r9166: This checks more of the auth subsystem in the PAC test.
Andrew Bartlett
(This used to be commit 1fa87223eb
)
This commit is contained in:
parent
910c1d55c2
commit
c46b658eec
@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
DATA_BLOB tmp_blob;
struct PAC_DATA *pac_data;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes[16];
@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
struct smb_krb5_context *smb_krb5_context;
struct auth_serversupplied_info *server_info;
struct auth_serversupplied_info *server_info_out;
ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
server_bytes, sizeof(server_bytes),
&server_keyblock);
if (ret) {
DEBUG(1, ("Server Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("Server Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
talloc_free(mem_ctx);
return False;
}
@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
krbtgt_bytes, sizeof(krbtgt_bytes),
&krbtgt_keyblock);
if (ret) {
DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("KRBTGT Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
talloc_free(mem_ctx);
@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
&tmp_blob);
if (ret) {
DEBUG(1, ("PAC encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("PAC encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
@ -126,11 +129,11 @@ static BOOL torture_pac_self_check(void)
&krbtgt_keyblock,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
if (ret) {
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
DEBUG(1, ("PAC decoding failed: %s\n",
nt_errstr(nt_status)));
@ -138,6 +141,52 @@ static BOOL torture_pac_self_check(void)
return False;
}
/* Now check that we can read it back */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
tmp_blob,
smb_krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (for logon info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("PAC decoding (make server info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
if (!dom_sid_equal(server_info->account_sid,
server_info_out->account_sid)) {
printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
dom_sid_string(mem_ctx, server_info->account_sid),
dom_sid_string(mem_ctx, server_info_out->account_sid));
talloc_free(mem_ctx);
return False;
}
talloc_free(mem_ctx);
return True;
}
@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
struct auth_serversupplied_info *server_info_out;
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock;
uint8_t server_bytes[16];
@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
}
tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
dump_data(10,tmp_blob.data,tmp_blob.length);
/* Decode and verify the signaure on the PAC */
@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
return False;
}
/* Parse the PAC again, for the logon info this time */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
tmp_blob,
smb_krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (for logon info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (make server info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid));
talloc_free(mem_ctx);
return False;
}
ret = kerberos_encode_pac(mem_ctx,
pac_data,
smb_krb5_context->krb5_context,
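Review bot: In torture_pac_saved_check, the new account-SID mismatch branch (the `dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-…-1005"), server_info_out->account_sid)` check in the `@ -278,6 +332,52` hunk) returns False after `talloc_free(mem_ctx)` without releasing `krbtgt_keyblock` and `server_keyblock`, whereas the `make_server_info_netlogon_validation` failure branch directly above it calls `krb5_free_keyblock_contents` on both; keyblock contents are not talloc-owned, so this exit path leaks them. Add `krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock);` and `krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock);` before the `talloc_free(mem_ctx);` in that branch. The same hunk spells the expected SID string out twice (once in the compare, once in the printf) and hands the result of `dom_sid_parse_talloc` straight to `dom_sid_equal` without a NULL check — hoisting it into one `const char *expected_sid` and a parsed `struct dom_sid *expected` that is tested for NULL first would keep the two in sync and avoid relying on dom_sid_equal tolerating NULL, which is not visible here. In both the self check and the saved check the failure message says "*different* domain SID" while the comparison is on `account_sid`; "account SID" would describe what is actually checked. Both enclosing functions continue outside their hunks.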
@ -1259,10 +1259,11 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
/*
test an ADS style interactive domain logon
*/
static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *account_domain, const char *account_name,
const char *plain_pass)
BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *workstation_name,
const char *account_domain, const char *account_name,
const char *plain_pass)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
@ -1290,7 +1291,7 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
pinfo.identity_info.logon_id_low = 0;
pinfo.identity_info.logon_id_high = 0;
pinfo.identity_info.account_name.string = account_name;
pinfo.identity_info.workstation.string = TEST_MACHINE_NAME;
pinfo.identity_info.workstation.string = workstation_name;
if (!E_deshash(plain_pass, pinfo.lmpassword.hash)) {
ZERO_STRUCT(pinfo.lmpassword.hash);
@ -1491,6 +1492,7 @@ BOOL torture_rpc_samlogon(void)
for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
TEST_MACHINE_NAME,
usercreds[ci].domain,
usercreds[ci].username,
usercreds[ci].password)) {
@ -1514,6 +1516,7 @@ BOOL torture_rpc_samlogon(void)
for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
TEST_MACHINE_NAME,
usercreds[0].domain,
usercreds[0].username,
usercreds[0].password)) {
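Review bot: `test_InteractiveLogon` drops its `static` and gains a `workstation_name` parameter in the `@ -1259,10 +1259,11` hunk, but the header comment above it (`test an ADS style interactive domain logon`) is left as is and no prototype for the now-external symbol appears anywhere in this diff, so any caller in another translation unit would compile against an implicit declaration. Extend the comment to cover the new argument, e.g. `workstation_name: stored as-is in identity_info.workstation.string (presumably must be non-NULL, as it is not checked)`, and add the matching prototype to whichever header the external callers include; the only out-of-file caller visible here is the `#if 0`'d `xp_login` in the login test, which passes `wksname`. The function's body runs past the end of the hunk.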
@ -29,6 +29,7 @@
#include "libcli/composite/composite.h"
#if 0
static NTSTATUS after_negprot(struct smbcli_transport **dst_transport,
const char *dest_host, uint16_t port,
const char *my_name)
@ -501,79 +502,6 @@ static NTSTATUS setup_netlogon_creds(struct smbcli_transport *transport,
return NT_STATUS_OK;
}
static NTSTATUS torture_samlogon(struct dcerpc_pipe *p,
struct creds_CredentialState *netlogon_creds,
const char *workstation,
const char *domain,
const char *username,
const char *password)
{
TALLOC_CTX *mem_ctx;
struct netr_LogonSamLogon log;
struct netr_NetworkInfo ninfo;
struct netr_Authenticator auth, auth2;
uint8_t user_session_key[16];
DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0);
DATA_BLOB names_blob;
DATA_BLOB chall;
NTSTATUS status;
mem_ctx = talloc_init("torture_samlogon");
ZERO_STRUCT(user_session_key);
printf("testing netr_LogonSamLogon\n");
log.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s",
dcerpc_server_name(p));
log.in.workstation = workstation;
log.in.credential = &auth;
log.in.return_authenticator = &auth2;
log.in.validation_level = 3;
log.in.logon_level = 2;
log.in.logon.network = &ninfo;
chall = data_blob_talloc(mem_ctx, NULL, 8);
generate_random_buffer(chall.data, 8);
names_blob = NTLMv2_generate_names_blob(mem_ctx, workstation,
lp_workgroup());
ZERO_STRUCT(user_session_key);
if (!SMBNTLMv2encrypt(username, domain, password,
&chall, &names_blob,
&lmv2_response, &ntlmv2_response,
NULL, NULL)) {
data_blob_free(&names_blob);
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
data_blob_free(&names_blob);
ninfo.identity_info.domain_name.string = domain;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.account_name.string = username;
ninfo.identity_info.workstation.string = workstation;
memcpy(ninfo.challenge, chall.data, 8);
ninfo.nt.data = ntlmv2_response.data;
ninfo.nt.length = ntlmv2_response.length;
ninfo.lm.data = NULL;
ninfo.lm.length = 0;
ZERO_STRUCT(auth2);
creds_client_authenticator(netlogon_creds, &auth);
log.out.return_authenticator = NULL;
status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &log);
talloc_free(mem_ctx);
data_blob_free(&lmv2_response);
data_blob_free(&ntlmv2_response);
return status;
}
static NTSTATUS test_getgroups(struct smbcli_transport *transport,
const char *name)
{
@ -659,7 +587,7 @@ static NTSTATUS test_getgroups(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
struct samr_String samr_name;
struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@ -832,7 +760,7 @@ static NTSTATUS test_getallsids(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
struct samr_String samr_name;
struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@ -1038,22 +966,20 @@ static BOOL xp_login(const char *dcname, const char *wksname,
if (!NT_STATUS_IS_OK(status))
return False;
status = torture_samlogon(netlogon_schannel_pipe,
netlogon_creds, wksname, domain,
user1name, user1pw);
if (!NT_STATUS_IS_OK(status))
return False;
if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
netlogon_creds, wksname, domain,
user1name, user1pw)) {
return False;
}
talloc_free(netlogon_pipe);
status = torture_samlogon(netlogon_schannel_pipe,
netlogon_creds, wksname, domain,
user2name, user2pw);
if (!NT_STATUS_IS_OK(status))
return False;
if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
netlogon_creds, wksname, domain,
user1name, user1pw)) {
return False;
}
status = test_getgroups(transport, user2name);
if (!NT_STATUS_IS_OK(status))
@ -1093,8 +1019,6 @@ static BOOL xp_login(const char *dcname, const char *wksname,
return True;
}
#endif
struct user_pw {
const char *username;
const char *password;
@ -1112,10 +1036,8 @@ static const struct user_pw machines[] = {
BOOL torture_rpc_login(void)
{
#if 0
const char *pdcname = "pdcname";
const char *domainname = "domain";
#endif
int useridx1 = rand() % ARRAY_SIZE(users);
int useridx2 = rand() % ARRAY_SIZE(users);
@ -1125,13 +1047,18 @@ BOOL torture_rpc_login(void)
users[useridx1].username,
users[useridx2].username);
#if 0
return xp_login(pdcname, machines[machidx].username,
domainname, machines[machidx].password,
users[useridx1].username,
users[useridx1].password,
users[useridx2].username,
users[useridx2].password);
#endif
return False;
}
#else
BOOL torture_rpc_login(void)
{
return False;
}
#endif
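Review bot: In the `@ -1038,22 +966,20` hunk of `xp_login`, the second `test_InteractiveLogon` call replaces a `torture_samlogon` call that used `user2name, user2pw`, yet the new call passes `user1name, user1pw` again, so user1 is now logged on twice and user2 is never exercised; this looks like a copy-paste slip, and the fix is the one argument line `user2name, user2pw)) {`. The whole region now sits under `#if 0` and is not compiled, but it will come back with this defect if the block is re-enabled. Separately, `torture_rpc_login` now returns False in both the `#if 0` arm and the `#else` arm with no output, so a harness that still registers this test reports a bare failure rather than a deliberately disabled test; a `printf("torture_rpc_login: test disabled\n");` before the `return False;` in the live arm would make the state visible. `xp_login` begins before its hunk.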