-06-06 07:14:10 +00:00
2004-11-11 23:24:30 +00:00
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
/* Swap the binding details from SAMR to NETLOGON */
2008-04-17 13:04:04 +02:00
status = dcerpc_epm_map_binding ( tctx , b , & ndr_table_netlogon , tctx - > ev , tctx - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " epm map " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
2011-12-13 23:30:21 +01:00
status = dcerpc_secondary_connection ( p , & p_netlogon ,
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
b ) ;
2011-12-14 00:06:53 +01:00
torture_assert_ntstatus_ok ( tctx , status , " secondary connection " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
2011-12-13 23:30:21 +01:00
status = dcerpc_bind_auth ( p_netlogon , & ndr_table_netlogon ,
2010-07-16 14:32:42 +10:00
credentials , lpcfg_gensec_settings ( tctx , tctx - > lp_ctx ) ,
2007-12-07 02:37:04 +01:00
DCERPC_AUTH_TYPE_SCHANNEL ,
2006-01-12 09:33:49 +00:00
dcerpc_auth_level ( p - > conn ) ,
2005-11-20 16:28:39 +00:00
NULL ) ;
2004-11-11 23:24:30 +00:00
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " bind auth " ) ;
2004-11-11 23:24:30 +00:00
2007-08-31 22:34:52 +00:00
status = dcerpc_schannel_creds ( p_netlogon - > conn - > security_state . generic_state , tctx , & creds ) ;
torture_assert_ntstatus_ok ( tctx , status , " schannel creds " ) ;
2004-11-11 23:24:30 +00:00
2009-09-19 21:14:17 +02:00
/* checks the capabilities */
torture_assert ( tctx , test_netlogon_capabilities ( p_netlogon , tctx , credentials , creds ) ,
" Failed to process schannel secured capability ops (on fresh connection) " ) ;
2004-11-11 23:24:30 +00:00
/* do a couple of logins */
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , test_netlogon_ops ( p_netlogon , tctx , credentials , creds ) ,
" Failed to process schannel secured NETLOGON ops " ) ;
2005-10-06 10:29:28 +00:00
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , test_netlogon_ex_ops ( p_netlogon , tctx , credentials , creds ) ,
" Failed to process schannel secured NETLOGON EX ops " ) ;
2006-02-07 23:49:35 +00:00
2012-07-06 00:00:04 +02:00
/* we *MUST* use ncacn_np for openpolicy etc. */
transport = b - > transport ;
b - > transport = NCACN_NP ;
2005-10-06 10:29:28 +00:00
/* Swap the binding details from SAMR to LSARPC */
2008-04-17 13:04:04 +02:00
status = dcerpc_epm_map_binding ( tctx , b , & ndr_table_lsarpc , tctx - > ev , tctx - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " epm map " ) ;
2005-10-06 10:29:28 +00:00
2011-12-14 11:07:11 +01:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_pipe_connect_b ( tctx , & p_lsa , b , & ndr_table_lsarpc ,
credentials , tctx - > ev , tctx - > lp_ctx ) ,
" failed to connect lsarpc with schannel " ) ;
2005-10-06 10:29:28 +00:00
2011-12-14 11:07:11 +01:00
torture_assert ( tctx , test_lsa_ops ( tctx , p_lsa ) ,
" Failed to process schannel secured LSA ops " ) ;
2004-11-11 23:24:30 +00:00
2011-12-14 11:07:11 +01:00
talloc_free ( p_lsa ) ;
p_lsa = NULL ;
2005-10-06 10:29:28 +00:00
2012-07-06 00:00:04 +02:00
b - > transport = transport ;
2011-12-14 11:07:11 +01:00
/* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */
transport = b - > transport ;
b - > transport = NCACN_IP_TCP ;
2005-10-06 10:29:28 +00:00
2011-12-14 11:07:11 +01:00
torture_assert_ntstatus_ok ( tctx ,
