mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
35fbc7bbda
This is consistent with the test names used by selftest, should make the names less confusing and easier to integrate with other tools. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
1198 lines
32 KiB
C
1198 lines
32 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
test suite for accessmasks on the SAMR pipe
|
|
|
|
Copyright (C) Ronnie Sahlberg 2007
|
|
Copyright (C) Guenther Deschner 2009
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "librpc/gen_ndr/ndr_samr_c.h"
|
|
#include "torture/rpc/torture_rpc.h"
|
|
#include "param/param.h"
|
|
#include "libcli/security/security.h"
|
|
|
|
|
|
/* test user created to test the ACLs associated to SAMR objects */
|
|
#define TEST_USER_NAME "samr_testuser"
|
|
#define TEST_MACHINENAME "samrtestmach"
|
|
|
|
static NTSTATUS torture_samr_Close(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct policy_handle *h)
|
|
{
|
|
NTSTATUS status;
|
|
struct samr_Close cl;
|
|
|
|
cl.in.handle = h;
|
|
cl.out.handle = h;
|
|
status = dcerpc_samr_Close_r(b, tctx, &cl);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
return cl.out.result;
|
|
}
|
|
|
|
static NTSTATUS torture_samr_Connect5(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
uint32_t mask, struct policy_handle *h)
|
|
{
|
|
NTSTATUS status;
|
|
struct samr_Connect5 r5;
|
|
union samr_ConnectInfo info;
|
|
uint32_t level_out = 0;
|
|
|
|
info.info1.client_version = 0;
|
|
info.info1.unknown2 = 0;
|
|
r5.in.system_name = "";
|
|
r5.in.level_in = 1;
|
|
r5.in.info_in = &info;
|
|
r5.out.info_out = &info;
|
|
r5.out.level_out = &level_out;
|
|
r5.out.connect_handle = h;
|
|
r5.in.access_mask = mask;
|
|
|
|
status = dcerpc_samr_Connect5_r(b, tctx, &r5);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
return r5.out.result;
|
|
}
|
|
|
|
/* check which bits in accessmask allows us to connect to the server */
|
|
static bool test_samr_accessmask_Connect5(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct policy_handle h;
|
|
int i;
|
|
uint32_t mask;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
printf("Testing which bits in accessmask allows us to connect\n");
|
|
mask = 1;
|
|
for (i=0;i<33;i++) {
|
|
printf("Testing Connect5 with access mask 0x%08x", mask);
|
|
status = torture_samr_Connect5(tctx, b, mask, &h);
|
|
mask <<= 1;
|
|
|
|
switch (i) {
|
|
case 6:
|
|
case 7:
|
|
case 8:
|
|
case 9:
|
|
case 10:
|
|
case 11:
|
|
case 12:
|
|
case 13:
|
|
case 14:
|
|
case 15:
|
|
case 20:
|
|
case 21:
|
|
case 22:
|
|
case 23:
|
|
case 26:
|
|
case 27:
|
|
printf(" expecting to fail");
|
|
/* of only one of these bits are set we expect to
|
|
fail by default
|
|
*/
|
|
if(!NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
default:
|
|
/* these bits set are expected to succeed by default */
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &h);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
}
|
|
printf(" OK\n");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/* check which bits in accessmask allows us to EnumDomains()
|
|
by default we must specify at least one of :
|
|
SAMR/EnumDomains
|
|
Maximum
|
|
GenericAll
|
|
GenericRead
|
|
in the access mask to Connect5() in order to be allowed to perform
|
|
EnumDomains() on the policy handle returned from Connect5()
|
|
*/
|
|
static bool test_samr_accessmask_EnumDomains(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct samr_EnumDomains ed;
|
|
struct policy_handle ch;
|
|
int i;
|
|
uint32_t mask;
|
|
uint32_t resume_handle = 0;
|
|
struct samr_SamArray *sam = NULL;
|
|
uint32_t num_entries = 0;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
printf("Testing which bits in Connect5 accessmask allows us to EnumDomains\n");
|
|
mask = 1;
|
|
for (i=0;i<33;i++) {
|
|
printf("Testing Connect5/EnumDomains with access mask 0x%08x", mask);
|
|
status = torture_samr_Connect5(tctx, b, mask, &ch);
|
|
mask <<= 1;
|
|
|
|
switch (i) {
|
|
case 4: /* SAMR/EnumDomains */
|
|
case 25: /* Maximum */
|
|
case 28: /* GenericAll */
|
|
case 31: /* GenericRead */
|
|
/* these bits set are expected to succeed by default */
