2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc operations
5 Copyright (C) Andrew Tridgell 2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "torture/torture.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/netlogon.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "lib/events/events.h"
29 #include "libcli/security/security.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "torture/rpc/torture_rpc.h"
32 #include "param/param.h"
33 #include "../lib/crypto/crypto.h"
34 #define TEST_MACHINENAME "lsatestmach"
35 #define TRUSTPW "12345678"
37 static void init_lsa_String(struct lsa_String *name, const char *s)
42 static bool test_OpenPolicy(struct dcerpc_binding_handle *b,
43 struct torture_context *tctx,
44 bool test_fail) /* check if the tests fails! */
46 struct lsa_ObjectAttribute attr;
47 struct policy_handle handle;
48 struct lsa_QosInfo qos;
49 struct lsa_OpenPolicy r;
50 uint16_t system_name = '\\';
52 torture_comment(tctx, "\nTesting OpenPolicy\n");
55 qos.impersonation_level = 2;
57 qos.effective_only = 0;
61 attr.object_name = NULL;
66 r.in.system_name = &system_name;
68 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
69 r.out.handle = &handle;
71 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy_r(b, tctx, &r),
73 if (!NT_STATUS_IS_OK(r.out.result)) {
74 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
75 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
77 torture_comment(tctx, "not considering %s to be an error\n",
78 nt_errstr(r.out.result));
82 torture_comment(tctx, "OpenPolicy failed - %s\n",
83 nt_errstr(r.out.result));
91 bool test_lsa_OpenPolicy2_ex(struct dcerpc_binding_handle *b,
92 struct torture_context *tctx,
93 struct policy_handle **handle,
94 NTSTATUS expected_status,
97 struct lsa_ObjectAttribute attr;
98 struct lsa_QosInfo qos;
99 struct lsa_OpenPolicy2 r;
102 torture_comment(tctx, "\nTesting OpenPolicy2\n");
104 *handle = talloc(tctx, struct policy_handle);
110 qos.impersonation_level = 2;
111 qos.context_mode = 1;
112 qos.effective_only = 0;
115 attr.root_dir = NULL;
116 attr.object_name = NULL;
118 attr.sec_desc = NULL;
121 r.in.system_name = "\\";
123 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
124 r.out.handle = *handle;
126 status = dcerpc_lsa_OpenPolicy2_r(b, tctx, &r);
127 torture_assert_ntstatus_equal(tctx, status, expected_status,
128 "OpenPolicy2 failed");
129 if (!NT_STATUS_IS_OK(expected_status)) {
132 if (!NT_STATUS_IS_OK(r.out.result)) {
133 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
134 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
136 torture_comment(tctx, "not considering %s to be an error\n",
137 nt_errstr(r.out.result));
138 talloc_free(*handle);
143 torture_comment(tctx, "OpenPolicy2 failed - %s\n",
144 nt_errstr(r.out.result));
152 bool test_lsa_OpenPolicy2(struct dcerpc_binding_handle *b,
153 struct torture_context *tctx,
154 struct policy_handle **handle)
156 return test_lsa_OpenPolicy2_ex(b, tctx, handle, NT_STATUS_OK, false);
159 static bool test_LookupNames(struct dcerpc_binding_handle *b,
160 struct torture_context *tctx,
161 struct policy_handle *handle,
162 struct lsa_TransNameArray *tnames)
164 struct lsa_LookupNames r;
165 struct lsa_TransSidArray sids;
166 struct lsa_RefDomainList *domains = NULL;
167 struct lsa_String *names;
172 torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count);
180 input_idx = talloc_array(tctx, uint32_t, tnames->count);
181 names = talloc_array(tctx, struct lsa_String, tnames->count);
183 for (i=0;i<tnames->count;i++) {
184 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
185 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
186 input_idx[r.in.num_names] = i;
191 r.in.handle = handle;
196 r.out.count = &count;
198 r.out.domains = &domains;
200 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
201 "LookupNames failed");
202 if (NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED) ||
203 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
204 for (i=0;i< r.in.num_names;i++) {
205 if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
206 torture_comment(tctx, "LookupName of %s was unmapped\n",
207 tnames->names[i].name.string);
208 } else if (i >=count) {
209 torture_comment(tctx, "LookupName of %s failed to return a result\n",
210 tnames->names[i].name.string);
213 torture_comment(tctx, "LookupNames failed - %s\n",
214 nt_errstr(r.out.result));
216 } else if (!NT_STATUS_IS_OK(r.out.result)) {
217 torture_comment(tctx, "LookupNames failed - %s\n",
218 nt_errstr(r.out.result));
222 for (i=0;i< r.in.num_names;i++) {
224 if (sids.sids[i].sid_type != tnames->names[input_idx[i]].sid_type) {
225 torture_comment(tctx, "LookupName of %s got unexpected name type: %s\n",
226 tnames->names[input_idx[i]].name.string,
227 sid_type_lookup(sids.sids[i].sid_type));
230 if ((sids.sids[i].sid_type == SID_NAME_DOMAIN) &&
231 (sids.sids[i].rid != (uint32_t)-1)) {
232 torture_comment(tctx, "LookupName of %s got unexpected rid: %d\n",
233 tnames->names[input_idx[i]].name.string, sids.sids[i].rid);
236 } else if (i >=count) {
237 torture_comment(tctx, "LookupName of %s failed to return a result\n",
238 tnames->names[input_idx[i]].name.string);
242 torture_comment(tctx, "\n");
247 static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
248 struct torture_context *tctx,
249 struct policy_handle *handle)
251 struct lsa_LookupNames r;
252 struct lsa_TransSidArray sids;
253 struct lsa_RefDomainList *domains = NULL;
254 struct lsa_String names[1];
257 torture_comment(tctx, "\nTesting LookupNames with bogus name\n");
262 init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");
264 r.in.handle = handle;
270 r.out.count = &count;
272 r.out.domains = &domains;
274 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
275 "LookupNames bogus failed");
276 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
277 torture_comment(tctx, "LookupNames failed - %s\n",
278 nt_errstr(r.out.result));
282 torture_comment(tctx, "\n");
287 static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
288 struct torture_context *tctx,
289 struct policy_handle *handle)
291 struct lsa_LookupNames r;
292 struct lsa_TransSidArray sids;
293 struct lsa_RefDomainList *domains = NULL;
294 struct lsa_String names[1];
297 torture_comment(tctx, "\nTesting LookupNames with NULL name\n");
302 names[0].string = NULL;
304 r.in.handle = handle;
310 r.out.count = &count;
312 r.out.domains = &domains;
314 /* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
315 * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
317 * w2k3/w2k8 return NT_STATUS_OK with sid_type
318 * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
321 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
322 "LookupNames with NULL name failed");
323 torture_assert_ntstatus_ok(tctx, r.out.result,
324 "LookupNames with NULL name failed");
326 torture_comment(tctx, "\n");
331 static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
332 struct torture_context *tctx,
333 struct policy_handle *handle)
335 struct lsa_TranslatedName name;
336 struct lsa_TransNameArray tnames;
339 torture_comment(tctx, "Testing LookupNames with well known names\n");
341 tnames.names = &name;
343 name.name.string = "NT AUTHORITY\\SYSTEM";
344 name.sid_type = SID_NAME_WKN_GRP;
345 ret &= test_LookupNames(b, tctx, handle, &tnames);
347 name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
348 name.sid_type = SID_NAME_WKN_GRP;
349 ret &= test_LookupNames(b, tctx, handle, &tnames);
351 name.name.string = "NT AUTHORITY\\Authenticated Users";
352 name.sid_type = SID_NAME_WKN_GRP;
353 ret &= test_LookupNames(b, tctx, handle, &tnames);
356 name.name.string = "NT AUTHORITY";
357 ret &= test_LookupNames(b, tctx, handle, &tnames);
359 name.name.string = "NT AUTHORITY\\";
360 ret &= test_LookupNames(b, tctx, handle, &tnames);
363 name.name.string = "BUILTIN\\";
364 name.sid_type = SID_NAME_DOMAIN;
365 ret &= test_LookupNames(b, tctx, handle, &tnames);
367 name.name.string = "BUILTIN\\Administrators";
368 name.sid_type = SID_NAME_ALIAS;
369 ret &= test_LookupNames(b, tctx, handle, &tnames);
371 name.name.string = "SYSTEM";
372 name.sid_type = SID_NAME_WKN_GRP;
373 ret &= test_LookupNames(b, tctx, handle, &tnames);
375 name.name.string = "Everyone";
376 name.sid_type = SID_NAME_WKN_GRP;
377 ret &= test_LookupNames(b, tctx, handle, &tnames);
381 static bool test_LookupNames2(struct dcerpc_binding_handle *b,
382 struct torture_context *tctx,
383 struct policy_handle *handle,
384 struct lsa_TransNameArray2 *tnames,
387 struct lsa_LookupNames2 r;
388 struct lsa_TransSidArray2 sids;
389 struct lsa_RefDomainList *domains = NULL;
390 struct lsa_String *names;
395 torture_comment(tctx, "\nTesting LookupNames2 with %d names\n", tnames->count);
402 input_idx = talloc_array(tctx, uint32_t, tnames->count);
403 names = talloc_array(tctx, struct lsa_String, tnames->count);
405 for (i=0;i<tnames->count;i++) {
406 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
407 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
408 input_idx[r.in.num_names] = i;
413 r.in.handle = handle;
418 r.in.lookup_options = 0;
419 r.in.client_revision = 0;
420 r.out.count = &count;
422 r.out.domains = &domains;
424 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames2_r(b, tctx, &r),
425 "LookupNames2 failed");
426 if (!NT_STATUS_IS_OK(r.out.result)) {
427 torture_comment(tctx, "LookupNames2 failed - %s\n",
428 nt_errstr(r.out.result));
433 torture_assert_int_equal(tctx, count, sids.count,
434 "unexpected number of results returned");
435 if (sids.count > 0) {
436 torture_assert(tctx, sids.sids, "invalid sid buffer");
440 torture_comment(tctx, "\n");
446 static bool test_LookupNames3(struct dcerpc_binding_handle *b,
447 struct torture_context *tctx,
448 struct policy_handle *handle,
449 struct lsa_TransNameArray2 *tnames,
452 struct lsa_LookupNames3 r;
453 struct lsa_TransSidArray3 sids;
454 struct lsa_RefDomainList *domains = NULL;
455 struct lsa_String *names;
460 torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count);
467 input_idx = talloc_array(tctx, uint32_t, tnames->count);
468 names = talloc_array(tctx, struct lsa_String, tnames->count);
469 for (i=0;i<tnames->count;i++) {
470 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
471 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
472 input_idx[r.in.num_names] = i;
477 r.in.handle = handle;
482 r.in.lookup_options = 0;
483 r.in.client_revision = 0;
484 r.out.count = &count;
486 r.out.domains = &domains;
488 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames3_r(b, tctx, &r),
489 "LookupNames3 failed");
490 if (!NT_STATUS_IS_OK(r.out.result)) {
491 torture_comment(tctx, "LookupNames3 failed - %s\n",
492 nt_errstr(r.out.result));
497 torture_assert_int_equal(tctx, count, sids.count,
498 "unexpected number of results returned");
499 if (sids.count > 0) {
500 torture_assert(tctx, sids.sids, "invalid sid buffer");
504 torture_comment(tctx, "\n");
509 static bool test_LookupNames4(struct dcerpc_binding_handle *b,