dcerpc_epm_map_binding ( tctx , b , & ndr_table_lsarpc , tctx - > ev , tctx - > lp_ctx ) ,
" failed to call epm map " ) ;
torture_assert_ntstatus_ok ( tctx ,
dcerpc_pipe_connect_b ( tctx , & p_lsa , b , & ndr_table_lsarpc ,
credentials , tctx - > ev , tctx - > lp_ctx ) ,
" failed to connect lsarpc with schannel " ) ;
torture_assert ( tctx ,
test_many_LookupSids ( p_lsa , tctx , NULL ) ,
" LsaLookupSids3 failed! \n " ) ;
b - > transport = transport ;
2005-10-06 10:29:28 +00:00
2006-02-07 23:30:50 +00:00
/* Drop the socket, we want to start from scratch */
talloc_free ( p ) ;
p = NULL ;
/* Now see what we are still allowed to do */
2011-12-13 23:30:21 +01:00
2007-08-31 22:34:52 +00:00
status = dcerpc_parse_binding ( tctx , binding , & b ) ;
torture_assert_ntstatus_ok ( tctx , status , " Bad binding string " ) ;
2006-02-07 23:30:50 +00:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
2007-08-31 22:34:52 +00:00
status = dcerpc_pipe_connect_b ( tctx , & p_samr2 , b , & ndr_table_samr ,
2008-04-21 17:58:23 -04:00
credentials , tctx - > ev , tctx - > lp_ctx ) ;
2011-12-13 23:30:21 +01:00
torture_assert_ntstatus_ok ( tctx , status ,
2007-08-31 22:34:52 +00:00
" Failed to connect with schannel " ) ;
2006-02-07 23:30:50 +00:00
2006-02-09 03:05:22 +00:00
/* do a some SAMR operations. We have *not* done a new serverauthenticate */
2010-03-16 11:10:16 +01:00
torture_assert ( tctx , test_samr_ops ( tctx , p_samr2 - > binding_handle ) ,
2007-08-31 22:34:52 +00:00
" Failed to process schannel secured SAMR ops (on fresh connection) " ) ;
2006-02-07 23:49:35 +00:00
/* Swap the binding details from SAMR to NETLOGON */
2008-04-17 13:04:04 +02:00
status = dcerpc_epm_map_binding ( tctx , b , & ndr_table_netlogon , tctx - > ev , tctx - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " epm " ) ;
2006-02-07 23:49:35 +00:00
2011-12-13 23:30:21 +01:00
status = dcerpc_secondary_connection ( p_samr2 , & p_netlogon2 ,
2006-02-07 23:49:35 +00:00
b ) ;
2011-12-14 00:06:53 +01:00
torture_assert_ntstatus_ok ( tctx , status , " secondary connection " ) ;
2006-02-07 23:49:35 +00:00
2006-02-09 03:05:22 +00:00
/* and now setup an SCHANNEL bind on netlogon */
2007-08-19 21:23:03 +00:00
status = dcerpc_bind_auth ( p_netlogon2 , & ndr_table_netlogon ,
2010-07-16 14:32:42 +10:00
credentials , lpcfg_gensec_settings ( tctx , tctx - > lp_ctx ) ,
2007-12-07 02:37:04 +01:00
DCERPC_AUTH_TYPE_SCHANNEL ,
2006-02-07 23:49:35 +00:00
dcerpc_auth_level ( p_samr2 - > conn ) ,
NULL ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " auth failed " ) ;
2011-12-13 23:30:21 +01:00
2009-09-19 21:14:17 +02:00
/* checks the capabilities */
torture_assert ( tctx , test_netlogon_capabilities ( p_netlogon2 , tctx , credentials , creds ) ,
" Failed to process schannel secured capability ops (on fresh connection) " ) ;
2006-02-09 02:30:43 +00:00
/* Try the schannel-only SamLogonEx operation */
2011-12-13 23:30:21 +01:00
torture_assert ( tctx , test_netlogon_ex_ops ( p_netlogon2 , tctx , credentials , creds ) ,
2007-08-31 22:34:52 +00:00
" Failed to process schannel secured NETLOGON EX ops (on fresh connection) " ) ;
2011-12-13 23:30:21 +01:00
2006-02-07 23:30:50 +00:00
2006-02-09 03:05:22 +00:00
/* And the more traditional style, proving that the
* credentials chaining state is fully present */
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , test_netlogon_ops ( p_netlogon2 , tctx , credentials , creds ) ,
