source4/torture/rpc/samsync.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for netlogon rpc operations
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
   8    Copyright (C) Tim Potter      2003
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "librpc/gen_ndr/ndr_netlogon.h"
  27 #include "auth/auth.h"
  28 #include "dlinklist.h"
  29 #include "lib/crypto/crypto.h"
  30 #include "system/time.h"
  31
  32 #define TEST_MACHINE_NAME "samsynctest"
  33 #define TEST_MACHINE_NAME2 "samsynctest2"
  34
  35 /*
  36   try a netlogon SamLogon
  37 */
  38 static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  39                               struct creds_CredentialState *creds,
  40                               const char *domain, const char *account_name,
  41                               const char *workstation,
  42                               struct samr_Password *lm_hash,
  43                               struct samr_Password *nt_hash,
  44                               struct netr_SamInfo3 **info3)
  45 {
  46         NTSTATUS status;
  47         struct netr_LogonSamLogon r;
  48         struct netr_Authenticator auth, auth2;
  49         struct netr_NetworkInfo ninfo;
  50
  51         ninfo.identity_info.domain_name.string = domain;
  52         ninfo.identity_info.parameter_control = 0;
  53         ninfo.identity_info.logon_id_low = 0;
  54         ninfo.identity_info.logon_id_high = 0;
  55         ninfo.identity_info.account_name.string = account_name;
  56         ninfo.identity_info.workstation.string = workstation;
  57         generate_random_buffer(ninfo.challenge,
  58                                sizeof(ninfo.challenge));
  59         if (nt_hash) {
  60                 ninfo.nt.length = 24;
  61                 ninfo.nt.data = talloc_size(mem_ctx, 24);
  62                 SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
  63         } else {
  64                 ninfo.nt.length = 0;
  65                 ninfo.nt.data = NULL;
  66         }
  67
  68         if (lm_hash) {
  69                 ninfo.lm.length = 24;
  70                 ninfo.lm.data = talloc_size(mem_ctx, 24);
  71                 SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
  72         } else {
  73                 ninfo.lm.length = 0;
  74                 ninfo.lm.data = NULL;
  75         }
  76
  77         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  78         r.in.workstation = workstation;
  79         r.in.credential = &auth;
  80         r.in.return_authenticator = &auth2;
  81         r.in.logon_level = 2;
  82         r.in.logon.network = &ninfo;
  83
  84         ZERO_STRUCT(auth2);
  85         creds_client_authenticator(creds, &auth);
  86
  87         r.in.validation_level = 3;
  88
  89         status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
  90
  91         if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
  92                 printf("Credential chaining failed\n");
  93         }
  94
  95         if (info3) {
  96                 *info3 = r.out.validation.sam3;
  97         }
  98
  99         return status;
 100 }
 101
 102 struct samsync_state {
 103 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
 104         uint64_t seq_num[3];
 105         char *domain_name[2];
 106         struct samsync_secret *secrets;
 107         struct samsync_trusted_domain *trusted_domains;
 108         struct creds_CredentialState *creds;
 109         struct creds_CredentialState *creds_netlogon_wksta;
 110         struct policy_handle *connect_handle;
 111         struct policy_handle *domain_handle[2];
 112         struct dom_sid *sid[2];
 113         struct dcerpc_pipe *p;
 114         struct dcerpc_pipe *p_netlogon_wksta;
 115         struct dcerpc_pipe *p_samr;
 116         struct dcerpc_pipe *p_lsa;
 117         struct policy_handle *lsa_handle;
 118 };
 119
 120 struct samsync_secret {
 121         struct samsync_secret *prev, *next;
 122         DATA_BLOB secret;
 123         char *name;
 124         NTTIME mtime;
 125 };
 126
 127 struct samsync_trusted_domain {
 128         struct samsync_trusted_domain *prev, *next;
 129         struct dom_sid *sid;
 130         char *name;
 131 };
 132
 133 static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
