sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00
Code

s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function

Browse Source 
This create a schannel connection to netlogon, this makes the tests
more realistic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)
This commit is contained in:
Stefan Metzmacher 2015-12-22 12:10:12 +01:00
parent 1103a6b3d0
commit 46f52e7ad8
5 changed files with 132 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
source4/torture/rpc/forest_trust.c
View File

@ -516,7 +516,8 @@ static bool test_validate_trust(struct torture_context *tctx,
NTSTATUS status;
struct cli_credentials *credentials;
struct dcerpc_binding *b;
struct dcerpc_pipe *p;
struct dcerpc_pipe *p1 = NULL;
struct dcerpc_pipe *p = NULL;
struct netr_GetForestTrustInformation fr;
struct lsa_ForestTrustInformation *forest_trust_info;
@ -547,7 +548,7 @@ static bool test_validate_trust(struct torture_context *tctx,
trusted_dom_name, CRED_SPECIFIED);
cli_credentials_set_secure_channel_type(credentials, SEC_CHAN_DOMAIN);
status = dcerpc_pipe_connect_b(tctx, &p, b,
status = dcerpc_pipe_connect_b(tctx, &p1, b,
&ndr_table_netlogon, credentials,
tctx->ev, tctx->lp_ctx);
@ -559,11 +560,16 @@ static bool test_validate_trust(struct torture_context *tctx,
return false;
}
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
credentials, &creds)) {
torture_comment(tctx, "test_SetupCredentials3 failed.\n");
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
torture_comment(tctx, "test_SetupCredentialsPipe failed.\n");
return false;
}
netlogon_creds_client_authenticator(creds, &a);

14
source4/torture/rpc/lsa.c
View File

@ -4134,7 +4134,8 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
struct netr_Authenticator req_auth;
struct netr_Authenticator rep_auth;
struct netr_ServerPasswordSet2 s;
struct dcerpc_pipe *p2;
struct dcerpc_pipe *p1 = NULL;
struct dcerpc_pipe *p2 = NULL;
NTSTATUS status;
bool ok;
int rc;
@ -4223,18 +4224,25 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
status = dcerpc_parse_binding(tctx, binding, &b2);
torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
status = dcerpc_pipe_connect_b(tctx, &p2, b2,
status = dcerpc_pipe_connect_b(tctx, &p1, b2,
&ndr_table_netlogon,
cli_credentials_init_anon(tctx),
tctx->ev, tctx->lp_ctx);
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
ok = check_pw_with_ServerAuthenticate3(p2, tctx,
ok = check_pw_with_ServerAuthenticate3(p1, tctx,
NETLOGON_NEG_AUTH2_ADS_FLAGS,
server_name,
incoming_creds, &creds);
torture_assert_int_equal(tctx, ok, expected_result,
"check_pw_with_ServerAuthenticate3");
if (expected_result == true) {
ok = test_SetupCredentialsPipe(p1, tctx, incoming_creds, creds,
DCERPC_SIGN | DCERPC_SEAL, &p2);
torture_assert_int_equal(tctx, ok, true,
"test_SetupCredentialsPipe");
}
TALLOC_FREE(p1);
if (trusted->trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
#ifdef SAMBA4_USES_HEIMDAL

