mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
172ce406d4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
6149 lines
199 KiB
C
6149 lines
199 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
test suite for netlogon rpc operations
|
|
|
|
Copyright (C) Andrew Tridgell 2003
|
|
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
|
|
Copyright (C) Tim Potter 2003
|
|
Copyright (C) Matthias Dieter Wallnöfer 2009-2010
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "lib/events/events.h"
|
|
#include "lib/cmdline/cmdline.h"
|
|
#include "torture/rpc/torture_rpc.h"
|
|
#include "../lib/crypto/crypto.h"
|
|
#include "libcli/auth/libcli_auth.h"
|
|
#include "librpc/gen_ndr/ndr_netlogon_c.h"
|
|
#include "librpc/gen_ndr/ndr_lsa_c.h"
|
|
#include "param/param.h"
|
|
#include "libcli/security/security.h"
|
|
#include <ldb.h>
|
|
#include "lib/util/util_ldb.h"
|
|
#include "ldb_wrap.h"
|
|
#include "lib/replace/system/network.h"
|
|
#include "dsdb/samdb/samdb.h"
|
|
|
|
#undef strcasecmp
|
|
|
|
#define TEST_MACHINE_NAME "torturetest"
|
|
|
|
static bool test_netr_broken_binding_handle(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetSiteName r;
|
|
const char *site = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.computer_name = talloc_asprintf(tctx, "\\\\%s",
|
|
dcerpc_server_name(p));
|
|
r.out.site = &site;
|
|
|
|
torture_comment(tctx,
|
|
"Testing netlogon request with correct binding handle: %s\n",
|
|
r.in.computer_name);
|
|
|
|
status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status,
|
|
"Netlogon request with broken binding handle");
|
|
torture_assert_werr_ok(tctx, r.out.result,
|
|
"Netlogon request with broken binding handle");
|
|
|
|
if (torture_setting_bool(tctx, "samba3", false) ||
|
|
torture_setting_bool(tctx, "samba4", false)) {
|
|
torture_skip(tctx,
|
|
"Skipping broken binding handle check against Samba");
|
|
}
|
|
|
|
r.in.computer_name = talloc_asprintf(tctx, "\\\\\\\\%s",
|
|
dcerpc_server_name(p));
|
|
|
|
torture_comment(tctx,
|
|
"Testing netlogon request with broken binding handle: %s\n",
|
|
r.in.computer_name);
|
|
|
|
status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status,
|
|
"Netlogon request with broken binding handle");
|
|
torture_assert_werr_equal(tctx, r.out.result,
|
|
WERR_INVALID_COMPUTERNAME,
|
|
"Netlogon request with broken binding handle");
|
|
|
|
r.in.computer_name = "\\\\\\\\THIS_IS_NOT_VALID";
|
|
|
|
torture_comment(tctx,
|
|
"Testing netlogon request with broken binding handle: %s\n",
|
|
r.in.computer_name);
|
|
|
|
status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status,
|
|
"Netlogon request with broken binding handle");
|
|
torture_assert_werr_equal(tctx, r.out.result,
|
|
WERR_INVALID_COMPUTERNAME,
|
|
"Netlogon request with broken binding handle");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_LogonUasLogon(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonUasLogon r;
|
|
struct netr_UasInfo *info = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.account_name = cli_credentials_get_username(
|
|
samba_cmdline_get_creds());
|
|
r.in.workstation = TEST_MACHINE_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_LogonUasLogon_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_LogonUasLogoff(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonUasLogoff r;
|
|
struct netr_UasLogoffInfo info;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.account_name = cli_credentials_get_username(
|
|
samba_cmdline_get_creds());
|
|
r.in.workstation = TEST_MACHINE_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_LogonUasLogoff_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
|
|
|
|
return true;
|
|
}
|
|
|
|
bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
struct cli_credentials *credentials,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
const struct samr_Password *mach_password;
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
|
|
machine_name = cli_credentials_get_workstation(credentials);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
0,
|
|
0);
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate_r(b, tctx, &a),
|
|
"ServerAuthenticate failed");
|
|
|
|
/* This allows the tests to continue against the more fussy windows 2008 */
|
|
if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
|
|
return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
credentials,
|
|
cli_credentials_get_secure_channel_type(credentials),
|
|
creds_out);
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
|
|
"Credential chaining failed");
|
|
|
|
*creds_out = creds;
|
|
return true;
|
|
}
|
|
|
|
bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
uint32_t negotiate_flags,
|
|
struct cli_credentials *machine_credentials,
|
|
const char *computer_name,
|
|
enum netr_SchannelType sec_chan_type,
|
|
NTSTATUS expected_result,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate2 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
const struct samr_Password *mach_password;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
const char *account_name = cli_credentials_get_username(machine_credentials);
|
|
|
|
mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = computer_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = computer_name;
|
|
a.in.negotiate_flags = &negotiate_flags;
|
|
a.out.negotiate_flags = &negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
negotiate_flags,
|
|
negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate2\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, expected_result,
|
|
"ServerAuthenticate2 unexpected");
|
|
|
|
if (NT_STATUS_IS_OK(expected_result)) {
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
|
|
"Credential chaining failed");
|
|
} else {
|
|
torture_assert(tctx, !netlogon_creds_client_check(creds, &credentials3),
|
|
"Credential chaining passed unexpected");
|
|
}
|
|
|
|
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
|
|
|
|
*creds_out = creds;
|
|
return true;
|
|
}
|
|
|
|
bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
uint32_t negotiate_flags,
|
|
struct cli_credentials *machine_credentials,
|
|
enum netr_SchannelType sec_chan_type,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
const char *computer_name =
|
|
cli_credentials_get_workstation(machine_credentials);
|
|
|
|
return test_SetupCredentials2ex(p, tctx, negotiate_flags,
|
|
machine_credentials,
|
|
computer_name,
|
|
sec_chan_type,
|
|
NT_STATUS_OK,
|
|
creds_out);
|
|
}
|
|
|
|
bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
uint32_t negotiate_flags,
|
|
struct cli_credentials *machine_credentials,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
|
|
if (p == NULL) {
|
|
return false;
|
|
}
|
|
|
|
b = p->binding_handle;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &negotiate_flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
negotiate_flags,
|
|
negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
|
|
|
|
/* Prove that requesting a challenge again won't break it */
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
*creds_out = creds;
|
|
return true;
|
|
}
|
|
|
|
bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
uint32_t negotiate_flags = 0;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &negotiate_flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
negotiate_flags,
|
|
negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
|
|
|
|
negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
negotiate_flags,
|
|
negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 should succeed");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
|
|
|
|
/* Prove that requesting a challenge again won't break it */
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
|
|
|
|
return true;
|
|
}
|
|
|
|
bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
|
|
struct torture_context *tctx,
|
|
struct cli_credentials *machine_credentials,
|
|
struct netlogon_creds_CredentialState *creds,
|
|
uint32_t additional_flags,
|
|
struct dcerpc_pipe **_p2)
|
|
{
|
|
NTSTATUS status;
|
|
const struct dcerpc_binding *b1 =
|
|
dcerpc_binding_handle_get_binding(p1->binding_handle);
|
|
struct dcerpc_binding *b2 = NULL;
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
|
|
b2 = dcerpc_binding_dup(tctx, b1);
|
|
torture_assert(tctx, b2 != NULL, "dcerpc_binding_dup");
|
|
dcerpc_binding_set_flags(b2,
|
|
DCERPC_SCHANNEL | additional_flags,
|
|
DCERPC_AUTH_OPTIONS);
|
|
|
|
cli_credentials_set_netlogon_creds(machine_credentials, creds);
|
|
status = dcerpc_pipe_connect_b(tctx, &p2, b2,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx);
|
|
cli_credentials_set_netlogon_creds(machine_credentials, NULL);
|
|
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b schannel");
|
|
|
|
*_p2 = p2;
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallenge(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
const char *account_name = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(credentials);
|
|
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
|
|
account_name = cli_credentials_get_username(credentials);
|
|
sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
r.out.result,
|
|
"ServerReqChallenge failed");
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &in_negotiate_flags;
|
|
a.out.negotiate_flags = &out_negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
in_negotiate_flags,
|
|
in_negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate2\n");
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
a.out.result,
|
|
NT_STATUS_OK,
|
|
"ServerAuthenticate2 unexpected");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallenge_zero_challenge(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
const char *account_name = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(credentials);
|
|
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
|
|
account_name = cli_credentials_get_username(credentials);
|
|
sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
/*
|
|
* Set the client challenge to zero, this should fail
|
|
* CVE-2020-1472(ZeroLogon)
|
|
* BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
*/
|
|
ZERO_STRUCT(credentials1);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
r.out.result,
|
|
"ServerReqChallenge failed");
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &in_negotiate_flags;
|
|
a.out.negotiate_flags = &out_negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
in_negotiate_flags,
|
|
in_negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate2\n");
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
a.out.result,
|
|
NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate2 unexpected");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallenge_5_repeats(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
const char *account_name = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(credentials);
|
|
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
|
|
account_name = cli_credentials_get_username(credentials);
|
|
sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
/*
|
|
* Set the first 5 bytes of the client challenge to the same value,
|
|
* this should fail CVE-2020-1472(ZeroLogon)
|
|
* BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
*/
|
|
credentials1.data[0] = 'A';
|
|
credentials1.data[1] = 'A';
|
|
credentials1.data[2] = 'A';
|
|
credentials1.data[3] = 'A';
|
|
credentials1.data[4] = 'A';
|
|
credentials1.data[5] = 'B';
|
|
credentials1.data[6] = 'C';
|
|
credentials1.data[7] = 'D';
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
r.out.result,
|
|
"ServerReqChallenge failed");
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &in_negotiate_flags;
|
|
a.out.negotiate_flags = &out_negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
in_negotiate_flags,
|
|
in_negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate2\n");
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
a.out.result,
|
|
NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate2 unexpected");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallenge_4_repeats(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
const char *account_name = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(credentials);
|
|
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
|
|
account_name = cli_credentials_get_username(credentials);
|
|
sec_chan_type = cli_credentials_get_secure_channel_type(credentials);
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
/*
|
|
* Set the first 4 bytes of the client challenge to the same
|
|
* value, this should pass as 5 bytes identical are needed to
|
|
* fail for CVE-2020-1472(ZeroLogon)
|
|
*
|
|
* BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
*/
|
|
credentials1.data[0] = 'A';
|
|
credentials1.data[1] = 'A';
|
|
credentials1.data[2] = 'A';
|
|
credentials1.data[3] = 'A';
|
|
credentials1.data[4] = 'B';
|
|
credentials1.data[5] = 'C';
|
|
credentials1.data[6] = 'D';
|
|
credentials1.data[7] = 'E';
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
r.out.result,
|
|
"ServerReqChallenge failed");
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &in_negotiate_flags;
|
|
a.out.negotiate_flags = &out_negotiate_flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
mach_password, &credentials3,
|
|
in_negotiate_flags,
|
|
in_negotiate_flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate2\n");
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
a.out.result,
|
|
NT_STATUS_OK,
|
|
"ServerAuthenticate2 unexpected");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Establish a NetLogon session, using a session key that encrypts the
|
|
* target character to zero
|
|
*/
|
|
static bool test_ServerAuthenticate2_encrypts_to_zero(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials,
|
|
const char target,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
const char *computer_name =
|
|
cli_credentials_get_workstation(machine_credentials);
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate2 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
const struct samr_Password *mach_password;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
const char *account_name = cli_credentials_get_username(
|
|
machine_credentials);
|
|
uint32_t flags =
|
|
NETLOGON_NEG_AUTH2_ADS_FLAGS |
|
|
NETLOGON_NEG_SUPPORTS_AES;
|
|
enum netr_SchannelType sec_chan_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
/*
|
|
* Limit the number of attempts to generate a suitable session key.
|
|
*/
|
|
const unsigned MAX_ITER = 4096;
|
|
unsigned i = 0;
|
|
|
|
mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = computer_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
credentials1.data[0] = target;
|
|
i = 0;
|
|
torture_comment(tctx, "Generating candidate session keys\n");
|
|
do {
|
|
TALLOC_FREE(creds);
|
|
i++;
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge failed");
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
r.out.result,
|
|
"ServerReqChallenge failed");
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = account_name;
|
|
a.in.secure_channel_type = sec_chan_type;
|
|
a.in.computer_name = computer_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.out.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
|
|
creds = netlogon_creds_client_init(
|
|
tctx,
|
|
a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1,
|
|
&credentials2,
|
|
mach_password,
|
|
&credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
} while (credentials3.data[0] != 0 && i < MAX_ITER);
|
|
|
|
if (i >= MAX_ITER) {
|
|
torture_comment(
|
|
tctx,
|
|
"Unable to obtain a suitable session key, "
|
|
"after [%u] attempts\n",
|
|
i);
|
|
torture_fail(tctx, "Unable to obtain suitable session key");
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
|
|
"ServerAuthenticate2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
a.out.result,
|
|
NT_STATUS_OK,
|
|
"ServerAuthenticate2 unexpected result code");
|
|
|
|
*creds_out = creds;
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a change password for our machine account
|
|
*/
|
|
static bool test_SetPassword(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet r;
|
|
const char *password;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct samr_Password new_password;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
password = generate_random_password(tctx, 8, 255);
|
|
E_md4hash(password, new_password.hash);
|
|
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_Password(creds,
|
|
&new_password,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
|
|
|
|
torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
|
|
torture_comment(tctx, "Changing machine account password to '%s'\n",
|
|
password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
|
|
"ServerPasswordSet failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
/* by changing the machine password twice we test the
|
|
credentials chaining fully, and we verify that the server
|
|
allows the password to be set to the same value twice in a
|
|
row (match win2k3) */
|
|
torture_comment(tctx,
|
|
"Testing a second ServerPasswordSet on machine account\n");
|
|
torture_comment(tctx,
|
|
"Changing machine account password to '%s' (same as previous run)\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
|
|
"ServerPasswordSet (2) failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
|
|
|
|
torture_assert(tctx,
|
|
test_SetupCredentials(p, tctx, machine_credentials, &creds),
|
|
"ServerPasswordSet failed to actually change the password");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a change password for our machine account
|
|
*/
|
|
static bool test_SetPassword_flags(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials,
|
|
uint32_t negotiate_flags)
|
|
{
|
|
struct netr_ServerPasswordSet r;
|
|
const char *password;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct samr_Password new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
password = generate_random_password(tctx, 8, 255);
|
|
E_md4hash(password, new_password.hash);
|
|
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_Password(creds,
|
|
&new_password,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
|
|
|
|
torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
|
|
torture_comment(tctx, "Changing machine account password to '%s'\n",
|
|
password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
|
|
"ServerPasswordSet failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
/* by changing the machine password twice we test the
|
|
credentials chaining fully, and we verify that the server
|
|
allows the password to be set to the same value twice in a
|
|
row (match win2k3) */
|
|
torture_comment(tctx,
|
|
"Testing a second ServerPasswordSet on machine account\n");
|
|
torture_comment(tctx,
|
|
"Changing machine account password to '%s' (same as previous run)\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
|
|
"ServerPasswordSet (2) failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
|
|
|
|
torture_assert(tctx,
|
|
test_SetupCredentials(p, tctx, machine_credentials, &creds),
|
|
"ServerPasswordSet failed to actually change the password");
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
generate a random password for password change tests
|
|
*/
|
|
static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
|
|
{
|
|
int i;
|
|
DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
|
|
generate_random_buffer(password.data, password.length);
|
|
|
|
for (i=0; i < len; i++) {
|
|
if (((uint16_t *)password.data)[i] == 0) {
|
|
((uint16_t *)password.data)[i] = 1;
|
|
}
|
|
}
|
|
|
|
return password;
|
|
}
|
|
|
|
/*
|
|
try a change password for our machine account
|
|
*/
|
|
static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials,
|
|
uint32_t flags)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
const char *password;
|
|
DATA_BLOB new_random_pass;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct samr_Password nt_hash;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
password = generate_random_password(tctx, 8, 255);
|
|
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
|
|
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
|
|
|
|
/*
|
|
* As a consequence of CVE-2020-1472(ZeroLogon)
|
|
* Samba explicitly disallows the setting of an empty machine account
|
|
* password.