" Failed to process schannel secured NETLOGON ops (on fresh connection) " ) ;
2006-02-21 00:07:59 +00:00
/* Drop the socket, we want to start from scratch (again) */
talloc_free ( p_samr2 ) ;
/* We don't want schannel for this test */
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
2007-08-31 22:34:52 +00:00
status = dcerpc_pipe_connect_b ( tctx , & p_netlogon3 , b , & ndr_table_netlogon ,
2008-04-21 17:58:23 -04:00
credentials , tctx - > ev , tctx - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( tctx , status , " Failed to connect without schannel " ) ;
2006-02-21 00:07:59 +00:00
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , ! test_netlogon_ex_ops ( p_netlogon3 , tctx , credentials , creds ) ,
" Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe) " ) ;
2006-02-21 00:07:59 +00:00
2007-08-31 22:34:52 +00:00
/* Required because the previous call will mark the current context as having failed */
tctx - > last_result = TORTURE_OK ;
tctx - > last_reason = NULL ;
2006-02-09 02:30:43 +00:00
2007-08-31 22:34:52 +00:00
torture_assert ( tctx , test_netlogon_ops ( p_netlogon3 , tctx , credentials , creds ) ,
" Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth " ) ;
2004-06-06 07:14:10 +00:00
2008-06-14 11:24:17 -04:00
torture_leave_domain ( tctx , join_ctx ) ;
2007-08-31 22:34:52 +00:00
return true ;
2004-06-06 07:14:10 +00:00
}
2007-05-23 07:44:51 +00:00
2004-06-06 07:58:16 +00:00
/*
a schannel test suite
*/
2007-08-31 22:34:52 +00:00
bool torture_rpc_schannel ( struct torture_context * torture )
2004-06-06 07:14:10 +00:00
{
2007-10-06 22:28:14 +00:00
bool ret = true ;
2004-06-06 07:14:10 +00:00
struct {
2005-02-10 05:09:35 +00:00
uint16_t acct_flags ;
uint32_t dcerpc_flags ;
2004-06-06 07:14:10 +00:00
} tests [ ] = {
2011-12-13 15:20:53 +01:00
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_AUTO } ,
2005-10-25 12:14:08 +00:00
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 } ,
2012-01-02 16:27:45 +01:00
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AES } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_AES } ,
2011-12-13 15:20:53 +01:00
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_AUTO } ,
2005-10-25 12:14:08 +00:00
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
2012-01-02 16:27:45 +01:00
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AES } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_AES }
2004-06-06 07:14:10 +00:00
} ;
int i ;
for ( i = 0 ; i < ARRAY_SIZE ( tests ) ; i + + ) {
2011-12-14 11:07:11 +01:00
torture_comment ( torture , " Testing with acct_flags=0x%x dcerpc_flags=0x%x \n " ,
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ) ;
2011-12-13 23:30:21 +01:00
if ( ! test_schannel ( torture ,
2005-10-25 12:14:08 +00:00
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ,
i ) ) {
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Failed with acct_flags=0x%x dcerpc_flags=0x%x \n " ,
2005-10-25 12:14:08 +00:00
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ) ;
2007-08-31 22:34:52 +00:00
ret = false ;
2004-06-06 07:14:10 +00:00
}
}
return ret ;
}
2007-05-23 07:44:51 +00:00
/*
test two schannel connections
*/
2007-08-31 22:34:52 +00:00
bool torture_rpc_schannel2 ( struct torture_context * torture )
2007-05-23 07:44:51 +00:00
{