98
source4/torture/rpc/netlogon.c
View File

@ -359,6 +359,35 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
return true;
}
bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
struct torture_context *tctx,
struct cli_credentials *machine_credentials,
struct netlogon_creds_CredentialState *creds,
uint32_t additional_flags,
struct dcerpc_pipe **_p2)
{
NTSTATUS status;
struct dcerpc_binding *b2 = NULL;
struct dcerpc_pipe *p2 = NULL;
b2 = dcerpc_binding_dup(tctx, p1->binding);
torture_assert(tctx, b2 != NULL, "dcerpc_binding_dup");
dcerpc_binding_set_flags(b2,
DCERPC_SCHANNEL | additional_flags,
DCERPC_AUTH_OPTIONS);
cli_credentials_set_netlogon_creds(machine_credentials, creds);
status = dcerpc_pipe_connect_b(tctx, &p2, b2,
&ndr_table_netlogon,
machine_credentials,
tctx->ev, tctx->lp_ctx);
cli_credentials_set_netlogon_creds(machine_credentials, NULL);
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b schannel");
*_p2 = p2;
return true;
}
/*
try a change password for our machine account
*/
@ -436,7 +465,7 @@ static bool test_SetPassword(struct torture_context *tctx,
try a change password for our machine account
*/
static bool test_SetPassword_flags(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials,
uint32_t negotiate_flags)
{
@ -445,14 +474,20 @@ static bool test_SetPassword_flags(struct torture_context *tctx,
struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential, return_authenticator;
struct samr_Password new_password;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
if (!test_SetupCredentials2(p, tctx, negotiate_flags,
if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
machine_credentials,
cli_credentials_get_secure_channel_type(machine_credentials),
&creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@ -532,7 +567,7 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
try a change password for our machine account
*/
static bool test_SetPassword2_with_flags(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials,
uint32_t flags)
{
@ -544,11 +579,19 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
struct samr_Password nt_hash;
struct netr_Authenticator credential, return_authenticator;
struct netr_CryptPassword new_password;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
if (!test_SetupCredentials2(p, tctx, flags, machine_credentials, cli_credentials_get_secure_channel_type(machine_credentials), &creds)) {
if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
cli_credentials_get_secure_channel_type(machine_credentials),
&creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@ -2507,7 +2550,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx,
}
static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials)
{
struct netr_GetForestTrustInformation r;
@ -2515,12 +2558,18 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
struct netr_Authenticator a;
struct netr_Authenticator return_authenticator;
struct lsa_ForestTrustInformation *forest_trust_info;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
machine_credentials, &creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
netlogon_creds_client_authenticator(creds, &a);
@ -3343,7 +3392,7 @@ static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
}
static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials,
uint32_t negotiate_flags)
{
@ -3356,14 +3405,20 @@ static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
struct netr_TrustInfo *trust_info;
struct netlogon_creds_CredentialState *creds;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
struct samr_Password nt_hash;
if (!test_SetupCredentials3(p, tctx, negotiate_flags,
if (!test_SetupCredentials3(p1, tctx, negotiate_flags,
machine_credentials, &creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
netlogon_creds_client_authenticator(creds, &a);
@ -3413,7 +3468,7 @@ static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx,
}
static bool test_GetDomainInfo(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials)
{
struct netr_LogonGetDomainInfo r;
@ -3436,14 +3491,20 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
char **spns = NULL;
int num_spns = 0;
char *temp_str;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
machine_credentials, &creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
/* We won't double-check this when we are over 'local' transports */
if (dcerpc_server_name(p)) {
@ -3868,7 +3929,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
}
static bool test_GetDomainInfo_async(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *machine_credentials)
{
NTSTATUS status;
@ -3882,6 +3943,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
int i;
union netr_WorkstationInfo query;
union netr_DomainInfo info;
struct dcerpc_pipe *p = NULL;
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
@ -3889,6 +3951,10 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
machine_credentials, &creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
ZERO_STRUCT(r);
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));

7
source4/torture/rpc/netlogon.h
View File

@ -28,3 +28,10 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
uint32_t negotiate_flags,
struct cli_credentials *machine_credentials,
struct netlogon_creds_CredentialState **creds_out);
bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
struct torture_context *tctx,
struct cli_credentials *machine_credentials,
struct netlogon_creds_CredentialState *creds,
uint32_t additional_flags,
struct dcerpc_pipe **_p2);

34
source4/torture/rpc/remote_pac.c
View File

@ -118,7 +118,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
/* Also happens to be a really good one-step verfication of our Kerberos stack */
static bool test_PACVerify(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *credentials,
enum netr_SchannelType secure_channel_type,
const char *test_machine_name,
@ -151,7 +151,8 @@ static bool test_PACVerify(struct torture_context *tctx,
struct auth_session_info *session_info;
struct pac_data *pac_data;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(tctx);
torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
@ -175,11 +176,16 @@ static bool test_PACVerify(struct torture_context *tctx,
credentials);
torture_assert(tctx, server_creds, "Failed to copy of credentials");
if (!test_SetupCredentials2(p, tctx, negotiate_flags,
if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
server_creds, secure_channel_type,
&creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
@ -525,14 +531,15 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
/* Check various ways to get the PAC, in particular check the group membership and other details between the PAC from a normal kinit, S2U4Self and a SamLogon */
static bool test_S2U4Self(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct dcerpc_pipe *p1,
struct cli_credentials *credentials,
enum netr_SchannelType secure_channel_type,
const char *test_machine_name,
uint32_t negotiate_flags)
{
NTSTATUS status;
struct dcerpc_binding_handle *b = p->binding_handle;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
struct netr_LogonSamLogon r;
@ -584,6 +591,17 @@ static bool test_S2U4Self(struct torture_context *tctx,
credentials);
torture_assert(tctx, server_creds, "Failed to copy of credentials");
if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
server_creds, secure_channel_type,
&creds)) {
return false;
}
if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
DCERPC_SIGN | DCERPC_SEAL, &p)) {
return false;
}
b = p->binding_handle;
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
@ -744,12 +762,6 @@ static bool test_S2U4Self(struct torture_context *tctx,
r.out.validation = &validation;
r.out.authoritative = &authoritative;
if (!test_SetupCredentials2(p, tctx, negotiate_flags,
server_creds, secure_channel_type,
&creds)) {
return false;
}
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);