|
|
*
|
|
* Note that this may fail against Windows, and leave a machine account
|
|
* with an empty password.
|
|
*/
|
|
password = "";
|
|
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(tctx,
|
|
"Testing ServerPasswordSet2 on machine account\n");
|
|
torture_comment(tctx,
|
|
"Changing machine account password to '%s'\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx,
|
|
r.out.result,
|
|
NT_STATUS_WRONG_PASSWORD,
|
|
"ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD");
|
|
|
|
/* now try a random password */
|
|
password = generate_random_password(tctx, 8, 255);
|
|
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
|
|
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 (2) failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 (2) failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
/* by changing the machine password twice we test the
|
|
credentials chaining fully, and we verify that the server
|
|
allows the password to be set to the same value twice in a
|
|
row (match win2k3) */
|
|
torture_comment(tctx,
|
|
"Testing a second ServerPasswordSet2 on machine account\n");
|
|
torture_comment(tctx,
|
|
"Changing machine account password to '%s' (same as previous run)\n", password);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet (3) failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
|
|
|
|
torture_assert (tctx,
|
|
test_SetupCredentials(p, tctx, machine_credentials, &creds),
|
|
"ServerPasswordSet failed to actually change the password");
|
|
|
|
new_random_pass = netlogon_very_rand_pass(tctx, 128);
|
|
|
|
/* now try a random stream of bytes for a password */
|
|
set_pw_in_buffer(password_buf.data, &new_random_pass);
|
|
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(tctx,
|
|
"Testing a third ServerPasswordSet2 on machine account, with a completely random password\n");
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet (3) failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
|
|
|
|
cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
|
|
cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
|
|
|
|
torture_assert (tctx,
|
|
test_SetupCredentials(p, tctx, machine_credentials, &creds),
|
|
"ServerPasswordSet failed to actually change the password");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try to change the password of our machine account using a buffer of all zeros,
|
|
and a session key that encrypts that to all zeros.
|
|
|
|
Note: The test does use sign and seal, it's purpose is to exercise
|
|
the detection code in dcesrv_netr_ServerPasswordSet2
|
|
*/
|
|
static bool test_SetPassword2_encrypted_to_all_zeros(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
|
tctx,
|
|
p1,
|
|
machine_credentials,
|
|
'\0',
|
|
&creds)) {
|
|
|
|
return false;
|
|
}
|
|
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
ZERO_STRUCT(password_buf);
|
|
|
|
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
|
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
|
}
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
if(!all_zero(password_buf.data, 516)) {
|
|
torture_fail(tctx, "Password did not encrypt to all zeros\n");
|
|
}
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
torture_assert_int_equal(
|
|
tctx,
|
|
new_password.length,
|
|
0,
|
|
"Length should have encrypted to 0");
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 zero length check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Choose a session key that encrypts a password of all zeros to all zeros.
|
|
* Then try to set the password, using a zeroed buffer, with a non zero
|
|
* length.
|
|
*
|
|
* This exercises the password self encryption check.
|
|
*
|
|
* Note: The test does use sign and seal, it's purpose is to exercise
|
|
* the detection code in dcesrv_netr_ServerPasswordSet2
|
|
*/
|
|
static bool test_SetPassword2_password_encrypts_to_zero(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
|
tctx,
|
|
p1,
|
|
machine_credentials,
|
|
0x00,
|
|
&creds)) {
|
|
|
|
return false;
|
|
}
|
|
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
ZERO_STRUCT(password_buf);
|
|
SIVAL(password_buf.data, 512, 512);
|
|
|
|
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
|
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
|
}
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 password encrypts to zero check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Check that an all zero confounder, that encrypts to all zeros is
|
|
* rejected.
|
|
*
|
|
* Note: The test does use sign and seal, it's purpose is to exercise
|
|
* the detection code in dcesrv_netr_ServerPasswordSet2
|
|
*/
|
|
static bool test_SetPassword2_confounder(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
|
tctx,
|
|
p1,
|
|
machine_credentials,
|
|
'\0',
|
|
&creds)) {
|
|
|
|
return false;
|
|
}
|
|
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
ZERO_STRUCT(password_buf);
|
|
password_buf.data[511] = 'A';
|
|
SIVAL(password_buf.data, 512, 2);
|
|
|
|
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
|
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
|
}
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 confounder check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* try a change password for our machine account, using an all zero
|
|
* request. This should fail on the zero length check.
|
|
*
|
|
* Note: This test uses ARC4 encryption to exercise the desired check.
|
|
*/
|
|
static bool test_SetPassword2_all_zeros(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials2(
|
|
p1,
|
|
tctx,
|
|
flags,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds))
|
|
{
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
ZERO_STRUCT(password_buf.data);
|
|
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES enabled\n");
|
|
}
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(
|
|
tctx,
|
|
"Testing ServerPasswordSet2 on machine account\n");
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 zero length check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a change password for our machine account, using a maximum length
|
|
password
|
|
*/
|
|
static bool test_SetPassword2_maximum_length_password(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
DATA_BLOB new_random_pass = data_blob_null;
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials2(
|
|
p1,
|
|
tctx,
|
|
flags,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds))
|
|
{
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
new_random_pass = netlogon_very_rand_pass(tctx, 256);
|
|
set_pw_in_buffer(password_buf.data, &new_random_pass);
|
|
SIVAL(password_buf.data, 512, 512);
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(
|
|
tctx,
|
|
"Testing ServerPasswordSet2 on machine account\n");
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 zero length check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_OK, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a change password for our machine account, using a password of
|
|
all zeros, and a non zero password length.
|
|
|
|
This test relies on the buffer being encrypted with ARC4, to
|
|
trigger the appropriate check in the rpc server code
|
|
*/
|
|
static bool test_SetPassword2_all_zero_password(
|
|
struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordSet2 r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_CryptPassword password_buf;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
enum dcerpc_AuthType auth_type;
|
|
enum dcerpc_AuthLevel auth_level;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials2(
|
|
p1,
|
|
tctx,
|
|
flags,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds))
|
|
{
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(
|
|
p1,
|
|
tctx,
|
|
machine_credentials,
|
|
creds,
|
|
DCERPC_SIGN | DCERPC_SEAL,
|
|
&p))
|
|
{
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(
|
|
tctx,
|
|
"\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type =
|
|
cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.in.new_password = &new_password;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
ZERO_STRUCT(password_buf.data);
|
|
SIVAL(password_buf.data, 512, 128);
|
|
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES set");
|
|
}
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
|
&password_buf,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
|
|
|
memcpy(new_password.data, password_buf.data, 512);
|
|
new_password.length = IVAL(password_buf.data, 512);
|
|
|
|
torture_comment(
|
|
tctx,
|
|
"Testing ServerPasswordSet2 on machine account\n");
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(
|
|
tctx,
|
|
dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
|
|
"ServerPasswordSet2 all zero password check failed");
|
|
torture_assert_ntstatus_equal(
|
|
tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, "");
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
static bool test_SetPassword2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS);
|
|
}
|
|
|
|
static bool test_SetPassword2_AES(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
|
|
}
|
|
|
|
static bool test_GetPassword(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerPasswordGet r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential;
|
|
NTSTATUS status;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct samr_Password password;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.password = &password;
|
|
|
|
status = dcerpc_netr_ServerPasswordGet_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordGet");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_GetTrustPasswords(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_ServerTrustPasswordsGet r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct samr_Password password, password2;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &credential;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.new_owf_password = &password;
|
|
r.out.old_owf_password = &password2;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerTrustPasswordsGet_r(b, tctx, &r),
|
|
"ServerTrustPasswordsGet failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerTrustPasswordsGet failed");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon SamLogon
|
|
*/
|
|
static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
struct cli_credentials *credentials,
|
|
struct netlogon_creds_CredentialState *creds,
|
|
bool null_domain)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonSamLogon r;
|
|
struct netr_Authenticator auth, auth2;
|
|
union netr_LogonLevel logon;
|
|
union netr_Validation validation;
|
|
uint8_t authoritative;
|
|
struct netr_NetworkInfo ninfo;
|
|
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
int flags = CLI_CRED_NTLM_AUTH;
|
|
if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
|
|
flags |= CLI_CRED_LANMAN_AUTH;
|
|
}
|
|
|
|
if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx) && !null_domain) {
|
|
flags |= CLI_CRED_NTLMv2_AUTH;
|
|
}
|
|
|
|
cli_credentials_get_ntlm_username_domain(samba_cmdline_get_creds(),
|
|
tctx,
|
|
&ninfo.identity_info.account_name.string,
|
|
&ninfo.identity_info.domain_name.string);
|
|
|
|
if (null_domain) {
|
|
ninfo.identity_info.domain_name.string = NULL;
|
|
}
|
|
|
|
generate_random_buffer(ninfo.challenge,
|
|
sizeof(ninfo.challenge));
|
|
chal = data_blob_const(ninfo.challenge,
|
|
sizeof(ninfo.challenge));
|
|
|
|
names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
|
|
cli_credentials_get_domain(credentials));
|
|
|
|
status = cli_credentials_get_ntlm_response(
|
|
samba_cmdline_get_creds(), tctx,
|
|
&flags,
|
|
chal,
|
|
NULL, /* server_timestamp */
|
|
names_blob,
|
|
&lm_resp, &nt_resp,
|
|
NULL, NULL);
|
|
torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
|
|
|
|
ninfo.lm.data = lm_resp.data;
|
|
ninfo.lm.length = lm_resp.length;
|
|
|
|
ninfo.nt.data = nt_resp.data;
|
|
ninfo.nt.length = nt_resp.length;
|
|
|
|
ninfo.identity_info.parameter_control = 0;
|
|
ninfo.identity_info.logon_id = 0;
|
|
ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
|
|
|
|
logon.network = &ninfo;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computer_name = cli_credentials_get_workstation(credentials);
|
|
r.in.credential = &auth;
|
|
r.in.return_authenticator = &auth2;
|
|
r.in.logon_level = NetlogonNetworkInformation;
|
|
r.in.logon = &logon;
|
|
r.out.validation = &validation;
|
|
r.out.authoritative = &authoritative;
|
|
|
|
d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
|
|
|
|
for (i=2;i<=3;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
netlogon_creds_client_authenticator(creds, &auth);
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
}
|
|
|
|
/* this makes sure we get the unmarshalling right for invalid levels */
|
|
for (i=52;i<53;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
/* the authenticator should be ignored by the server */
|
|
generate_random_buffer((uint8_t *) &auth, sizeof(auth));
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_equal(tctx, r.out.result,
|
|
NT_STATUS_INVALID_INFO_CLASS,
|
|
"LogonSamLogon failed");
|
|
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
torture_assert(tctx,
|
|
all_zero((uint8_t *)&auth2, sizeof(auth2)),
|
|
"Return authenticator non zero");
|
|
}
|
|
|
|
for (i=2;i<=3;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
netlogon_creds_client_authenticator(creds, &auth);
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
}
|
|
|
|
r.in.logon_level = 52;
|
|
|
|
for (i=2;i<=3;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
/* the authenticator should be ignored by the server */
|
|
generate_random_buffer((uint8_t *) &auth, sizeof(auth));
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
|
|
"LogonSamLogon expected INVALID_PARAMETER");
|
|
|
|
torture_assert(tctx,
|
|
all_zero((uint8_t *)&auth2, sizeof(auth2)),
|
|
"Return authenticator non zero");
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
}
|
|
|
|
r.in.credential = NULL;
|
|
|
|
for (i=2;i<=3;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
|
|
"LogonSamLogon expected INVALID_PARAMETER");
|
|
|
|
torture_assert(tctx,
|
|
all_zero((uint8_t *)&auth2, sizeof(auth2)),
|
|
"Return authenticator non zero");
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
}
|
|
|
|
r.in.logon_level = NetlogonNetworkInformation;
|
|
r.in.credential = &auth;
|
|
|
|
for (i=2;i<=3;i++) {
|
|
ZERO_STRUCT(auth2);
|
|
netlogon_creds_client_authenticator(creds, &auth);
|
|
|
|
r.in.validation_level = i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
|
|
"LogonSamLogon failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
torture_assert_int_equal(tctx, *r.out.authoritative, 1,
|
|
"LogonSamLogon invalid *r.out.authoritative");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
struct cli_credentials *credentials,
|
|
struct netlogon_creds_CredentialState *creds)
|
|
{
|
|
return test_netlogon_ops_args(p, tctx, credentials, creds, false);
|
|
}
|
|
|
|
/*
|
|
try a netlogon GetCapabilities
|
|
*/
|
|
bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
struct cli_credentials *credentials,
|
|
uint32_t requested_flags,
|
|
struct netlogon_creds_CredentialState *creds)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonGetCapabilities r;
|
|
union netr_Capabilities capabilities;
|
|
struct netr_Authenticator auth, return_auth;
|
|
struct netlogon_creds_CredentialState tmp_creds;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computer_name = cli_credentials_get_workstation(credentials);
|
|
r.in.credential = &auth;
|
|
r.in.return_authenticator = &return_auth;
|
|
r.in.query_level = 1;
|
|
r.out.capabilities = &capabilities;
|
|
r.out.return_authenticator = &return_auth;
|
|
|
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
|
|
|
|
r.in.query_level = 0;
|
|
ZERO_STRUCT(return_auth);
|
|
|
|
/*
|
|
* we need to operate on a temporary copy of creds
|
|
* because dcerpc_netr_LogonGetCapabilities with
|
|
* an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
* without looking at the authenticator.