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
ed.in.connect_handle = &ch;
|
|
ed.in.resume_handle = &resume_handle;
|
|
ed.in.buf_size = (uint32_t)-1;
|
|
ed.out.resume_handle = &resume_handle;
|
|
ed.out.num_entries = &num_entries;
|
|
ed.out.sam = &sam;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomains_r(b, tctx, &ed),
|
|
"EnumDomains failed");
|
|
if (!NT_STATUS_IS_OK(ed.out.result)) {
|
|
printf("EnumDomains failed - %s\n", nt_errstr(ed.out.result));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
default:
|
|
printf(" expecting to fail");
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf(" OK\n");
|
|
continue;
|
|
}
|
|
|
|
ed.in.connect_handle = &ch;
|
|
ed.in.resume_handle = &resume_handle;
|
|
ed.in.buf_size = (uint32_t)-1;
|
|
ed.out.resume_handle = &resume_handle;
|
|
ed.out.num_entries = &num_entries;
|
|
ed.out.sam = &sam;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomains_r(b, tctx, &ed),
|
|
"EnumDomains failed");
|
|
if(!NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, ed.out.result)) {
|
|
printf("EnumDomains failed - %s\n", nt_errstr(ed.out.result));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
}
|
|
printf(" OK\n");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/*
|
|
* test how ACLs affect how/if a user can connect to the SAMR service
|
|
*
|
|
* samr_SetSecurity() returns SUCCESS when changing the ACL for
|
|
* a policy handle got from Connect5() but the ACL is not changed on
|
|
* the server
|
|
*/
|
|
static bool test_samr_connect_user_acl(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct cli_credentials *test_credentials,
|
|
const struct dom_sid *test_sid)
|
|
|
|
{
|
|
NTSTATUS status;
|
|
struct policy_handle ch;
|
|
struct policy_handle uch;
|
|
struct samr_QuerySecurity qs;
|
|
struct samr_SetSecurity ss;
|
|
struct security_ace ace;
|
|
struct security_descriptor *sd;
|
|
struct sec_desc_buf sdb, *sdbuf = NULL;
|
|
bool ret = true;
|
|
int sd_size;
|
|
struct dcerpc_pipe *test_p;
|
|
struct dcerpc_binding_handle *test_b;
|
|
const char *binding = torture_setting_string(tctx, "binding", NULL);
|
|
|
|
printf("Testing ACLs to allow/prevent users to connect to SAMR");
|
|
|
|
/* connect to SAMR */
|
|
status = torture_samr_Connect5(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
|
|
/* get the current ACL for the SAMR policy handle */
|
|
qs.in.handle = &ch;
|
|
qs.in.sec_info = SECINFO_DACL;
|
|
qs.out.sdbuf = &sdbuf;
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QuerySecurity_r(b, tctx, &qs),
|
|
"QuerySecurity failed");
|
|
if (!NT_STATUS_IS_OK(qs.out.result)) {
|
|
printf("QuerySecurity failed - %s\n", nt_errstr(qs.out.result));
|
|
ret = false;
|
|
}
|
|
|
|
/* how big is the security descriptor? */
|
|
sd_size = sdbuf->sd_size;
|
|
|
|
|
|
/* add an ACE to the security descriptor to deny the user the
|
|
* 'connect to server' right
|
|
*/
|
|
sd = sdbuf->sd;
|
|
ace.type = SEC_ACE_TYPE_ACCESS_DENIED;
|
|
ace.flags = 0;
|
|
ace.access_mask = SAMR_ACCESS_CONNECT_TO_SERVER;
|
|
ace.trustee = *test_sid;
|
|
status = security_descriptor_dacl_add(sd, &ace);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Failed to add ACE to security descriptor\n");
|
|
ret = false;
|
|
}
|
|
ss.in.handle = &ch;
|
|
ss.in.sec_info = SECINFO_DACL;
|
|
ss.in.sdbuf = &sdb;
|
|
sdb.sd = sd;
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetSecurity_r(b, tctx, &ss),
|
|
"SetSecurity failed");
|
|
if (!NT_STATUS_IS_OK(ss.out.result)) {
|
|
printf("SetSecurity failed - %s\n", nt_errstr(ss.out.result));
|
|
ret = false;
|
|
}
|
|
|
|
|
|
/* Try to connect as the test user */
|
|
status = dcerpc_pipe_connect(tctx,
|
|
&test_p, binding, &ndr_table_samr,
|
|
test_credentials, tctx->ev, tctx->lp_ctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("dcerpc_pipe_connect failed: %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
test_b = test_p->binding_handle;
|
|
|
|
/* connect to SAMR as the user */
|
|
status = torture_samr_Connect5(tctx, test_b, SEC_FLAG_MAXIMUM_ALLOWED, &uch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
/* disconnec the user */
|
|
talloc_free(test_p);