510 struct torture_context *tctx,
511 struct lsa_TransNameArray2 *tnames,
513 bool test_fail) /* check if the tests fails! */
515 struct lsa_LookupNames4 r;
516 struct lsa_TransSidArray3 sids;
517 struct lsa_RefDomainList *domains = NULL;
518 struct lsa_String *names;
523 torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count);
530 input_idx = talloc_array(tctx, uint32_t, tnames->count);
531 names = talloc_array(tctx, struct lsa_String, tnames->count);
532 for (i=0;i<tnames->count;i++) {
533 if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
534 init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
535 input_idx[r.in.num_names] = i;
540 r.in.num_names = tnames->count;
545 r.in.lookup_options = 0;
546 r.in.client_revision = 0;
547 r.out.count = &count;
549 r.out.domains = &domains;
551 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames4_r(b, tctx, &r),
552 "LookupNames4 failed");
553 if (!NT_STATUS_IS_OK(r.out.result)) {
554 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
555 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
557 torture_comment(tctx, "not considering %s to be an error\n",
558 nt_errstr(r.out.result));
562 torture_comment(tctx, "LookupNames4 failed - %s\n",
563 nt_errstr(r.out.result));
568 torture_assert_int_equal(tctx, count, sids.count,
569 "unexpected number of results returned");
570 if (sids.count > 0) {
571 torture_assert(tctx, sids.sids, "invalid sid buffer");
575 torture_comment(tctx, "\n");
581 static bool test_LookupSids(struct dcerpc_binding_handle *b,
582 struct torture_context *tctx,
583 struct policy_handle *handle,
584 struct lsa_SidArray *sids)
586 struct lsa_LookupSids r;
587 struct lsa_TransNameArray names;
588 struct lsa_RefDomainList *domains = NULL;
589 uint32_t count = sids->num_sids;
591 torture_comment(tctx, "\nTesting LookupSids\n");
596 r.in.handle = handle;
601 r.out.count = &count;
602 r.out.names = &names;
603 r.out.domains = &domains;
605 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
606 "LookupSids failed");
607 if (!NT_STATUS_IS_OK(r.out.result) &&
608 !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
609 torture_comment(tctx, "LookupSids failed - %s\n",
610 nt_errstr(r.out.result));
614 torture_comment(tctx, "\n");
616 if (!test_LookupNames(b, tctx, handle, &names)) {
624 static bool test_LookupSids2(struct dcerpc_binding_handle *b,
625 struct torture_context *tctx,
626 struct policy_handle *handle,
627 struct lsa_SidArray *sids)
629 struct lsa_LookupSids2 r;
630 struct lsa_TransNameArray2 names;
631 struct lsa_RefDomainList *domains = NULL;
632 uint32_t count = sids->num_sids;
634 torture_comment(tctx, "\nTesting LookupSids2\n");
639 r.in.handle = handle;
644 r.in.lookup_options = 0;
645 r.in.client_revision = 0;
646 r.out.count = &count;
647 r.out.names = &names;
648 r.out.domains = &domains;
650 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids2_r(b, tctx, &r),
651 "LookupSids2 failed");
652 if (!NT_STATUS_IS_OK(r.out.result) &&
653 !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
654 torture_comment(tctx, "LookupSids2 failed - %s\n",
655 nt_errstr(r.out.result));
659 torture_comment(tctx, "\n");
661 if (!test_LookupNames2(b, tctx, handle, &names, false)) {
665 if (!test_LookupNames3(b, tctx, handle, &names, false)) {
672 static bool test_LookupSids3(struct dcerpc_binding_handle *b,
673 struct torture_context *tctx,
674 struct lsa_SidArray *sids)
676 struct lsa_LookupSids3 r;
677 struct lsa_TransNameArray2 names;
678 struct lsa_RefDomainList *domains = NULL;
679 uint32_t count = sids->num_sids;
681 torture_comment(tctx, "\nTesting LookupSids3\n");
690 r.in.lookup_options = 0;
691 r.in.client_revision = 0;
692 r.out.domains = &domains;
693 r.out.count = &count;
694 r.out.names = &names;
696 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids3_r(b, tctx, &r),
697 "LookupSids3 failed");
699 torture_assert_ntstatus_ok(tctx,
701 "LookupSids3 failed");
703 torture_comment(tctx, "\n");
708 static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
709 struct torture_context *tctx,
710 struct lsa_SidArray *sids)
712 struct lsa_LookupSids3 r;
713 struct lsa_TransNameArray2 names;
714 struct lsa_RefDomainList *domains = NULL;
715 uint32_t count = sids->num_sids;
718 torture_comment(tctx, "\nTesting LookupSids3\n");
727 r.in.lookup_options = 0;
728 r.in.client_revision = 0;
729 r.out.domains = &domains;
730 r.out.count = &count;
731 r.out.names = &names;
733 status = dcerpc_lsa_LookupSids3_r(b, tctx, &r);
734 if (!NT_STATUS_IS_OK(status)) {
735 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
736 torture_comment(tctx,
737 "LookupSids3 correctly returned with "
743 torture_assert_ntstatus_equal(tctx,
745 NT_STATUS_ACCESS_DENIED,
746 "LookupSids3 return value should "
751 if (!NT_STATUS_IS_OK(r.out.result)) {
752 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
753 NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
754 torture_comment(tctx,
755 "LookupNames4 correctly returned with "
757 nt_errstr(r.out.result));
762 torture_assert_ntstatus_equal(tctx,
765 "LookupSids3 return value should be "
771 bool test_many_LookupSids(struct dcerpc_pipe *p,
772 struct torture_context *tctx,
773 struct policy_handle *handle)
776 struct lsa_SidArray sids;
778 struct dcerpc_binding_handle *b = p->binding_handle;
780 torture_comment(tctx, "\nTesting LookupSids with lots of SIDs\n");
784 sids.sids = talloc_array(tctx, struct lsa_SidPtr, sids.num_sids);
786 for (i=0; i<sids.num_sids; i++) {
787 const char *sidstr = "S-1-5-32-545";
788 sids.sids[i].sid = dom_sid_parse_talloc(tctx, sidstr);
791 count = sids.num_sids;
794 struct lsa_LookupSids r;
795 struct lsa_TransNameArray names;
796 struct lsa_RefDomainList *domains = NULL;
800 r.in.handle = handle;
804 r.in.count = &names.count;
805 r.out.count = &count;
806 r.out.names = &names;
807 r.out.domains = &domains;
809 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
810 "LookupSids failed");
811 if (!NT_STATUS_IS_OK(r.out.result)) {
812 torture_comment(tctx, "LookupSids failed - %s\n",
813 nt_errstr(r.out.result));
817 torture_comment(tctx, "\n");
819 if (!test_LookupNames(b, tctx, handle, &names)) {
824 if (p->binding->transport == NCACN_NP) {
825 struct lsa_TransNameArray2 names;
830 if (!test_LookupSids3_fail(b, tctx, &sids)) {
833 if (!test_LookupNames4(b, tctx, &names, false, true)) {
836 } else if (p->binding->transport == NCACN_IP_TCP) {
837 struct lsa_TransNameArray2 names;
842 if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
843 p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
844 if (!test_LookupSids3(b, tctx, &sids)) {
847 if (!test_LookupNames4(b, tctx, &names, true, false)) {
852 * If we don't have a secure channel these tests must
853 * fail with ACCESS_DENIED.
855 if (!test_LookupSids3_fail(b, tctx, &sids)) {
858 if (!test_LookupNames4(b, tctx, &names, false, true)) {
864 torture_comment(tctx, "\n");
871 static void lookupsids_cb(struct tevent_req *subreq)
873 int *replies = (int *)tevent_req_callback_data_void(subreq);
876 status = dcerpc_lsa_LookupSids_r_recv(subreq, subreq);
878 if (!NT_STATUS_IS_OK(status)) {
879 printf("lookupsids returned %s\n", nt_errstr(status));
888 static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
889 struct torture_context *tctx,
890 struct policy_handle *handle)
892 struct lsa_SidArray sids;
893 struct lsa_SidPtr sidptr;
895 struct lsa_TransNameArray *names;
896 struct lsa_LookupSids *r;
897 struct lsa_RefDomainList *domains = NULL;
898 struct tevent_req **req;
901 const int num_async_requests = 50;
903 count = talloc_array(tctx, uint32_t, num_async_requests);
904 names = talloc_array(tctx, struct lsa_TransNameArray, num_async_requests);
905 r = talloc_array(tctx, struct lsa_LookupSids, num_async_requests);
907 torture_comment(tctx, "\nTesting %d async lookupsids request\n", num_async_requests);
909 req = talloc_array(tctx, struct tevent_req *, num_async_requests);
913 sidptr.sid = dom_sid_parse_talloc(tctx, "S-1-5-32-545");
917 for (i=0; i<num_async_requests; i++) {
920 names[i].names = NULL;
922 r[i].in.handle = handle;
923 r[i].in.sids = &sids;
924 r[i].in.names = &names[i];
926 r[i].in.count = &names[i].count;
927 r[i].out.count = &count[i];
928 r[i].out.names = &names[i];
929 r[i].out.domains = &domains;
931 req[i] = dcerpc_lsa_LookupSids_r_send(tctx, tctx->ev, b, &r[i]);
932 if (req[i] == NULL) {
937 tevent_req_set_callback(req[i], lookupsids_cb, &replies);
940 while (replies >= 0 && replies < num_async_requests) {
941 tevent_loop_once(tctx->ev);
953 static bool test_LookupPrivValue(struct dcerpc_binding_handle *b,
954 struct torture_context *tctx,
955 struct policy_handle *handle,
956 struct lsa_String *name)
958 struct lsa_LookupPrivValue r;
959 struct lsa_LUID luid;
961 r.in.handle = handle;
965 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivValue_r(b, tctx, &r),
966 "LookupPrivValue failed");
967 if (!NT_STATUS_IS_OK(r.out.result)) {
968 torture_comment(tctx, "\nLookupPrivValue failed - %s\n",
969 nt_errstr(r.out.result));
976 static bool test_LookupPrivName(struct dcerpc_binding_handle *b,
977 struct torture_context *tctx,
978 struct policy_handle *handle,
979 struct lsa_LUID *luid)
981 struct lsa_LookupPrivName r;
982 struct lsa_StringLarge *name = NULL;
984 r.in.handle = handle;
988 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r),
989 "LookupPrivName failed");
990 if (!NT_STATUS_IS_OK(r.out.result)) {
991 torture_comment(tctx, "\nLookupPrivName failed - %s\n",
992 nt_errstr(r.out.result));
999 static bool test_RemovePrivilegesFromAccount(struct dcerpc_binding_handle *b,
1000 struct torture_context *tctx,
1001 struct policy_handle *handle,
1002 struct policy_handle *acct_handle,
1003 struct lsa_LUID *luid)
1005 struct lsa_RemovePrivilegesFromAccount r;
1006 struct lsa_PrivilegeSet privs;
1009 torture_comment(tctx, "\nTesting RemovePrivilegesFromAccount\n");
1011 r.in.handle = acct_handle;
1012 r.in.remove_all = 0;
1013 r.in.privs = &privs;
1017 privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
1018 privs.set[0].luid = *luid;
1019 privs.set[0].attribute = 0;
1021 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_RemovePrivilegesFromAccount_r(b, tctx, &r),
1022 "RemovePrivilegesFromAccount failed");
1023 if (!NT_STATUS_IS_OK(r.out.result)) {
1025 struct lsa_LookupPrivName r_name;
1026 struct lsa_StringLarge *name = NULL;
1028 r_name.in.handle = handle;
1029 r_name.in.luid = luid;
1030 r_name.out.name = &name;
1032 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r_name),
1033 "LookupPrivName failed");
1034 if (!NT_STATUS_IS_OK(r_name.out.result)) {
1035 torture_comment(tctx, "\nLookupPrivName failed - %s\n",
1036 nt_errstr(r_name.out.result));
1039 /* Windows 2008 does not allow this to be removed */
1040 if (strcmp("SeAuditPrivilege", name->string) == 0) {
1044 torture_comment(tctx, "RemovePrivilegesFromAccount failed to remove %s - %s\n",
1046 nt_errstr(r.out.result));
1053 static bool test_AddPrivilegesToAccount(struct dcerpc_binding_handle *b,
1054 struct torture_context *tctx,