|
|
*/
|
|
tmp_creds = *creds;
|
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
|
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
|
"LogonGetCapabilities query_level=0 failed");
|
|
|
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
|
|
|
|
r.in.query_level = 3;
|
|
ZERO_STRUCT(return_auth);
|
|
|
|
/*
|
|
* we need to operate on a temporary copy of creds
|
|
* because dcerpc_netr_LogonGetCapabilities with
|
|
* an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
* without looking at the authenticator.
|
|
*/
|
|
tmp_creds = *creds;
|
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
|
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
|
"LogonGetCapabilities query_level=0 failed");
|
|
|
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
|
|
|
|
r.in.query_level = 1;
|
|
ZERO_STRUCT(return_auth);
|
|
|
|
/*
|
|
* we need to operate on a temporary copy of creds
|
|
* because dcerpc_netr_LogonGetCapabilities was
|
|
* dcerpc_netr_DummyFunction and returns NT_STATUS_NOT_IMPLEMENTED
|
|
* without looking at the authenticator.
|
|
*/
|
|
tmp_creds = *creds;
|
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
|
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status,
|
|
"LogonGetCapabilities query_level=1 failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"LogonGetCapabilities query_level=1 failed");
|
|
|
|
*creds = tmp_creds;
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
|
|
torture_assert_int_equal(tctx, creds->negotiate_flags,
|
|
capabilities.server_capabilities,
|
|
"negotiate flags");
|
|
|
|
torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
|
|
|
|
r.in.query_level = 2;
|
|
ZERO_STRUCT(return_auth);
|
|
|
|
/*
|
|
* we need to operate on a temporary copy of creds
|
|
* because dcerpc_netr_LogonGetCapabilities with
|
|
* an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
|
* => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
|
* without looking at the authenticator.
|
|
*/
|
|
tmp_creds = *creds;
|
|
netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
|
|
|
status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status,
|
|
"LogonGetCapabilities query_level=2 failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"LogonGetCapabilities query_level=2 failed");
|
|
|
|
*creds = tmp_creds;
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds,
|
|
&r.out.return_authenticator->cred),
|
|
"Credential chaining failed");
|
|
|
|
torture_assert_int_equal(tctx, requested_flags,
|
|
capabilities.requested_flags,
|
|
"negotiate flags");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon SamLogon
|
|
*/
|
|
static bool test_SamLogon(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netlogon_creds_CredentialState *creds;
|
|
|
|
if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
return test_netlogon_ops(p, tctx, credentials, creds);
|
|
}
|
|
|
|
static bool test_invalidAuthenticate2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netlogon_creds_CredentialState *creds;
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
|
torture_comment(tctx, "Testing invalidAuthenticate2\n");
|
|
|
|
if (!test_SetupCredentials2(p, tctx, flags,
|
|
credentials,
|
|
cli_credentials_get_secure_channel_type(credentials),
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
|
|
if (!test_SetupCredentials2ex(p, tctx, flags,
|
|
credentials,
|
|
"1234567890123456",
|
|
cli_credentials_get_secure_channel_type(credentials),
|
|
STATUS_BUFFER_OVERFLOW,
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
|
|
if (!test_SetupCredentials2ex(p, tctx, flags,
|
|
credentials,
|
|
"123456789012345",
|
|
cli_credentials_get_secure_channel_type(credentials),
|
|
NT_STATUS_OK,
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallengeGlobal(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b1 = p1->binding_handle;
|
|
const struct dcerpc_binding *bd1 = dcerpc_binding_handle_get_binding(b1);
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
struct dcerpc_binding_handle *b2 = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p2, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b2 = p2->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
|
|
"ServerAuthenticate3 failed on b2");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b2");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Test the re-use of the challenge is not possible on a third
|
|
* connection, after first using it second one.
|
|
*/
|
|
|
|
static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b1 = p1->binding_handle;
|
|
const struct dcerpc_binding *bd1 = dcerpc_binding_handle_get_binding(b1);
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
struct dcerpc_binding_handle *b2 = NULL;
|
|
struct dcerpc_pipe *p3 = NULL;
|
|
struct dcerpc_binding_handle *b3 = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p2, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b2 = p2->binding_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p3, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b3 = p3->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
|
|
"ServerAuthenticate3 failed on b2");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b2");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
/* We have to re-run this part */
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b3, tctx, &a),
|
|
"ServerAuthenticate3 failed on b3");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b3, due to credential reuse");
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Test if use of the per-pipe challenge will wipe out the globally cached challenge
|
|
*/
|
|
static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b1 = p1->binding_handle;
|
|
const struct dcerpc_binding *bd1 = dcerpc_binding_handle_get_binding(b1);
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
struct dcerpc_binding_handle *b2 = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p2, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b2 = p2->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b1, tctx, &a),
|
|
"ServerAuthenticate3 failed on b");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
/* We have to re-run this part */
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
|
|
"ServerAuthenticate3 failed on b2");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b2, due to credential reuse");
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Test if use of the globally cached challenge will wipe out the
|
|
* per-pipe challenge
|
|
*/
|
|
static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b1 = p1->binding_handle;
|
|
const struct dcerpc_binding *bd1 = dcerpc_binding_handle_get_binding(b1);
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
struct dcerpc_binding_handle *b2 = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p2, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b2 = p2->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
|
|
"ServerAuthenticate3 failed on b2");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
/* We have to re-run this part */
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b1, tctx, &a),
|
|
"ServerAuthenticate3 failed on b1");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b1, due to credential reuse");
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Test if more than one globally cached challenge works
|
|
*/
|
|
static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials1_random,
|
|
credentials2, credentials3, credentials_discard;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b1 = p1->binding_handle;
|
|
const struct dcerpc_binding *bd1 = dcerpc_binding_handle_get_binding(b1);
|
|
struct dcerpc_pipe *p2 = NULL;
|
|
struct dcerpc_binding_handle *b2 = NULL;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_pipe_connect_b(tctx, &p2, bd1,
|
|
&ndr_table_netlogon,
|
|
machine_credentials,
|
|
tctx->ev, tctx->lp_ctx),
|
|
"dcerpc_pipe_connect_b failed");
|
|
b2 = p2->binding_handle;
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = "CHALTEST1";
|
|
r.in.credentials = &credentials1_random;
|
|
r.out.return_credentials = &credentials_discard;
|
|
|
|
netlogon_creds_random_challenge(&credentials1_random);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
/* Now ask for the actual client name */
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = "CHALTEST2";
|
|
r.in.credentials = &credentials1_random;
|
|
r.out.return_credentials = &credentials_discard;
|
|
|
|
netlogon_creds_random_challenge(&credentials1_random);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
|
|
"ServerReqChallenge failed on b1");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 on b2 (must use global credentials)\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
|
|
"ServerAuthenticate3 failed on b2");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b2");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
/* We have to re-run this part */
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b1, tctx, &a),
|
|
"ServerAuthenticate3 failed on b1");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b1, due to credential reuse");
|
|
return true;
|
|
}
|
|
|
|
static bool test_ServerReqChallengeReuse(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
struct netr_ServerReqChallenge r;
|
|
struct netr_ServerAuthenticate3 a;
|
|
struct netr_Credential credentials1, credentials2, credentials3;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct samr_Password mach_password;
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const char *plain_pass;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
machine_name = cli_credentials_get_workstation(machine_credentials);
|
|
torture_assert(tctx, machine_name != NULL, "machine_name");
|
|
plain_pass = cli_credentials_get_password(machine_credentials);
|
|
torture_assert(tctx, plain_pass != NULL, "plain_pass");
|
|
|
|
torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
|
|
|
|
r.in.server_name = NULL;
|
|
r.in.computer_name = machine_name;
|
|
r.in.credentials = &credentials1;
|
|
r.out.return_credentials = &credentials2;
|
|
|
|
netlogon_creds_random_challenge(&credentials1);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
|
|
"ServerReqChallenge");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
|
|
|
|
E_md4hash(plain_pass, mach_password.hash);
|
|
|
|
a.in.server_name = NULL;
|
|
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
|
|
a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
a.in.computer_name = machine_name;
|
|
a.in.negotiate_flags = &flags;
|
|
a.in.credentials = &credentials3;
|
|
a.out.return_credentials = &credentials3;
|
|
a.out.negotiate_flags = &flags;
|
|
a.out.rid = &rid;
|
|
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
|
|
|
|
/* We have to re-run this part */
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b3, due to credential reuse");
|
|
|
|
ZERO_STRUCT(credentials1.data);
|
|
ZERO_STRUCT(credentials2.data);
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
&credentials1, &credentials2,
|
|
&mach_password, &credentials3,
|
|
flags,
|
|
flags);
|
|
|
|
torture_assert(tctx, creds != NULL, "memory allocation");
|
|
|
|
torture_comment(tctx, "Testing ServerAuthenticate3 with zero'ed challenge\n");
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_ACCESS_DENIED,
|
|
"ServerAuthenticate3 should have failed on b3, due to credential reuse");
|
|
return true;
|
|
}
|
|
|
|
static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *credentials)
|
|
{
|
|
struct netlogon_creds_CredentialState *creds;
|
|
|
|
if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
return test_netlogon_ops_args(p, tctx, credentials, creds, true);
|
|
}
|
|
|
|
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
|
|
static uint64_t sequence_nums[3];
|
|
|
|
/*
|
|
try a netlogon DatabaseSync
|
|
*/
|
|
static bool test_DatabaseSync(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_DatabaseSync r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
|
|
int i;
|
|
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
|
|
struct netr_Authenticator credential, return_authenticator;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
ZERO_STRUCT(return_authenticator);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.preferredmaximumlength = (uint32_t)-1;
|
|
r.in.return_authenticator = &return_authenticator;
|
|
r.out.delta_enum_array = &delta_enum_array;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
|
|
|
|
uint32_t sync_context = 0;
|
|
|
|
r.in.database_id = database_ids[i];
|
|
r.in.sync_context = &sync_context;
|
|
r.out.sync_context = &sync_context;
|
|
|
|
torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
|
|
|
|
do {
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
r.in.credential = &credential;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync_r(b, tctx, &r),
|
|
"DatabaseSync failed");
|
|
if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
|
|
break;
|
|
|
|
/* Native mode servers don't do this */
|
|
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
|
|
return true;
|
|
}
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
if (delta_enum_array &&
|
|
delta_enum_array->num_deltas > 0 &&
|
|
delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
|
|
delta_enum_array->delta_enum[0].delta_union.domain) {
|
|
sequence_nums[r.in.database_id] =
|
|
delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
|
|
torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
|
|
r.in.database_id,
|
|
(unsigned long long)sequence_nums[r.in.database_id]);
|
|
}
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
try a netlogon DatabaseDeltas
|
|
*/
|
|
static bool test_DatabaseDeltas(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_DatabaseDeltas r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
|
|
const uint32_t database_ids[] = {0, 1, 2};
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.preferredmaximumlength = (uint32_t)-1;
|
|
ZERO_STRUCT(r.in.return_authenticator);
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.delta_enum_array = &delta_enum_array;
|
|
|
|
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
|
|
r.in.database_id = database_ids[i];
|
|
r.in.sequence_num = &sequence_nums[r.in.database_id];
|
|
|
|
if (*r.in.sequence_num == 0) continue;
|
|
|
|
*r.in.sequence_num -= 1;
|
|
|
|
torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
|
|
r.in.database_id, (unsigned long long)*r.in.sequence_num);
|
|
|
|
do {
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseDeltas_r(b, tctx, &r),
|
|
"DatabaseDeltas failed");
|
|
if (NT_STATUS_EQUAL(r.out.result,
|
|
NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
|
|
torture_comment(tctx, "not considering %s to be an error\n",
|
|
nt_errstr(r.out.result));
|
|
return true;
|
|
}
|
|
if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
|
|
break;
|
|
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseDeltas");
|
|
|
|
if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
(*r.in.sequence_num)++;
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_DatabaseRedo(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_DatabaseRedo r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator credential;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
|
|
struct netr_ChangeLogEntry e;
|
|
struct dom_sid null_sid, *sid;
|
|
int i,d;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
ZERO_STRUCT(null_sid);
|
|
|
|
sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
|
|
|
|
{
|
|
|
|
struct {
|
|
uint32_t rid;
|
|
uint16_t flags;
|
|
uint8_t db_index;
|
|
uint8_t delta_type;
|
|
struct dom_sid sid;
|
|
const char *name;
|
|
NTSTATUS expected_error;
|
|
uint32_t expected_num_results;
|
|
uint8_t expected_delta_type_1;
|
|
uint8_t expected_delta_type_2;
|
|
const char *comment;
|
|
} changes[] = {
|
|
|
|
/* SAM_DATABASE_DOMAIN */
|
|
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_MODIFY_COUNT,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
|
|
.expected_num_results = 0,
|
|
.comment = "NETR_DELTA_MODIFY_COUNT"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = 0,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
|
|
.comment = "NULL DELTA"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_DOMAIN,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
|
|
