2004-06-06 11:14:10 +04:00
/*
Unix SMB / CIFS implementation .
test suite for schannel operations
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2004-11-11 07:32:01 +03:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2006-02-04 17:08:24 +03:00
# include "torture/rpc/proto.h"
2006-02-08 02:49:35 +03:00
# include "lib/cmdline/popt_common.h"
2004-06-06 11:14:10 +04:00
2005-10-25 16:14:08 +04:00
# define TEST_MACHINE_NAME "schannel"
2004-06-06 11:14:10 +04:00
2006-02-08 02:49:35 +03:00
/*
try a netlogon SamLogon
*/
BOOL test_netlogon_ex_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
struct cli_credentials * credentials ,
struct creds_CredentialState * creds )
{
NTSTATUS status ;
struct netr_LogonSamLogonEx r ;
struct netr_NetworkInfo ninfo ;
DATA_BLOB names_blob , chal , lm_resp , nt_resp ;
int i ;
BOOL ret = True ;
int flags = CLI_CRED_NTLM_AUTH ;
if ( lp_client_lanman_auth ( ) ) {
flags | = CLI_CRED_LANMAN_AUTH ;
}
if ( lp_client_ntlmv2_auth ( ) ) {
flags | = CLI_CRED_NTLMv2_AUTH ;
}
cli_credentials_get_ntlm_username_domain ( cmdline_credentials , mem_ctx ,
& ninfo . identity_info . account_name . string ,
& ninfo . identity_info . domain_name . string ) ;
generate_random_buffer ( ninfo . challenge ,
sizeof ( ninfo . challenge ) ) ;
chal = data_blob_const ( ninfo . challenge ,
sizeof ( ninfo . challenge ) ) ;
names_blob = NTLMv2_generate_names_blob ( mem_ctx , cli_credentials_get_workstation ( credentials ) ,
cli_credentials_get_domain ( credentials ) ) ;
status = cli_credentials_get_ntlm_response ( cmdline_credentials , mem_ctx ,
& flags ,
chal ,
names_blob ,
& lm_resp , & nt_resp ,
NULL , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " cli_credentials_get_ntlm_response failed: %s \n " ,
nt_errstr ( status ) ) ;
return False ;
}
ninfo . lm . data = lm_resp . data ;
ninfo . lm . length = lm_resp . length ;
ninfo . nt . data = nt_resp . data ;
ninfo . nt . length = nt_resp . length ;
ninfo . identity_info . parameter_control = 0 ;
ninfo . identity_info . logon_id_low = 0 ;
ninfo . identity_info . logon_id_high = 0 ;
ninfo . identity_info . workstation . string = cli_credentials_get_workstation ( credentials ) ;
r . in . server_name = talloc_asprintf ( mem_ctx , " \\ \\ %s " , dcerpc_server_name ( p ) ) ;
2006-02-21 03:07:59 +03:00
r . in . computer_name = cli_credentials_get_workstation ( credentials ) ;
2006-02-08 02:49:35 +03:00
r . in . logon_level = 2 ;
r . in . logon . network = & ninfo ;
r . in . flags = 0 ;
printf ( " Testing LogonSamLogonEx with name %s \n " , ninfo . identity_info . account_name . string ) ;
for ( i = 2 ; i < 3 ; i + + ) {
r . in . validation_level = i ;
status = dcerpc_netr_LogonSamLogonEx ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LogonSamLogon failed: %s \n " ,
nt_errstr ( status ) ) ;
return False ;
}
}
return ret ;
}
2004-06-06 11:58:16 +04:00
/*
do some samr ops using the schannel connection
*/
2004-06-06 11:14:10 +04:00
static BOOL test_samr_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
NTSTATUS status ;
struct samr_GetDomPwInfo r ;
2005-08-03 00:08:23 +04:00
struct samr_Connect connect ;
struct samr_OpenDomain opendom ;
2004-06-06 11:14:10 +04:00
int i ;
2005-07-08 12:09:02 +04:00
struct lsa_String name ;
2005-08-03 00:08:23 +04:00
struct policy_handle handle ;
struct policy_handle domain_handle ;
2004-06-06 11:14:10 +04:00
2004-11-13 16:45:41 +03:00
name . string = lp_workgroup ( ) ;
2005-02-13 03:26:43 +03:00
r . in . domain_name = & name ;
2004-06-06 11:14:10 +04:00
2005-08-03 00:08:23 +04:00
connect . in . system_name = 0 ;
connect . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
connect . out . connect_handle = & handle ;
printf ( " Testing Connect and OpenDomain on BUILTIN \n " ) ;
status = dcerpc_samr_Connect ( p , mem_ctx , & connect ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-25 16:14:08 +04:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
printf ( " Connect failed (expected, schannel mapped to anonymous): %s \n " ,
nt_errstr ( status ) ) ;
} else {