1055 struct policy_handle *acct_handle,
1056 struct lsa_LUID *luid)
1058 struct lsa_AddPrivilegesToAccount r;
1059 struct lsa_PrivilegeSet privs;
1062 torture_comment(tctx, "\nTesting AddPrivilegesToAccount\n");
1064 r.in.handle = acct_handle;
1065 r.in.privs = &privs;
1069 privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
1070 privs.set[0].luid = *luid;
1071 privs.set[0].attribute = 0;
1073 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_AddPrivilegesToAccount_r(b, tctx, &r),
1074 "AddPrivilegesToAccount failed");
1075 if (!NT_STATUS_IS_OK(r.out.result)) {
1076 torture_comment(tctx, "AddPrivilegesToAccount failed - %s\n",
1077 nt_errstr(r.out.result));
1084 static bool test_EnumPrivsAccount(struct dcerpc_binding_handle *b,
1085 struct torture_context *tctx,
1086 struct policy_handle *handle,
1087 struct policy_handle *acct_handle)
1089 struct lsa_EnumPrivsAccount r;
1090 struct lsa_PrivilegeSet *privs = NULL;
1093 torture_comment(tctx, "\nTesting EnumPrivsAccount\n");
1095 r.in.handle = acct_handle;
1096 r.out.privs = &privs;
1098 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivsAccount_r(b, tctx, &r),
1099 "EnumPrivsAccount failed");
1100 if (!NT_STATUS_IS_OK(r.out.result)) {
1101 torture_comment(tctx, "EnumPrivsAccount failed - %s\n",
1102 nt_errstr(r.out.result));
1106 if (privs && privs->count > 0) {
1108 for (i=0;i<privs->count;i++) {
1109 test_LookupPrivName(b, tctx, handle,
1110 &privs->set[i].luid);
1113 ret &= test_RemovePrivilegesFromAccount(b, tctx, handle, acct_handle,
1114 &privs->set[0].luid);
1115 ret &= test_AddPrivilegesToAccount(b, tctx, acct_handle,
1116 &privs->set[0].luid);
1122 static bool test_GetSystemAccessAccount(struct dcerpc_binding_handle *b,
1123 struct torture_context *tctx,
1124 struct policy_handle *handle,
1125 struct policy_handle *acct_handle)
1127 uint32_t access_mask;
1128 struct lsa_GetSystemAccessAccount r;
1130 torture_comment(tctx, "\nTesting GetSystemAccessAccount\n");
1132 r.in.handle = acct_handle;
1133 r.out.access_mask = &access_mask;
1135 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetSystemAccessAccount_r(b, tctx, &r),
1136 "GetSystemAccessAccount failed");
1137 if (!NT_STATUS_IS_OK(r.out.result)) {
1138 torture_comment(tctx, "GetSystemAccessAccount failed - %s\n",
1139 nt_errstr(r.out.result));
1143 if (r.out.access_mask != NULL) {
1144 torture_comment(tctx, "Rights:");
1145 if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE)
1146 torture_comment(tctx, " LSA_POLICY_MODE_INTERACTIVE");
1147 if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK)
1148 torture_comment(tctx, " LSA_POLICY_MODE_NETWORK");
1149 if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH)
1150 torture_comment(tctx, " LSA_POLICY_MODE_BATCH");
1151 if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE)
1152 torture_comment(tctx, " LSA_POLICY_MODE_SERVICE");
1153 if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY)
1154 torture_comment(tctx, " LSA_POLICY_MODE_PROXY");
1155 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE)
1156 torture_comment(tctx, " LSA_POLICY_MODE_DENY_INTERACTIVE");
1157 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK)
1158 torture_comment(tctx, " LSA_POLICY_MODE_DENY_NETWORK");
1159 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH)
1160 torture_comment(tctx, " LSA_POLICY_MODE_DENY_BATCH");
1161 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE)
1162 torture_comment(tctx, " LSA_POLICY_MODE_DENY_SERVICE");
1163 if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE)
1164 torture_comment(tctx, " LSA_POLICY_MODE_REMOTE_INTERACTIVE");
1165 if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE)
1166 torture_comment(tctx, " LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE");
1167 if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL)
1168 torture_comment(tctx, " LSA_POLICY_MODE_ALL");
1169 if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4)
1170 torture_comment(tctx, " LSA_POLICY_MODE_ALL_NT4");
1171 torture_comment(tctx, "\n");
1177 static bool test_Delete(struct dcerpc_binding_handle *b,
1178 struct torture_context *tctx,
1179 struct policy_handle *handle)
1181 struct lsa_Delete r;
1183 torture_comment(tctx, "\nTesting Delete\n");
1185 r.in.handle = handle;
1186 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Delete_r(b, tctx, &r),
1188 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1189 torture_comment(tctx, "Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(r.out.result));
1196 static bool test_DeleteObject(struct dcerpc_binding_handle *b,
1197 struct torture_context *tctx,
1198 struct policy_handle *handle)
1200 struct lsa_DeleteObject r;
1202 torture_comment(tctx, "\nTesting DeleteObject\n");
1204 r.in.handle = handle;
1205 r.out.handle = handle;
1206 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &r),
1207 "DeleteObject failed");
1208 if (!NT_STATUS_IS_OK(r.out.result)) {
1209 torture_comment(tctx, "DeleteObject failed - %s\n",
1210 nt_errstr(r.out.result));
1218 static bool test_CreateAccount(struct dcerpc_binding_handle *b,
1219 struct torture_context *tctx,
1220 struct policy_handle *handle)
1222 struct lsa_CreateAccount r;
1223 struct dom_sid2 *newsid;
1224 struct policy_handle acct_handle;
1226 newsid = dom_sid_parse_talloc(tctx, "S-1-5-12349876-4321-2854");
1228 torture_comment(tctx, "\nTesting CreateAccount\n");
1230 r.in.handle = handle;
1232 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1233 r.out.acct_handle = &acct_handle;
1235 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateAccount_r(b, tctx, &r),
1236 "CreateAccount failed");
1237 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
1238 struct lsa_OpenAccount r_o;
1239 r_o.in.handle = handle;
1240 r_o.in.sid = newsid;
1241 r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1242 r_o.out.acct_handle = &acct_handle;
1244 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r_o),
1245 "OpenAccount failed");
1246 if (!NT_STATUS_IS_OK(r_o.out.result)) {
1247 torture_comment(tctx, "OpenAccount failed - %s\n",
1248 nt_errstr(r_o.out.result));
1251 } else if (!NT_STATUS_IS_OK(r.out.result)) {
1252 torture_comment(tctx, "CreateAccount failed - %s\n",
1253 nt_errstr(r.out.result));
1257 if (!test_Delete(b, tctx, &acct_handle)) {
1261 if (!test_DeleteObject(b, tctx, &acct_handle)) {
1268 static bool test_DeleteTrustedDomain(struct dcerpc_binding_handle *b,
1269 struct torture_context *tctx,
1270 struct policy_handle *handle,
1271 struct lsa_StringLarge name)
1273 struct lsa_OpenTrustedDomainByName r;
1274 struct policy_handle trustdom_handle;
1276 r.in.handle = handle;
1277 r.in.name.string = name.string;
1278 r.in.access_mask = SEC_STD_DELETE;
1279 r.out.trustdom_handle = &trustdom_handle;
1281 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &r),
1282 "OpenTrustedDomainByName failed");
1283 if (!NT_STATUS_IS_OK(r.out.result)) {
1284 torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(r.out.result));
1288 if (!test_Delete(b, tctx, &trustdom_handle)) {
1292 if (!test_DeleteObject(b, tctx, &trustdom_handle)) {
1299 static bool test_DeleteTrustedDomainBySid(struct dcerpc_binding_handle *b,
1300 struct torture_context *tctx,
1301 struct policy_handle *handle,
1302 struct dom_sid *sid)
1304 struct lsa_DeleteTrustedDomain r;
1306 r.in.handle = handle;
1309 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteTrustedDomain_r(b, tctx, &r),
1310 "DeleteTrustedDomain failed");
1311 if (!NT_STATUS_IS_OK(r.out.result)) {
1312 torture_comment(tctx, "DeleteTrustedDomain failed - %s\n", nt_errstr(r.out.result));
1320 static bool test_CreateSecret(struct dcerpc_pipe *p,
1321 struct torture_context *tctx,
1322 struct policy_handle *handle)
1325 struct lsa_CreateSecret r;
1326 struct lsa_OpenSecret r2;
1327 struct lsa_SetSecret r3;
1328 struct lsa_QuerySecret r4;
1329 struct lsa_SetSecret r5;
1330 struct lsa_QuerySecret r6;
1331 struct lsa_SetSecret r7;
1332 struct lsa_QuerySecret r8;
1333 struct policy_handle sec_handle, sec_handle2, sec_handle3;
1334 struct lsa_DeleteObject d_o;
1335 struct lsa_DATA_BUF buf1;
1336 struct lsa_DATA_BUF_PTR bufp1;
1337 struct lsa_DATA_BUF_PTR bufp2;
1340 DATA_BLOB session_key;
1341 NTTIME old_mtime, new_mtime;
1343 const char *secret1 = "abcdef12345699qwerty";
1345 const char *secret3 = "ABCDEF12345699QWERTY";
1347 const char *secret5 = "NEW-SAMBA4-SECRET";
1351 const int LOCAL = 0;
1352 const int GLOBAL = 1;
1353 struct dcerpc_binding_handle *b = p->binding_handle;
1355 secname[LOCAL] = talloc_asprintf(tctx, "torturesecret-%u", (unsigned int)random());
1356 secname[GLOBAL] = talloc_asprintf(tctx, "G$torturesecret-%u", (unsigned int)random());
1358 for (i=0; i< 2; i++) {
1359 torture_comment(tctx, "\nTesting CreateSecret of %s\n", secname[i]);
1361 init_lsa_String(&r.in.name, secname[i]);
1363 r.in.handle = handle;
1364 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1365 r.out.sec_handle = &sec_handle;
1367 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
1368 "CreateSecret failed");
1369 if (!NT_STATUS_IS_OK(r.out.result)) {
1370 torture_comment(tctx, "CreateSecret failed - %s\n", nt_errstr(r.out.result));
1374 r.in.handle = handle;
1375 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1376 r.out.sec_handle = &sec_handle3;
1378 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
1379 "CreateSecret failed");
1380 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
1381 torture_comment(tctx, "CreateSecret should have failed OBJECT_NAME_COLLISION - %s\n", nt_errstr(r.out.result));
1385 r2.in.handle = handle;
1386 r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1387 r2.in.name = r.in.name;
1388 r2.out.sec_handle = &sec_handle2;
1390 torture_comment(tctx, "Testing OpenSecret\n");
1392 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
1393 "OpenSecret failed");
1394 if (!NT_STATUS_IS_OK(r2.out.result)) {
1395 torture_comment(tctx, "OpenSecret failed - %s\n", nt_errstr(r2.out.result));
1399 status = dcerpc_fetch_session_key(p, &session_key);
1400 if (!NT_STATUS_IS_OK(status)) {
1401 torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
1405 enc_key = sess_encrypt_string(secret1, &session_key);
1407 r3.in.sec_handle = &sec_handle;
1408 r3.in.new_val = &buf1;
1409 r3.in.old_val = NULL;
1410 r3.in.new_val->data = enc_key.data;
1411 r3.in.new_val->length = enc_key.length;
1412 r3.in.new_val->size = enc_key.length;
1414 torture_comment(tctx, "Testing SetSecret\n");
1416 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
1417 "SetSecret failed");
1418 if (!NT_STATUS_IS_OK(r3.out.result)) {
1419 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r3.out.result));
1423 r3.in.sec_handle = &sec_handle;
1424 r3.in.new_val = &buf1;
1425 r3.in.old_val = NULL;
1426 r3.in.new_val->data = enc_key.data;
1427 r3.in.new_val->length = enc_key.length;
1428 r3.in.new_val->size = enc_key.length;
1430 /* break the encrypted data */
1433 torture_comment(tctx, "Testing SetSecret with broken key\n");
1435 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
