
r9166: This checks more of the auth subsystem in the PAC test.

Andrew Bartlett
(This used to be commit 1fa87223eb)
This commit is contained in:
Andrew Bartlett 2005-08-06 23:07:21 +00:00 committed by Gerald (Jerry) Carter
parent 910c1d55c2
commit c46b658eec
3 changed files with 148 additions and 118 deletions


@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
DATA_BLOB tmp_blob;
struct PAC_DATA *pac_data;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes[16];
@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
struct smb_krb5_context *smb_krb5_context;
struct auth_serversupplied_info *server_info;
struct auth_serversupplied_info *server_info_out;
ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
server_bytes, sizeof(server_bytes),
&server_keyblock);
if (ret) {
DEBUG(1, ("Server Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("Server Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
talloc_free(mem_ctx);
return False;
}
@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
krbtgt_bytes, sizeof(krbtgt_bytes),
&krbtgt_keyblock);
if (ret) {
DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("KRBTGT Keyblock encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
talloc_free(mem_ctx);
@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
&tmp_blob);
if (ret) {
DEBUG(1, ("PAC encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
printf("PAC encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
@ -126,11 +129,11 @@ static BOOL torture_pac_self_check(void)
&krbtgt_keyblock,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
if (ret) {
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
DEBUG(1, ("PAC decoding failed: %s\n",
nt_errstr(nt_status)));
@ -138,6 +141,52 @@ static BOOL torture_pac_self_check(void)
return False;
}
/* Now check that we can read it back */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
tmp_blob,
smb_krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (for logon info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("PAC decoding (make server info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
if (!dom_sid_equal(server_info->account_sid,
server_info_out->account_sid)) {
printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
dom_sid_string(mem_ctx, server_info->account_sid),
dom_sid_string(mem_ctx, server_info_out->account_sid));
talloc_free(mem_ctx);
return False;
}
talloc_free(mem_ctx);
return True;
}
@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
struct auth_serversupplied_info *server_info_out;
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock;
uint8_t server_bytes[16];
@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
}
tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
dump_data(10,tmp_blob.data,tmp_blob.length);
/* Decode and verify the signaure on the PAC */
@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
return False;
}
/* Parse the PAC again, for the logon info this time */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
tmp_blob,
smb_krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (for logon info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
printf("PAC decoding (make server info) failed: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return False;
}
if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid));
talloc_free(mem_ctx);
return False;
}
ret = kerberos_encode_pac(mem_ctx,
pac_data,
smb_krb5_context->krb5_context,
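Review bot: The SID-mismatch branch in torture_pac_saved_check (the `if (!dom_sid_equal(...))` block near the end of the hunk) returns after only `talloc_free(mem_ctx)`, while the two preceding error branches in the same hunk call krb5_free_keyblock_contents on krbtgt_keyblock and server_keyblock first, so that path appears to leak both keyblocks' contents; the same two calls belong before its `talloc_free`. The expected SID is spelled twice in that block (once in the comparison, once in the printf), so a single `const char *expected_sid = "S-1-5-21-3048156945-3961193616-3706469200-1005";` used in both places would keep them from drifting, and the result of dom_sid_parse_talloc is handed to dom_sid_equal without a NULL check. The message text "*different* domain SID" in both this hunk and the torture_pac_self_check hunk describes an account_sid comparison; `"PAC Decode resulted in *different* account SID: %s != %s\n"` would say what is actually compared. torture_pac_saved_check continues past the end of the hunk.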


@ -1259,10 +1259,11 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
/*
test an ADS style interactive domain logon
*/
static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *account_domain, const char *account_name,
const char *plain_pass)
BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *workstation_name,
const char *account_domain, const char *account_name,
const char *plain_pass)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
@ -1290,7 +1291,7 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
pinfo.identity_info.logon_id_low = 0;
pinfo.identity_info.logon_id_high = 0;
pinfo.identity_info.account_name.string = account_name;
pinfo.identity_info.workstation.string = TEST_MACHINE_NAME;
pinfo.identity_info.workstation.string = workstation_name;
if (!E_deshash(plain_pass, pinfo.lmpassword.hash)) {
ZERO_STRUCT(pinfo.lmpassword.hash);
@ -1491,6 +1492,7 @@ BOOL torture_rpc_samlogon(void)
for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
TEST_MACHINE_NAME,
usercreds[ci].domain,
usercreds[ci].username,
usercreds[ci].password)) {
@ -1514,6 +1516,7 @@ BOOL torture_rpc_samlogon(void)
for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
TEST_MACHINE_NAME,
usercreds[0].domain,
usercreds[0].username,
usercreds[0].password)) {
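Review bot: test_InteractiveLogon loses its `static` in the first hunk, which exports it from this translation unit; if the intent is to call it from the third file in this commit, a prototype should be visible to that caller through a header (or the build's prototype generation) rather than an implicit declaration, and since the only new external call site sits inside an `#if 0` block the link is not exercised here. The new `workstation_name` parameter is stored straight into `pinfo.identity_info.workstation.string` with no NULL check, and the callers shown all pass TEST_MACHINE_NAME, so a comment on the parameter such as `/* workstation_name: NetBIOS name placed in the logon identity; must be non-NULL */` would record the contract. test_InteractiveLogon's body continues outside the hunk.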


@ -29,6 +29,7 @@
#include "libcli/composite/composite.h"
#if 0
static NTSTATUS after_negprot(struct smbcli_transport **dst_transport,
const char *dest_host, uint16_t port,
const char *my_name)
@ -501,79 +502,6 @@ static NTSTATUS setup_netlogon_creds(struct smbcli_transport *transport,
return NT_STATUS_OK;
}
static NTSTATUS torture_samlogon(struct dcerpc_pipe *p,
struct creds_CredentialState *netlogon_creds,
const char *workstation,
const char *domain,
const char *username,
const char *password)
{
TALLOC_CTX *mem_ctx;
struct netr_LogonSamLogon log;
struct netr_NetworkInfo ninfo;
struct netr_Authenticator auth, auth2;
uint8_t user_session_key[16];
DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0);
DATA_BLOB names_blob;
DATA_BLOB chall;
NTSTATUS status;
mem_ctx = talloc_init("torture_samlogon");
ZERO_STRUCT(user_session_key);
printf("testing netr_LogonSamLogon\n");
log.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s",
dcerpc_server_name(p));
log.in.workstation = workstation;
log.in.credential = &auth;
log.in.return_authenticator = &auth2;
log.in.validation_level = 3;
log.in.logon_level = 2;
log.in.logon.network = &ninfo;
chall = data_blob_talloc(mem_ctx, NULL, 8);
generate_random_buffer(chall.data, 8);
names_blob = NTLMv2_generate_names_blob(mem_ctx, workstation,
lp_workgroup());
ZERO_STRUCT(user_session_key);
if (!SMBNTLMv2encrypt(username, domain, password,
&chall, &names_blob,
&lmv2_response, &ntlmv2_response,
NULL, NULL)) {
data_blob_free(&names_blob);
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
data_blob_free(&names_blob);
ninfo.identity_info.domain_name.string = domain;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.account_name.string = username;
ninfo.identity_info.workstation.string = workstation;
memcpy(ninfo.challenge, chall.data, 8);
ninfo.nt.data = ntlmv2_response.data;
ninfo.nt.length = ntlmv2_response.length;
ninfo.lm.data = NULL;
ninfo.lm.length = 0;
ZERO_STRUCT(auth2);
creds_client_authenticator(netlogon_creds, &auth);
log.out.return_authenticator = NULL;
status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &log);
talloc_free(mem_ctx);
data_blob_free(&lmv2_response);
data_blob_free(&ntlmv2_response);
return status;
}
static NTSTATUS test_getgroups(struct smbcli_transport *transport,
const char *name)
{
@ -659,7 +587,7 @@ static NTSTATUS test_getgroups(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
struct samr_String samr_name;
struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@ -832,7 +760,7 @@ static NTSTATUS test_getallsids(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
struct samr_String samr_name;
struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@ -1038,22 +966,20 @@ static BOOL xp_login(const char *dcname, const char *wksname,
if (!NT_STATUS_IS_OK(status))
return False;
status = torture_samlogon(netlogon_schannel_pipe,
netlogon_creds, wksname, domain,
user1name, user1pw);
if (!NT_STATUS_IS_OK(status))
return False;
if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
netlogon_creds, wksname, domain,
user1name, user1pw)) {
return False;
}
talloc_free(netlogon_pipe);
status = torture_samlogon(netlogon_schannel_pipe,
netlogon_creds, wksname, domain,
user2name, user2pw);
if (!NT_STATUS_IS_OK(status))
return False;
if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
netlogon_creds, wksname, domain,
user1name, user1pw)) {
return False;
}
status = test_getgroups(transport, user2name);
if (!NT_STATUS_IS_OK(status))
@ -1093,8 +1019,6 @@ static BOOL xp_login(const char *dcname, const char *wksname,
return True;
}
#endif
struct user_pw {
const char *username;
const char *password;
@ -1112,10 +1036,8 @@ static const struct user_pw machines[] = {
BOOL torture_rpc_login(void)
{
#if 0
const char *pdcname = "pdcname";
const char *domainname = "domain";
#endif
int useridx1 = rand() % ARRAY_SIZE(users);
int useridx2 = rand() % ARRAY_SIZE(users);
@ -1125,13 +1047,18 @@ BOOL torture_rpc_login(void)
users[useridx1].username,
users[useridx2].username);
#if 0
return xp_login(pdcname, machines[machidx].username,
domainname, machines[machidx].password,
users[useridx1].username,
users[useridx1].password,
users[useridx2].username,
users[useridx2].password);
#endif
return False;
}
#else
BOOL torture_rpc_login(void)
{
return False;
}
#endif
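Review bot: In the xp_login hunk, the second test_InteractiveLogon call passes `user1name, user1pw` where the torture_samlogon call it replaces used `user2name, user2pw`, so the second logon no longer exercises the second user even though `test_getgroups(transport, user2name)` follows it; the arguments should read `netlogon_creds, wksname, domain,` / `user2name, user2pw)) {`. The whole file body is now inside `#if 0` (opened in the first hunk and closed before the fallback torture_rpc_login), so this is not compiled and the slip will only surface when the block is re-enabled. The fallback `torture_rpc_login` that unconditionally returns False would benefit from a one-line comment, `/* login test disabled: body is under #if 0 above */`, so a reader of the test results understands the failure is intentional.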