.comment = "NETR_DELTA_DOMAIN"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINISTRATOR,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_USER,
|
|
.comment = "NETR_DELTA_USER by rid 500"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_GUEST,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_USER,
|
|
.comment = "NETR_DELTA_USER by rid 501"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = *sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
|
|
.comment = "NETR_DELTA_USER by sid and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
|
|
.comment = "NETR_DELTA_USER by null_sid and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_NAME_INCLUDED,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = "administrator",
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
|
|
.comment = "NETR_DELTA_USER by name 'administrator'"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINS,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_GROUP,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 2,
|
|
.expected_delta_type_1 = NETR_DELTA_GROUP,
|
|
.expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
|
|
.comment = "NETR_DELTA_GROUP by rid 512"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINS,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_DOMAIN,
|
|
.delta_type = NETR_DELTA_GROUP_MEMBER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 2,
|
|
.expected_delta_type_1 = NETR_DELTA_GROUP,
|
|
.expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
|
|
.comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
|
|
},
|
|
|
|
|
|
/* SAM_DATABASE_BUILTIN */
|
|
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_MODIFY_COUNT,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
|
|
.expected_num_results = 0,
|
|
.comment = "NETR_DELTA_MODIFY_COUNT"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_DOMAIN,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
|
|
.comment = "NETR_DELTA_DOMAIN"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINISTRATOR,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
|
|
.comment = "NETR_DELTA_USER by rid 500"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_USER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
|
|
.comment = "NETR_DELTA_USER"
|
|
},
|
|
{
|
|
.rid = 544,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_ALIAS,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 2,
|
|
.expected_delta_type_1 = NETR_DELTA_ALIAS,
|
|
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
|
|
.comment = "NETR_DELTA_ALIAS by rid 544"
|
|
},
|
|
{
|
|
.rid = 544,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_ALIAS_MEMBER,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 2,
|
|
.expected_delta_type_1 = NETR_DELTA_ALIAS,
|
|
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
|
|
.comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
|
|
},
|
|
{
|
|
.rid = 544,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = 0,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
|
|
.comment = "NULL DELTA by rid 544"
|
|
},
|
|
{
|
|
.rid = 544,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = 0,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
|
|
.comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
|
|
},
|
|
{
|
|
.rid = 544,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_ALIAS,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 2,
|
|
.expected_delta_type_1 = NETR_DELTA_ALIAS,
|
|
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
|
|
.comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_BUILTIN,
|
|
.delta_type = NETR_DELTA_ALIAS,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
|
|
.comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
|
|
},
|
|
|
|
/* SAM_DATABASE_PRIVS */
|
|
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = 0,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_ACCESS_DENIED,
|
|
.expected_num_results = 0,
|
|
.comment = "NULL DELTA"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_MODIFY_COUNT,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
|
|
.expected_num_results = 0,
|
|
.comment = "NETR_DELTA_MODIFY_COUNT"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_POLICY,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_POLICY,
|
|
.comment = "NETR_DELTA_POLICY"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_POLICY,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_POLICY,
|
|
.comment = "NETR_DELTA_POLICY by null sid and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_POLICY,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_POLICY,
|
|
.comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINISTRATOR,
|
|
.flags = 0,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_ACCOUNT,
|
|
.sid = null_sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
|
|
.expected_num_results = 0,
|
|
.comment = "NETR_DELTA_ACCOUNT by rid 500"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_ACCOUNT,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_ACCOUNT,
|
|
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED |
|
|
NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_ACCOUNT,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_ACCOUNT,
|
|
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED |
|
|
NETR_CHANGELOG_NAME_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_ACCOUNT,
|
|
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_INVALID_PARAMETER,
|
|
.expected_num_results = 0,
|
|
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
|
|
},
|
|
{
|
|
.rid = DOMAIN_RID_ADMINISTRATOR,
|
|
.flags = NETR_CHANGELOG_SID_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_ACCOUNT,
|
|
.sid = *sid,
|
|
.name = NULL,
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
|
|
.comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_NAME_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_SECRET,
|
|
.sid = null_sid,
|
|
.name = "IsurelydontexistIhope",
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
|
|
.comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
|
|
},
|
|
{
|
|
.rid = 0,
|
|
.flags = NETR_CHANGELOG_NAME_INCLUDED,
|
|
.db_index = SAM_DATABASE_PRIVS,
|
|
.delta_type = NETR_DELTA_SECRET,
|
|
.sid = null_sid,
|
|
.name = "G$BCKUPKEY_P",
|
|
.expected_error = NT_STATUS_OK,
|
|
.expected_num_results = 1,
|
|
.expected_delta_type_1 = NETR_DELTA_SECRET,
|
|
.comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
|
|
}
|
|
};
|
|
|
|
ZERO_STRUCT(return_authenticator);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.return_authenticator = &return_authenticator;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.delta_enum_array = &delta_enum_array;
|
|
|
|
for (d=0; d<3; d++) {
|
|
const char *database = NULL;
|
|
|
|
switch (d) {
|
|
case 0:
|
|
database = "SAM";
|
|
break;
|
|
case 1:
|
|
database = "BUILTIN";
|
|
break;
|
|
case 2:
|
|
database = "LSA";
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
torture_comment(tctx, "Testing DatabaseRedo\n");
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
for (i=0;i<ARRAY_SIZE(changes);i++) {
|
|
|
|
if (d != changes[i].db_index) {
|
|
continue;
|
|
}
|
|
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
r.in.credential = &credential;
|
|
|
|
e.serial_number1 = 0;
|
|
e.serial_number2 = 0;
|
|
e.object_rid = changes[i].rid;
|
|
e.flags = changes[i].flags;
|
|
e.db_index = changes[i].db_index;
|
|
e.delta_type = changes[i].delta_type;
|
|
|
|
switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
|
|
case NETR_CHANGELOG_SID_INCLUDED:
|
|
e.object.object_sid = changes[i].sid;
|
|
break;
|
|
case NETR_CHANGELOG_NAME_INCLUDED:
|
|
e.object.object_name = changes[i].name;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
r.in.change_log_entry = e;
|
|
|
|
torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
|
|
database, changes[i].comment);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseRedo_r(b, tctx, &r),
|
|
"DatabaseRedo failed");
|
|
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
|
|
return true;
|
|
}
|
|
|
|
torture_assert_ntstatus_equal(tctx, r.out.result, changes[i].expected_error, changes[i].comment);
|
|
if (delta_enum_array) {
|
|
torture_assert_int_equal(tctx,
|
|
delta_enum_array->num_deltas,
|
|
changes[i].expected_num_results,
|
|
changes[i].comment);
|
|
if (delta_enum_array->num_deltas > 0) {
|
|
torture_assert_int_equal(tctx,
|
|
delta_enum_array->delta_enum[0].delta_type,
|
|
changes[i].expected_delta_type_1,
|
|
changes[i].comment);
|
|
}
|
|
if (delta_enum_array->num_deltas > 1) {
|
|
torture_assert_int_equal(tctx,
|
|
delta_enum_array->delta_enum[1].delta_type,
|
|
changes[i].expected_delta_type_2,
|
|
changes[i].comment);
|
|
}
|
|
}
|
|
|
|
if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon AccountDeltas
|
|
*/
|
|
static bool test_AccountDeltas(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_AccountDeltas r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
|
|
struct netr_AccountBuffer buffer;
|
|
uint32_t count_returned = 0;
|
|
uint32_t total_entries = 0;
|
|
struct netr_UAS_INFO_0 recordid;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
ZERO_STRUCT(return_authenticator);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.return_authenticator = &return_authenticator;
|
|
netlogon_creds_client_authenticator(creds, &r.in.credential);
|
|
ZERO_STRUCT(r.in.uas);
|
|
r.in.count=10;
|
|
r.in.level=0;
|
|
r.in.buffersize=100;
|
|
r.out.buffer = &buffer;
|
|
r.out.count_returned = &count_returned;
|
|
r.out.total_entries = &total_entries;
|
|
r.out.recordid = &recordid;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
/* w2k3 returns "NOT IMPLEMENTED" for this call */
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountDeltas_r(b, tctx, &r),
|
|
"AccountDeltas failed");
|
|
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon AccountSync
|
|
*/
|
|
static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_AccountSync r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
|
|
struct netr_AccountBuffer buffer;
|
|
uint32_t count_returned = 0;
|
|
uint32_t total_entries = 0;
|
|
uint32_t next_reference = 0;
|
|
struct netr_UAS_INFO_0 recordid;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
ZERO_STRUCT(recordid);
|
|
ZERO_STRUCT(return_authenticator);
|
|
|
|
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.return_authenticator = &return_authenticator;
|
|
netlogon_creds_client_authenticator(creds, &r.in.credential);
|
|
r.in.recordid = &recordid;
|
|
r.in.reference=0;
|
|
r.in.level=0;
|
|
r.in.buffersize=100;
|
|
r.out.buffer = &buffer;
|
|
r.out.count_returned = &count_returned;
|
|
r.out.total_entries = &total_entries;
|
|
r.out.next_reference = &next_reference;
|
|
r.out.recordid = &recordid;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
|
|
/* w2k3 returns "NOT IMPLEMENTED" for this call */
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountSync_r(b, tctx, &r),
|
|
"AccountSync failed");
|
|
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon GetDcName
|
|
*/
|
|
static bool test_GetDcName(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
struct netr_GetDcName r;
|
|
const char *dcname = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
|
|
r.out.dcname = &dcname;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_GetDcName_r(b, tctx, &r),
|
|
"GetDcName failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "GetDcName failed");
|
|
|
|
torture_comment(tctx, "\tDC is at '%s'\n", dcname);
|
|
|
|
return true;
|
|
}
|
|
|
|
static const char *function_code_str(TALLOC_CTX *mem_ctx,
|
|
enum netr_LogonControlCode function_code)
|
|
{
|
|
switch (function_code) {
|
|
case NETLOGON_CONTROL_QUERY:
|
|
return "NETLOGON_CONTROL_QUERY";
|
|
case NETLOGON_CONTROL_REPLICATE:
|
|
return "NETLOGON_CONTROL_REPLICATE";
|
|
case NETLOGON_CONTROL_SYNCHRONIZE:
|
|
return "NETLOGON_CONTROL_SYNCHRONIZE";
|
|
case NETLOGON_CONTROL_PDC_REPLICATE:
|
|
return "NETLOGON_CONTROL_PDC_REPLICATE";
|
|
case NETLOGON_CONTROL_REDISCOVER:
|
|
return "NETLOGON_CONTROL_REDISCOVER";
|
|
case NETLOGON_CONTROL_TC_QUERY:
|
|
return "NETLOGON_CONTROL_TC_QUERY";
|
|
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
|
|
return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
|
|
case NETLOGON_CONTROL_FIND_USER:
|
|
return "NETLOGON_CONTROL_FIND_USER";
|
|
case NETLOGON_CONTROL_CHANGE_PASSWORD:
|
|
return "NETLOGON_CONTROL_CHANGE_PASSWORD";
|
|
case NETLOGON_CONTROL_TC_VERIFY:
|
|
return "NETLOGON_CONTROL_TC_VERIFY";
|
|
case NETLOGON_CONTROL_FORCE_DNS_REG:
|
|
return "NETLOGON_CONTROL_FORCE_DNS_REG";
|
|
case NETLOGON_CONTROL_QUERY_DNS_REG:
|
|
return "NETLOGON_CONTROL_QUERY_DNS_REG";
|
|
case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
|
|
return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
|
|
case NETLOGON_CONTROL_TRUNCATE_LOG:
|
|
return "NETLOGON_CONTROL_TRUNCATE_LOG";
|
|
case NETLOGON_CONTROL_SET_DBFLAG:
|
|
return "NETLOGON_CONTROL_SET_DBFLAG";
|
|
case NETLOGON_CONTROL_BREAKPOINT:
|
|
return "NETLOGON_CONTROL_BREAKPOINT";
|
|
default:
|
|
return talloc_asprintf(mem_ctx, "unknown function code: %d",
|
|
function_code);
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
try a netlogon LogonControl
|
|
*/
|
|
static bool test_LogonControl(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonControl r;
|
|
union netr_CONTROL_QUERY_INFORMATION query;
|
|
int i,f;
|
|
enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
uint32_t function_codes[] = {
|
|
NETLOGON_CONTROL_QUERY,
|
|
NETLOGON_CONTROL_REPLICATE,
|
|
NETLOGON_CONTROL_SYNCHRONIZE,
|
|
NETLOGON_CONTROL_PDC_REPLICATE,
|
|
NETLOGON_CONTROL_REDISCOVER,
|
|
NETLOGON_CONTROL_TC_QUERY,
|
|
NETLOGON_CONTROL_TRANSPORT_NOTIFY,
|
|
NETLOGON_CONTROL_FIND_USER,
|
|
NETLOGON_CONTROL_CHANGE_PASSWORD,
|
|
NETLOGON_CONTROL_TC_VERIFY,
|
|
NETLOGON_CONTROL_FORCE_DNS_REG,
|
|
NETLOGON_CONTROL_QUERY_DNS_REG,
|
|
NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
|
|
NETLOGON_CONTROL_TRUNCATE_LOG,
|
|
NETLOGON_CONTROL_SET_DBFLAG,
|
|
NETLOGON_CONTROL_BREAKPOINT
|
|
};
|
|
|
|
if (machine_credentials) {
|
|
secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
}
|
|
|
|
torture_comment(tctx, "Testing LogonControl with secure channel type: %d\n",
|
|
secure_channel_type);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.function_code = 1;
|
|
r.out.query = &query;
|
|
|
|
for (f=0;f<ARRAY_SIZE(function_codes); f++) {
|
|
for (i=1;i<5;i++) {
|
|
|
|
r.in.function_code = function_codes[f];
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
|
|
|
|
switch (r.in.level) {
|
|
case 1:
|
|
switch (r.in.function_code) {
|
|
case NETLOGON_CONTROL_REPLICATE:
|
|
case NETLOGON_CONTROL_SYNCHRONIZE:
|
|
case NETLOGON_CONTROL_PDC_REPLICATE:
|
|
case NETLOGON_CONTROL_BREAKPOINT:
|
|
case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
|
|
if ((secure_channel_type == SEC_CHAN_BDC) ||
|
|
(secure_channel_type == SEC_CHAN_WKSTA)) {
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
|
|
"LogonControl returned unexpected error code");
|
|
} else {
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
|
|
"LogonControl returned unexpected error code");
|
|
}
|
|
break;
|
|
|
|
case NETLOGON_CONTROL_REDISCOVER:
|
|
case NETLOGON_CONTROL_TC_QUERY:
|
|
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
|
|
case NETLOGON_CONTROL_FIND_USER:
|
|
case NETLOGON_CONTROL_CHANGE_PASSWORD:
|
|
case NETLOGON_CONTROL_TC_VERIFY:
|
|
case NETLOGON_CONTROL_FORCE_DNS_REG:
|
|
case NETLOGON_CONTROL_QUERY_DNS_REG:
|
|
case NETLOGON_CONTROL_SET_DBFLAG:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
|
|
"LogonControl returned unexpected error code");
|
|
break;
|
|
case NETLOGON_CONTROL_TRUNCATE_LOG:
|
|
if ((secure_channel_type == SEC_CHAN_BDC) ||
|
|
(secure_channel_type == SEC_CHAN_WKSTA)) {
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
|
|
"LogonControl returned unexpected error code");
|
|
} else if (!W_ERROR_EQUAL(r.out.result, WERR_NOT_SUPPORTED)) {
|
|
torture_assert_werr_ok(tctx, r.out.result,
|
|
"LogonControl returned unexpected result");
|
|
}
|
|
break;
|
|
default:
|
|
torture_assert_werr_ok(tctx, r.out.result,
|
|
"LogonControl returned unexpected result");
|
|
break;
|
|
}
|
|
break;
|
|
case 2:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
|
|
"LogonControl returned unexpected error code");
|
|
break;
|
|
default:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL,
