s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels

The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/netr_LogonGetCapabilities

@@ -0,0 +1,3 @@
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
+^samba3.rpc.schannel.*\.schannel\(ad_dc
+^samba4.rpc.schannel.*\.schannel\(ad_dc

source4/torture/rpc/netlogon.c

@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	r.out.capabilities = &capabilities;
 	r.out.return_authenticator = &return_auth;
 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
 
+	r.in.query_level = 0;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
+
+	r.in.query_level = 3;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
+
+	r.in.query_level = 1;
 	ZERO_STRUCT(return_auth);
 
 	/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 
 	*creds = tmp_creds;
 
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
+
+	r.in.query_level = 2;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+		/*
+		 * an server without KB5028166 returns
+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+		 */
+		return true;
+	}
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
+
+	*creds = tmp_creds;
+
 	torture_assert(tctx, netlogon_creds_client_check(creds,
 							 &r.out.return_authenticator->cred),
 		       "Credential chaining failed");