|
|
|
|
|
|
/* read the sequrity descriptor back. it should not have changed
|
|
* eventhough samr_SetSecurity returned SUCCESS
|
|
*/
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QuerySecurity_r(b, tctx, &qs),
|
|
"QuerySecurity failed");
|
|
if (!NT_STATUS_IS_OK(qs.out.result)) {
|
|
printf("QuerySecurity failed - %s\n", nt_errstr(qs.out.result));
|
|
ret = false;
|
|
}
|
|
if (sd_size != sdbuf->sd_size) {
|
|
printf("security descriptor changed\n");
|
|
ret = false;
|
|
}
|
|
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
ret = false;
|
|
}
|
|
|
|
if (ret == true) {
|
|
printf(" OK\n");
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* test if the ACLs are enforced for users.
|
|
* a normal testuser only gets the rights provided in hte ACL for
|
|
* Everyone which does not include the SAMR_ACCESS_SHUTDOWN_SERVER
|
|
* right. If the ACLs are checked when a user connects
|
|
* a testuser that requests the accessmask with only this bit set
|
|
* the connect should fail.
|
|
*/
|
|
static bool test_samr_connect_user_acl_enforced(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct cli_credentials *test_credentials,
|
|
const struct dom_sid *test_sid)
|
|
|
|
{
|
|
NTSTATUS status;
|
|
struct policy_handle uch;
|
|
bool ret = true;
|
|
struct dcerpc_pipe *test_p;
|
|
struct dcerpc_binding_handle *test_b;
|
|
const char *binding = torture_setting_string(tctx, "binding", NULL);
|
|
|
|
printf("Testing if ACLs are enforced for non domain admin users when connecting to SAMR");
|
|
|
|
|
|
status = dcerpc_pipe_connect(tctx,
|
|
&test_p, binding, &ndr_table_samr,
|
|
test_credentials, tctx->ev, tctx->lp_ctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("dcerpc_pipe_connect failed: %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
test_b = test_p->binding_handle;
|
|
|
|
/* connect to SAMR as the user */
|
|
status = torture_samr_Connect5(tctx, test_b, SAMR_ACCESS_SHUTDOWN_SERVER, &uch);
|
|
if (NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
printf(" OK\n");
|
|
|
|
/* disconnec the user */
|
|
talloc_free(test_p);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* check which bits in accessmask allows us to LookupDomain()
|
|
by default we must specify at least one of :
|
|
in the access mask to Connect5() in order to be allowed to perform
|
|
case 5: samr/opendomain
|
|
case 25: Maximum
|
|
case 28: GenericAll
|
|
case 29: GenericExecute
|
|
LookupDomain() on the policy handle returned from Connect5()
|
|
*/
|
|
static bool test_samr_accessmask_LookupDomain(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct samr_LookupDomain ld;
|
|
struct dom_sid2 *sid = NULL;
|
|
struct policy_handle ch;
|
|
struct lsa_String dn;
|
|
int i;
|
|
uint32_t mask;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
printf("Testing which bits in Connect5 accessmask allows us to LookupDomain\n");
|
|
mask = 1;
|
|
for (i=0;i<33;i++) {
|
|
printf("Testing Connect5/LookupDomain with access mask 0x%08x", mask);
|
|
status = torture_samr_Connect5(tctx, b, mask, &ch);
|
|
mask <<= 1;
|
|
|
|
switch (i) {
|
|
case 5:
|
|
case 25: /* Maximum */
|
|
case 28: /* GenericAll */
|
|
case 29: /* GenericExecute */
|
|
/* these bits set are expected to succeed by default */
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
ld.in.connect_handle = &ch;
|
|
ld.in.domain_name = &dn;
|
|
ld.out.sid = &sid;
|
|
dn.string = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupDomain_r(b, tctx, &ld),
|
|
"LookupDomain failed");
|
|
if (!NT_STATUS_IS_OK(ld.out.result)) {
|
|
printf("LookupDomain failed - %s\n", nt_errstr(ld.out.result));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
default:
|
|
printf(" expecting to fail");
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf(" OK\n");
|
|
continue;
|
|
}
|
|
|
|
ld.in.connect_handle = &ch;
|
|
ld.in.domain_name = &dn;
|
|
ld.out.sid = &sid;
|
|
dn.string = lpcfg_workgroup(tctx->lp_ctx);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupDomain_r(b, tctx, &ld),
|
|
"LookupDomain failed");
|
|
if(!NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, ld.out.result)) {
|
|