 134                                                  struct samsync_state *samsync_state,
 135                                                  const char *domain,
 136                                                  struct dom_sid **sid)
 137 {
 138         struct samr_String name;
 139         struct samr_OpenDomain o;
 140         struct samr_LookupDomain l;
 141         struct policy_handle *domain_handle = talloc(mem_ctx, struct policy_handle);
 142         NTSTATUS nt_status;
 143
 144         name.string = domain;
 145         l.in.connect_handle = samsync_state->connect_handle;
 146         l.in.domain_name = &name;
 147
 148         nt_status = dcerpc_samr_LookupDomain(samsync_state->p_samr, mem_ctx, &l);
 149         if (!NT_STATUS_IS_OK(nt_status)) {
 150                 printf("LookupDomain failed - %s\n", nt_errstr(nt_status));
 151                 return NULL;
 152         }
 153
 154         o.in.connect_handle = samsync_state->connect_handle;
 155         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 156         o.in.sid = l.out.sid;
 157         o.out.domain_handle = domain_handle;
 158
 159         if (sid) {
 160                 *sid = l.out.sid;
 161         }
 162
 163         nt_status = dcerpc_samr_OpenDomain(samsync_state->p_samr, mem_ctx, &o);
 164         if (!NT_STATUS_IS_OK(nt_status)) {
 165                 printf("OpenDomain failed - %s\n", nt_errstr(nt_status));
 166                 return NULL;
 167         }
 168
 169         return domain_handle;
 170 }
 171
 172 static struct sec_desc_buf *samsync_query_samr_sec_desc(TALLOC_CTX *mem_ctx,
 173                                                         struct samsync_state *samsync_state,
 174                                                         struct policy_handle *handle)
 175 {
 176         struct samr_QuerySecurity r;
 177         NTSTATUS status;
 178
 179         r.in.handle = handle;
 180         r.in.sec_info = 0x7;
 181
 182         status = dcerpc_samr_QuerySecurity(samsync_state->p_samr, mem_ctx, &r);
 183         if (!NT_STATUS_IS_OK(status)) {
 184                 printf("SAMR QuerySecurity failed - %s\n", nt_errstr(status));
 185                 return NULL;
 186         }
 187
 188         return r.out.sdbuf;
 189 }
 190
 191 static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx,
 192                                                        struct samsync_state *samsync_state,
 193                                                        struct policy_handle *handle)
 194 {
 195         struct lsa_QuerySecurity r;
 196         NTSTATUS status;
 197
 198         r.in.handle = handle;
 199         r.in.sec_info = 0x7;
 200
 201         status = dcerpc_lsa_QuerySecurity(samsync_state->p_lsa, mem_ctx, &r);
 202         if (!NT_STATUS_IS_OK(status)) {
 203                 printf("LSA QuerySecurity failed - %s\n", nt_errstr(status));
 204                 return NULL;
 205         }
 206
 207         return r.out.sdbuf;
 208 }
 209
 210 #define TEST_UINT64_EQUAL(i1, i2) do {\
 211         if (i1 != i2) {\
 212               printf("%s: uint64 mismatch: " #i1 ": 0x%08x%08x (%lld) != " #i2 ": 0x%08x%08x (%lld)\n", \
 213                      __location__, \
 214                      (uint32_t)(i1 >> 32), (uint32_t)(i1 & 0xFFFFFFFF), i1, \
 215                      (uint32_t)(i2 >> 32), (uint32_t)(i2 & 0xFFFFFFFF), i2);\
 216               ret = False;\
 217         } \
 218 } while (0)
 219 #define TEST_INT_EQUAL(i1, i2) do {\
 220         if (i1 != i2) {\
 221               printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
 222                      __location__, i1, i2);\
 223               ret = False;\
 224         } \
 225 } while (0)
 226 #define TEST_TIME_EQUAL(t1, t2) do {\
 227         if (t1 != t2) {\
 228               printf("%s: NTTIME mismatch: " #t1 ":%s != " #t2 ": %s\n", \
 229                      __location__, nt_time_string(mem_ctx, t1),  nt_time_string(mem_ctx, t2));\
 230               ret = False;\
 231         } \
 232 } while (0)
 233
 234 #define TEST_STRING_EQUAL(s1, s2) do {\
 235         if (!((!s1.string || s1.string[0]=='\0') && (!s2.string || s2.string[0]=='\0')) \
 236             && strcmp_safe(s1.string, s2.string) != 0) {\