|
|
"LogonControl returned unexpected error code");
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
r.in.level = 52;
|
|
torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
status = dcerpc_netr_LogonControl_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl");
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
try a netlogon GetAnyDCName
|
|
*/
|
|
static bool test_GetAnyDCName(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_GetAnyDCName r;
|
|
const char *dcname = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.out.dcname = &dcname;
|
|
|
|
status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
|
|
if ((!W_ERROR_IS_OK(r.out.result)) &&
|
|
(!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
|
|
return false;
|
|
}
|
|
|
|
if (dcname) {
|
|
torture_comment(tctx, "\tDC is at '%s'\n", dcname);
|
|
}
|
|
|
|
r.in.domainname = NULL;
|
|
|
|
status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
|
|
if ((!W_ERROR_IS_OK(r.out.result)) &&
|
|
(!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
|
|
return false;
|
|
}
|
|
|
|
r.in.domainname = "";
|
|
|
|
status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
|
|
if ((!W_ERROR_IS_OK(r.out.result)) &&
|
|
(!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
try a netlogon LogonControl2
|
|
*/
|
|
static bool test_LogonControl2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonControl2 r;
|
|
union netr_CONTROL_DATA_INFORMATION data;
|
|
union netr_CONTROL_QUERY_INFORMATION query;
|
|
enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
if (machine_credentials) {
|
|
secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
}
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 with secure channel type: %d\n",
|
|
secure_channel_type);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
|
|
r.in.data = &data;
|
|
r.out.query = &query;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
}
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
}
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
}
|
|
|
|
data.debug_level = ~0;
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
}
|
|
|
|
ZERO_STRUCT(data);
|
|
r.in.function_code = 52;
|
|
r.in.data = &data;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
switch (secure_channel_type) {
|
|
case SEC_CHAN_NULL:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "LogonControl2");
|
|
break;
|
|
default:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2");
|
|
break;
|
|
}
|
|
data.debug_level = ~0;
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
|
|
r.in.data = &data;
|
|
|
|
r.in.level = 52;
|
|
torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl2");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon DatabaseSync2
|
|
*/
|
|
static bool test_DatabaseSync2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_DatabaseSync2 r;
|
|
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
|
|
struct netr_Authenticator return_authenticator, credential;
|
|
|
|
struct netlogon_creds_CredentialState *creds;
|
|
const uint32_t database_ids[] = {0, 1, 2};
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds)) {
|
|
return false;
|
|
}
|
|
|
|
ZERO_STRUCT(return_authenticator);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computername = TEST_MACHINE_NAME;
|
|
r.in.preferredmaximumlength = (uint32_t)-1;
|
|
r.in.return_authenticator = &return_authenticator;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.delta_enum_array = &delta_enum_array;
|
|
|
|
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
|
|
|
|
uint32_t sync_context = 0;
|
|
|
|
r.in.database_id = database_ids[i];
|
|
r.in.sync_context = &sync_context;
|
|
r.out.sync_context = &sync_context;
|
|
r.in.restart_state = 0;
|
|
|
|
torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
|
|
|
|
do {
|
|
netlogon_creds_client_authenticator(creds, &credential);
|
|
|
|
r.in.credential = &credential;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync2_r(b, tctx, &r),
|
|
"DatabaseSync2 failed");
|
|
if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
|
|
break;
|
|
|
|
/* Native mode servers don't do this */
|
|
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
|
|
return true;
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync2");
|
|
|
|
if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
|
|
torture_comment(tctx, "Credential chaining failed\n");
|
|
}
|
|
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
try a netlogon LogonControl2Ex
|
|
*/
|
|
|
|
static bool test_LogonControl2Ex(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonControl2Ex r;
|
|
union netr_CONTROL_DATA_INFORMATION data;
|
|
union netr_CONTROL_QUERY_INFORMATION query;
|
|
enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
if (machine_credentials) {
|
|
secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
}
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex with secure channel type: %d\n",
|
|
secure_channel_type);
|
|
|
|
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
|
|
r.in.data = &data;
|
|
r.out.query = &query;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
}
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
}
|
|
|
|
data.domain = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
}
|
|
|
|
data.debug_level = ~0;
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
|
|
r.in.data = &data;
|
|
|
|
for (i=1;i<=4;i++) {
|
|
r.in.level = i;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
}
|
|
|
|
ZERO_STRUCT(data);
|
|
r.in.function_code = 52;
|
|
r.in.data = &data;
|
|
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
switch (secure_channel_type) {
|
|
case SEC_CHAN_NULL:
|
|
torture_assert(tctx,
|
|
W_ERROR_EQUAL(r.out.result, WERR_NOT_SUPPORTED) ||
|
|
W_ERROR_EQUAL(r.out.result, WERR_INVALID_PARAMETER),
|
|
"LogonControl2Ex");
|
|
break;
|
|
default:
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2Ex");
|
|
break;
|
|
}
|
|
data.debug_level = ~0;
|
|
|
|
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
|
|
r.in.data = &data;
|
|
|
|
r.in.level = 52;
|
|
torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
|
|
function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
|
|
|
|
status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
|
|
torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl2Ex");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_GetForestTrustInformation r;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_Authenticator a;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct lsa_ForestTrustInformation *forest_trust_info;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
|
|
if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &a;
|
|
r.in.flags = 0;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.forest_trust_info = &forest_trust_info;
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
dcerpc_netr_GetForestTrustInformation_r(b, tctx, &r),
|
|
"netr_GetForestTrustInformation failed");
|
|
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
torture_comment(tctx, "not considering NT_STATUS_NOT_IMPLEMENTED as an error\n");
|
|
} else {
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"netr_GetForestTrustInformation failed");
|
|
}
|
|
|
|
torture_assert(tctx,
|
|
netlogon_creds_client_check(creds, &return_authenticator.cred),
|
|
"Credential chaining failed");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p, const char *trusted_domain_name)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetForestTrustInformation r;
|
|
struct lsa_ForestTrustInformation info, *info_ptr;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
info_ptr = &info;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.trusted_domain_name = trusted_domain_name;
|
|
r.in.flags = 0;
|
|
r.out.forest_trust_info = &info_ptr;
|
|
|
|
torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
|
|
|
|
status = dcerpc_netr_DsRGetForestTrustInformation_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
|
|
torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon netr_DsrEnumerateDomainTrusts
|
|
*/
|
|
static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsrEnumerateDomainTrusts r;
|
|
struct netr_DomainTrustList trusts;
|
|
int i;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.trust_flags = 0x3f;
|
|
r.out.trusts = &trusts;
|
|
|
|
status = dcerpc_netr_DsrEnumerateDomainTrusts_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
|
|
torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
|
|
|
|
/* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
|
|
* will show non-forest trusts and all UPN suffixes of the own forest
|
|
* as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
|
|
|
|
if (r.out.trusts->count) {
|
|
if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
for (i=0; i<r.out.trusts->count; i++) {
|
|
|
|
/* get info for transitive forest trusts */
|
|
|
|
if (r.out.trusts->array[i].trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
|
|
if (!test_netr_DsRGetForestTrustInformation(tctx, p,
|
|
r.out.trusts->array[i].dns_name)) {
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_NetrEnumerateTrustedDomains r;
|
|
struct netr_Blob trusted_domains_blob;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.out.trusted_domains_blob = &trusted_domains_blob;
|
|
|
|
status = dcerpc_netr_NetrEnumerateTrustedDomains_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_NetrEnumerateTrustedDomainsEx r;
|
|
struct netr_DomainTrustList dom_trust_list;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.out.dom_trust_list = &dom_trust_list;
|
|
|
|
status = dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
|
|
torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
const char *computer_name,
|
|
const char *expected_site)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetSiteName r;
|
|
const char *site = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.computer_name = computer_name;
|
|
r.out.site = &site;
|
|
torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
|
|
|
|
status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
|
|
torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
|
|
torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
try a netlogon netr_DsRGetDCName
|
|
*/
|
|
static bool test_netr_DsRGetDCName(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetDCName r;
|
|
struct netr_DsRGetDCNameInfo *info = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
|
|
r.in.domain_guid = NULL;
|
|
r.in.site_guid = NULL;
|
|
r.in.flags = DS_RETURN_DNS_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
|
|
torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)),
|
|
DS_DNS_CONTROLLER,
|
|
"DsRGetDCName");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)),
|
|
DS_DNS_DOMAIN,
|
|
"DsRGetDCName");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCName");
|
|
|
|
r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
|
|
r.in.flags = 0;
|
|
|
|
status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
|
|
torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)), 0,
|
|
"DsRGetDCName");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)), 0,
|
|
"DsRGetDCName");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCName");
|
|
|
|
if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_SERVER_CLOSEST)),
|
|
DS_SERVER_CLOSEST,
|
|
"DsRGetDCName");
|
|
}
|
|
|
|
return test_netr_DsRGetSiteName(p, tctx,
|
|
info->dc_unc,
|
|
info->dc_site_name);
|
|
}
|
|
|
|
/*
|
|
try a netlogon netr_DsRGetDCNameEx
|
|
*/
|
|
static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetDCNameEx r;
|
|
struct netr_DsRGetDCNameInfo *info = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
|
|
r.in.domain_guid = NULL;
|
|
r.in.site_name = NULL;
|
|
r.in.flags = DS_RETURN_DNS_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)),
|
|
DS_DNS_CONTROLLER,
|
|
"DsRGetDCNameEx");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)),
|
|
DS_DNS_DOMAIN,
|
|
"DsRGetDCNameEx");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCNameEx");
|
|
|
|
r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
|
|
r.in.flags = 0;
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)), 0,
|
|
"DsRGetDCNameEx");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)), 0,
|
|
"DsRGetDCNameEx");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCNameEx");
|
|
|
|
if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_SERVER_CLOSEST)),
|
|
DS_SERVER_CLOSEST,
|
|
"DsRGetDCNameEx");
|
|
}
|
|
|
|
return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
|
|
info->dc_site_name);
|
|
}
|
|
|
|
/*
|
|
try a netlogon netr_DsRGetDCNameEx2
|
|
*/
|
|
static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_DsRGetDCNameEx2 r;
|
|
struct netr_DsRGetDCNameInfo *info = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with no inputs\n");
|
|
ZERO_STRUCT(r.in);
|
|
r.in.flags = DS_RETURN_DNS_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)),
|
|
DS_DNS_CONTROLLER,
|
|
"DsRGetDCNameEx2");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)),
|
|
DS_DNS_DOMAIN,
|
|
"DsRGetDCNameEx2");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCNameEx2");
|
|
|
|
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.client_account = NULL;
|
|
r.in.mask = 0x00000000;
|
|
r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
|
|
r.in.domain_guid = NULL;
|
|
r.in.site_name = NULL;
|
|
r.in.flags = DS_RETURN_DNS_NAME;
|
|
r.out.info = &info;
|
|
|
|
torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
|
|
|
|
r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
|
|
r.in.flags = 0;
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
|
|
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_CONTROLLER)), 0,
|
|
"DsRGetDCNameEx2");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_DOMAIN)), 0,
|
|
"DsRGetDCNameEx2");
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_DNS_FOREST_ROOT)),
|
|
DS_DNS_FOREST_ROOT,
|
|
"DsRGetDCNameEx2");
|
|
|
|
if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
|
|
torture_assert_int_equal(tctx,
|
|
(info->dc_flags & (DS_SERVER_CLOSEST)),
|
|
DS_SERVER_CLOSEST,
|
|
"DsRGetDCNameEx2");
|
|
}
|
|
|
|
torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client account\n");
|
|
r.in.client_account = TEST_MACHINE_NAME"$";
|
|
r.in.mask = ACB_SVRTRUST;
|
|
r.in.flags = DS_RETURN_FLAT_NAME;
|
|
r.out.info = &info;
|
|
|
|
status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
|
|
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
|
|
|
|
return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
|
|
info->dc_site_name);
|
|
}
|
|
|
|
/* This is a substitution for "samdb_server_site_name" which relies on the
|
|
* correct "lp_ctx" and therefore can't be used here. */
|
|
static const char *server_site_name(struct torture_context *tctx,
|
|
struct ldb_context *ldb)
|
|
{
|
|
TALLOC_CTX *tmp_ctx;
|
|
struct ldb_dn *dn, *server_dn;
|
|
const struct ldb_val *site_name_val;
|
|
const char *server_dn_str, *site_name;
|
|
|
|
tmp_ctx = talloc_new(ldb);
|
|
if (tmp_ctx == NULL) {
|
|
goto failed;
|
|
}
|
|
|
|
dn = ldb_dn_new(tmp_ctx, ldb, "");
|
|
if (dn == NULL) {
|
|
goto failed;
|
|
}
|
|
|
|
server_dn_str = samdb_search_string(ldb, tmp_ctx, dn, "serverName",
|
|
NULL);
|
|
if (server_dn_str == NULL) {
|
|
goto failed;
|
|
}
|
|
|
|
server_dn = ldb_dn_new(tmp_ctx, ldb, server_dn_str);
|
|
if (server_dn == NULL) {
|
|
goto failed;
|
|
}
|
|
|
|
/* CN=<Server name>, CN=Servers, CN=<Site name>, CN=Sites, ... */
|
|
site_name_val = ldb_dn_get_component_val(server_dn, 2);
|
|
if (site_name_val == NULL) {
|
|
goto failed;
|
|
}
|
|
|
|
site_name = (const char *) site_name_val->data;
|
|
|
|
talloc_steal(tctx, site_name);
|
|
talloc_free(tmp_ctx);
|
|
|
|
return site_name;
|
|
|
|
failed:
|
|
talloc_free(tmp_ctx);
|
|
return NULL;
|
|
}
|
|
|
|
static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
char *url;
|
|
struct ldb_context *sam_ctx = NULL;
|
|
NTSTATUS status;
|
|
struct netr_DsrGetDcSiteCoverageW r;
|
|
struct DcSitesCtr *ctr = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
torture_comment(tctx, "This does only pass with the default site\n");
|
|
|
|
/* We won't double-check this when we are over 'local' transports */
|
|
if (dcerpc_server_name(p)) {
|
|
/* Set up connection to SAMDB on DC */
|
|