printf("LookupDomain failed - %s\n", nt_errstr(ld.out.result));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
}
|
|
printf(" OK\n");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/* check which bits in accessmask allows us to OpenDomain()
|
|
by default we must specify at least one of :
|
|
samr/opendomain
|
|
Maximum
|
|
GenericAll
|
|
GenericExecute
|
|
in the access mask to Connect5() in order to be allowed to perform
|
|
OpenDomain() on the policy handle returned from Connect5()
|
|
*/
|
|
static bool test_samr_accessmask_OpenDomain(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
NTSTATUS status;
|
|
struct samr_LookupDomain ld;
|
|
struct dom_sid2 *sid = NULL;
|
|
struct samr_OpenDomain od;
|
|
struct policy_handle ch;
|
|
struct policy_handle dh;
|
|
struct lsa_String dn;
|
|
int i;
|
|
uint32_t mask;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
|
|
/* first we must grab the sid of the domain */
|
|
status = torture_samr_Connect5(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
ld.in.connect_handle = &ch;
|
|
ld.in.domain_name = &dn;
|
|
ld.out.sid = &sid;
|
|
dn.string = lpcfg_workgroup(tctx->lp_ctx);
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupDomain_r(b, tctx, &ld),
|
|
"LookupDomain failed");
|
|
if (!NT_STATUS_IS_OK(ld.out.result)) {
|
|
printf("LookupDomain failed - %s\n", nt_errstr(ld.out.result));
|
|
return false;
|
|
}
|
|
|
|
|
|
|
|
printf("Testing which bits in Connect5 accessmask allows us to OpenDomain\n");
|
|
mask = 1;
|
|
for (i=0;i<33;i++) {
|
|
printf("Testing Connect5/OpenDomain with access mask 0x%08x", mask);
|
|
status = torture_samr_Connect5(tctx, b, mask, &ch);
|
|
mask <<= 1;
|
|
|
|
switch (i) {
|
|
case 5:
|
|
case 25: /* Maximum */
|
|
case 28: /* GenericAll */
|
|
case 29: /* GenericExecute */
|
|
/* these bits set are expected to succeed by default */
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Connect5 failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
od.in.connect_handle = &ch;
|
|
od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
|
|
od.in.sid = sid;
|
|
od.out.domain_handle = &dh;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenDomain_r(b, tctx, &od),
|
|
"OpenDomain failed");
|
|
if (!NT_STATUS_IS_OK(od.out.result)) {
|
|
printf("OpenDomain failed - %s\n", nt_errstr(od.out.result));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &dh);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
default:
|
|
printf(" expecting to fail");
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf(" OK\n");
|
|
continue;
|
|
}
|
|
|
|
status = torture_samr_Close(tctx, b, &ch);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("Close failed - %s\n", nt_errstr(status));
|
|
return false;
|
|
}
|
|
break;
|
|
}
|
|
printf(" OK\n");
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_connect(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p)
|
|
{
|
|
void *testuser;
|
|
const char *testuser_passwd;
|
|
struct cli_credentials *test_credentials;
|
|
bool ret = true;
|
|
const struct dom_sid *test_sid;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (torture_setting_bool(tctx, "samba3", false)) {
|
|
torture_skip(tctx, "Skipping test against Samba 3");
|
|
}
|
|
|
|
/* create a test user */
|
|
testuser = torture_create_testuser(tctx, TEST_USER_NAME, lpcfg_workgroup(tctx->lp_ctx),
|
|
ACB_NORMAL, &testuser_passwd);
|
|
if (!testuser) {
|
|
printf("Failed to create test user\n");
|
|
return false;
|
|
}
|
|
test_credentials = cli_credentials_init(tctx);
|
|
cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
|
|
cli_credentials_set_domain(test_credentials, lpcfg_workgroup(tctx->lp_ctx),
|
|
CRED_SPECIFIED);
|
|
cli_credentials_set_username(test_credentials, TEST_USER_NAME, CRED_SPECIFIED);
|
|
cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
|
|
test_sid = torture_join_user_sid(testuser);
|
|
|
|
|
|
/* test if ACLs can be changed for the policy handle
|
|
* returned by Connect5
|
|
*/
|
|
if (!test_samr_connect_user_acl(tctx, b, test_credentials, test_sid)) {
|
|
ret = false;
|
|
}
|
|
|
|
/* test if the ACLs that are reported from the Connect5
|
|
* policy handle is enforced.