struct test_join * join_ctx ;
NTSTATUS status ;
2007-08-28 00:16:58 +00:00
const char * binding = torture_setting_string ( torture , " binding " , NULL ) ;
2007-05-23 07:44:51 +00:00
struct dcerpc_binding * b ;
struct dcerpc_pipe * p1 = NULL , * p2 = NULL ;
struct cli_credentials * credentials1 , * credentials2 ;
uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN ;
2011-12-13 23:30:21 +01:00
join_ctx = torture_join_domain ( torture , talloc_asprintf ( torture , " %s2 " , TEST_MACHINE_NAME ) ,
2007-08-31 22:34:52 +00:00
ACB_WSTRUST , & credentials1 ) ;
2011-12-13 23:30:21 +01:00
torture_assert ( torture , join_ctx ! = NULL ,
2007-08-31 22:34:52 +00:00
" Failed to join domain with acct_flags=ACB_WSTRUST " ) ;
2007-05-23 07:44:51 +00:00
2013-07-31 13:23:41 +02:00
credentials2 = cli_credentials_shallow_copy ( torture , credentials1 ) ;
cli_credentials_set_netlogon_creds ( credentials1 , NULL ) ;
cli_credentials_set_netlogon_creds ( credentials2 , NULL ) ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
status = dcerpc_parse_binding ( torture , binding , & b ) ;
torture_assert_ntstatus_ok ( torture , status , " Bad binding string " ) ;
2007-05-23 07:44:51 +00:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
2011-12-13 23:38:46 +01:00
torture_comment ( torture , " Opening first connection \n " ) ;
2007-08-31 22:34:52 +00:00
status = dcerpc_pipe_connect_b ( torture , & p1 , b , & ndr_table_netlogon ,
2008-04-21 17:58:23 -04:00
credentials1 , torture - > ev , torture - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( torture , status , " Failed to connect with schannel " ) ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Opening second connection \n " ) ;
status = dcerpc_pipe_connect_b ( torture , & p2 , b , & ndr_table_netlogon ,
2008-04-21 17:58:23 -04:00
credentials2 , torture - > ev , torture - > lp_ctx ) ;
2007-08-31 22:34:52 +00:00
torture_assert_ntstatus_ok ( torture , status , " Failed to connect with schannel " ) ;
2007-05-23 07:44:51 +00:00
2013-07-31 13:23:41 +02:00
cli_credentials_set_netlogon_creds ( credentials1 , NULL ) ;
cli_credentials_set_netlogon_creds ( credentials2 , NULL ) ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Testing logon on pipe1 \n " ) ;
if ( ! test_netlogon_ex_ops ( p1 , torture , credentials1 , NULL ) )
return false ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Testing logon on pipe2 \n " ) ;
if ( ! test_netlogon_ex_ops ( p2 , torture , credentials2 , NULL ) )
return false ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Again on pipe1 \n " ) ;
if ( ! test_netlogon_ex_ops ( p1 , torture , credentials1 , NULL ) )
return false ;
2007-05-23 07:44:51 +00:00
2007-08-31 22:34:52 +00:00
torture_comment ( torture , " Again on pipe2 \n " ) ;
if ( ! test_netlogon_ex_ops ( p2 , torture , credentials2 , NULL ) )
return false ;
2007-05-23 07:44:51 +00:00
2008-06-14 11:24:17 -04:00
torture_leave_domain ( torture , join_ctx ) ;
2007-08-31 22:34:52 +00:00
return true ;
2007-05-23 07:44:51 +00:00
}
2008-05-13 09:10:25 +02:00
struct torture_schannel_bench ;
struct torture_schannel_bench_conn {
struct torture_schannel_bench * s ;
int index ;
struct cli_credentials * wks_creds ;
struct dcerpc_pipe * pipe ;
struct netr_LogonSamLogonEx r ;
struct netr_NetworkInfo ninfo ;
TALLOC_CTX * tmp ;
uint64_t total ;
uint32_t count ;
} ;