url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
|
|
sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
|
|
NULL,
|
|
samba_cmdline_get_creds(),
|
|
0);
|
|
|
|
torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
|
|
}
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.out.ctr = &ctr;
|
|
|
|
status = dcerpc_netr_DsrGetDcSiteCoverageW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
torture_assert(tctx, ctr->num_sites == 1,
|
|
"we should per default only get the default site");
|
|
if (sam_ctx != NULL) {
|
|
torture_assert_casestr_equal(tctx, ctr->sites[0].string,
|
|
server_site_name(tctx, sam_ctx),
|
|
"didn't return default site");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
char *url;
|
|
struct ldb_context *sam_ctx = NULL;
|
|
NTSTATUS status;
|
|
struct netr_DsRAddressToSitenamesW r;
|
|
struct netr_DsRAddress addrs[6];
|
|
struct sockaddr_in *addr;
|
|
#ifdef HAVE_IPV6
|
|
struct sockaddr_in6 *addr6;
|
|
#endif
|
|
struct netr_DsRAddressToSitenamesWCtr *ctr;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
uint32_t i;
|
|
int ret;
|
|
|
|
torture_comment(tctx, "This does only pass with the default site\n");
|
|
|
|
/* We won't double-check this when we are over 'local' transports */
|
|
if (dcerpc_server_name(p)) {
|
|
/* Set up connection to SAMDB on DC */
|
|
url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
|
|
sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
|
|
NULL,
|
|
samba_cmdline_get_creds(),
|
|
0);
|
|
|
|
torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
|
|
}
|
|
|
|
/* First try valid IP addresses */
|
|
|
|
addrs[0].size = sizeof(struct sockaddr_in);
|
|
addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
|
|
addr = (struct sockaddr_in *) addrs[0].buffer;
|
|
addrs[0].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[1].size = sizeof(struct sockaddr_in);
|
|
addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
|
|
addr = (struct sockaddr_in *) addrs[1].buffer;
|
|
addrs[1].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[2].size = sizeof(struct sockaddr_in);
|
|
addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
|
|
addr = (struct sockaddr_in *) addrs[2].buffer;
|
|
addrs[2].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
#ifdef HAVE_IPV6
|
|
addrs[3].size = sizeof(struct sockaddr_in6);
|
|
addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
|
|
addrs[3].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[4].size = sizeof(struct sockaddr_in6);
|
|
addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
|
|
addrs[4].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[5].size = sizeof(struct sockaddr_in6);
|
|
addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
|
|
addrs[5].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
#else
|
|
/* the test cases are repeated to have exactly 6. This is for
|
|
* compatibility with IPv4-only machines */
|
|
addrs[3].size = sizeof(struct sockaddr_in);
|
|
addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
|
|
addr = (struct sockaddr_in *) addrs[3].buffer;
|
|
addrs[3].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[4].size = sizeof(struct sockaddr_in);
|
|
addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
|
|
addr = (struct sockaddr_in *) addrs[4].buffer;
|
|
addrs[4].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[5].size = sizeof(struct sockaddr_in);
|
|
addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
|
|
addr = (struct sockaddr_in *) addrs[5].buffer;
|
|
addrs[5].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
#endif
|
|
|
|
ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.count = 6;
|
|
r.in.addresses = addrs;
|
|
r.out.ctr = &ctr;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
if (sam_ctx != NULL) {
|
|
for (i = 0; i < 3; i++) {
|
|
torture_assert_casestr_equal(tctx,
|
|
ctr->sitename[i].string,
|
|
server_site_name(tctx, sam_ctx),
|
|
"didn't return default site");
|
|
}
|
|
for (i = 3; i < 6; i++) {
|
|
/* Windows returns "NULL" for the sitename if it isn't
|
|
* IPv6 configured */
|
|
if (torture_setting_bool(tctx, "samba4", false)) {
|
|
torture_assert_casestr_equal(tctx,
|
|
ctr->sitename[i].string,
|
|
server_site_name(tctx, sam_ctx),
|
|
"didn't return default site");
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Now try invalid ones (too short buffers) */
|
|
|
|
addrs[0].size = 0;
|
|
addrs[1].size = 1;
|
|
addrs[2].size = 4;
|
|
|
|
addrs[3].size = 0;
|
|
addrs[4].size = 1;
|
|
addrs[5].size = 4;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
for (i = 0; i < 6; i++) {
|
|
torture_assert(tctx, ctr->sitename[i].string == NULL,
|
|
"sitename should be null");
|
|
}
|
|
|
|
/* Now try invalid ones (wrong address types) */
|
|
|
|
addrs[0].size = 10;
|
|
addrs[0].buffer[0] = AF_UNSPEC;
|
|
addrs[1].size = 10;
|
|
addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
|
|
addrs[2].size = 10;
|
|
addrs[2].buffer[0] = AF_UNIX;
|
|
|
|
addrs[3].size = 10;
|
|
addrs[3].buffer[0] = 250;
|
|
addrs[4].size = 10;
|
|
addrs[4].buffer[0] = 251;
|
|
addrs[5].size = 10;
|
|
addrs[5].buffer[0] = 252;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
for (i = 0; i < 6; i++) {
|
|
torture_assert(tctx, ctr->sitename[i].string == NULL,
|
|
"sitename should be null");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
char *url;
|
|
struct ldb_context *sam_ctx = NULL;
|
|
NTSTATUS status;
|
|
struct netr_DsRAddressToSitenamesExW r;
|
|
struct netr_DsRAddress addrs[6];
|
|
struct sockaddr_in *addr;
|
|
#ifdef HAVE_IPV6
|
|
struct sockaddr_in6 *addr6;
|
|
#endif
|
|
struct netr_DsRAddressToSitenamesExWCtr *ctr;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
uint32_t i;
|
|
int ret;
|
|
|
|
torture_comment(tctx, "This does pass with the default site\n");
|
|
|
|
/* We won't double-check this when we are over 'local' transports */
|
|
if (dcerpc_server_name(p)) {
|
|
/* Set up connection to SAMDB on DC */
|
|
url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
|
|
sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
|
|
NULL,
|
|
samba_cmdline_get_creds(),
|
|
0);
|
|
|
|
torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
|
|
}
|
|
|
|
/* First try valid IP addresses */
|
|
|
|
addrs[0].size = sizeof(struct sockaddr_in);
|
|
addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
|
|
addr = (struct sockaddr_in *) addrs[0].buffer;
|
|
addrs[0].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[1].size = sizeof(struct sockaddr_in);
|
|
addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
|
|
addr = (struct sockaddr_in *) addrs[1].buffer;
|
|
addrs[1].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[2].size = sizeof(struct sockaddr_in);
|
|
addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
|
|
addr = (struct sockaddr_in *) addrs[2].buffer;
|
|
addrs[2].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
#ifdef HAVE_IPV6
|
|
addrs[3].size = sizeof(struct sockaddr_in6);
|
|
addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
|
|
addrs[3].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[4].size = sizeof(struct sockaddr_in6);
|
|
addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
|
|
addrs[4].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[5].size = sizeof(struct sockaddr_in6);
|
|
addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
|
|
addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
|
|
addrs[5].buffer[0] = AF_INET6;
|
|
ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
#else
|
|
/* the test cases are repeated to have exactly 6. This is for
|
|
* compatibility with IPv4-only machines */
|
|
addrs[3].size = sizeof(struct sockaddr_in);
|
|
addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
|
|
addr = (struct sockaddr_in *) addrs[3].buffer;
|
|
addrs[3].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[4].size = sizeof(struct sockaddr_in);
|
|
addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
|
|
addr = (struct sockaddr_in *) addrs[4].buffer;
|
|
addrs[4].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
|
|
addrs[5].size = sizeof(struct sockaddr_in);
|
|
addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
|
|
addr = (struct sockaddr_in *) addrs[5].buffer;
|
|
addrs[5].buffer[0] = AF_INET;
|
|
ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
|
|
torture_assert(tctx, ret > 0, "inet_pton failed");
|
|
#endif
|
|
|
|
ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.count = 6;
|
|
r.in.addresses = addrs;
|
|
r.out.ctr = &ctr;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
if (sam_ctx != NULL) {
|
|
for (i = 0; i < 3; i++) {
|
|
torture_assert_casestr_equal(tctx,
|
|
ctr->sitename[i].string,
|
|
server_site_name(tctx, sam_ctx),
|
|
"didn't return default site");
|
|
torture_assert(tctx, ctr->subnetname[i].string == NULL,
|
|
"subnet should be null");
|
|
}
|
|
for (i = 3; i < 6; i++) {
|
|
/* Windows returns "NULL" for the sitename if it isn't
|
|
* IPv6 configured */
|
|
if (torture_setting_bool(tctx, "samba4", false)) {
|
|
torture_assert_casestr_equal(tctx,
|
|
ctr->sitename[i].string,
|
|
server_site_name(tctx, sam_ctx),
|
|
"didn't return default site");
|
|
}
|
|
torture_assert(tctx, ctr->subnetname[i].string == NULL,
|
|
"subnet should be null");
|
|
}
|
|
}
|
|
|
|
/* Now try invalid ones (too short buffers) */
|
|
|
|
addrs[0].size = 0;
|
|
addrs[1].size = 1;
|
|
addrs[2].size = 4;
|
|
|
|
addrs[3].size = 0;
|
|
addrs[4].size = 1;
|
|
addrs[5].size = 4;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
for (i = 0; i < 6; i++) {
|
|
torture_assert(tctx, ctr->sitename[i].string == NULL,
|
|
"sitename should be null");
|
|
torture_assert(tctx, ctr->subnetname[i].string == NULL,
|
|
"subnet should be null");
|
|
}
|
|
|
|
addrs[0].size = 10;
|
|
addrs[0].buffer[0] = AF_UNSPEC;
|
|
addrs[1].size = 10;
|
|
addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
|
|
addrs[2].size = 10;
|
|
addrs[2].buffer[0] = AF_UNIX;
|
|
|
|
addrs[3].size = 10;
|
|
addrs[3].buffer[0] = 250;
|
|
addrs[4].size = 10;
|
|
addrs[4].buffer[0] = 251;
|
|
addrs[5].size = 10;
|
|
addrs[5].buffer[0] = 252;
|
|
|
|
status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
|
|
torture_assert_ntstatus_ok(tctx, status, "failed");
|
|
torture_assert_werr_ok(tctx, r.out.result, "failed");
|
|
|
|
for (i = 0; i < 6; i++) {
|
|
torture_assert(tctx, ctr->sitename[i].string == NULL,
|
|
"sitename should be null");
|
|
torture_assert(tctx, ctr->subnetname[i].string == NULL,
|
|
"subnet should be null");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials,
|
|
uint32_t negotiate_flags)
|
|
{
|
|
struct netr_ServerGetTrustInfo r;
|
|
|
|
struct netr_Authenticator a;
|
|
struct netr_Authenticator return_authenticator;
|
|
struct samr_Password new_owf_password;
|
|
struct samr_Password old_owf_password;
|
|
struct netr_TrustInfo *trust_info;
|
|
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
|
|
struct samr_Password nt_hash;
|
|
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
NTSTATUS status;
|
|
|
|
if (!test_SetupCredentials3(p1, tctx, negotiate_flags,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
|
|
r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &a;
|
|
|
|
r.out.return_authenticator = &return_authenticator;
|
|
r.out.new_owf_password = &new_owf_password;
|
|
r.out.old_owf_password = &old_owf_password;
|
|
r.out.trust_info = &trust_info;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerGetTrustInfo_r(b, tctx, &r),
|
|
"ServerGetTrustInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
|
|
|
|
E_md4hash(cli_credentials_get_password(machine_credentials), nt_hash.hash);
|
|
|
|
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
|
status = netlogon_creds_decrypt_samr_Password(creds,
|
|
&new_owf_password,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
|
|
status = netlogon_creds_decrypt_samr_Password(creds,
|
|
&old_owf_password,
|
|
auth_type,
|
|
auth_level);
|
|
torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
|
|
|
|
dump_data(1, new_owf_password.hash, 16);
|
|
dump_data(1, nt_hash.hash, 16);
|
|
|
|
torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16,
|
|
"received unexpected owf password\n");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
|
|
NETLOGON_NEG_AUTH2_ADS_FLAGS);
|
|
}
|
|
|
|
static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
|
|
NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
|
|
}
|
|
|
|
static bool test_GetDomainInfo(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct netr_LogonGetDomainInfo r;
|
|
struct netr_WorkstationInformation q1;
|
|
struct netr_Authenticator a;
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netr_OsVersion os;
|
|
union netr_WorkstationInfo query;
|
|
union netr_DomainInfo info;
|
|
const char* const attrs[] = { "dNSHostName", "operatingSystem",
|
|
"operatingSystemServicePack", "operatingSystemVersion",
|
|
"servicePrincipalName", NULL };
|
|
char *url;
|
|
struct ldb_context *sam_ctx = NULL;
|
|
struct ldb_message **res;
|
|
struct ldb_message_element *spn_el;
|
|
int ret, i;
|
|
char *version_str;
|
|
const char *old_dnsname = NULL;
|
|
char **spns = NULL;
|
|
int num_spns = 0;
|
|
char *temp_str = NULL;
|
|
char *temp_str2 = NULL;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
struct netr_OneDomainInfo *odi1 = NULL;
|
|
struct netr_OneDomainInfo *odi2 = NULL;
|
|
struct netr_trust_extension_info *tex2 = NULL;
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
|
|
|
|
if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
b = p->binding_handle;
|
|
|
|
/* We won't double-check this when we are over 'local' transports */
|
|
if (dcerpc_server_name(p)) {
|
|
/* Set up connection to SAMDB on DC */
|
|
url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
|
|
sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
|
|
NULL,
|
|
samba_cmdline_get_creds(),
|
|
0);
|
|
|
|
torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
|
|
}
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
ZERO_STRUCT(r);
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &a;
|
|
r.in.level = 1;
|
|
r.in.return_authenticator = &a;
|
|
r.in.query = &query;
|
|
r.out.return_authenticator = &a;
|
|
r.out.info = &info;
|
|
|
|
ZERO_STRUCT(os);
|
|
os.os.MajorVersion = 123;
|
|
os.os.MinorVersion = 456;
|
|
os.os.BuildNumber = 789;
|
|
os.os.CSDVersion = "Service Pack 10";
|
|
os.os.ServicePackMajor = 10;
|
|
os.os.ServicePackMinor = 1;
|
|
os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
|
|
os.os.ProductType = NETR_VER_NT_SERVER;
|
|
os.os.Reserved = 0;
|
|
|
|
version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
|
|
os.os.MinorVersion, os.os.BuildNumber);
|
|
|
|
ZERO_STRUCT(q1);
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
q1.sitename = "Default-First-Site-Name";
|
|
q1.os_version.os = &os;
|
|
q1.os_name.string = talloc_asprintf(tctx,
|
|
"Tortured by Samba4 RPC-NETLOGON: %s",
|
|
timestring(tctx, time(NULL)));
|
|
|
|
/* The workstation handles the "servicePrincipalName" and DNS hostname
|
|
updates */
|
|
q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
|
|
|
|
query.workstation_info = &q1;
|
|
|
|
if (sam_ctx) {
|
|
/* Gets back the old DNS hostname in AD */
|
|
ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
|
|
"(sAMAccountName=%s$)", TEST_MACHINE_NAME);
|
|
old_dnsname =
|
|
ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
|
|
|
|
/* Gets back the "servicePrincipalName"s in AD */
|
|
spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
|
|
if (spn_el != NULL) {
|
|
for (i=0; i < spn_el->num_values; i++) {
|
|
spns = talloc_realloc(tctx, spns, char *, i + 1);
|
|
spns[i] = (char *) spn_el->values[i].data;
|
|
}
|
|
num_spns = i;
|
|
}
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
smb_msleep(250);
|
|
|
|
if (sam_ctx) {
|
|
/* AD workstation infos entry check */
|
|
ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
|
|
"(sAMAccountName=%s$)", TEST_MACHINE_NAME);
|
|
torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
|
|
q1.os_name.string, "'operatingSystem' wrong!");
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
|
|
os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
|
|
version_str, "'operatingSystemVersion' wrong!");
|
|
|
|
if (old_dnsname != NULL) {
|
|
/* If before a DNS hostname was set then it should remain
|
|
the same in combination with the "servicePrincipalName"s.