printf ( " Connect failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
} else {
opendom . in . connect_handle = & handle ;
opendom . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
opendom . in . sid = dom_sid_parse_talloc ( mem_ctx , " S-1-5-32 " ) ;
opendom . out . domain_handle = & domain_handle ;
status = dcerpc_samr_OpenDomain ( p , mem_ctx , & opendom ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " OpenDomain failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
}
2005-08-03 00:08:23 +04:00
}
2005-02-13 03:26:43 +03:00
printf ( " Testing GetDomPwInfo with name %s \n " , r . in . domain_name - > string ) ;
2004-06-06 11:14:10 +04:00
/* do several ops to test credential chaining */
for ( i = 0 ; i < 5 ; i + + ) {
status = dcerpc_samr_GetDomPwInfo ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-25 16:14:08 +04:00
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
printf ( " GetDomPwInfo op %d failed - %s \n " , i , nt_errstr ( status ) ) ;
return False ;
}
2004-06-06 11:14:10 +04:00
}
}
return True ;
}
2004-11-12 02:24:30 +03:00
2005-10-06 14:29:28 +04:00
/*
do some lsa ops using the schannel connection
*/
static BOOL test_lsa_ops ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx )
{
struct lsa_GetUserName r ;
NTSTATUS status ;
BOOL ret = True ;
struct lsa_StringPointer authority_name_p ;
printf ( " \n Testing GetUserName \n " ) ;
r . in . system_name = " \\ " ;
r . in . account_name = NULL ;
r . in . authority_name = & authority_name_p ;
authority_name_p . string = NULL ;
2005-10-25 16:14:08 +04:00
/* do several ops to test credential chaining and various operations */
status = dcerpc_lsa_GetUserName ( p , mem_ctx , & r ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED ) ) {
printf ( " not considering %s to be an error \n " , nt_errstr ( status ) ) ;
} else if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " GetUserName failed - %s \n " , nt_errstr ( status ) ) ;
return False ;
} else {
if ( ! r . out . account_name ) {
return False ;
}
2005-10-06 14:29:28 +04:00
2005-10-25 16:14:08 +04:00
if ( strcmp ( r . out . account_name - > string , " ANONYMOUS LOGON " ) ! = 0 ) {
printf ( " GetUserName returned wrong user: %s, expected %s \n " ,
r . out . account_name - > string , " ANONYMOUS LOGON " ) ;
return False ;
}
if ( ! r . out . authority_name | | ! r . out . authority_name - > string ) {
return False ;
}
if ( strcmp ( r . out . authority_name - > string - > string , " NT AUTHORITY " ) ! = 0 ) {
printf ( " GetUserName returned wrong user: %s, expected %s \n " ,
r . out . authority_name - > string - > string , " NT AUTHORITY " ) ;
2005-10-06 14:29:28 +04:00
return False ;
}
}
2005-10-25 16:14:08 +04:00
if ( ! test_many_LookupSids ( p , mem_ctx , NULL ) ) {
printf ( " LsaLookupSids3 failed! \n " ) ;
return False ;
}
2005-10-06 14:29:28 +04:00
return ret ;
}
2004-06-06 11:58:16 +04:00
/*
test a schannel connection with the given flags
*/
2004-06-06 11:14:10 +04:00
static BOOL test_schannel ( TALLOC_CTX * mem_ctx ,
2005-02-10 08:09:35 +03:00
uint16_t acct_flags , uint32_t dcerpc_flags ,
2005-10-25 16:14:08 +04:00
int i )
2004-06-06 11:14:10 +04:00
{
2005-10-06 14:29:28 +04:00
BOOL ret = True ;
2005-12-30 09:49:36 +03:00
struct test_join * join_ctx ;
2004-06-06 11:14:10 +04:00
NTSTATUS status ;
2004-06-14 03:50:55 +04:00
const char * binding = lp_parm_string ( - 1 , " torture " , " binding " ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
struct dcerpc_binding * b ;
2005-01-06 12:26:14 +03:00
struct dcerpc_pipe * p = NULL ;
struct dcerpc_pipe * p_netlogon = NULL ;
2006-02-08 02:49:35 +03:00
struct dcerpc_pipe * p_netlogon2 = NULL ;
2006-02-21 03:07:59 +03:00
struct dcerpc_pipe * p_netlogon3 = NULL ;
2006-02-08 02:30:50 +03:00
struct dcerpc_pipe * p_samr2 = NULL ;
2005-10-06 14:29:28 +04:00
struct dcerpc_pipe * p_lsa = NULL ;
2004-11-12 02:24:30 +03:00
struct creds_CredentialState * creds ;
2005-03-22 11:00:45 +03:00
struct cli_credentials * credentials ;
TALLOC_CTX * test_ctx = talloc_named ( mem_ctx , 0 , " test_schannel context " ) ;