 237               printf("%s: string mismatch: " #s1 ":%s != " #s2 ": %s\n", \
 238                      __location__, s1.string, s2.string);\
 239               ret = False;\
 240         } \
 241 } while (0)
 242
 243 #define TEST_SID_EQUAL(s1, s2) do {\
 244         if (!dom_sid_equal(s1, s2)) {\
 245               printf("%s: dom_sid mismatch: " #s1 ":%s != " #s2 ": %s\n", \
 246                      __location__, dom_sid_string(mem_ctx, s1), dom_sid_string(mem_ctx, s2));\
 247               ret = False;\
 248         } \
 249 } while (0)
 250
 251 /* The ~SEC_DESC_SACL_PRESENT is because we don't, as administrator,
 252  * get back the SACL part of the SD when we ask over SAMR */
 253
 254 #define TEST_SEC_DESC_EQUAL(sd1, pipe, handle) do {\
 255         struct sec_desc_buf *sdbuf = samsync_query_ ##pipe## _sec_desc(mem_ctx, samsync_state, \
 256                                                             handle); \
 257         if (!sdbuf || !sdbuf->sd) { \
 258                 printf("Could not obtain security descriptor to match " #sd1 "\n");\
 259                 ret = False; \
 260         } else {\
 261                 if (!security_descriptor_mask_equal(sd1.sd, sdbuf->sd, \
 262                             ~SEC_DESC_SACL_PRESENT)) {\
 263                         printf("Security Descriptor Mismatch for %s:\n", #sd1);\
 264                         ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamSync", sd1.sd);\
 265                         ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamR", sdbuf->sd);\
 266                         ret = False;\
 267                 }\
 268         }\
 269 } while (0)
 270
 271 static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 272                            int database_id, struct netr_DELTA_ENUM *delta)
 273 {
 274         struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
 275         struct dom_sid *dom_sid;
 276         struct samr_QueryDomainInfo q[14]; /* q[0] will be unused simple for clarity */
 277         uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13};
 278         NTSTATUS nt_status;
 279         int i;
 280         BOOL ret = True;
 281
 282         samsync_state->seq_num[database_id] =
 283                 domain->sequence_num;
 284         switch (database_id) {
 285         case SAM_DATABASE_DOMAIN:
 286                 break;
 287         case SAM_DATABASE_BUILTIN:
 288                 if (StrCaseCmp("BUILTIN", domain->domain_name.string) != 0) {
 289                         printf("BUILTIN domain has different name: %s\n", domain->domain_name.string);
 290                 }
 291                 break;
 292         case SAM_DATABASE_PRIVS:
 293                 printf("DOMAIN entry on privs DB!\n");
 294                 return False;
 295                 break;
 296         }
 297
 298         if (!samsync_state->domain_name[database_id]) {
 299                 samsync_state->domain_name[database_id] =
 300                         talloc_reference(samsync_state, domain->domain_name.string);
 301         } else {
 302                 if (StrCaseCmp(samsync_state->domain_name[database_id], domain->domain_name.string) != 0) {
 303                         printf("Domain has name varies!: %s != %s\n", samsync_state->domain_name[database_id],
 304                                domain->domain_name.string);
 305                         return False;
 306                 }
 307         }
 308
 309         if (!samsync_state->domain_handle[database_id]) {
 310                 samsync_state->domain_handle[database_id]
 311                         = samsync_open_domain(mem_ctx, samsync_state, samsync_state->domain_name[database_id],
 312                                               &dom_sid);
 313         }
 314         if (samsync_state->domain_handle[database_id]) {
 315                 samsync_state->sid[database_id] = talloc_reference(samsync_state, dom_sid);
 316         }
 317
 318         printf("\tsequence_nums[%d/%s]=%llu\n",
 319                database_id, domain->domain_name.string,
 320                samsync_state->seq_num[database_id]);
 321
 322         for (i=0;i<ARRAY_SIZE(levels);i++) {
 323                 q[levels[i]].in.domain_handle = samsync_state->domain_handle[database_id];
 324                 q[levels[i]].in.level = levels[i];