1436 "SetSecret failed");
1437 if (!NT_STATUS_EQUAL(r3.out.result, NT_STATUS_UNKNOWN_REVISION)) {
1438 torture_comment(tctx, "SetSecret should have failed UNKNOWN_REVISION - %s\n", nt_errstr(r3.out.result));
1442 data_blob_free(&enc_key);
1444 ZERO_STRUCT(new_mtime);
1445 ZERO_STRUCT(old_mtime);
1447 /* fetch the secret back again */
1448 r4.in.sec_handle = &sec_handle;
1449 r4.in.new_val = &bufp1;
1450 r4.in.new_mtime = &new_mtime;
1451 r4.in.old_val = NULL;
1452 r4.in.old_mtime = NULL;
1456 torture_comment(tctx, "Testing QuerySecret\n");
1457 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r4),
1458 "QuerySecret failed");
1459 if (!NT_STATUS_IS_OK(r4.out.result)) {
1460 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r4.out.result));
1463 if (r4.out.new_val == NULL || r4.out.new_val->buf == NULL) {
1464 torture_comment(tctx, "No secret buffer returned\n");
1467 blob1.data = r4.out.new_val->buf->data;
1468 blob1.length = r4.out.new_val->buf->size;
1470 secret2 = sess_decrypt_string(tctx,
1471 &blob1, &session_key);
1473 if (strcmp(secret1, secret2) != 0) {
1474 torture_comment(tctx, "Returned secret (r4) '%s' doesn't match '%s'\n",
1481 enc_key = sess_encrypt_string(secret3, &session_key);
1483 r5.in.sec_handle = &sec_handle;
1484 r5.in.new_val = &buf1;
1485 r5.in.old_val = NULL;
1486 r5.in.new_val->data = enc_key.data;
1487 r5.in.new_val->length = enc_key.length;
1488 r5.in.new_val->size = enc_key.length;
1492 torture_comment(tctx, "Testing SetSecret (existing value should move to old)\n");
1494 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r5),
1495 "SetSecret failed");
1496 if (!NT_STATUS_IS_OK(r5.out.result)) {
1497 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r5.out.result));
1501 data_blob_free(&enc_key);
1503 ZERO_STRUCT(new_mtime);
1504 ZERO_STRUCT(old_mtime);
1506 /* fetch the secret back again */
1507 r6.in.sec_handle = &sec_handle;
1508 r6.in.new_val = &bufp1;
1509 r6.in.new_mtime = &new_mtime;
1510 r6.in.old_val = &bufp2;
1511 r6.in.old_mtime = &old_mtime;
1516 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r6),
1517 "QuerySecret failed");
1518 if (!NT_STATUS_IS_OK(r6.out.result)) {
1519 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r6.out.result));
1524 if (r6.out.new_val->buf == NULL || r6.out.old_val->buf == NULL
1525 || r6.out.new_mtime == NULL || r6.out.old_mtime == NULL) {
1526 torture_comment(tctx, "Both secret buffers and both times not returned\n");
1530 blob1.data = r6.out.new_val->buf->data;
1531 blob1.length = r6.out.new_val->buf->size;
1533 secret4 = sess_decrypt_string(tctx,
1534 &blob1, &session_key);
1536 if (strcmp(secret3, secret4) != 0) {
1537 torture_comment(tctx, "Returned NEW secret %s doesn't match %s\n", secret4, secret3);
1541 blob1.data = r6.out.old_val->buf->data;
1542 blob1.length = r6.out.old_val->buf->length;
1544 secret2 = sess_decrypt_string(tctx,
1545 &blob1, &session_key);
1547 if (strcmp(secret1, secret2) != 0) {
1548 torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret2, secret1);
1552 if (*r6.out.new_mtime == *r6.out.old_mtime) {
1553 torture_comment(tctx, "Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n",
1556 nt_time_string(tctx, *r6.out.old_mtime),
1557 nt_time_string(tctx, *r6.out.new_mtime));
1563 enc_key = sess_encrypt_string(secret5, &session_key);
1565 r7.in.sec_handle = &sec_handle;
1566 r7.in.old_val = &buf1;
1567 r7.in.old_val->data = enc_key.data;
1568 r7.in.old_val->length = enc_key.length;
1569 r7.in.old_val->size = enc_key.length;
1570 r7.in.new_val = NULL;
1572 torture_comment(tctx, "Testing SetSecret of old Secret only\n");
1574 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r7),
1575 "SetSecret failed");
1576 if (!NT_STATUS_IS_OK(r7.out.result)) {
1577 torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r7.out.result));
1581 data_blob_free(&enc_key);
1583 /* fetch the secret back again */
1584 r8.in.sec_handle = &sec_handle;
1585 r8.in.new_val = &bufp1;
1586 r8.in.new_mtime = &new_mtime;
1587 r8.in.old_val = &bufp2;
1588 r8.in.old_mtime = &old_mtime;
1593 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r8),
1594 "QuerySecret failed");
1595 if (!NT_STATUS_IS_OK(r8.out.result)) {
1596 torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r8.out.result));
1599 if (!r8.out.new_val || !r8.out.old_val) {
1600 torture_comment(tctx, "in/out pointers not returned, despite being set on in for QuerySecret\n");
1602 } else if (r8.out.new_val->buf != NULL) {
1603 torture_comment(tctx, "NEW secret buffer must not be returned after OLD set\n");
1605 } else if (r8.out.old_val->buf == NULL) {
1606 torture_comment(tctx, "OLD secret buffer was not returned after OLD set\n");
1608 } else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
1609 torture_comment(tctx, "Both times not returned after OLD set\n");
1612 blob1.data = r8.out.old_val->buf->data;
1613 blob1.length = r8.out.old_val->buf->size;
1615 secret6 = sess_decrypt_string(tctx,
1616 &blob1, &session_key);
1618 if (strcmp(secret5, secret6) != 0) {
1619 torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret5, secret6);
1623 if (*r8.out.new_mtime != *r8.out.old_mtime) {
1624 torture_comment(tctx, "Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n",
1626 nt_time_string(tctx, *r8.out.old_mtime),
1627 nt_time_string(tctx, *r8.out.new_mtime));
1633 if (!test_Delete(b, tctx, &sec_handle)) {
1637 if (!test_DeleteObject(b, tctx, &sec_handle)) {
1641 d_o.in.handle = &sec_handle2;
1642 d_o.out.handle = &sec_handle2;
1643 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &d_o),
1644 "DeleteObject failed");
1645 if (!NT_STATUS_EQUAL(d_o.out.result, NT_STATUS_INVALID_HANDLE)) {
1646 torture_comment(tctx, "Second delete expected INVALID_HANDLE - %s\n", nt_errstr(d_o.out.result));
1650 torture_comment(tctx, "Testing OpenSecret of just-deleted secret\n");
1652 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
1653 "OpenSecret failed");
1654 if (!NT_STATUS_EQUAL(r2.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1655 torture_comment(tctx, "OpenSecret expected OBJECT_NAME_NOT_FOUND - %s\n", nt_errstr(r2.out.result));
1666 static bool test_EnumAccountRights(struct dcerpc_binding_handle *b,
1667 struct torture_context *tctx,
1668 struct policy_handle *acct_handle,
1669 struct dom_sid *sid)
1671 struct lsa_EnumAccountRights r;
1672 struct lsa_RightSet rights;
1674 torture_comment(tctx, "\nTesting EnumAccountRights\n");
1676 r.in.handle = acct_handle;
1678 r.out.rights = &rights;
1680 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountRights_r(b, tctx, &r),
1681 "EnumAccountRights failed");
1682 if (!NT_STATUS_IS_OK(r.out.result)) {
1683 torture_comment(tctx, "EnumAccountRights of %s failed - %s\n",
1684 dom_sid_string(tctx, sid), nt_errstr(r.out.result));
1692 static bool test_QuerySecurity(struct dcerpc_binding_handle *b,
1693 struct torture_context *tctx,
1694 struct policy_handle *handle,
1695 struct policy_handle *acct_handle)
1697 struct lsa_QuerySecurity r;
1698 struct sec_desc_buf *sdbuf = NULL;
1700 if (torture_setting_bool(tctx, "samba4", false)) {
1701 torture_comment(tctx, "\nskipping QuerySecurity test against Samba4\n");
1705 torture_comment(tctx, "\nTesting QuerySecurity\n");
1707 r.in.handle = acct_handle;
1708 r.in.sec_info = SECINFO_OWNER |
1711 r.out.sdbuf = &sdbuf;
1713 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecurity_r(b, tctx, &r),
1714 "QuerySecurity failed");
1715 if (!NT_STATUS_IS_OK(r.out.result)) {
1716 torture_comment(tctx, "QuerySecurity failed - %s\n", nt_errstr(r.out.result));
1723 static bool test_OpenAccount(struct dcerpc_binding_handle *b,
1724 struct torture_context *tctx,
1725 struct policy_handle *handle,
1726 struct dom_sid *sid)
1728 struct lsa_OpenAccount r;
1729 struct policy_handle acct_handle;
1731 torture_comment(tctx, "\nTesting OpenAccount\n");
1733 r.in.handle = handle;
1735 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1736 r.out.acct_handle = &acct_handle;
1738 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r),
1739 "OpenAccount failed");
1740 if (!NT_STATUS_IS_OK(r.out.result)) {
1741 torture_comment(tctx, "OpenAccount failed - %s\n", nt_errstr(r.out.result));
1745 if (!test_EnumPrivsAccount(b, tctx, handle, &acct_handle)) {
1749 if (!test_GetSystemAccessAccount(b, tctx, handle, &acct_handle)) {
1753 if (!test_QuerySecurity(b, tctx, handle, &acct_handle)) {
1760 static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
1761 struct torture_context *tctx,
1762 struct policy_handle *handle)
1764 struct lsa_EnumAccounts r;
1765 struct lsa_SidArray sids1, sids2;
1766 uint32_t resume_handle = 0;
1770 torture_comment(tctx, "\nTesting EnumAccounts\n");
1772 r.in.handle = handle;
1773 r.in.resume_handle = &resume_handle;
1774 r.in.num_entries = 100;
1775 r.out.resume_handle = &resume_handle;
1776 r.out.sids = &sids1;
1780 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
1781 "EnumAccounts failed");
1782 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
1785 if (!NT_STATUS_IS_OK(r.out.result)) {
1786 torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(r.out.result));
1790 if (!test_LookupSids(b, tctx, handle, &sids1)) {
1794 if (!test_LookupSids2(b, tctx, handle, &sids1)) {
1798 /* Can't test lookupSids3 here, as clearly we must not
1799 * be on schannel, or we would not be able to do the
1802 torture_comment(tctx, "Testing all accounts\n");
1803 for (i=0;i<sids1.num_sids;i++) {
1804 ret &= test_OpenAccount(b, tctx, handle, sids1.sids[i].sid);
1805 ret &= test_EnumAccountRights(b, tctx, handle, sids1.sids[i].sid);
1807 torture_comment(tctx, "\n");
1810 if (sids1.num_sids < 3) {
1814 torture_comment(tctx, "Trying EnumAccounts partial listing (asking for 1 at 2)\n");
1816 r.in.num_entries = 1;
1817 r.out.sids = &sids2;
1819 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
1820 "EnumAccounts failed");
1821 if (!NT_STATUS_IS_OK(r.out.result)) {
1822 torture_comment(tctx, "EnumAccounts failed - %s\n", nt_errstr(r.out.result));
1826 if (sids2.num_sids != 1) {
1827 torture_comment(tctx, "Returned wrong number of entries (%d)\n", sids2.num_sids);
1834 static bool test_LookupPrivDisplayName(struct dcerpc_binding_handle *b,
1835 struct torture_context *tctx,
1836 struct policy_handle *handle,
1837 struct lsa_String *priv_name)
1839 struct lsa_LookupPrivDisplayName r;
1840 /* produce a reasonable range of language output without screwing up
1842 uint16_t language_id = (random() % 4) + 0x409;
1843 uint16_t returned_language_id = 0;
1844 struct lsa_StringLarge *disp_name = NULL;
1846 torture_comment(tctx, "\nTesting LookupPrivDisplayName(%s)\n", priv_name->string);
1848 r.in.handle = handle;
1849 r.in.name = priv_name;
1850 r.in.language_id = language_id;
1851 r.in.language_id_sys = 0;
1852 r.out.returned_language_id = &returned_language_id;
1853 r.out.disp_name = &disp_name;
1855 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivDisplayName_r(b, tctx, &r),
1856 "LookupPrivDisplayName failed");
1857 if (!NT_STATUS_IS_OK(r.out.result)) {