|
|
The DNS hostname should also be returned by our
|
|
"LogonGetDomainInfo" call (in the domain info structure). */
|
|
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
|
|
old_dnsname, "'DNS hostname' was not set!");
|
|
|
|
spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
|
|
torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
|
|
"'servicePrincipalName's not set!");
|
|
torture_assert(tctx, spn_el->num_values == num_spns,
|
|
"'servicePrincipalName's incorrect!");
|
|
for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
|
|
torture_assert_str_equal(tctx,
|
|
(char *) spn_el->values[i].data,
|
|
spns[i], "'servicePrincipalName's incorrect!");
|
|
|
|
torture_assert_str_equal(tctx,
|
|
info.domain_info->dns_hostname.string,
|
|
old_dnsname,
|
|
"Out 'DNS hostname' doesn't match the old one!");
|
|
} else {
|
|
/* If no DNS hostname was set then also now none should be set,
|
|
the "servicePrincipalName"s should remain empty and no DNS
|
|
hostname should be returned by our "LogonGetDomainInfo"
|
|
call (in the domain info structure). */
|
|
|
|
torture_assert(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
|
|
"'DNS hostname' was set!");
|
|
|
|
spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
|
|
torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
|
|
"'servicePrincipalName's were set!");
|
|
|
|
torture_assert(tctx,
|
|
info.domain_info->dns_hostname.string == NULL,
|
|
"Out 'DNS host name' was set!");
|
|
}
|
|
}
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags
|
|
== NETR_WS_FLAG_HANDLES_SPN_UPDATE,
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
/* Wipe out the CSDVersion, and prove which values still 'stick' */
|
|
os.os.CSDVersion = "";
|
|
|
|
/* Change also the DNS hostname to test differences in behaviour */
|
|
talloc_free(discard_const_p(char, q1.dns_hostname));
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
|
|
/* The workstation handles the "servicePrincipalName" and DNS hostname
|
|
updates */
|
|
q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
smb_msleep(250);
|
|
|
|
if (sam_ctx) {
|
|
/* AD workstation infos entry check */
|
|
ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
|
|
"(sAMAccountName=%s$)", TEST_MACHINE_NAME);
|
|
torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
|
|
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
|
|
q1.os_name.string, "'operatingSystem' should stick!");
|
|
torture_assert(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
|
|
"'operatingSystemServicePack' shouldn't stick!");
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
|
|
version_str, "'operatingSystemVersion' wrong!");
|
|
|
|
/* The DNS host name shouldn't have been updated by the server */
|
|
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
|
|
old_dnsname, "'DNS host name' did change!");
|
|
|
|
/* Find the two "servicePrincipalName"s which the DC shouldn't have been
|
|
updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
|
|
3.5.4.3.9 */
|
|
spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
|
|
torture_assert(tctx, spn_el != NULL,
|
|
"There should exist 'servicePrincipalName's in AD!");
|
|
temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
|
|
for (i=0; i < spn_el->num_values; i++)
|
|
if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
|
|
break;
|
|
torture_assert(tctx, i != spn_el->num_values,
|
|
"'servicePrincipalName' HOST/<Netbios name> not found!");
|
|
temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
|
|
for (i=0; i < spn_el->num_values; i++)
|
|
if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
|
|
break;
|
|
torture_assert(tctx, i != spn_el->num_values,
|
|
"'servicePrincipalName' HOST/<FQDN name> not found!");
|
|
|
|
/* Check that the out DNS hostname was set properly */
|
|
torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
|
|
old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
|
|
}
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
|
|
/* Now try the same but the workstation flags set to 0 */
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
/* Change also the DNS hostname to test differences in behaviour */
|
|
talloc_free(discard_const_p(char, q1.dns_hostname));
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
|
|
/* Wipe out the osVersion, and prove which values still 'stick' */
|
|
q1.os_version.os = NULL;
|
|
|
|
/* Let the DC handle the "servicePrincipalName" and DNS hostname
|
|
updates */
|
|
q1.workstation_flags = 0;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
smb_msleep(250);
|
|
|
|
if (sam_ctx) {
|
|
/* AD workstation infos entry check */
|
|
ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
|
|
"(sAMAccountName=%s$)", TEST_MACHINE_NAME);
|
|
torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
|
|
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
|
|
q1.os_name.string, "'operatingSystem' should stick!");
|
|
torture_assert(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
|
|
"'operatingSystemServicePack' shouldn't stick!");
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
|
|
version_str, "'operatingSystemVersion' wrong!");
|
|
|
|
/* The DNS host name shouldn't have been updated by the server */
|
|
|
|
torture_assert_str_equal(tctx,
|
|
ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
|
|
old_dnsname, "'DNS host name' did change!");
|
|
|
|
/* Find the two "servicePrincipalName"s which the DC shouldn't have been
|
|
updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
|
|
3.5.4.3.9 */
|
|
spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
|
|
torture_assert(tctx, spn_el != NULL,
|
|
"There should exist 'servicePrincipalName's in AD!");
|
|
temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
|
|
for (i=0; i < spn_el->num_values; i++)
|
|
if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
|
|
break;
|
|
torture_assert(tctx, i != spn_el->num_values,
|
|
"'servicePrincipalName' HOST/<Netbios name> not found!");
|
|
temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
|
|
for (i=0; i < spn_el->num_values; i++)
|
|
if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
|
|
break;
|
|
torture_assert(tctx, i != spn_el->num_values,
|
|
"'servicePrincipalName' HOST/<FQDN name> not found!");
|
|
|
|
/* Here the server gives us NULL as the out DNS hostname */
|
|
torture_assert(tctx, info.domain_info->dns_hostname.string == NULL,
|
|
"Out 'DNS hostname' should be NULL!");
|
|
}
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags == 0,
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
/* Put the DNS hostname back */
|
|
talloc_free(discard_const_p(char, q1.dns_hostname));
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
|
|
/* The workstation handles the "servicePrincipalName" and DNS hostname
|
|
updates */
|
|
q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
smb_msleep(250);
|
|
|
|
/* Now the in/out DNS hostnames should be the same */
|
|
torture_assert_str_equal(tctx,
|
|
info.domain_info->dns_hostname.string,
|
|
query.workstation_info->dns_hostname,
|
|
"In/Out 'DNS hostnames' don't match!");
|
|
old_dnsname = info.domain_info->dns_hostname.string;
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags
|
|
== NETR_WS_FLAG_HANDLES_SPN_UPDATE,
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
/* Checks for trusted domains */
|
|
torture_assert(tctx,
|
|
(info.domain_info->trusted_domain_count != 0)
|
|
&& (info.domain_info->trusted_domains != NULL),
|
|
"Trusted domains have been requested!");
|
|
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
/* The workstation handles the "servicePrincipalName" and DNS hostname
|
|
updates and requests inbound trusts */
|
|
q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
|
|
| NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
smb_msleep(250);
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags
|
|
== (NETR_WS_FLAG_HANDLES_SPN_UPDATE
|
|
| NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
/* Checks for trusted domains */
|
|
torture_assert(tctx,
|
|
(info.domain_info->trusted_domain_count != 0)
|
|
&& (info.domain_info->trusted_domains != NULL),
|
|
"Trusted domains have been requested!");
|
|
|
|
odi1 = &info.domain_info->primary_domain;
|
|
|
|
torture_assert(tctx, !GUID_all_zero(&odi1->domain_guid),
|
|
"primary domain_guid needs to be valid");
|
|
|
|
for (i=0; i < info.domain_info->trusted_domain_count; i++) {
|
|
struct netr_OneDomainInfo *odiT =
|
|
&info.domain_info->trusted_domains[i];
|
|
struct netr_trust_extension_info *texT = NULL;
|
|
|
|
torture_assert_int_equal(tctx, odiT->trust_extension.length, 16,
|
|
"trust_list should have extension");
|
|
torture_assert(tctx, odiT->trust_extension.info != NULL,
|
|
"trust_list should have extension");
|
|
texT = &odiT->trust_extension.info->info;
|
|
|
|
if (GUID_equal(&odiT->domain_guid, &odi1->domain_guid)) {
|
|
odi2 = odiT;
|
|
tex2 = texT;
|
|
continue;
|
|
}
|
|
|
|
torture_assert_int_equal(tctx,
|
|
texT->flags & NETR_TRUST_FLAG_PRIMARY,
|
|
0,
|
|
"trust_list flags should not have PRIMARY");
|
|
|
|
torture_assert(tctx, odiT->domainname.string != NULL,
|
|
"trust_list domainname should be valid");
|
|
if (texT->trust_type == LSA_TRUST_TYPE_DOWNLEVEL ||
|
|
texT->trust_type == LSA_TRUST_TYPE_MIT)
|
|
{
|
|
torture_assert(tctx, odiT->dns_domainname.string == NULL,
|
|
"trust_list dns_domainname should be NULL for downlevel or MIT");
|
|
} else {
|
|
torture_assert(tctx, odiT->dns_domainname.string != NULL,
|
|
"trust_list dns_domainname should be valid for uplevel");
|
|
}
|
|
torture_assert(tctx, odiT->dns_forestname.string == NULL,
|
|
"trust_list dns_forestname needs to be NULL");
|
|
|
|
torture_assert(tctx, odiT->domain_sid != NULL,
|
|
"trust_list domain_sid needs to be valid");
|
|
}
|
|
|
|
torture_assert(tctx, odi2 != NULL,
|
|
"trust_list primary domain not found.");
|
|
|
|
torture_assert_str_equal(tctx,
|
|
odi1->domainname.string,
|
|
odi2->domainname.string,
|
|
"netbios name should match");
|
|
|
|
temp_str = talloc_strdup(tctx, odi1->dns_domainname.string);
|
|
torture_assert(tctx, temp_str != NULL,
|
|
"primary_domain dns_domainname copy");
|
|
temp_str2 = strrchr(temp_str, '.');
|
|
torture_assert(tctx, temp_str2 != NULL && temp_str2[1] == '\0',
|
|
"primary_domain dns_domainname needs trailing '.'");
|
|
temp_str2[0] = '\0';
|
|
torture_assert_str_equal(tctx,
|
|
temp_str,
|
|
odi2->dns_domainname.string,
|
|
"dns domainname should match "
|
|
"(without trailing '.')");
|
|
|
|
temp_str = talloc_strdup(tctx, odi1->dns_forestname.string);
|
|
torture_assert(tctx, temp_str != NULL,
|
|
"primary_domain dns_forestname copy");
|
|
temp_str2 = strrchr(temp_str, '.');
|
|
torture_assert(tctx, temp_str2 != NULL && temp_str2[1] == '\0',
|
|
"primary_domain dns_forestname needs trailing '.'");
|
|
temp_str2[0] = '\0';
|
|
torture_assert(tctx, odi2->dns_forestname.string == NULL,
|
|
"trust_list dns_forestname needs to be NULL");
|
|
|
|
torture_assert_guid_equal(tctx, odi1->domain_guid, odi2->domain_guid,
|
|
"domain_guid should match");
|
|
torture_assert(tctx, odi1->domain_sid != NULL,
|
|
"primary domain_sid needs to be valid");
|
|
torture_assert(tctx, odi2->domain_sid != NULL,
|
|
"trust_list domain_sid needs to be valid");
|
|
torture_assert_sid_equal(tctx, odi1->domain_sid, odi2->domain_sid,
|
|
"domain_sid should match");
|
|
|
|
torture_assert_int_equal(tctx, odi1->trust_extension.length, 0,
|
|
"primary_domain should not have extension");
|
|
torture_assert_int_equal(tctx, odi2->trust_extension.length, 16,
|
|
"trust_list should have extension");
|
|
torture_assert(tctx, odi2->trust_extension.info != NULL,
|
|
"trust_list should have extension");
|
|
tex2 = &odi2->trust_extension.info->info;
|
|
torture_assert_int_equal(tctx,
|
|
tex2->flags & NETR_TRUST_FLAG_PRIMARY,
|
|
NETR_TRUST_FLAG_PRIMARY,
|
|
"trust_list flags should have PRIMARY");
|
|
torture_assert_int_equal(tctx,
|
|
tex2->flags & NETR_TRUST_FLAG_IN_FOREST,
|
|
NETR_TRUST_FLAG_IN_FOREST,
|
|
"trust_list flags should have IN_FOREST");
|
|
torture_assert_int_equal(tctx,
|
|
tex2->flags & NETR_TRUST_FLAG_NATIVE,
|
|
NETR_TRUST_FLAG_NATIVE,
|
|
"trust_list flags should have NATIVE");
|
|
torture_assert_int_equal(tctx,
|
|
tex2->flags & ~NETR_TRUST_FLAG_TREEROOT,
|
|
NETR_TRUST_FLAG_IN_FOREST |
|
|
NETR_TRUST_FLAG_PRIMARY |
|
|
NETR_TRUST_FLAG_NATIVE,
|
|
"trust_list flags IN_FOREST, PRIMARY, NATIVE "
|
|
"(TREEROOT optional)");
|
|
if (strcmp(odi1->dns_domainname.string, odi1->dns_forestname.string) == 0) {
|
|
torture_assert_int_equal(tctx,
|
|
tex2->flags & NETR_TRUST_FLAG_TREEROOT,
|
|
NETR_TRUST_FLAG_TREEROOT,
|
|
"trust_list flags TREEROOT on forest root");
|
|
torture_assert_int_equal(tctx,
|
|
tex2->parent_index, 0,
|
|
"trust_list no parent on forest root");
|
|
}
|
|
torture_assert_int_equal(tctx,
|
|
tex2->trust_type, LSA_TRUST_TYPE_UPLEVEL,
|
|
"trust_list uplevel");
|
|
torture_assert_int_equal(tctx,
|
|
tex2->trust_attributes, 0,
|
|
"trust_list no attributes");
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 6th call (no DNS hostname)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
query.workstation_info->dns_hostname = NULL;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
/* The old DNS hostname should stick */
|
|
torture_assert_str_equal(tctx,
|
|
info.domain_info->dns_hostname.string,
|
|
old_dnsname,
|
|
"'DNS hostname' changed!");
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (extra workstation flags)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
|
|
| NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | 0x4;
|
|
|
|
/* Put the DNS hostname back */
|
|
talloc_free(discard_const_p(char, q1.dns_hostname));
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
|
|
/* Checks "workstation flags" */
|
|
torture_assert(tctx,