2004-06-06 11:14:10 +04:00
2005-10-25 16:14:08 +04:00
join_ctx = torture_join_domain ( talloc_asprintf ( mem_ctx , " %s%d " , TEST_MACHINE_NAME , i ) ,
2005-10-04 03:46:21 +04:00
acct_flags , & credentials ) ;
2004-06-06 11:14:10 +04:00
if ( ! join_ctx ) {
printf ( " Failed to join domain with acct_flags=0x%x \n " , acct_flags ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2004-06-06 11:14:10 +04:00
return False ;
}
2005-03-22 11:00:45 +03:00
status = dcerpc_parse_binding ( test_ctx , binding , & b ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Bad binding string %s \n " , binding ) ;
goto failed ;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
2004-06-06 11:14:10 +04:00
2005-12-27 17:28:01 +03:00
status = dcerpc_pipe_connect_b ( test_ctx , & p , b , & dcerpc_table_samr ,
2005-06-16 15:36:09 +04:00
credentials , NULL ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
printf ( " Failed to connect with schannel: %s \n " , nt_errstr ( status ) ) ;
2004-06-06 11:14:10 +04:00
goto failed ;
}
2005-03-22 11:00:45 +03:00
if ( ! test_samr_ops ( p , test_ctx ) ) {
2005-10-06 14:29:28 +04:00
printf ( " Failed to process schannel secured SAMR ops \n " ) ;
ret = False ;
r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2004-06-29 13:40:10 +04:00
}
2004-06-06 11:14:10 +04:00
2004-11-12 02:24:30 +03:00
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
/* Swap the binding details from SAMR to NETLOGON */
2005-12-27 17:28:01 +03:00
status = dcerpc_epm_map_binding ( test_ctx , b , & dcerpc_table_netlogon , NULL ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
status = dcerpc_secondary_connection ( p , & p_netlogon ,
b ) ;
2004-11-12 02:24:30 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
2005-12-27 17:28:01 +03:00
status = dcerpc_bind_auth ( p_netlogon , & dcerpc_table_netlogon ,
2005-11-20 19:28:39 +03:00
credentials , DCERPC_AUTH_TYPE_SCHANNEL ,
2006-01-12 12:33:49 +03:00
dcerpc_auth_level ( p - > conn ) ,
2005-11-20 19:28:39 +03:00
NULL ) ;
2004-11-12 02:24:30 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
2005-03-22 11:00:45 +03:00
status = dcerpc_schannel_creds ( p_netlogon - > conn - > security_state . generic_state , test_ctx , & creds ) ;
2004-11-12 02:24:30 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
/* do a couple of logins */
2005-10-25 16:14:08 +04:00
if ( ! test_netlogon_ops ( p_netlogon , test_ctx , credentials , creds ) ) {
2005-10-06 14:29:28 +04:00
printf ( " Failed to process schannel secured NETLOGON ops \n " ) ;
ret = False ;
}
2006-02-08 02:49:35 +03:00
if ( ! test_netlogon_ex_ops ( p_netlogon , test_ctx , credentials , creds ) ) {
printf ( " Failed to process schannel secured NETLOGON EX ops \n " ) ;
ret = False ;
}
2005-10-06 14:29:28 +04:00
/* Swap the binding details from SAMR to LSARPC */
2005-12-27 17:28:01 +03:00
status = dcerpc_epm_map_binding ( test_ctx , b , & dcerpc_table_lsarpc , NULL ) ;
2005-10-06 14:29:28 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
status = dcerpc_secondary_connection ( p , & p_lsa ,
b ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2004-11-12 02:24:30 +03:00
goto failed ;
}
2005-12-27 17:28:01 +03:00
status = dcerpc_bind_auth ( p_lsa , & dcerpc_table_lsarpc ,
2005-11-20 19:28:39 +03:00
credentials , DCERPC_AUTH_TYPE_SCHANNEL ,
2006-01-12 12:33:49 +03:00
dcerpc_auth_level ( p - > conn ) ,
2005-11-20 19:28:39 +03:00
NULL ) ;
2005-10-06 14:29:28 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
if ( ! test_lsa_ops ( p_lsa , test_ctx ) ) {
printf ( " Failed to process schannel secured LSA ops \n " ) ;
ret = False ;
}
2006-02-08 02:30:50 +03:00
/* Drop the socket, we want to start from scratch */
talloc_free ( p ) ;
p = NULL ;
/* Now see what we are still allowed to do */
status = dcerpc_parse_binding ( test_ctx , binding , & b ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Bad binding string %s \n " , binding ) ;
goto failed ;
}
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
b - > flags | = dcerpc_flags ;