|
|
* i.e. an ordinary user only has the same rights as Everybody
|
|
* ReadControl
|
|
* Samr/OpenDomain
|
|
* Samr/EnumDomains
|
|
* Samr/ConnectToServer
|
|
* is granted and should therefore not be able to connect when
|
|
* requesting SAMR_ACCESS_SHUTDOWN_SERVER
|
|
*/
|
|
if (!test_samr_connect_user_acl_enforced(tctx, b, test_credentials, test_sid)) {
|
|
ret = false;
|
|
}
|
|
|
|
/* remove the test user */
|
|
torture_leave_domain(tctx, testuser);
|
|
|
|
return ret;
|
|
}
|
|
|
|
struct torture_suite *torture_rpc_samr_accessmask(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.accessmask");
|
|
struct torture_rpc_tcase *tcase;
|
|
|
|
tcase = torture_suite_add_rpc_iface_tcase(suite, "samr",
|
|
&ndr_table_samr);
|
|
|
|
torture_rpc_tcase_add_test(tcase, "connect", test_samr_connect);
|
|
|
|
/* test which bits in the accessmask to Connect5 will allow
|
|
* us to call OpenDomain() */
|
|
torture_rpc_tcase_add_test(tcase, "OpenDomain",
|
|
test_samr_accessmask_OpenDomain);
|
|
|
|
/* test which bits in the accessmask to Connect5 will allow
|
|
* us to call LookupDomain() */
|
|
torture_rpc_tcase_add_test(tcase, "LookupDomain",
|
|
test_samr_accessmask_LookupDomain);
|
|
|
|
/* test which bits in the accessmask to Connect5 will allow
|
|
* us to call EnumDomains() */
|
|
torture_rpc_tcase_add_test(tcase, "EnumDomains",
|
|
test_samr_accessmask_EnumDomains);
|
|
|
|
/* test which bits in the accessmask to Connect5
|
|
will allow us to connect to the server */
|
|
torture_rpc_tcase_add_test(tcase, "Connect5",
|
|
test_samr_accessmask_Connect5);
|
|
|
|
return suite;
|
|
}
|
|
|
|
static bool test_LookupRids(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct policy_handle *domain_handle,
|
|
uint32_t rid)
|
|
{
|
|
struct samr_LookupRids r;
|
|
struct lsa_Strings names;
|
|
struct samr_Ids types;
|
|
|
|
torture_comment(tctx, "Testing LookupRids %d\n", rid);
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.num_rids = 1;
|
|
r.in.rids = &rid;
|
|
r.out.names = &names;
|
|
r.out.types = &types;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupRids_r(b, tctx, &r),
|
|
"failed to call samr_LookupRids");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to call samr_LookupRids");
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
static bool test_user(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct policy_handle *domain_handle,
|
|
uint32_t access_mask,
|
|
struct samr_DispEntryGeneral *u)
|
|
{
|
|
struct policy_handle user_handle;
|
|
|
|
torture_comment(tctx, "Testing user %s (%d)\n", u->account_name.string, u->rid);
|
|
|
|
torture_assert(tctx, test_LookupRids(tctx, b, domain_handle, u->rid),
|
|
"failed to call lookuprids");
|
|
|
|
{
|
|
struct samr_OpenUser r;
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.access_mask = access_mask;
|
|
r.in.rid = u->rid;
|
|
r.out.user_handle = &user_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenUser_r(b, tctx, &r),
|
|
"failed to open user");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to open user");
|
|
}
|
|
{
|
|
struct samr_QueryUserInfo r;
|
|
union samr_UserInfo *info;
|
|
uint32_t levels[] = { 16, 21 };
|
|
int i;
|
|
|
|
r.in.user_handle = &user_handle;
|
|
r.out.info = &info;
|
|
|
|
for (i=0; i < ARRAY_SIZE(levels); i++) {
|
|
|
|
r.in.level = levels[i];
|
|
|
|
torture_comment(tctx, "Testing QueryUserInfo rid: %d level: %d\n",
|
|
u->rid, r.in.level);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
|
|
talloc_asprintf(tctx, "failed to query user info level %d", r.in.level));
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
talloc_asprintf(tctx, "failed to query user info level %d", r.in.level));
|
|
}
|
|
}
|
|
{
|
|
struct samr_GetGroupsForUser r;
|
|