|
|
info.domain_info->workstation_flags
|
|
== (NETR_WS_FLAG_HANDLES_SPN_UPDATE
|
|
| NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
|
|
"Out 'workstation flags' don't match!");
|
|
|
|
if (!torture_setting_bool(tctx, "dangerous", false)) {
|
|
torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 8th call (no workstation info) - enable dangerous tests in order to do so\n");
|
|
} else {
|
|
/* Try a call without the workstation information structure */
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 8th call (no workstation info)\n");
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
query.workstation_info = NULL;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
|
|
"LogonGetDomainInfo failed");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
|
|
torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_GetDomainInfo_async(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p1,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
NTSTATUS status;
|
|
struct netr_LogonGetDomainInfo r;
|
|
struct netr_WorkstationInformation q1;
|
|
struct netr_Authenticator a;
|
|
#define ASYNC_COUNT 100
|
|
struct netlogon_creds_CredentialState *creds;
|
|
struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
|
|
struct tevent_req *req[ASYNC_COUNT];
|
|
int i;
|
|
union netr_WorkstationInfo query;
|
|
union netr_DomainInfo info;
|
|
struct dcerpc_pipe *p = NULL;
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
|
|
|
|
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
|
|
DCERPC_SIGN | DCERPC_SEAL, &p)) {
|
|
return false;
|
|
}
|
|
|
|
ZERO_STRUCT(r);
|
|
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
|
|
r.in.computer_name = TEST_MACHINE_NAME;
|
|
r.in.credential = &a;
|
|
r.in.level = 1;
|
|
r.in.return_authenticator = &a;
|
|
r.in.query = &query;
|
|
r.out.return_authenticator = &a;
|
|
r.out.info = &info;
|
|
|
|
ZERO_STRUCT(q1);
|
|
q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
|
|
lpcfg_dnsdomain(tctx->lp_ctx));
|
|
q1.sitename = "Default-First-Site-Name";
|
|
q1.os_name.string = "UNIX/Linux or similar";
|
|
|
|
query.workstation_info = &q1;
|
|
|
|
for (i=0;i<ASYNC_COUNT;i++) {
|
|
netlogon_creds_client_authenticator(creds, &a);
|
|
|
|
creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
|
|
req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r);
|
|
|
|
/* even with this flush per request a w2k3 server seems to
|
|
clag with multiple outstanding requests. bleergh. */
|
|
torture_assert_int_equal(tctx, tevent_loop_once(tctx->ev), 0,
|
|
"tevent_loop_once failed");
|
|
}
|
|
|
|
for (i=0;i<ASYNC_COUNT;i++) {
|
|
torture_assert_int_equal(tctx, tevent_req_poll(req[i], tctx->ev), true,
|
|
"tevent_req_poll() failed");
|
|
|
|
status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx);
|
|
|
|
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
|
|
|
|
torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
|
|
"Credential chaining failed at async");
|
|
}
|
|
|
|
torture_comment(tctx,
|
|
"Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_ManyGetDCName(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct cli_credentials *anon_creds;
|
|
struct dcerpc_binding *binding2;
|
|
struct dcerpc_pipe *p2;
|
|
struct lsa_ObjectAttribute attr;
|
|
struct lsa_QosInfo qos;
|
|
struct lsa_OpenPolicy2 o;
|
|
struct policy_handle lsa_handle;
|
|
struct lsa_DomainList domains;
|
|
|
|
struct lsa_EnumTrustDom t;
|
|
uint32_t resume_handle = 0;
|
|
struct netr_GetAnyDCName d;
|
|
const char *dcname = NULL;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
const struct dcerpc_binding *bd = dcerpc_binding_handle_get_binding(b);
|
|
struct dcerpc_binding_handle *b2;
|
|
|
|
int i;
|
|
|
|
if (dcerpc_binding_handle_get_transport(b) != NCACN_NP) {
|
|
torture_skip(tctx, "test_ManyGetDCName works only with NCACN_NP");
|
|
}
|
|
|
|
torture_comment(tctx, "Torturing GetDCName\n");
|
|
|
|
anon_creds = cli_credentials_init_anon(tctx);
|
|
torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon failed");
|
|
|
|
binding2 = dcerpc_binding_dup(tctx, bd);
|
|
/* Swap the binding details from NETLOGON to LSA */
|
|
status = dcerpc_epm_map_binding(tctx, binding2, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
|
|
dcerpc_binding_set_assoc_group_id(binding2, 0);
|
|
torture_assert_ntstatus_ok(tctx, status, "epm map");
|
|
|
|
status = dcerpc_secondary_auth_connection(p, binding2, &ndr_table_lsarpc,
|
|
anon_creds, tctx->lp_ctx,
|
|
tctx, &p2);
|
|
torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
|
|
b2 = p2->binding_handle;
|
|
|
|
qos.len = 0;
|
|
qos.impersonation_level = 2;
|
|
qos.context_mode = 1;
|
|
qos.effective_only = 0;
|
|
|
|
attr.len = 0;
|
|
attr.root_dir = NULL;
|
|
attr.object_name = NULL;
|
|
attr.attributes = 0;
|
|
attr.sec_desc = NULL;
|
|
attr.sec_qos = &qos;
|
|
|
|
o.in.system_name = "\\";
|
|
o.in.attr = &attr;
|
|
o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
|
|
o.out.handle = &lsa_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
|
|
"OpenPolicy2 failed");
|
|
torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
|
|
|
|
t.in.handle = &lsa_handle;
|
|
t.in.resume_handle = &resume_handle;
|
|
t.in.max_size = 1000;
|
|
t.out.domains = &domains;
|
|
t.out.resume_handle = &resume_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b2, tctx, &t),
|
|
"EnumTrustDom failed");
|
|
|
|
if ((!NT_STATUS_IS_OK(t.out.result) &&
|
|
(!NT_STATUS_EQUAL(t.out.result, NT_STATUS_NO_MORE_ENTRIES))))
|
|
torture_fail(tctx, "Could not list domains");
|
|
|
|
talloc_free(p2);
|
|
|
|
d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
|
|
dcerpc_server_name(p));
|
|
d.out.dcname = &dcname;
|
|
|
|
for (i=0; i<domains.count * 4; i++) {
|
|
struct lsa_DomainInfo *info =
|
|
&domains.domains[rand()%domains.count];
|
|
|
|
d.in.domainname = info->name.string;
|
|
|
|
status = dcerpc_netr_GetAnyDCName_r(b, tctx, &d);
|
|
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
|
|
|
|
torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
|
|
dcname ? dcname : "unknown");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_lsa_over_netlogon(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct cli_credentials *anon_creds;
|
|
const struct dcerpc_binding *binding2;
|
|
struct dcerpc_pipe *p2;
|
|
struct lsa_ObjectAttribute attr;
|
|
struct lsa_QosInfo qos;
|
|
struct lsa_OpenPolicy2 o;
|
|
struct policy_handle lsa_handle;
|
|
|
|
struct dcerpc_binding_handle *b2;
|
|
|
|
|
|
if (dcerpc_binding_handle_get_transport(p->binding_handle) != NCACN_NP) {
|
|
torture_skip(tctx, "test_lsa_over_netlogon works only with NCACN_NP");
|
|
}
|
|
|
|
torture_comment(tctx, "Testing if we can access the LSA server over\n"
|
|
" \\\\pipe\\netlogon rather than \\\\pipe\\lsarpc\n");
|
|
|
|
anon_creds = cli_credentials_init_anon(tctx);
|
|
torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon failed");
|
|
|
|
binding2 = dcerpc_binding_handle_get_binding(p->binding_handle);
|
|
|
|
status = dcerpc_secondary_auth_connection(p, binding2, &ndr_table_lsarpc,
|
|
anon_creds, tctx->lp_ctx,
|
|
tctx, &p2);
|
|
torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
|
|
b2 = p2->binding_handle;
|
|
|
|
qos.len = 0;
|
|
qos.impersonation_level = 2;
|
|
qos.context_mode = 1;
|
|
qos.effective_only = 0;
|
|
|
|
attr.len = 0;
|
|
attr.root_dir = NULL;
|
|
attr.object_name = NULL;
|
|
attr.attributes = 0;
|
|
attr.sec_desc = NULL;
|
|
attr.sec_qos = &qos;
|
|
|
|
o.in.system_name = "\\";
|
|
o.in.attr = &attr;
|
|
o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
|
|
o.out.handle = &lsa_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
|
|
"OpenPolicy2 failed");
|
|
torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
|
|
|
|
talloc_free(p2);
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_SetPassword_with_flags(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
|
|
struct netlogon_creds_CredentialState *creds;
|
|
int i;
|
|
|
|
if (!test_SetupCredentials2(p, tctx, 0,
|
|
machine_credentials,
|
|
cli_credentials_get_secure_channel_type(machine_credentials),
|
|
&creds)) {
|
|
torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
|
|
}
|
|
|
|
for (i=0; i < ARRAY_SIZE(flags); i++) {
|
|
torture_assert(tctx,
|
|
test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
|
|
talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon");
|
|
struct torture_rpc_tcase *tcase;
|
|
struct torture_test *test;
|
|
|
|
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME);
|
|
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade);
|
|
torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon);
|
|
|
|
torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation", test_netr_GetForestTrustInformation);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo_AES", test_netr_ServerGetTrustInfo_AES);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
|
|
torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
|
|
torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
|
|
torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
|
|
torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
|
|
torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
|
|
torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
|
|
test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
|
|
test->dangerous = true;
|
|
torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
|
|
torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
|
|
torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
|
|
torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
|
|
torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
|
|
torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
|
|
torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
|
|
torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
|
|
torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
|
|
torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
|
|
torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
|
|
torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
|
|
torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
|
|
torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
|
|
torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuse", test_ServerReqChallengeReuse);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuseGlobal4", test_ServerReqChallengeReuseGlobal4);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuseGlobal3", test_ServerReqChallengeReuseGlobal3);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuseGlobal2", test_ServerReqChallengeReuseGlobal2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeReuseGlobal", test_ServerReqChallengeReuseGlobal);
|
|
torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeGlobal", test_ServerReqChallengeGlobal);
|
|
torture_rpc_tcase_add_test_creds(tcase, "invalidAuthenticate2", test_invalidAuthenticate2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
|
|
torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
|
|
torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
|
|
|
|
torture_rpc_tcase_add_test(tcase, "Broken RPC binding handle",
|
|
test_netr_broken_binding_handle);
|
|
|
|
return suite;
|
|
}
|
|
|
|
struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon-s3");
|
|
struct torture_rpc_tcase *tcase;
|
|
|
|
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME);
|
|
|
|
torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SamLogon_NULL_domain", test_SamLogon_NULL_domain);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
|
|
torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
|
|
|
|
return suite;
|
|
}
|
|
|
|
struct torture_suite *torture_rpc_netlogon_zerologon(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(
|
|
mem_ctx,
|
|
"netlogon.zerologon");
|
|
struct torture_rpc_tcase *tcase;
|
|
|
|
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(
|
|
suite,
|
|
"netlogon",
|
|
&ndr_table_netlogon,
|
|
TEST_MACHINE_NAME);
|
|
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"ServerReqChallenge",
|
|
test_ServerReqChallenge);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"ServerReqChallenge_zero_challenge",
|
|
test_ServerReqChallenge_zero_challenge);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"ServerReqChallenge_5_repeats",
|
|
test_ServerReqChallenge_5_repeats);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"ServerReqChallenge_4_repeats",
|
|
test_ServerReqChallenge_4_repeats);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_encrypted_to_all_zeros",
|
|
test_SetPassword2_encrypted_to_all_zeros);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_password_encrypts_to_zero",
|
|
test_SetPassword2_password_encrypts_to_zero);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_confounder",
|
|
test_SetPassword2_confounder);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_all_zeros",
|
|
test_SetPassword2_all_zeros);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_all_zero_password",
|
|
test_SetPassword2_all_zero_password);
|
|
torture_rpc_tcase_add_test_creds(
|
|
tcase,
|
|
"test_SetPassword2_maximum_length_password",
|
|
test_SetPassword2_maximum_length_password);
|
|
|
|
return suite;
|
|
}
|
|
|
|
struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon.admin");
|
|
struct torture_rpc_tcase *tcase;
|
|
|
|
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "bdc",
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
|
|
|
|
tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "wkst",
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
|
|
|
|
tcase = torture_suite_add_rpc_iface_tcase(suite, "admin",
|
|
&ndr_table_netlogon);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
|
|
torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
|
|
|
|
return suite;
|
|
}
|