status = dcerpc_pipe_connect_b ( test_ctx , & p_samr2 , b , & dcerpc_table_samr ,
credentials , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to connect with schannel: %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2006-02-09 06:05:22 +03:00
/* do a some SAMR operations. We have *not* done a new serverauthenticate */
2006-02-08 02:30:50 +03:00
if ( ! test_samr_ops ( p_samr2 , test_ctx ) ) {
printf ( " Failed to process schannel secured SAMR ops (on fresh connection) \n " ) ;
2006-02-08 02:49:35 +03:00
goto failed ;
}
/* Swap the binding details from SAMR to NETLOGON */
status = dcerpc_epm_map_binding ( test_ctx , b , & dcerpc_table_netlogon , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
status = dcerpc_secondary_connection ( p_samr2 , & p_netlogon2 ,
b ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
2006-02-09 06:05:22 +03:00
/* and now setup an SCHANNEL bind on netlogon */
2006-02-08 02:49:35 +03:00
status = dcerpc_bind_auth ( p_netlogon2 , & dcerpc_table_netlogon ,
credentials , DCERPC_AUTH_TYPE_SCHANNEL ,
dcerpc_auth_level ( p_samr2 - > conn ) ,
NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto failed ;
}
2006-02-09 05:30:43 +03:00
/* Try the schannel-only SamLogonEx operation */
2006-02-08 02:49:35 +03:00
if ( ! test_netlogon_ex_ops ( p_netlogon2 , test_ctx , credentials , creds ) ) {
2006-02-21 03:07:59 +03:00
printf ( " Failed to process schannel secured NETLOGON EX ops (on fresh connection) \n " ) ;
2006-02-08 02:30:50 +03:00
ret = False ;
}
2006-02-09 06:05:22 +03:00
/* And the more traditional style, proving that the
* credentials chaining state is fully present */
2006-02-09 05:30:43 +03:00
if ( ! test_netlogon_ops ( p_netlogon2 , test_ctx , credentials , creds ) ) {
2006-02-21 03:07:59 +03:00
printf ( " Failed to process schannel secured NETLOGON ops (on fresh connection) \n " ) ;
ret = False ;
}
/* Drop the socket, we want to start from scratch (again) */
talloc_free ( p_samr2 ) ;
/* We don't want schannel for this test */
b - > flags & = ~ DCERPC_AUTH_OPTIONS ;
status = dcerpc_pipe_connect_b ( test_ctx , & p_netlogon3 , b , & dcerpc_table_netlogon ,
credentials , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " Failed to connect without schannel: %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
if ( test_netlogon_ex_ops ( p_netlogon3 , test_ctx , credentials , creds ) ) {
printf ( " Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe) \n " ) ;
ret = False ;
}
if ( ! test_netlogon_ops ( p_netlogon3 , test_ctx , credentials , creds ) ) {
printf ( " Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth \n " ) ;
2006-02-09 05:30:43 +03:00
ret = False ;
}
2004-06-06 11:14:10 +04:00
torture_leave_domain ( join_ctx ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2005-10-06 14:29:28 +04:00
return ret ;
2004-06-06 11:14:10 +04:00
failed :
torture_leave_domain ( join_ctx ) ;
2005-03-22 11:00:45 +03:00
talloc_free ( test_ctx ) ;
2004-06-06 11:14:10 +04:00
return False ;
}
2004-06-06 11:58:16 +04:00
/*
a schannel test suite
*/
2004-10-28 17:40:50 +04:00
BOOL torture_rpc_schannel ( void )
2004-06-06 11:14:10 +04:00
{
TALLOC_CTX * mem_ctx ;
BOOL ret = True ;
struct {
2005-02-10 08:09:35 +03:00
uint16_t acct_flags ;
uint32_t dcerpc_flags ;
2004-06-06 11:14:10 +04:00
} tests [ ] = {
2005-10-25 16:14:08 +04:00
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
{ ACB_WSTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 } ,
{ ACB_SVRTRUST , DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
2004-06-06 11:14:10 +04:00
} ;
int i ;
mem_ctx = talloc_init ( " torture_rpc_schannel " ) ;
for ( i = 0 ; i < ARRAY_SIZE ( tests ) ; i + + ) {
if ( ! test_schannel ( mem_ctx ,
2005-10-25 16:14:08 +04:00
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ,
i ) ) {
printf ( " Failed with acct_flags=0x%x dcerpc_flags=0x%x \n " ,
tests [ i ] . acct_flags , tests [ i ] . dcerpc_flags ) ;
2004-06-06 11:14:10 +04:00
ret = False ;
break ;
}
}
2004-10-30 15:37:17 +04:00
talloc_free ( mem_ctx ) ;
2004-06-06 11:14:10 +04:00
return ret ;
}