struct torture_schannel_bench {
struct torture_context * tctx ;
bool progress ;
int timelimit ;
int nprocs ;
int nconns ;
struct torture_schannel_bench_conn * conns ;
2008-05-16 15:51:27 +02:00
struct test_join * join_ctx1 ;
struct cli_credentials * wks_creds1 ;
struct test_join * join_ctx2 ;
struct cli_credentials * wks_creds2 ;
2008-05-13 09:10:25 +02:00
struct cli_credentials * user1_creds ;
struct cli_credentials * user2_creds ;
struct dcerpc_binding * b ;
NTSTATUS error ;
uint64_t total ;
uint32_t count ;
bool stopped ;
} ;
static void torture_schannel_bench_connected ( struct composite_context * c )
{
2008-05-16 15:44:14 +02:00
struct torture_schannel_bench_conn * conn =
( struct torture_schannel_bench_conn * ) c - > async . private_data ;
2008-05-13 09:10:25 +02:00
struct torture_schannel_bench * s = talloc_get_type ( conn - > s ,
struct torture_schannel_bench ) ;
s - > error = dcerpc_pipe_connect_b_recv ( c , s - > conns , & conn - > pipe ) ;
torture_comment ( s - > tctx , " conn[%u]: %s \n " , conn - > index , nt_errstr ( s - > error ) ) ;
if ( NT_STATUS_IS_OK ( s - > error ) ) {
s - > nconns + + ;
}
}
2010-03-09 15:46:55 +01:00
static void torture_schannel_bench_recv ( struct tevent_req * subreq ) ;
2008-05-13 09:10:25 +02:00
static bool torture_schannel_bench_start ( struct torture_schannel_bench_conn * conn )
{
struct torture_schannel_bench * s = conn - > s ;
NTSTATUS status ;
DATA_BLOB names_blob , chal , lm_resp , nt_resp ;
int flags = CLI_CRED_NTLM_AUTH ;
2010-03-09 15:46:55 +01:00
struct tevent_req * subreq ;
2008-05-13 09:10:25 +02:00
struct cli_credentials * user_creds ;
if ( conn - > total % 2 ) {
user_creds = s - > user1_creds ;
} else {
user_creds = s - > user2_creds ;
}
2010-07-16 14:32:42 +10:00
if ( lpcfg_client_lanman_auth ( s - > tctx - > lp_ctx ) ) {
2008-05-13 09:10:25 +02:00
flags | = CLI_CRED_LANMAN_AUTH ;
}
2010-07-16 14:32:42 +10:00
if ( lpcfg_client_ntlmv2_auth ( s - > tctx - > lp_ctx ) ) {
2008-05-13 09:10:25 +02:00
flags | = CLI_CRED_NTLMv2_AUTH ;
}
talloc_free ( conn - > tmp ) ;
conn - > tmp = talloc_new ( s ) ;
ZERO_STRUCT ( conn - > ninfo ) ;
ZERO_STRUCT ( conn - > r ) ;
cli_credentials_get_ntlm_username_domain ( user_creds , conn - > tmp ,
& conn - > ninfo . identity_info . account_name . string ,
& conn - > ninfo . identity_info . domain_name . string ) ;
generate_random_buffer ( conn - > ninfo . challenge ,
sizeof ( conn - > ninfo . challenge ) ) ;
chal = data_blob_const ( conn - > ninfo . challenge ,
sizeof ( conn - > ninfo . challenge ) ) ;
2011-12-13 23:30:21 +01:00
names_blob = NTLMv2_generate_names_blob ( conn - > tmp ,
2008-05-13 09:10:25 +02:00
cli_credentials_get_workstation ( conn - > wks_creds ) ,
cli_credentials_get_domain ( conn - > wks_creds ) ) ;
status = cli_credentials_get_ntlm_response ( user_creds , conn - > tmp ,
& flags ,
chal ,
names_blob ,
& lm_resp , & nt_resp ,
NULL , NULL ) ;
torture_assert_ntstatus_ok ( s - > tctx , status ,
" cli_credentials_get_ntlm_response failed " ) ;
conn - > ninfo . lm . data = lm_resp . data ;
conn - > ninfo . lm . length = lm_resp . length ;
conn - > ninfo . nt . data = nt_resp . data ;
conn - > ninfo . nt . length = nt_resp . length ;
conn - > ninfo . identity_info . parameter_control = 0 ;
conn - > ninfo . identity_info . logon_id_low = 0 ;
conn - > ninfo . identity_info . logon_id_high = 0 ;