1858 torture_comment(tctx, "LookupPrivDisplayName failed - %s\n", nt_errstr(r.out.result));
1861 torture_comment(tctx, "%s -> \"%s\" (language 0x%x/0x%x)\n",
1862 priv_name->string, disp_name->string,
1863 r.in.language_id, *r.out.returned_language_id);
1868 static bool test_EnumAccountsWithUserRight(struct dcerpc_binding_handle *b,
1869 struct torture_context *tctx,
1870 struct policy_handle *handle,
1871 struct lsa_String *priv_name)
1873 struct lsa_EnumAccountsWithUserRight r;
1874 struct lsa_SidArray sids;
1878 torture_comment(tctx, "\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string);
1880 r.in.handle = handle;
1881 r.in.name = priv_name;
1884 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountsWithUserRight_r(b, tctx, &r),
1885 "EnumAccountsWithUserRight failed");
1887 /* NT_STATUS_NO_MORE_ENTRIES means noone has this privilege */
1888 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
1892 if (!NT_STATUS_IS_OK(r.out.result)) {
1893 torture_comment(tctx, "EnumAccountsWithUserRight failed - %s\n", nt_errstr(r.out.result));
1901 static bool test_EnumPrivs(struct dcerpc_binding_handle *b,
1902 struct torture_context *tctx,
1903 struct policy_handle *handle)
1905 struct lsa_EnumPrivs r;
1906 struct lsa_PrivArray privs1;
1907 uint32_t resume_handle = 0;
1911 torture_comment(tctx, "\nTesting EnumPrivs\n");
1913 r.in.handle = handle;
1914 r.in.resume_handle = &resume_handle;
1915 r.in.max_count = 100;
1916 r.out.resume_handle = &resume_handle;
1917 r.out.privs = &privs1;
1920 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivs_r(b, tctx, &r),
1921 "EnumPrivs failed");
1922 if (!NT_STATUS_IS_OK(r.out.result)) {
1923 torture_comment(tctx, "EnumPrivs failed - %s\n", nt_errstr(r.out.result));
1927 for (i = 0; i< privs1.count; i++) {
1928 test_LookupPrivDisplayName(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1929 test_LookupPrivValue(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1930 if (!test_EnumAccountsWithUserRight(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name)) {
1938 static bool test_QueryForestTrustInformation(struct dcerpc_binding_handle *b,
1939 struct torture_context *tctx,
1940 struct policy_handle *handle,
1941 const char *trusted_domain_name)
1944 struct lsa_lsaRQueryForestTrustInformation r;
1945 struct lsa_String string;
1946 struct lsa_ForestTrustInformation info, *info_ptr;
1948 torture_comment(tctx, "\nTesting lsaRQueryForestTrustInformation\n");
1950 if (torture_setting_bool(tctx, "samba4", false)) {
1951 torture_comment(tctx, "skipping QueryForestTrustInformation against Samba4\n");
1955 ZERO_STRUCT(string);
1957 if (trusted_domain_name) {
1958 init_lsa_String(&string, trusted_domain_name);
1963 r.in.handle = handle;
1964 r.in.trusted_domain_name = &string;
1966 r.out.forest_trust_info = &info_ptr;
1968 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_lsaRQueryForestTrustInformation_r(b, tctx, &r),
1969 "lsaRQueryForestTrustInformation failed");
1971 if (!NT_STATUS_IS_OK(r.out.result)) {
1972 torture_comment(tctx, "lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(r.out.result));
1979 static bool test_query_each_TrustDomEx(struct dcerpc_binding_handle *b,
1980 struct torture_context *tctx,
1981 struct policy_handle *handle,
1982 struct lsa_DomainListEx *domains)
1987 for (i=0; i< domains->count; i++) {
1989 if (domains->domains[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1990 ret &= test_QueryForestTrustInformation(b, tctx, handle,
1991 domains->domains[i].domain_name.string);
1998 static bool test_query_each_TrustDom(struct dcerpc_binding_handle *b,
1999 struct torture_context *tctx,
2000 struct policy_handle *handle,
2001 struct lsa_DomainList *domains)
2006 torture_comment(tctx, "\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n");
2007 for (i=0; i< domains->count; i++) {
2008 struct lsa_OpenTrustedDomain trust;
2009 struct lsa_OpenTrustedDomainByName trust_by_name;
2010 struct policy_handle trustdom_handle;
2011 struct policy_handle handle2;
2013 struct lsa_CloseTrustedDomainEx c_trust;
2014 int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
2015 int ok[] = {1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1};
2017 if (domains->domains[i].sid) {
2018 trust.in.handle = handle;
2019 trust.in.sid = domains->domains[i].sid;
2020 trust.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2021 trust.out.trustdom_handle = &trustdom_handle;
2023 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomain_r(b, tctx, &trust),
2024 "OpenTrustedDomain failed");
2026 if (!NT_STATUS_IS_OK(trust.out.result)) {
2027 torture_comment(tctx, "OpenTrustedDomain failed - %s\n", nt_errstr(trust.out.result));
2031 c.in.handle = &trustdom_handle;
2032 c.out.handle = &handle2;
2034 c_trust.in.handle = &trustdom_handle;
2035 c_trust.out.handle = &handle2;
2037 for (j=0; j < ARRAY_SIZE(levels); j++) {
2038 struct lsa_QueryTrustedDomainInfo q;
2039 union lsa_TrustedDomainInfo *info = NULL;
2040 q.in.trustdom_handle = &trustdom_handle;
2041 q.in.level = levels[j];
2043 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2044 "QueryTrustedDomainInfo failed");
2045 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2046 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
2047 levels[j], nt_errstr(q.out.result));
2049 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2050 torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
2051 levels[j], nt_errstr(q.out.result));
2056 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CloseTrustedDomainEx_r(b, tctx, &c_trust),
2057 "CloseTrustedDomainEx failed");
2058 if (!NT_STATUS_EQUAL(c_trust.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
2059 torture_comment(tctx, "Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(c_trust.out.result));
2063 c.in.handle = &trustdom_handle;
2064 c.out.handle = &handle2;
2066 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
2068 if (!NT_STATUS_IS_OK(c.out.result)) {
2069 torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
2073 for (j=0; j < ARRAY_SIZE(levels); j++) {
2074 struct lsa_QueryTrustedDomainInfoBySid q;
2075 union lsa_TrustedDomainInfo *info = NULL;
2077 if (!domains->domains[i].sid) {
2081 q.in.handle = handle;
2082 q.in.dom_sid = domains->domains[i].sid;
2083 q.in.level = levels[j];
2086 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoBySid_r(b, tctx, &q),
2087 "lsa_QueryTrustedDomainInfoBySid failed");
2088 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2089 torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d failed - %s\n",
2090 levels[j], nt_errstr(q.out.result));
2092 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2093 torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n",
2094 levels[j], nt_errstr(q.out.result));
2100 trust_by_name.in.handle = handle;
2101 trust_by_name.in.name.string = domains->domains[i].name.string;
2102 trust_by_name.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2103 trust_by_name.out.trustdom_handle = &trustdom_handle;
2105 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &trust_by_name),
2106 "OpenTrustedDomainByName failed");
2108 if (!NT_STATUS_IS_OK(trust_by_name.out.result)) {
2109 torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(trust_by_name.out.result));
2113 for (j=0; j < ARRAY_SIZE(levels); j++) {
2114 struct lsa_QueryTrustedDomainInfo q;
2115 union lsa_TrustedDomainInfo *info = NULL;
2116 q.in.trustdom_handle = &trustdom_handle;
2117 q.in.level = levels[j];
2119 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2120 "QueryTrustedDomainInfo failed");
2121 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2122 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
2123 levels[j], nt_errstr(q.out.result));
2125 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2126 torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
2127 levels[j], nt_errstr(q.out.result));
2132 c.in.handle = &trustdom_handle;
2133 c.out.handle = &handle2;
2135 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
2137 if (!NT_STATUS_IS_OK(c.out.result)) {
2138 torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
2142 for (j=0; j < ARRAY_SIZE(levels); j++) {
2143 struct lsa_QueryTrustedDomainInfoByName q;
2144 union lsa_TrustedDomainInfo *info = NULL;
2145 struct lsa_String name;
2147 name.string = domains->domains[i].name.string;
2149 q.in.handle = handle;
2150 q.in.trusted_domain = &name;
2151 q.in.level = levels[j];
2153 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoByName_r(b, tctx, &q),
2154 "QueryTrustedDomainInfoByName failed");
2155 if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
2156 torture_comment(tctx, "QueryTrustedDomainInfoByName level %d failed - %s\n",
2157 levels[j], nt_errstr(q.out.result));
2159 } else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
2160 torture_comment(tctx, "QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n",
2161 levels[j], nt_errstr(q.out.result));
2169 static bool test_EnumTrustDom(struct dcerpc_binding_handle *b,
2170 struct torture_context *tctx,
2171 struct policy_handle *handle)
2173 struct lsa_EnumTrustDom r;
2174 uint32_t in_resume_handle = 0;
2175 uint32_t out_resume_handle;
2176 struct lsa_DomainList domains;
2179 torture_comment(tctx, "\nTesting EnumTrustDom\n");
2181 r.in.handle = handle;
2182 r.in.resume_handle = &in_resume_handle;
2184 r.out.domains = &domains;
2185 r.out.resume_handle = &out_resume_handle;
2187 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
2188 "lsa_EnumTrustDom failed");
2190 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
2191 * always be larger than the previous input resume handle, in
2192 * particular when hitting the last query it is vital to set the
2193 * resume handle correctly to avoid infinite client loops, as
2194 * seen e.g. with Windows XP SP3 when resume handle is 0 and
2195 * status is NT_STATUS_OK - gd */
2197 if (NT_STATUS_IS_OK(r.out.result) ||
2198 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
2199 NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2201 if (out_resume_handle <= in_resume_handle) {
2202 torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
2203 out_resume_handle, in_resume_handle);
2208 if (NT_STATUS_IS_OK(r.out.result)) {
2209 if (domains.count == 0) {
2210 torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2213 } else if (!(NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
2214 torture_comment(tctx, "EnumTrustDom of zero size failed - %s\n", nt_errstr(r.out.result));
2218 /* Start from the bottom again */
2219 in_resume_handle = 0;
2222 r.in.handle = handle;
2223 r.in.resume_handle = &in_resume_handle;
2224 r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
2225 r.out.domains = &domains;
2226 r.out.resume_handle = &out_resume_handle;
2228 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
2229 "EnumTrustDom failed");
2231 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
2232 * always be larger than the previous input resume handle, in
2233 * particular when hitting the last query it is vital to set the