struct samr_RidWithAttributeArray *rids;
|
|
|
|
r.in.user_handle = &user_handle;
|
|
r.out.rids = &rids;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_GetGroupsForUser_r(b, tctx, &r),
|
|
"failed to query groups for user");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to query groups for user");
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
torture_samr_Close(tctx, b, &user_handle),
|
|
"failed to close user handle");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_group(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct policy_handle *domain_handle,
|
|
uint32_t access_mask,
|
|
struct samr_SamEntry *g)
|
|
{
|
|
struct policy_handle group_handle;
|
|
|
|
torture_comment(tctx, "Testing group %s (%d)\n", g->name.string, g->idx);
|
|
|
|
torture_assert(tctx, test_LookupRids(tctx, b, domain_handle, g->idx),
|
|
"failed to call lookuprids");
|
|
{
|
|
struct samr_OpenGroup r;
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.access_mask = access_mask;
|
|
r.in.rid = g->idx;
|
|
r.out.group_handle = &group_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenGroup_r(b, tctx, &r),
|
|
"failed to open group");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to open group");
|
|
}
|
|
{
|
|
struct samr_QueryGroupMember r;
|
|
struct samr_RidAttrArray *rids;
|
|
|
|
r.in.group_handle = &group_handle;
|
|
r.out.rids = &rids;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryGroupMember_r(b, tctx, &r),
|
|
"failed to query group member");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to query group member");
|
|
|
|
}
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
torture_samr_Close(tctx, b, &group_handle),
|
|
"failed to close group handle");
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_alias(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
struct policy_handle *domain_handle,
|
|
struct samr_SamEntry *a)
|
|
{
|
|
torture_comment(tctx, "Testing alias %s (%d)\n", a->name.string, a->idx);
|
|
|
|
torture_assert(tctx, test_LookupRids(tctx, b, domain_handle, a->idx),
|
|
"failed to call lookuprids");
|
|
|
|
{
|
|
struct samr_GetAliasMembership r;
|
|
struct lsa_SidArray sids;
|
|
struct samr_Ids rids;
|
|
|
|
ZERO_STRUCT(sids);
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.sids = &sids;
|
|
r.out.rids = &rids;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_GetAliasMembership_r(b, tctx, &r),
|
|
"failed to get alias membership");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to get alias membership");
|
|
}
|
|
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_domain(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
uint32_t access_mask,
|
|
const char *domain_name,
|
|
struct policy_handle *connect_handle,
|
|
struct policy_handle *domain_handle_p)
|
|
{
|
|
struct policy_handle domain_handle;
|
|
struct dom_sid *domain_sid;
|
|
|
|
if (!domain_name) {
|
|
struct samr_EnumDomains r;
|
|
uint32_t resume_handle;
|
|
struct samr_SamArray *sam;
|
|
uint32_t num_entries;
|
|
int i;
|
|
|
|
r.in.connect_handle = connect_handle;
|
|
r.in.buf_size = 0xffff;
|
|
r.in.resume_handle = &resume_handle;
|
|
r.out.sam = &sam;
|
|
r.out.num_entries = &num_entries;
|
|
r.out.resume_handle = &resume_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomains_r(b, tctx, &r),
|
|
"failed to enum domains");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to enum domains");
|
|
|
|
torture_assert_int_equal(tctx, num_entries, 2,
|
|
"unexpected number of domains");
|
|
|
|
torture_assert(tctx, sam,
|
|
"no domain pointer returned");
|
|
|
|
for (i=0; i < sam->count; i++) {
|
|
if (!strequal(sam->entries[i].name.string, "builtin")) {
|
|
domain_name = sam->entries[i].name.string;
|
|
break;
|
|
}
|
|
}
|
|
|
|
torture_assert(tctx, domain_name,