conn - > ninfo . identity_info . workstation . string = cli_credentials_get_workstation ( conn - > wks_creds ) ;
conn - > r . in . server_name = talloc_asprintf ( conn - > tmp , " \\ \\ %s " , dcerpc_server_name ( conn - > pipe ) ) ;
conn - > r . in . computer_name = cli_credentials_get_workstation ( conn - > wks_creds ) ;
2012-12-05 16:11:19 +01:00
conn - > r . in . logon_level = NetlogonNetworkInformation ;
2008-10-28 19:03:50 +01:00
conn - > r . in . logon = talloc ( conn - > tmp , union netr_LogonLevel ) ;
conn - > r . in . logon - > network = & conn - > ninfo ;
conn - > r . in . flags = talloc ( conn - > tmp , uint32_t ) ;
2008-05-13 09:10:25 +02:00
conn - > r . in . validation_level = 2 ;
2008-10-28 19:03:50 +01:00
conn - > r . out . validation = talloc ( conn - > tmp , union netr_Validation ) ;
conn - > r . out . authoritative = talloc ( conn - > tmp , uint8_t ) ;
conn - > r . out . flags = conn - > r . in . flags ;
2008-05-13 09:10:25 +02:00
2010-03-09 15:46:55 +01:00
subreq = dcerpc_netr_LogonSamLogonEx_r_send ( s , s - > tctx - > ev ,
conn - > pipe - > binding_handle ,
& conn - > r ) ;
torture_assert ( s - > tctx , subreq , " Failed to setup LogonSamLogonEx request " ) ;
2008-05-13 09:10:25 +02:00
2010-03-09 15:46:55 +01:00
tevent_req_set_callback ( subreq , torture_schannel_bench_recv , conn ) ;
2008-05-13 09:10:25 +02:00
return true ;
}
2010-03-09 15:46:55 +01:00
static void torture_schannel_bench_recv ( struct tevent_req * subreq )
2008-05-13 09:10:25 +02:00
{
bool ret ;
2008-05-16 15:44:14 +02:00
struct torture_schannel_bench_conn * conn =
2010-03-09 15:46:55 +01:00
( struct torture_schannel_bench_conn * ) tevent_req_callback_data_void ( subreq ) ;
2008-05-13 09:10:25 +02:00
struct torture_schannel_bench * s = talloc_get_type ( conn - > s ,
struct torture_schannel_bench ) ;
2010-03-09 15:46:55 +01:00
s - > error = dcerpc_netr_LogonSamLogonEx_r_recv ( subreq , subreq ) ;
TALLOC_FREE ( subreq ) ;
2008-05-13 09:10:25 +02:00
if ( ! NT_STATUS_IS_OK ( s - > error ) ) {
return ;
}
conn - > total + + ;
conn - > count + + ;
if ( s - > stopped ) {
return ;
}
ret = torture_schannel_bench_start ( conn ) ;
if ( ! ret ) {
s - > error = NT_STATUS_INTERNAL_ERROR ;
}
}
/*
test multiple schannel connection in parallel
*/
bool torture_rpc_schannel_bench1 ( struct torture_context * torture )
{
bool ret = true ;
NTSTATUS status ;
const char * binding = torture_setting_string ( torture , " binding " , NULL ) ;
struct torture_schannel_bench * s ;
struct timeval start ;
struct timeval end ;
int i ;
const char * tmp ;
s = talloc_zero ( torture , struct torture_schannel_bench ) ;
s - > tctx = torture ;
s - > progress = torture_setting_bool ( torture , " progress " , true ) ;
s - > timelimit = torture_setting_int ( torture , " timelimit " , 10 ) ;
s - > nprocs = torture_setting_int ( torture , " nprocs " , 4 ) ;
s - > conns = talloc_zero_array ( s , struct torture_schannel_bench_conn , s - > nprocs ) ;
2013-07-31 13:23:41 +02:00
s - > user1_creds = cli_credentials_shallow_copy ( s , cmdline_credentials ) ;
2008-05-13 09:10:25 +02:00
tmp = torture_setting_string ( s - > tctx , " extra_user1 " , NULL ) ;
if ( tmp ) {
cli_credentials_parse_string ( s - > user1_creds , tmp , CRED_SPECIFIED ) ;
}
2013-07-31 13:23:41 +02:00
s - > user2_creds = cli_credentials_shallow_copy ( s , cmdline_credentials ) ;