 325
 326                 nt_status = dcerpc_samr_QueryDomainInfo(samsync_state->p_samr, mem_ctx, &q[levels[i]]);
 327
 328                 if (!NT_STATUS_IS_OK(nt_status)) {
 329                         printf("QueryDomainInfo level %u failed - %s\n",
 330                                q[levels[i]].in.level, nt_errstr(nt_status));
 331                         return False;
 332                 }
 333         }
 334
 335         TEST_STRING_EQUAL(q[5].out.info->info5.domain_name, domain->domain_name);
 336
 337         TEST_STRING_EQUAL(q[2].out.info->info2.comment, domain->comment);
 338         TEST_STRING_EQUAL(q[4].out.info->info4.comment, domain->comment);
 339         TEST_TIME_EQUAL(q[2].out.info->info2.force_logoff_time, domain->force_logoff_time);
 340         TEST_TIME_EQUAL(q[3].out.info->info3.force_logoff_time, domain->force_logoff_time);
 341
 342         TEST_TIME_EQUAL(q[1].out.info->info1.min_password_length, domain->min_password_length);
 343         TEST_TIME_EQUAL(q[1].out.info->info1.password_history_length, domain->password_history_length);
 344         TEST_TIME_EQUAL(q[1].out.info->info1.max_password_age, domain->max_password_age);
 345         TEST_TIME_EQUAL(q[1].out.info->info1.min_password_age, domain->min_password_age);
 346
 347         TEST_UINT64_EQUAL(q[8].out.info->info8.sequence_num,
 348                         domain->sequence_num);
 349         TEST_TIME_EQUAL(q[8].out.info->info8.domain_create_time,
 350                         domain->domain_create_time);
 351         TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time,
 352                         domain->domain_create_time);
 353
 354         TEST_SEC_DESC_EQUAL(domain->sdbuf, samr, samsync_state->domain_handle[database_id]);
 355
 356         return ret;
 357 }
 358
 359 static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 360                            int database_id, struct netr_DELTA_ENUM *delta)
 361 {
 362         struct netr_DELTA_POLICY *policy = delta->delta_union.policy;
 363
 364         samsync_state->seq_num[database_id] =
 365                 policy->sequence_num;
 366
 367         if (!samsync_state->domain_name[SAM_DATABASE_DOMAIN]) {
 368                 samsync_state->domain_name[SAM_DATABASE_DOMAIN] =
 369                         talloc_reference(samsync_state, policy->primary_domain_name.string);
 370         } else {
 371                 if (StrCaseCmp(samsync_state->domain_name[SAM_DATABASE_DOMAIN], policy->primary_domain_name.string) != 0) {
 372                         printf("PRIMARY domain has name varies between DOMAIN and POLICY!: %s != %s\n", samsync_state->domain_name[SAM_DATABASE_DOMAIN],
 373                                policy->primary_domain_name.string);
 374                         return False;
 375                 }
 376         }
 377
 378         if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
 379                 printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
 380                        dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
 381                 return False;
 382         }
 383
 384         printf("\tsequence_nums[%d/PRIVS]=%llu\n",
 385                database_id,
 386                samsync_state->seq_num[database_id]);
 387         return True;
 388 }
 389
 390 static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 391                                 int database_id, struct netr_DELTA_ENUM *delta)
 392 {
 393         uint32_t rid = delta->delta_id_union.rid;
 394         struct netr_DELTA_USER *user = delta->delta_union.user;
 395         struct netr_SamInfo3 *info3;
 396         struct samr_Password lm_hash;
 397         struct samr_Password nt_hash;
 398         struct samr_Password *lm_hash_p = NULL;
 399         struct samr_Password *nt_hash_p = NULL;
 400         const char *domain = samsync_state->domain_name[database_id];
 401         const char *username = user->account_name.string;
 402         NTSTATUS nt_status;
 403         BOOL ret = True;
 404
 405         struct samr_OpenUser r;
 406         struct samr_QueryUserInfo q;
 407         struct policy_handle user_handle;
 408
 409         if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
 410                 printf("SamSync needs domain information before the users\n");
