1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

s4:tortore/rpc: let rpc.backupkey without privacy pass against Windows 2022

The server disconnects after the first fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8c6b5b8743)
This commit is contained in:
Stefan Metzmacher 2024-09-25 23:10:25 +02:00 committed by Jule Anger
parent 24e89430b1
commit 2d2d5f675d
2 changed files with 172 additions and 16 deletions

View File

@ -0,0 +1,108 @@
^samba4.rpc.backupkey.with..backupkey.restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.restore_guid.version.3\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.restore_guid_2nd\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.unable_to_decrypt_secret\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.wrong_user_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.wrong_version_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.empty_request_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_empty_request\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.restore_guid.version.3\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.restore_guid_2nd\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.wrong_user_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.wrong_version_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.empty_request_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_empty_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid.version.3\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid_2nd\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.wrong_user_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.wrong_version_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.empty_request_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_empty_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.restore_guid.version.3\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.restore_guid_2nd\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.wrong_user_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.wrong_version_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.empty_request_restore_guid\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_empty_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)

View File

@ -886,8 +886,11 @@ static bool test_RestoreGUID_ko(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Wrong error code");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -916,8 +919,11 @@ static bool test_RestoreGUID_wrongversion(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Wrong error code on wrong version");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -946,8 +952,11 @@ static bool test_RestoreGUID_wronguser(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_ACCESS, "Restore GUID");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -977,8 +986,11 @@ static bool test_RestoreGUID_v3(struct torture_context *tctx,
torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1010,8 +1022,11 @@ static bool test_RestoreGUID(struct torture_context *tctx,
torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1040,8 +1055,11 @@ static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Wrong error code while providing bad magic in secret");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1070,8 +1088,11 @@ static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Bad error code on wrong has in access check");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1107,8 +1128,11 @@ static bool test_RestoreGUID_badcertguid(struct torture_context *tctx,
}
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1137,8 +1161,11 @@ static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1167,8 +1194,11 @@ static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx,
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
} else {
struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED, "Get GUID");
NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
}
return true;
@ -1367,9 +1397,12 @@ static bool test_RetrieveBackupKeyGUID_validate(struct torture_context *tctx,
2048,
"RSA Key doesn't have 2048 bits");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"Get GUID");
}
@ -1409,9 +1442,12 @@ static bool test_ServerWrap_encrypt_decrypt(struct torture_context *tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
"encrypt");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"encrypt");
return true;
}
@ -1501,9 +1537,12 @@ static bool test_ServerWrap_decrypt_wrong_keyGUID(struct torture_context *tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
"encrypt");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"encrypt");
return true;
}
@ -1595,9 +1634,12 @@ static bool test_ServerWrap_decrypt_empty_request(struct torture_context *tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
"encrypt");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"encrypt");
return true;
}
@ -1692,9 +1734,12 @@ static bool test_ServerWrap_decrypt_short_request(struct torture_context *tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
"encrypt");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"encrypt");
return true;
}
@ -2104,9 +2149,12 @@ static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
"encrypt");
} else {
if (!dcerpc_binding_handle_is_connected(b)) {
torture_skip(tctx, "already disconnected");
}
torture_assert_ntstatus_equal(tctx,
dcerpc_bkrp_BackupKey_r(b, tctx, &r),
NT_STATUS_ACCESS_DENIED,
NT_STATUS_CONNECTION_DISCONNECTED,
"encrypt");
return true;
}