2008-05-13 09:10:25 +02:00
tmp = torture_setting_string ( s - > tctx , " extra_user2 " , NULL ) ;
if ( tmp ) {
cli_credentials_parse_string ( s - > user1_creds , tmp , CRED_SPECIFIED ) ;
}
2008-05-16 15:51:27 +02:00
s - > join_ctx1 = torture_join_domain ( s - > tctx , talloc_asprintf ( s , " %sb " , TEST_MACHINE_NAME ) ,
ACB_WSTRUST , & s - > wks_creds1 ) ;
torture_assert ( torture , s - > join_ctx1 ! = NULL ,
" Failed to join domain with acct_flags=ACB_WSTRUST " ) ;
s - > join_ctx2 = torture_join_domain ( s - > tctx , talloc_asprintf ( s , " %sc " , TEST_MACHINE_NAME ) ,
ACB_WSTRUST , & s - > wks_creds2 ) ;
torture_assert ( torture , s - > join_ctx2 ! = NULL ,
2008-05-13 09:10:25 +02:00
" Failed to join domain with acct_flags=ACB_WSTRUST " ) ;
2008-05-16 15:51:27 +02:00
cli_credentials_set_kerberos_state ( s - > wks_creds1 , CRED_DONT_USE_KERBEROS ) ;
cli_credentials_set_kerberos_state ( s - > wks_creds2 , CRED_DONT_USE_KERBEROS ) ;
2008-05-13 09:10:25 +02:00
for ( i = 0 ; i < s - > nprocs ; i + + ) {
2013-07-31 13:23:41 +02:00
struct cli_credentials * wks = s - > wks_creds1 ;
2008-05-16 15:51:27 +02:00
if ( ( i % 2 ) & & ( torture_setting_bool ( torture , " multijoin " , false ) ) ) {
2013-07-31 13:23:41 +02:00
wks = s - > wks_creds2 ;
2008-05-16 15:51:27 +02:00
}
2013-07-31 13:23:41 +02:00
s - > conns [ i ] . s = s ;
s - > conns [ i ] . index = i ;
s - > conns [ i ] . wks_creds = cli_credentials_shallow_copy ( s - > conns , wks ) ;
cli_credentials_set_netlogon_creds ( s - > conns [ i ] . wks_creds , NULL ) ;
2008-05-13 09:10:25 +02:00
}
status = dcerpc_parse_binding ( s , binding , & s - > b ) ;
torture_assert_ntstatus_ok ( torture , status , " Bad binding string " ) ;
s - > b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
s - > b - > flags | = DCERPC_SCHANNEL | DCERPC_SIGN ;
torture_comment ( torture , " Opening %d connections in parallel \n " , s - > nprocs ) ;
for ( i = 0 ; i < s - > nprocs ; i + + ) {
# if 1
s - > error = dcerpc_pipe_connect_b ( s - > conns , & s - > conns [ i ] . pipe , s - > b ,
& ndr_table_netlogon ,
s - > conns [ i ] . wks_creds ,
torture - > ev , torture - > lp_ctx ) ;
torture_assert_ntstatus_ok ( torture , s - > error , " Failed to connect with schannel " ) ;
# else
/*
* This path doesn ' t work against windows ,
* because of windows drops the connections
* which haven ' t reached a session setup yet
*
* The same as the reset on zero vc stuff .
*/
struct composite_context * c ;
c = dcerpc_pipe_connect_b_send ( s - > conns , s - > b ,
& ndr_table_netlogon ,
s - > conns [ i ] . wks_creds ,
torture - > ev ,
torture - > lp_ctx ) ;
torture_assert ( torture , c ! = NULL , " Failed to setup connect " ) ;
c - > async . fn = torture_schannel_bench_connected ;
c - > async . private_data = & s - > conns [ i ] ;
}
while ( NT_STATUS_IS_OK ( s - > error ) & & s - > nprocs ! = s - > nconns ) {
2010-05-25 15:23:55 -04:00
int ev_ret = tevent_loop_once ( torture - > ev ) ;
torture_assert ( torture , ev_ret = = 0 , " tevent_loop_once failed " ) ;
2008-05-13 09:10:25 +02:00
# endif
}
torture_assert_ntstatus_ok ( torture , s - > error , " Failed establish a connect " ) ;
2008-05-20 12:59:04 +02:00
/*
* Change the workstation password after establishing the netlogon
* schannel connections to prove that existing connections are not
* affected by a wks pwchange .