|
|
"no domain found other than builtin found");
|
|
}
|
|
|
|
{
|
|
struct samr_LookupDomain r;
|
|
struct dom_sid2 *sid;
|
|
struct lsa_String name;
|
|
|
|
name.string = talloc_strdup(tctx, domain_name);
|
|
|
|
r.in.connect_handle = connect_handle;
|
|
r.in.domain_name = &name;
|
|
r.out.sid = &sid;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupDomain_r(b, tctx, &r),
|
|
"failed to lookup domain");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to lookup domain");
|
|
|
|
domain_sid = dom_sid_dup(tctx, sid);
|
|
}
|
|
|
|
{
|
|
struct samr_OpenDomain r;
|
|
|
|
r.in.connect_handle = connect_handle;
|
|
r.in.access_mask = access_mask;
|
|
r.in.sid = domain_sid;
|
|
r.out.domain_handle = &domain_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenDomain_r(b, tctx, &r),
|
|
"failed to open domain");
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to open domain");
|
|
|
|
}
|
|
|
|
{
|
|
struct samr_QueryDomainInfo r;
|
|
union samr_DomainInfo *info;
|
|
uint32_t levels[] = { 1, 2, 8, 12 };
|
|
int i;
|
|
|
|
r.in.domain_handle = &domain_handle;
|
|
r.out.info = &info;
|
|
|
|
for (i=0; i < ARRAY_SIZE(levels); i++) {
|
|
|
|
r.in.level = levels[i];
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo_r(b, tctx, &r),
|
|
talloc_asprintf(tctx, "failed to query domain info level %d", r.in.level));
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
talloc_asprintf(tctx, "failed to query domain info level %d", r.in.level));
|
|
}
|
|
|
|
}
|
|
|
|
*domain_handle_p = domain_handle;
|
|
|
|
return true;
|
|
}
|
|
|
|
static void get_query_dispinfo_params(int loop_count,
|
|
uint32_t *max_entries,
|
|
uint32_t *buf_size)
|
|
{
|
|
switch(loop_count) {
|
|
case 0:
|
|
*max_entries = 512;
|
|
*buf_size = 16383;
|
|
break;
|
|
case 1:
|
|
*max_entries = 1024;
|
|
*buf_size = 32766;
|
|
break;
|
|
case 2:
|
|
*max_entries = 2048;
|
|
*buf_size = 65532;
|
|
break;
|
|
case 3:
|
|
*max_entries = 4096;
|
|
*buf_size = 131064;
|
|
break;
|
|
default: /* loop_count >= 4 */
|
|
*max_entries = 4096;
|
|
*buf_size = 131071;
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
static bool test_samr_users(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
uint32_t access_mask,
|
|
struct policy_handle *domain_handle)
|
|
{
|
|
{
|
|
struct samr_QueryDisplayInfo r;
|
|
uint32_t total_size;
|
|
uint32_t returned_size;
|
|
union samr_DispInfo info;
|
|
int loop_count = 0;
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.level = 1;
|
|
r.in.start_idx = 0;
|
|
|
|
r.out.total_size = &total_size;
|
|
r.out.returned_size = &returned_size;
|
|
r.out.info = &info;
|
|
|
|
do {
|
|
int i;
|
|
|
|
r.in.max_entries = 0xffff;
|
|
r.in.buf_size = 0xffff;
|
|
|
|
get_query_dispinfo_params(loop_count,
|
|
&r.in.max_entries,
|
|
&r.in.buf_size);
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDisplayInfo_r(b, tctx, &r),
|
|
"QueryDisplayInfo failed");
|
|
if (NT_STATUS_IS_ERR(r.out.result)) {
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to call QueryDisplayInfo");
|
|
}
|
|
|
|
for (i=0; i < info.info1.count; i++) {
|
|
torture_assert(tctx,
|
|
test_user(tctx, b, domain_handle, access_mask, &info.info1.entries[i]),
|
|
"failed to test user");
|
|
}
|
|
loop_count++;
|
|
r.in.start_idx += info.info1.count;
|
|
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_groups(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
uint32_t access_mask,
|
|
struct policy_handle *domain_handle)
|
|
{
|
|
{
|
|
struct samr_EnumDomainGroups r;
|
|
uint32_t resume_handle = 0;
|
|
struct samr_SamArray *sam;
|
|
uint32_t num_entries;
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.resume_handle = &resume_handle;
|
|
r.in.max_size = 0xFFFF;
|
|
|
|
r.out.sam = &sam;
|
|
