mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG for unsupported query_levels, we allow it to work with servers with or without support for query_level=2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
5f87888ed5
commit
404ce08e90
3
selftest/knownfail.d/netr_LogonGetCapabilities
Normal file
3
selftest/knownfail.d/netr_LogonGetCapabilities
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||||
|
^samba3.rpc.schannel.*\.schannel\(ad_dc
|
||||||
|
^samba4.rpc.schannel.*\.schannel\(ad_dc
|
@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
|||||||
r.out.capabilities = &capabilities;
|
r.out.capabilities = &capabilities;
|
||||||
r.out.return_authenticator = &return_auth;
|
r.out.return_authenticator = &return_auth;
|
||||||
|
|
||||||
torture_comment(tctx, "Testing LogonGetCapabilities\n");
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
|
||||||
|
|
||||||
|
r.in.query_level = 0;
|
||||||
|
ZERO_STRUCT(return_auth);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* we need to operate on a temporary copy of creds
|
||||||
|
* because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
* an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
* without looking a the authenticator.
|
||||||
|
*/
|
||||||
|
tmp_creds = *creds;
|
||||||
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
|
||||||
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||||
|
"LogonGetCapabilities query_level=0 failed");
|
||||||
|
|
||||||
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
|
||||||
|
|
||||||
|
r.in.query_level = 3;
|
||||||
|
ZERO_STRUCT(return_auth);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* we need to operate on a temporary copy of creds
|
||||||
|
* because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
* an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
* without looking a the authenticator.
|
||||||
|
*/
|
||||||
|
tmp_creds = *creds;
|
||||||
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
|
||||||
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||||
|
"LogonGetCapabilities query_level=0 failed");
|
||||||
|
|
||||||
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
|
||||||
|
|
||||||
|
r.in.query_level = 1;
|
||||||
ZERO_STRUCT(return_auth);
|
ZERO_STRUCT(return_auth);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
|||||||
|
|
||||||
*creds = tmp_creds;
|
*creds = tmp_creds;
|
||||||
|
|
||||||
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||||
|
&r.out.return_authenticator->cred),
|
||||||
|
"Credential chaining failed");
|
||||||
|
|
||||||
|
torture_assert_int_equal(tctx, creds->negotiate_flags,
|
||||||
|
capabilities.server_capabilities,
|
||||||
|
"negotiate flags");
|
||||||
|
|
||||||
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
|
||||||
|
|
||||||
|
r.in.query_level = 2;
|
||||||
|
ZERO_STRUCT(return_auth);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* we need to operate on a temporary copy of creds
|
||||||
|
* because dcerpc_netr_LogonGetCapabilities with
|
||||||
|
* an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||||
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
* without looking a the authenticator.
|
||||||
|
*/
|
||||||
|
tmp_creds = *creds;
|
||||||
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||||
|
|
||||||
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||||
|
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
|
||||||
|
/*
|
||||||
|
* an server without KB5028166 returns
|
||||||
|
* DCERPC_NCA_S_FAULT_INVALID_TAG =>
|
||||||
|
* NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||||
|
*/
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
|
||||||
|
|
||||||
|
*creds = tmp_creds;
|
||||||
|
|
||||||
torture_assert(tctx, netlogon_creds_client_check(creds,
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||||
&r.out.return_authenticator->cred),
|
&r.out.return_authenticator->cred),
|
||||||
"Credential chaining failed");
|
"Credential chaining failed");
|
||||||
|
Loading…
Reference in New Issue
Block a user