2234 * resume handle correctly to avoid infinite client loops, as
2235 * seen e.g. with Windows XP SP3 when resume handle is 0 and
2236 * status is NT_STATUS_OK - gd */
2238 if (NT_STATUS_IS_OK(r.out.result) ||
2239 NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
2240 NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2242 if (out_resume_handle <= in_resume_handle) {
2243 torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
2244 out_resume_handle, in_resume_handle);
2249 /* NO_MORE_ENTRIES is allowed */
2250 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
2251 if (domains.count == 0) {
2254 torture_comment(tctx, "EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2256 } else if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)) {
2257 /* Windows 2003 gets this off by one on the first run */
2258 if (r.out.domains->count < 3 || r.out.domains->count > 4) {
2259 torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
2260 "asked it to (got %d, expected %d / %d == %d entries)\n",
2261 r.out.domains->count, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3,
2262 LSA_ENUM_TRUST_DOMAIN_MULTIPLIER, r.in.max_size);
2265 } else if (!NT_STATUS_IS_OK(r.out.result)) {
2266 torture_comment(tctx, "EnumTrustDom failed - %s\n", nt_errstr(r.out.result));
2270 if (domains.count == 0) {
2271 torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2275 ret &= test_query_each_TrustDom(b, tctx, handle, &domains);
2277 in_resume_handle = out_resume_handle;
2279 } while ((NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)));
2284 static bool test_EnumTrustDomEx(struct dcerpc_binding_handle *b,
2285 struct torture_context *tctx,
2286 struct policy_handle *handle)
2288 struct lsa_EnumTrustedDomainsEx r_ex;
2289 uint32_t resume_handle = 0;
2290 struct lsa_DomainListEx domains_ex;
2293 torture_comment(tctx, "\nTesting EnumTrustedDomainsEx\n");
2295 r_ex.in.handle = handle;
2296 r_ex.in.resume_handle = &resume_handle;
2297 r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2298 r_ex.out.domains = &domains_ex;
2299 r_ex.out.resume_handle = &resume_handle;
2301 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
2302 "EnumTrustedDomainsEx failed");
2304 if (!(NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
2305 torture_comment(tctx, "EnumTrustedDomainEx of zero size failed - %s\n", nt_errstr(r_ex.out.result));
2311 r_ex.in.handle = handle;
2312 r_ex.in.resume_handle = &resume_handle;
2313 r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2314 r_ex.out.domains = &domains_ex;
2315 r_ex.out.resume_handle = &resume_handle;
2317 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
2318 "EnumTrustedDomainsEx failed");
2320 /* NO_MORE_ENTRIES is allowed */
2321 if (NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
2322 if (domains_ex.count == 0) {
2325 torture_comment(tctx, "EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2327 } else if (NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES)) {
2328 /* Windows 2003 gets this off by one on the first run */
2329 if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) {
2330 torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
2331 "asked it to (got %d, expected %d / %d == %d entries)\n",
2332 r_ex.out.domains->count,
2334 LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER,
2335 r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
2337 } else if (!NT_STATUS_IS_OK(r_ex.out.result)) {
2338 torture_comment(tctx, "EnumTrustedDomainEx failed - %s\n", nt_errstr(r_ex.out.result));
2342 if (domains_ex.count == 0) {
2343 torture_comment(tctx, "EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2347 ret &= test_query_each_TrustDomEx(b, tctx, handle, &domains_ex);
2349 } while ((NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES)));
2355 static bool test_CreateTrustedDomain(struct dcerpc_binding_handle *b,
2356 struct torture_context *tctx,
2357 struct policy_handle *handle,
2358 uint32_t num_trusts)
2361 struct lsa_CreateTrustedDomain r;
2362 struct lsa_DomainInfo trustinfo;
2363 struct dom_sid **domsid;
2364 struct policy_handle *trustdom_handle;
2365 struct lsa_QueryTrustedDomainInfo q;
2366 union lsa_TrustedDomainInfo *info = NULL;
2369 torture_comment(tctx, "\nTesting CreateTrustedDomain for %d domains\n", num_trusts);
2371 if (!test_EnumTrustDom(b, tctx, handle)) {
2375 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2379 domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
2380 trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
2382 for (i=0; i< num_trusts; i++) {
2383 char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2384 char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2386 domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2388 trustinfo.sid = domsid[i];
2389 init_lsa_String((struct lsa_String *)&trustinfo.name, trust_name);
2391 r.in.policy_handle = handle;
2392 r.in.info = &trustinfo;
2393 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2394 r.out.trustdom_handle = &trustdom_handle[i];
2396 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
2397 "CreateTrustedDomain failed");
2398 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
2399 test_DeleteTrustedDomain(b, tctx, handle, trustinfo.name);
2400 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
2401 "CreateTrustedDomain failed");
2403 if (!NT_STATUS_IS_OK(r.out.result)) {
2404 torture_comment(tctx, "CreateTrustedDomain failed - %s\n", nt_errstr(r.out.result));
2408 q.in.trustdom_handle = &trustdom_handle[i];
2409 q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2411 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2412 "QueryTrustedDomainInfo failed");
2413 if (!NT_STATUS_IS_OK(q.out.result)) {
2414 torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n", q.in.level, nt_errstr(q.out.result));
2416 } else if (!q.out.info) {
2419 if (strcmp(info->info_ex.netbios_name.string, trustinfo.name.string) != 0) {
2420 torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
2421 info->info_ex.netbios_name.string, trustinfo.name.string);
2424 if (info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
2425 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2426 trust_name, info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL);
2429 if (info->info_ex.trust_attributes != 0) {
2430 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2431 trust_name, info->info_ex.trust_attributes, 0);
2434 if (info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) {
2435 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2436 trust_name, info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND);
2443 /* now that we have some domains to look over, we can test the enum calls */
2444 if (!test_EnumTrustDom(b, tctx, handle)) {
2448 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2452 for (i=0; i<num_trusts; i++) {
2453 if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
2461 static bool gen_authinfo_internal(TALLOC_CTX *mem_ctx, const char *password,
2462 DATA_BLOB session_key,
2463 struct lsa_TrustDomainInfoAuthInfoInternal **_authinfo_internal)
2465 struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal;
2466 struct trustDomainPasswords auth_struct;
2467 struct AuthenticationInformation *auth_info_array;
2468 size_t converted_size;
2469 DATA_BLOB auth_blob;
2470 enum ndr_err_code ndr_err;
2472 authinfo_internal = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoAuthInfoInternal);
2473 if (authinfo_internal == NULL) {
2477 auth_info_array = talloc_array(mem_ctx,
2478 struct AuthenticationInformation, 1);
2479 if (auth_info_array == NULL) {
2483 generate_random_buffer(auth_struct.confounder, sizeof(auth_struct.confounder));
2485 auth_info_array[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
2487 if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16, password,
2489 &auth_info_array[0].AuthInfo.clear.password,
2494 auth_info_array[0].AuthInfo.clear.size = converted_size;
2496 auth_struct.outgoing.count = 1;
2497 auth_struct.outgoing.current.count = 1;
2498 auth_struct.outgoing.current.array = auth_info_array;
2499 auth_struct.outgoing.previous.count = 0;
2500 auth_struct.outgoing.previous.array = NULL;
2502 auth_struct.incoming.count = 1;
2503 auth_struct.incoming.current.count = 1;
2504 auth_struct.incoming.current.array = auth_info_array;
2505 auth_struct.incoming.previous.count = 0;
2506 auth_struct.incoming.previous.array = NULL;
2509 ndr_err = ndr_push_struct_blob(&auth_blob, mem_ctx, &auth_struct,
2510 (ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
2511 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2515 arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
2517 authinfo_internal->auth_blob.size = auth_blob.length;
2518 authinfo_internal->auth_blob.data = auth_blob.data;
2520 *_authinfo_internal = authinfo_internal;
2525 static bool gen_authinfo(TALLOC_CTX *mem_ctx, const char *password,
2526 struct lsa_TrustDomainInfoAuthInfo **_authinfo)
2528 struct lsa_TrustDomainInfoAuthInfo *authinfo;
2529 struct lsa_TrustDomainInfoBuffer *info_buffer;
2530 size_t converted_size;
2532 authinfo = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoAuthInfo);
2533 if (authinfo == NULL) {
2537 info_buffer = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoBuffer);
2538 if (info_buffer == NULL) {
2542 info_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
2544 if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16, password,
2546 &info_buffer->data.data,
2551 info_buffer->data.size = converted_size;
2553 authinfo->incoming_count = 1;
2554 authinfo->incoming_current_auth_info = info_buffer;
2555 authinfo->incoming_previous_auth_info = NULL;
2556 authinfo->outgoing_count = 1;
2557 authinfo->outgoing_current_auth_info = info_buffer;
2558 authinfo->outgoing_previous_auth_info = NULL;
2560 *_authinfo = authinfo;
2565 static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
2566 struct torture_context *tctx,
2567 uint32_t negotiate_flags,
2568 struct cli_credentials *machine_credentials,
2569 struct netlogon_creds_CredentialState **creds_out)
2571 struct netr_ServerReqChallenge r;
2572 struct netr_ServerAuthenticate3 a;
2573 struct netr_Credential credentials1, credentials2, credentials3;
2574 struct netlogon_creds_CredentialState *creds;
2575 struct samr_Password mach_password;
2577 const char *machine_name;
2578 const char *plain_pass;
2579 struct dcerpc_binding_handle *b = p->binding_handle;
2581 machine_name = cli_credentials_get_workstation(machine_credentials);
2582 plain_pass = cli_credentials_get_password(machine_credentials);
2584 r.in.server_name = NULL;
2585 r.in.computer_name = machine_name;
2586 r.in.credentials = &credentials1;
2587 r.out.return_credentials = &credentials2;
2589 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
2591 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2592 "ServerReqChallenge failed");
2593 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
2595 E_md4hash(plain_pass, mach_password.hash);
2597 a.in.server_name = NULL;
2598 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