*/
{
struct netr_ServerPasswordSet pwset ;
2010-02-24 15:12:17 +01:00
char * password = generate_random_password ( s - > join_ctx1 , 8 , 255 ) ;
2009-04-06 22:54:44 +10:00
struct netlogon_creds_CredentialState * creds_state ;
2008-05-20 12:59:04 +02:00
struct dcerpc_pipe * net_pipe ;
2008-10-29 01:34:49 +01:00
struct netr_Authenticator credential , return_authenticator ;
struct samr_Password new_password ;
2008-05-20 12:59:04 +02:00
status = dcerpc_pipe_connect_b ( s , & net_pipe , s - > b ,
& ndr_table_netlogon ,
s - > wks_creds1 ,
torture - > ev , torture - > lp_ctx ) ;
torture_assert_ntstatus_ok ( torture , status ,
" dcerpc_pipe_connect_b failed " ) ;
pwset . in . server_name = talloc_asprintf (
net_pipe , " \\ \\ %s " , dcerpc_server_name ( net_pipe ) ) ;
pwset . in . computer_name =
cli_credentials_get_workstation ( s - > wks_creds1 ) ;
pwset . in . account_name = talloc_asprintf (
net_pipe , " %s$ " , pwset . in . computer_name ) ;
pwset . in . secure_channel_type = SEC_CHAN_WKSTA ;
2008-10-29 01:34:49 +01:00
pwset . in . credential = & credential ;
pwset . in . new_password = & new_password ;
pwset . out . return_authenticator = & return_authenticator ;
E_md4hash ( password , new_password . hash ) ;
2008-05-20 12:59:04 +02:00
creds_state = cli_credentials_get_netlogon_creds (
s - > wks_creds1 ) ;
2009-04-06 22:54:44 +10:00
netlogon_creds_des_encrypt ( creds_state , & new_password ) ;
netlogon_creds_client_authenticator ( creds_state , & credential ) ;
2008-05-20 12:59:04 +02:00
2010-03-19 14:17:18 +01:00
torture_assert_ntstatus_ok ( torture , dcerpc_netr_ServerPasswordSet_r ( net_pipe - > binding_handle , torture , & pwset ) ,
" ServerPasswordSet failed " ) ;
torture_assert_ntstatus_ok ( torture , pwset . out . result ,
2008-05-20 12:59:04 +02:00
" ServerPasswordSet failed " ) ;
2009-04-06 22:54:44 +10:00
if ( ! netlogon_creds_client_check ( creds_state ,
2008-10-29 01:34:49 +01:00
& pwset . out . return_authenticator - > cred ) ) {
2011-12-13 23:38:46 +01:00
torture_comment ( torture , " Credential chaining failed \n " ) ;
2008-05-20 12:59:04 +02:00
}
cli_credentials_set_password ( s - > wks_creds1 , password ,
CRED_SPECIFIED ) ;
talloc_free ( net_pipe ) ;
/* Just as a test, connect with the new creds */
2013-07-31 13:23:41 +02:00
cli_credentials_set_netlogon_creds ( s - > wks_creds1 , NULL ) ;
2008-05-20 12:59:04 +02:00
status = dcerpc_pipe_connect_b ( s , & net_pipe , s - > b ,
& ndr_table_netlogon ,
s - > wks_creds1 ,
torture - > ev , torture - > lp_ctx ) ;
torture_assert_ntstatus_ok ( torture , status ,
" dcerpc_pipe_connect_b failed " ) ;
talloc_free ( net_pipe ) ;
}
2008-05-13 09:10:25 +02:00
torture_comment ( torture , " Start looping LogonSamLogonEx on %d connections for %d secs \n " ,
s - > nprocs , s - > timelimit ) ;
for ( i = 0 ; i < s - > nprocs ; i + + ) {
ret = torture_schannel_bench_start ( & s - > conns [ i ] ) ;
torture_assert ( torture , ret , " Failed to setup LogonSamLogonEx " ) ;
}
start = timeval_current ( ) ;
end = timeval_add ( & start , s - > timelimit , 0 ) ;
while ( NT_STATUS_IS_OK ( s - > error ) & & ! timeval_expired ( & end ) ) {
2010-05-25 15:23:55 -04:00
int ev_ret = tevent_loop_once ( torture - > ev ) ;
torture_assert ( torture , ev_ret = = 0 , " tevent_loop_once failed " ) ;
2008-05-13 09:10:25 +02:00
}
torture_assert_ntstatus_ok ( torture , s - > error , " Failed some request " ) ;
s - > stopped = true ;
talloc_free ( s - > conns ) ;
for ( i = 0 ; i < s - > nprocs ; i + + ) {
s - > total + = s - > conns [ i ] . total ;
}
torture_comment ( torture ,
" Total ops[%llu] (%u ops/s) \n " ,
( unsigned long long ) s - > total ,
( unsigned ) s - > total / s - > timelimit ) ;
2008-06-14 11:24:17 -04:00
torture_leave_domain ( torture , s - > join_ctx1 ) ;
torture_leave_domain ( torture , s - > join_ctx2 ) ;
2008-05-13 09:10:25 +02:00
return true ;
}