From 8c6b5b87434e96d4cb695c0a5cf8aa0a0472c6a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 25 Sep 2024 23:10:25 +0200
Subject: [PATCH] s4:tortore/rpc: let rpc.backupkey without privacy pass
 against Windows 2022

The server disconnects after the first fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 selftest/knownfail.d/samba4.rpc.backupkey | 108 ++++++++++++++++++++++
 source4/torture/rpc/backupkey.c           |  80 ++++++++++++----
 2 files changed, 172 insertions(+), 16 deletions(-)
 create mode 100644 selftest/knownfail.d/samba4.rpc.backupkey

diff --git a/selftest/knownfail.d/samba4.rpc.backupkey b/selftest/knownfail.d/samba4.rpc.backupkey
new file mode 100644
index 00000000000..f48d3589e3f
--- /dev/null
+++ b/selftest/knownfail.d/samba4.rpc.backupkey
@@ -0,0 +1,108 @@
+^samba4.rpc.backupkey.with..backupkey.restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.restore_guid.version.3\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.restore_guid_2nd\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.unable_to_decrypt_secret\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.wrong_user_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.wrong_version_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.empty_request_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_empty_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with..backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.restore_guid.version.3\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.restore_guid_2nd\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.wrong_user_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.wrong_version_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.empty_request_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_empty_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.validate.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid.version.3\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.restore_guid_2nd\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.wrong_user_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.wrong_version_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.empty_request_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_empty_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.bigendian.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid.version.3\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.restore_guid_2nd\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.unable_to_decrypt_secret\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.wrong_user_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.wrong_version_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_hash_on_secret_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_magic_on_accesscheck_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.bad_cert_guid_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.empty_request_restore_guid\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.retreive_backup_key_guid_validate\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_keyGUID\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_empty_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_request\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_magic\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_r2\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_payload_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_wrong_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_short_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_decrypt_zero_ciphertext_length\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_remote_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_key\(ad_dc_default\)
+^samba4.rpc.backupkey.with.sign.backupkey.server_wrap_encrypt_decrypt_wrong_sid\(ad_dc_default\)
diff --git a/source4/torture/rpc/backupkey.c b/source4/torture/rpc/backupkey.c
index 738b9067c25..1d33302e94d 100644
--- a/source4/torture/rpc/backupkey.c
+++ b/source4/torture/rpc/backupkey.c
@@ -888,8 +888,11 @@ static bool test_RestoreGUID_ko(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Wrong error code");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -918,8 +921,11 @@ static bool test_RestoreGUID_wrongversion(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Wrong error code on wrong version");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -948,8 +954,11 @@ static bool test_RestoreGUID_wronguser(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_ACCESS, "Restore GUID");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -979,8 +988,11 @@ static bool test_RestoreGUID_v3(struct torture_context *tctx,
 		torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1012,8 +1024,11 @@ static bool test_RestoreGUID(struct torture_context *tctx,
 		torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1042,8 +1057,11 @@ static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Wrong error code while providing bad magic in secret");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1072,8 +1090,11 @@ static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAMETER, "Bad error code on wrong has in access check");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1109,8 +1130,11 @@ static bool test_RestoreGUID_badcertguid(struct torture_context *tctx,
 		}
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1139,8 +1163,11 @@ static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1169,8 +1196,11 @@ static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx,
 		torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
 	} else {
 		struct bkrp_BackupKey *r = createRetrieveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
-			NT_STATUS_ACCESS_DENIED, "Get GUID");
+			NT_STATUS_CONNECTION_DISCONNECTED, "Get GUID");
 	}
 
 	return true;
@@ -1369,9 +1399,12 @@ static bool test_RetrieveBackupKeyGUID_validate(struct torture_context *tctx,
 						2048,
 						"RSA Key doesn't have 2048 bits");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 						dcerpc_bkrp_BackupKey_r(b, tctx, r),
-						NT_STATUS_ACCESS_DENIED,
+						NT_STATUS_CONNECTION_DISCONNECTED,
 						"Get GUID");
 	}
 
@@ -1411,9 +1444,12 @@ static bool test_ServerWrap_encrypt_decrypt(struct torture_context *tctx,
 					   dcerpc_bkrp_BackupKey_r(b, tctx, &r),
 					   "encrypt");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 					      dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_CONNECTION_DISCONNECTED,
 					      "encrypt");
 		return true;
 	}
@@ -1503,9 +1539,12 @@ static bool test_ServerWrap_decrypt_wrong_keyGUID(struct torture_context *tctx,
 					   dcerpc_bkrp_BackupKey_r(b, tctx, &r),
 					   "encrypt");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 					      dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_CONNECTION_DISCONNECTED,
 					      "encrypt");
 		return true;
 	}
@@ -1597,9 +1636,12 @@ static bool test_ServerWrap_decrypt_empty_request(struct torture_context *tctx,
 					   dcerpc_bkrp_BackupKey_r(b, tctx, &r),
 					   "encrypt");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 					      dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_CONNECTION_DISCONNECTED,
 					      "encrypt");
 		return true;
 	}
@@ -1694,9 +1736,12 @@ static bool test_ServerWrap_decrypt_short_request(struct torture_context *tctx,
 					   dcerpc_bkrp_BackupKey_r(b, tctx, &r),
 					   "encrypt");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 					      dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_CONNECTION_DISCONNECTED,
 					      "encrypt");
 		return true;
 	}
@@ -2107,9 +2152,12 @@ static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx,
 					   dcerpc_bkrp_BackupKey_r(b, tctx, &r),
 					   "encrypt");
 	} else {
+		if (!dcerpc_binding_handle_is_connected(b)) {
+			torture_skip(tctx, "already disconnected");
+		}
 		torture_assert_ntstatus_equal(tctx,
 					      dcerpc_bkrp_BackupKey_r(b, tctx, &r),
-					      NT_STATUS_ACCESS_DENIED,
+					      NT_STATUS_CONNECTION_DISCONNECTED,
 					      "encrypt");
 		return true;
 	}