2599 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2600 a.in.computer_name = machine_name;
2601 a.in.negotiate_flags = &negotiate_flags;
2602 a.in.credentials = &credentials3;
2603 a.out.return_credentials = &credentials3;
2604 a.out.negotiate_flags = &negotiate_flags;
2607 creds = netlogon_creds_client_init(tctx, a.in.account_name,
2609 &credentials1, &credentials2,
2610 &mach_password, &credentials3,
2613 torture_assert(tctx, creds != NULL, "memory allocation");
2615 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
2616 "ServerAuthenticate3 failed");
2617 if (!NT_STATUS_IS_OK(a.out.result)) {
2618 if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_ACCESS_DENIED)) {
2619 torture_assert_ntstatus_ok(tctx, a.out.result,
2620 "ServerAuthenticate3 failed");
2624 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
2626 /* Prove that requesting a challenge again won't break it */
2627 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
2628 "ServerReqChallenge failed");
2629 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
2635 static bool check_dom_trust_pw(struct dcerpc_pipe *p,
2636 struct torture_context *tctx,
2637 const char *trusted_dom_name,
2638 const char *password)
2640 struct cli_credentials *credentials;
2642 struct netlogon_creds_CredentialState *creds;
2643 struct dcerpc_pipe *pipe;
2647 credentials = cli_credentials_init(tctx);
2648 if (credentials == NULL) {
2652 dummy = talloc_asprintf(tctx, "%s$", trusted_dom_name);
2653 if (dummy == NULL) {
2657 cli_credentials_set_username(credentials, dummy, CRED_SPECIFIED);
2658 cli_credentials_set_password(credentials, password, CRED_SPECIFIED);
2659 cli_credentials_set_workstation(credentials,
2660 trusted_dom_name, CRED_SPECIFIED);
2661 cli_credentials_set_secure_channel_type(credentials, SEC_CHAN_DOMAIN);
2663 status = dcerpc_pipe_connect_b(tctx, &pipe, p->binding,
2664 &ndr_table_netlogon,
2665 cli_credentials_init_anon(tctx),
2666 tctx->ev, tctx->lp_ctx);
2667 if (!NT_STATUS_IS_OK(status)) {
2668 torture_comment(tctx, "dcerpc_pipe_connect_b failed.\n");
2672 ok = check_pw_with_ServerAuthenticate3(pipe, tctx,
2673 NETLOGON_NEG_AUTH2_ADS_FLAGS,
2674 credentials, &creds);
2680 static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
2681 struct torture_context *tctx,
2682 struct policy_handle *handle,
2683 uint32_t num_trusts,
2688 struct lsa_CreateTrustedDomainEx r;
2689 struct lsa_CreateTrustedDomainEx2 r2;
2690 struct lsa_TrustDomainInfoInfoEx trustinfo;
2691 struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal;
2692 struct lsa_TrustDomainInfoAuthInfo *authinfo;
2693 struct dom_sid **domsid;
2694 struct policy_handle *trustdom_handle;
2695 struct lsa_QueryTrustedDomainInfo q;
2696 union lsa_TrustedDomainInfo *info = NULL;
2697 DATA_BLOB session_key;
2699 struct dcerpc_binding_handle *b = p->binding_handle;
2702 torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
2704 torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d domains\n", num_trusts);
2707 domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
2708 trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);
2710 status = dcerpc_fetch_session_key(p, &session_key);
2711 if (!NT_STATUS_IS_OK(status)) {
2712 torture_comment(tctx, "dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
2716 for (i=0; i< num_trusts; i++) {
2717 char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2718 char *trust_name_dns = talloc_asprintf(tctx, "torturedom%02d.samba.example.com", i);
2719 char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2721 domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2723 trustinfo.sid = domsid[i];
2724 trustinfo.netbios_name.string = trust_name;
2725 trustinfo.domain_name.string = trust_name_dns;
2727 /* Create inbound, some outbound, and some
2728 * bi-directional trusts in a repeating pattern based
2731 /* 1 == inbound, 2 == outbound, 3 == both */
2732 trustinfo.trust_direction = (i % 3) + 1;
2734 /* Try different trust types too */
2736 /* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
2737 trustinfo.trust_type = (((i / 3) + 1) % 3) + 1;
2739 trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
2741 if (!gen_authinfo_internal(tctx, TRUSTPW, session_key, &authinfo_internal)) {
2742 torture_comment(tctx, "gen_authinfo_internal failed");
2746 if (!gen_authinfo(tctx, TRUSTPW, &authinfo)) {
2747 torture_comment(tctx, "gen_authinfonfo failed");
2753 r2.in.policy_handle = handle;
2754 r2.in.info = &trustinfo;
2755 r2.in.auth_info_internal = authinfo_internal;
2756 r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2757 r2.out.trustdom_handle = &trustdom_handle[i];
2759 torture_assert_ntstatus_ok(tctx,
2760 dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
2761 "CreateTrustedDomainEx2 failed");
2763 status = r2.out.result;
2766 r.in.policy_handle = handle;
2767 r.in.info = &trustinfo;
2768 r.in.auth_info = authinfo;
2769 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2770 r.out.trustdom_handle = &trustdom_handle[i];
2772 torture_assert_ntstatus_ok(tctx,
2773 dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
2774 "CreateTrustedDomainEx failed");
2776 status = r.out.result;
2779 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
2780 test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
2782 torture_assert_ntstatus_ok(tctx,
2783 dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
2784 "CreateTrustedDomainEx2 failed");
2785 status = r2.out.result;
2787 torture_assert_ntstatus_ok(tctx,
2788 dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
2789 "CreateTrustedDomainEx2 failed");
2790 status = r.out.result;
2793 if (!NT_STATUS_IS_OK(status)) {
2794 torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
2797 /* For outbound and MIT trusts there is no trust account */
2798 if (trustinfo.trust_direction != 2 &&
2799 trustinfo.trust_type != 3) {
2801 if (torture_setting_bool(tctx, "samba3", false) ||
2802 torture_setting_bool(tctx, "samba4", false)) {
2803 torture_comment(tctx, "skipping trusted domain auth tests against samba");
2805 if (check_dom_trust_pw(p, tctx, trust_name,
2807 torture_comment(tctx, "Password check passed unexpectedly\n");
2810 if (!check_dom_trust_pw(p, tctx, trust_name,
2812 torture_comment(tctx, "Password check failed\n");
2818 q.in.trustdom_handle = &trustdom_handle[i];
2819 q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2821 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
2822 "QueryTrustedDomainInfo failed");
2823 if (!NT_STATUS_IS_OK(q.out.result)) {
2824 torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(q.out.result));
2826 } else if (!q.out.info) {
2827 torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed to return an info pointer\n");
2830 if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) {
2831 torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
2832 info->info_ex.netbios_name.string, trustinfo.netbios_name.string);
2835 if (info->info_ex.trust_type != trustinfo.trust_type) {
2836 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2837 trust_name, info->info_ex.trust_type, trustinfo.trust_type);
2840 if (info->info_ex.trust_attributes != LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) {
2841 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2842 trust_name, info->info_ex.trust_attributes, LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION);
2845 if (info->info_ex.trust_direction != trustinfo.trust_direction) {
2846 torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2847 trust_name, info->info_ex.trust_direction, trustinfo.trust_direction);
2854 /* now that we have some domains to look over, we can test the enum calls */
2855 if (!test_EnumTrustDom(b, tctx, handle)) {
2856 torture_comment(tctx, "test_EnumTrustDom failed\n");
2860 if (!test_EnumTrustDomEx(b, tctx, handle)) {
2861 torture_comment(tctx, "test_EnumTrustDomEx failed\n");
2865 for (i=0; i<num_trusts; i++) {
2866 if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
2867 torture_comment(tctx, "test_DeleteTrustedDomainBySid failed\n");
2875 static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
2876 struct torture_context *tctx,
2877 struct policy_handle *handle,
2878 uint32_t num_trusts)
2880 return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, true);
2883 static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
2884 struct torture_context *tctx,
2885 struct policy_handle *handle,
2886 uint32_t num_trusts)
2888 return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, false);
2891 static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
2892 struct torture_context *tctx,
2893 struct policy_handle *handle)
2895 struct lsa_QueryDomainInformationPolicy r;
2896 union lsa_DomainInformationPolicy *info = NULL;
2900 if (torture_setting_bool(tctx, "samba3", false)) {
2901 torture_skip(tctx, "skipping QueryDomainInformationPolicy test\n");
2904 torture_comment(tctx, "\nTesting QueryDomainInformationPolicy\n");
2907 r.in.handle = handle;
2911 torture_comment(tctx, "\nTrying QueryDomainInformationPolicy level %d\n", i);
2913 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryDomainInformationPolicy_r(b, tctx, &r),
2914 "QueryDomainInformationPolicy failed");
2916 /* If the server does not support EFS, then this is the correct return */
2917 if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2919 } else if (!NT_STATUS_IS_OK(r.out.result)) {
2920 torture_comment(tctx, "QueryDomainInformationPolicy failed - %s\n", nt_errstr(r.out.result));
2930 static bool test_QueryInfoPolicyCalls( bool version2,
2931 struct dcerpc_binding_handle *b,
2932 struct torture_context *tctx,
2933 struct policy_handle *handle)
2935 struct lsa_QueryInfoPolicy r;
2936 union lsa_PolicyInformation *info = NULL;
2939 const char *call = talloc_asprintf(tctx, "QueryInfoPolicy%s", version2 ? "2":"");
2941 torture_comment(tctx, "\nTesting %s\n", call);
2943 if (version2 && torture_setting_bool(tctx, "samba3", false)) {
2944 torture_skip(tctx, "skipping QueryInfoPolicy2 tests\n");
2947 for (i=1;i<=14;i++) {
2948 r.in.handle = handle;
2952 torture_comment(tctx, "\nTrying %s level %d\n", call, i);
2955 /* We can perform the cast, because both types are
2956 structurally equal */
2957 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy2_r(b, tctx,
2958 (struct lsa_QueryInfoPolicy2*) &r),
2959 "QueryInfoPolicy2 failed");
2961 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy_r(b, tctx, &r),
2962 "QueryInfoPolicy2 failed");
2965 case LSA_POLICY_INFO_MOD:
2966 case LSA_POLICY_INFO_AUDIT_FULL_SET:
2967 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
2968 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
2969 torture_comment(tctx, "Server should have failed level %u: %s\n", i, nt_errstr(r.out.result));
2973 case LSA_POLICY_INFO_DOMAIN:
2974 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
2975 case LSA_POLICY_INFO_REPLICA:
2976 case LSA_POLICY_INFO_QUOTA:
2977 case LSA_POLICY_INFO_ROLE:
2978 case LSA_POLICY_INFO_AUDIT_LOG:
2979 case LSA_POLICY_INFO_AUDIT_EVENTS:
2980 case LSA_POLICY_INFO_PD:
2981 if (!NT_STATUS_IS_OK(r.out.result)) {
2982 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
2986 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
2987 case LSA_POLICY_INFO_DNS_INT:
2988 case LSA_POLICY_INFO_DNS:
2989 if (torture_setting_bool(tctx, "samba3", false)) {
2990 /* Other levels not implemented yet */
2991 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
2992 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
2995 } else if (!NT_STATUS_IS_OK(r.out.result)) {
2996 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3001 if (torture_setting_bool(tctx, "samba4", false)) {
3002 /* Other levels not implemented yet */
3003 if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
3004 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3007 } else if (!NT_STATUS_IS_OK(r.out.result)) {
3008 torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
3014 if (NT_STATUS_IS_OK(r.out.result) && (i == LSA_POLICY_INFO_DNS
3015 || i == LSA_POLICY_INFO_DNS_INT)) {
3016 /* Let's look up some of these names */
3018 struct lsa_TransNameArray tnames;
3020 tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
3021 tnames.names[0].name.string = info->dns.name.string;
3022 tnames.names[0].sid_type = SID_NAME_DOMAIN;
3023 tnames.names[1].name.string = info->dns.dns_domain.string;
3024 tnames.names[1].sid_type = SID_NAME_DOMAIN;
3025 tnames.names[2].name.string = talloc_asprintf(tctx, "%s\\", info->dns.name.string);
3026 tnames.names[2].sid_type = SID_NAME_DOMAIN;
3027 tnames.names[3].name.string = talloc_asprintf(tctx, "%s\\", info->dns.dns_domain.string);
3028 tnames.names[3].sid_type = SID_NAME_DOMAIN;
3029 tnames.names[4].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.name.string);
3030 tnames.names[4].sid_type = SID_NAME_USER;
3031 tnames.names[5].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.name.string);
3032 tnames.names[5].sid_type = SID_NAME_USER;
3033 tnames.names[6].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.dns_domain.string);
3034 tnames.names[6].sid_type = SID_NAME_USER;
3035 tnames.names[7].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.dns_domain.string);
3036 tnames.names[7].sid_type = SID_NAME_USER;
3037 tnames.names[8].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.name.string);
3038 tnames.names[8].sid_type = SID_NAME_USER;
3039 tnames.names[9].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.dns_domain.string);
3040 tnames.names[9].sid_type = SID_NAME_USER;
3041 tnames.names[10].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
3042 tnames.names[10].sid_type = SID_NAME_USER;
3043 tnames.names[11].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.dns_domain.string);
3044 tnames.names[11].sid_type = SID_NAME_USER;
3045 tnames.names[12].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.name.string);
3046 tnames.names[12].sid_type = SID_NAME_USER;
3047 tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
3048 tnames.names[13].sid_type = SID_NAME_USER;
3049 ret &= test_LookupNames(b, tctx, handle, &tnames);
3057 static bool test_QueryInfoPolicy(struct dcerpc_binding_handle *b,
3058 struct torture_context *tctx,
3059 struct policy_handle *handle)
3061 return test_QueryInfoPolicyCalls(false, b, tctx, handle);
3064 static bool test_QueryInfoPolicy2(struct dcerpc_binding_handle *b,
3065 struct torture_context *tctx,
3066 struct policy_handle *handle)
3068 return test_QueryInfoPolicyCalls(true, b, tctx, handle);
3071 static bool test_GetUserName(struct dcerpc_binding_handle *b,
3072 struct torture_context *tctx)
3074 struct lsa_GetUserName r;
3076 struct lsa_String *authority_name_p = NULL;
3077 struct lsa_String *account_name_p = NULL;
3079 torture_comment(tctx, "\nTesting GetUserName\n");
3081 r.in.system_name = "\\";
3082 r.in.account_name = &account_name_p;
3083 r.in.authority_name = NULL;
3084 r.out.account_name = &account_name_p;
3086 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
3087 "GetUserName failed");
3089 if (!NT_STATUS_IS_OK(r.out.result)) {
3090 torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(r.out.result));
3094 account_name_p = NULL;
3095 r.in.account_name = &account_name_p;
3096 r.in.authority_name = &authority_name_p;
3097 r.out.account_name = &account_name_p;
3099 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
3100 "GetUserName failed");
3102 if (!NT_STATUS_IS_OK(r.out.result)) {
3103 torture_comment(tctx, "GetUserName failed - %s\n", nt_errstr(r.out.result));
3110 bool test_lsa_Close(struct dcerpc_binding_handle *b,
3111 struct torture_context *tctx,
3112 struct policy_handle *handle)
3115 struct policy_handle handle2;
3117 torture_comment(tctx, "\nTesting Close\n");
3119 r.in.handle = handle;
3120 r.out.handle = &handle2;
3122 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
3124 if (!NT_STATUS_IS_OK(r.out.result)) {
3125 torture_comment(tctx, "Close failed - %s\n",
3126 nt_errstr(r.out.result));
3130 torture_assert_ntstatus_equal(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
3131 NT_STATUS_RPC_SS_CONTEXT_MISMATCH, "Close should failed");
3133 torture_comment(tctx, "\n");
3138 bool torture_rpc_lsa(struct torture_context *tctx)
3141 struct dcerpc_pipe *p;
3143 struct policy_handle *handle = NULL;
3144 struct test_join *join = NULL;
3145 struct cli_credentials *machine_creds;
3146 struct dcerpc_binding_handle *b;
3148 status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
3149 if (!NT_STATUS_IS_OK(status)) {
3152 b = p->binding_handle;
3154 /* Test lsaLookupSids3 and lsaLookupNames4 over tcpip */
3155 if (p->binding->transport == NCACN_IP_TCP) {
3156 if (!test_OpenPolicy(b, tctx, true)) {
3160 if (!test_lsa_OpenPolicy2_ex(b, tctx, &handle,
3161 NT_STATUS_OK, true)) {
3165 if (!test_many_LookupSids(p, tctx, handle)) {
3172 if (!test_OpenPolicy(b, tctx, false)) {
3176 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3181 join = torture_join_domain(tctx, TEST_MACHINENAME, ACB_WSTRUST, &machine_creds);
3186 if (!test_LookupSids_async(b, tctx, handle)) {
3190 if (!test_QueryDomainInfoPolicy(b, tctx, handle)) {
3194 if (!test_CreateSecret(p, tctx, handle)) {
3198 if (!test_QueryInfoPolicy(b, tctx, handle)) {
3202 if (!test_QueryInfoPolicy2(b, tctx, handle)) {
3206 if (!test_Delete(b, tctx, handle)) {
3210 if (!test_many_LookupSids(p, tctx, handle)) {
3214 if (!test_lsa_Close(b, tctx, handle)) {
3218 torture_leave_domain(tctx, join);
3221 if (!test_many_LookupSids(p, tctx, handle)) {
3226 if (!test_GetUserName(b, tctx)) {
3233 bool torture_rpc_lsa_get_user(struct torture_context *tctx)
3236 struct dcerpc_pipe *p;
3238 struct dcerpc_binding_handle *b;
3240 status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
3241 if (!NT_STATUS_IS_OK(status)) {
3244 b = p->binding_handle;
3246 if (!test_GetUserName(b, tctx)) {
3253 static bool testcase_LookupNames(struct torture_context *tctx,
3254 struct dcerpc_pipe *p)
3257 struct policy_handle *handle;
3258 struct lsa_TransNameArray tnames;
3259 struct lsa_TransNameArray2 tnames2;
3260 struct dcerpc_binding_handle *b = p->binding_handle;
3262 if (p->binding->transport != NCACN_NP &&
3263 p->binding->transport != NCALRPC) {
3264 torture_comment(tctx, "testcase_LookupNames is only available "
3265 "over NCACN_NP or NCALRPC");
3269 if (!test_OpenPolicy(b, tctx, false)) {
3273 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3282 tnames.names = talloc_array(tctx, struct lsa_TranslatedName, tnames.count);
3283 ZERO_STRUCT(tnames.names[0]);
3284 tnames.names[0].name.string = "BUILTIN";
3285 tnames.names[0].sid_type = SID_NAME_DOMAIN;
3287 if (!test_LookupNames(b, tctx, handle, &tnames)) {
3292 tnames2.names = talloc_array(tctx, struct lsa_TranslatedName2, tnames2.count);
3293 ZERO_STRUCT(tnames2.names[0]);
3294 tnames2.names[0].name.string = "BUILTIN";
3295 tnames2.names[0].sid_type = SID_NAME_DOMAIN;
3297 if (!test_LookupNames2(b, tctx, handle, &tnames2, true)) {
3301 if (!test_LookupNames3(b, tctx, handle, &tnames2, true)) {
3305 if (!test_LookupNames_wellknown(b, tctx, handle)) {
3309 if (!test_LookupNames_NULL(b, tctx, handle)) {
3313 if (!test_LookupNames_bogus(b, tctx, handle)) {
3317 if (!test_lsa_Close(b, tctx, handle)) {
3324 struct torture_suite *torture_rpc_lsa_lookup_names(TALLOC_CTX *mem_ctx)
3326 struct torture_suite *suite;
3327 struct torture_rpc_tcase *tcase;
3329 suite = torture_suite_create(mem_ctx, "lsa.lookupnames");
3331 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3333 torture_rpc_tcase_add_test(tcase, "LookupNames",
3334 testcase_LookupNames);
3339 struct lsa_trustdom_state {
3340 uint32_t num_trusts;
3343 static bool testcase_TrustedDomains(struct torture_context *tctx,
3344 struct dcerpc_pipe *p,
3348 struct policy_handle *handle;
3349 struct lsa_trustdom_state *state =
3350 talloc_get_type_abort(data, struct lsa_trustdom_state);
3351 struct dcerpc_binding_handle *b = p->binding_handle;
3353 if (p->binding->transport != NCACN_NP &&
3354 p->binding->transport != NCALRPC) {
3355 torture_comment(tctx, "testcase_TrustedDomains is only available "
3356 "over NCACN_NP or NCALRPC");
3360 torture_comment(tctx, "Testing %d domains\n", state->num_trusts);
3362 if (!test_OpenPolicy(b, tctx, false)) {
3366 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3374 if (!test_CreateTrustedDomain(b, tctx, handle, state->num_trusts)) {
3378 if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
3382 if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
3386 if (!test_lsa_Close(b, tctx, handle)) {
3393 struct torture_suite *torture_rpc_lsa_trusted_domains(TALLOC_CTX *mem_ctx)
3395 struct torture_suite *suite;
3396 struct torture_rpc_tcase *tcase;
3397 struct lsa_trustdom_state *state;
3399 state = talloc(mem_ctx, struct lsa_trustdom_state);
3401 state->num_trusts = 12;
3403 suite = torture_suite_create(mem_ctx, "lsa.trusted.domains");
3405 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3407 torture_rpc_tcase_add_test_ex(tcase, "TrustedDomains",
3408 testcase_TrustedDomains,
3414 static bool testcase_Privileges(struct torture_context *tctx,
3415 struct dcerpc_pipe *p)
3418 struct policy_handle *handle;
3419 struct dcerpc_binding_handle *b = p->binding_handle;
3421 if (p->binding->transport != NCACN_NP &&
3422 p->binding->transport != NCALRPC) {
3423 torture_comment(tctx, "testcase_Privileges is only available "
3424 "over NCACN_NP or NCALRPC");
3428 if (!test_OpenPolicy(b, tctx, false)) {
3432 if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
3440 if (!test_CreateAccount(b, tctx, handle)) {
3444 if (!test_EnumAccounts(b, tctx, handle)) {
3448 if (!test_EnumPrivs(b, tctx, handle)) {
3452 if (!test_lsa_Close(b, tctx, handle)) {
3460 struct torture_suite *torture_rpc_lsa_privileges(TALLOC_CTX *mem_ctx)
3462 struct torture_suite *suite;
3463 struct torture_rpc_tcase *tcase;
3465 suite = torture_suite_create(mem_ctx, "lsa.privileges");
3467 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
3469 torture_rpc_tcase_add_test(tcase, "Privileges",
3470 testcase_Privileges);