 411                 return False;
 412         }
 413
 414         r.in.domain_handle = samsync_state->domain_handle[database_id];
 415         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 416         r.in.rid = rid;
 417         r.out.user_handle = &user_handle;
 418
 419         nt_status = dcerpc_samr_OpenUser(samsync_state->p_samr, mem_ctx, &r);
 420         if (!NT_STATUS_IS_OK(nt_status)) {
 421                 printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
 422                 return False;
 423         }
 424
 425         q.in.user_handle = &user_handle;
 426         q.in.level = 21;
 427
 428         TEST_SEC_DESC_EQUAL(user->sdbuf, samr, &user_handle);
 429
 430         nt_status = dcerpc_samr_QueryUserInfo(samsync_state->p_samr, mem_ctx, &q);
 431         if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
 432                 printf("samr_handle_Close failed - %s\n",
 433                        nt_errstr(nt_status));
 434                 return False;
 435         }
 436
 437         if (!NT_STATUS_IS_OK(nt_status)) {
 438                 printf("QueryUserInfo level %u failed - %s\n",
 439                        q.in.level, nt_errstr(nt_status));
 440                 return False;
 441         }
 442
 443         TEST_STRING_EQUAL(q.out.info->info21.account_name, user->account_name);
 444         TEST_STRING_EQUAL(q.out.info->info21.full_name, user->full_name);
 445         TEST_INT_EQUAL(q.out.info->info21.rid, user->rid);
 446         TEST_INT_EQUAL(q.out.info->info21.primary_gid, user->primary_gid);
 447         TEST_STRING_EQUAL(q.out.info->info21.home_directory, user->home_directory);
 448         TEST_STRING_EQUAL(q.out.info->info21.home_drive, user->home_drive);
 449         TEST_STRING_EQUAL(q.out.info->info21.logon_script, user->logon_script);
 450         TEST_STRING_EQUAL(q.out.info->info21.description, user->description);
 451         TEST_STRING_EQUAL(q.out.info->info21.workstations, user->workstations);
 452
 453         TEST_TIME_EQUAL(q.out.info->info21.last_logon, user->last_logon);
 454         TEST_TIME_EQUAL(q.out.info->info21.last_logoff, user->last_logoff);
 455
 456
 457         TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week,
 458                        user->logon_hours.units_per_week);
 459         if (ret) {
 460                 if (memcmp(q.out.info->info21.logon_hours.bits, user->logon_hours.bits,
 461                            q.out.info->info21.logon_hours.units_per_week/8) != 0) {
 462                         printf("Logon hours mismatch\n");
 463                         ret = False;
 464                 }
 465         }
 466
 467         TEST_INT_EQUAL(q.out.info->info21.bad_password_count,
 468                        user->bad_password_count);
 469         TEST_INT_EQUAL(q.out.info->info21.logon_count,
 470                        user->logon_count);
 471
 472         TEST_TIME_EQUAL(q.out.info->info21.last_password_change,
 473                        user->last_password_change);
 474         TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
 475                        user->acct_expiry);
 476
 477         TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
 478         TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
 479         TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
 480         TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
 481
 482         TEST_STRING_EQUAL(q.out.info->info21.comment, user->comment);
 483         TEST_STRING_EQUAL(q.out.info->info21.parameters, user->parameters);
 484
 485         TEST_INT_EQUAL(q.out.info->info21.country_code, user->country_code);
 486         TEST_INT_EQUAL(q.out.info->info21.code_page, user->code_page);
 487
 488         TEST_STRING_EQUAL(q.out.info->info21.profile_path, user->profile_path);
 489
 490         if (user->lm_password_present) {
 491                 sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
 492                 lm_hash_p = &lm_hash;
 493         }
 494         if (user->nt_password_present) {
 495                 sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
 496                 nt_hash_p = &nt_hash;
 497         }
 498
 499         if (user->user_private_info.SensitiveData) {