r.out.num_entries = &num_entries;
|
|
r.out.resume_handle = &resume_handle;
|
|
|
|
do {
|
|
int i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomainGroups_r(b, tctx, &r),
|
|
"EnumDomainGroups failed");
|
|
if (NT_STATUS_IS_ERR(r.out.result)) {
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to call EnumDomainGroups");
|
|
}
|
|
|
|
for (i=0; i < num_entries; i++) {
|
|
torture_assert(tctx,
|
|
test_samr_group(tctx, b, domain_handle, access_mask, &sam->entries[i]),
|
|
"failed to test group");
|
|
}
|
|
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool test_samr_aliases(struct torture_context *tctx,
|
|
struct dcerpc_binding_handle *b,
|
|
uint32_t access_mask,
|
|
struct policy_handle *domain_handle)
|
|
{
|
|
{
|
|
struct samr_EnumDomainAliases r;
|
|
uint32_t resume_handle = 0;
|
|
struct samr_SamArray *sam;
|
|
uint32_t num_entries;
|
|
|
|
r.in.domain_handle = domain_handle;
|
|
r.in.resume_handle = &resume_handle;
|
|
r.in.max_size = 0xFFFF;
|
|
|
|
r.out.sam = &sam;
|
|
r.out.num_entries = &num_entries;
|
|
r.out.resume_handle = &resume_handle;
|
|
|
|
do {
|
|
int i;
|
|
|
|
torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomainAliases_r(b, tctx, &r),
|
|
"EnumDomainAliases failed");
|
|
if (NT_STATUS_IS_ERR(r.out.result)) {
|
|
torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
"failed to call EnumDomainAliases");
|
|
}
|
|
|
|
for (i=0; i < num_entries; i++) {
|
|
torture_assert(tctx,
|
|
test_samr_alias(tctx, b, domain_handle, &sam->entries[i]),
|
|
"failed to test alias");
|
|
}
|
|
|
|
} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool torture_rpc_samr_workstation_query(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p,
|
|
struct cli_credentials *machine_credentials)
|
|
{
|
|
struct policy_handle connect_handle;
|
|
struct policy_handle domain_handle;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
torture_samr_Connect5(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&connect_handle),
|
|
"failed to connect to samr server");
|
|
|
|
torture_assert(tctx,
|
|
test_samr_domain(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED,
|
|
lpcfg_workgroup(tctx->lp_ctx),
|
|
&connect_handle, &domain_handle),
|
|
"failed to test domain");
|
|
|
|
torture_assert(tctx,
|
|
test_samr_users(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&domain_handle),
|
|
"failed to test users");
|
|
|
|
torture_assert(tctx,
|
|
test_samr_groups(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&domain_handle),
|
|
"failed to test groups");
|
|
|
|
torture_assert(tctx,
|
|
test_samr_aliases(tctx, b, SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&domain_handle),
|
|
"failed to test aliases");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
torture_samr_Close(tctx, b, &domain_handle),
|
|
"failed to close domain handle");
|
|
|
|
torture_assert_ntstatus_ok(tctx,
|
|
torture_samr_Close(tctx, b, &connect_handle),
|
|
"failed to close connect handle");
|
|
|
|
return true;
|
|
}
|
|
|
|
/* The purpose of this test is to verify that an account authenticated as a
|
|
* domain member workstation can query a DC for various remote read calls all
|
|
* opening objects while requesting SEC_FLAG_MAXIMUM_ALLOWED access rights on
|
|
* the object open calls. This is the behavior of winbind (and most of samba's
|
|
* client code) - gd */
|
|
|
|
struct torture_suite *torture_rpc_samr_workstation_auth(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.machine.auth");
|
|
struct torture_rpc_tcase *tcase;
|
|
|
|
tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "samr",
|
|
&ndr_table_samr,
|
|
TEST_MACHINENAME);
|
|
|
|
torture_rpc_tcase_add_test_creds(tcase, "workstation_query",
|
|
torture_rpc_samr_workstation_query);
|
|
|
|
return suite;
|
|
}
|