 500                 DATA_BLOB data;
 501                 struct netr_USER_KEYS keys;
 502                 data.data = user->user_private_info.SensitiveData;
 503                 data.length = user->user_private_info.DataLength;
 504                 creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
 505                 nt_status = ndr_pull_struct_blob(&data, mem_ctx, &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
 506                 if (NT_STATUS_IS_OK(nt_status)) {
 507                         if (keys.keys.keys2.lmpassword.length == 16) {
 508                                 sam_rid_crypt(rid, keys.keys.keys2.lmpassword.pwd.hash, lm_hash.hash, 0);
 509                                 lm_hash_p = &lm_hash;
 510                         }
 511                         if (keys.keys.keys2.ntpassword.length == 16) {
 512                                 sam_rid_crypt(rid, keys.keys.keys2.ntpassword.pwd.hash, nt_hash.hash, 0);
 513                                 nt_hash_p = &nt_hash;
 514                         }
 515                 } else {
 516                         printf("Failed to parse Sensitive Data for %s:\n", username);
 517 #if 0
 518                         dump_data(0, data.data, data.length);
 519 #endif
 520                         return False;
 521                 }
 522         }
 523
 524         nt_status = test_SamLogon(samsync_state->p, mem_ctx, samsync_state->creds,
 525                                   domain,
 526                                   username,
 527                                   TEST_MACHINE_NAME,
 528                                   lm_hash_p,
 529                                   nt_hash_p,
 530                                   &info3);
 531
 532         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
 533                 if (user->acct_flags & ACB_DISABLED) {
 534                         return True;
 535                 }
 536         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)) {
 537                 if (user->acct_flags & ACB_WSTRUST) {
 538                         return True;
 539                 }
 540         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)) {
 541                 if (user->acct_flags & ACB_SVRTRUST) {
 542                         return True;
 543                 }
 544         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 545                 if (user->acct_flags & ACB_DOMTRUST) {
 546                         return True;
 547                 }
 548         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 549                 if (user->acct_flags & ACB_DOMTRUST) {
 550                         return True;
 551                 }
 552         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
 553                 if (user->acct_flags & ACB_AUTOLOCK) {
 554                         return True;
 555                 }
 556         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
 557                 if (!lm_hash_p && !nt_hash_p) {
 558                         return True;
 559                 }
 560         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE)) {
 561                 /* We would need to know the server's current time to test this properly */
 562                 return True;
 563         } else if (NT_STATUS_IS_OK(nt_status)) {
 564                 TEST_INT_EQUAL(user->rid, info3->base.rid);
 565                 TEST_INT_EQUAL(user->primary_gid, info3->base.primary_gid);
 566                 /* this is 0x0 from NT4 sp6 */
 567                 if (info3->base.acct_flags) {
 568                         TEST_INT_EQUAL(user->acct_flags, info3->base.acct_flags);
 569                 }
 570                 /* this is NULL from NT4 sp6 */
 571                 if (info3->base.account_name.string) {
 572                         TEST_STRING_EQUAL(user->account_name, info3->base.account_name);
 573                 }
 574                 TEST_STRING_EQUAL(user->full_name, info3->base.full_name);
 575                 TEST_STRING_EQUAL(user->logon_script, info3->base.logon_script);
 576                 TEST_STRING_EQUAL(user->profile_path, info3->base.profile_path);
 577                 TEST_STRING_EQUAL(user->home_directory, info3->base.home_directory);
 578                 TEST_STRING_EQUAL(user->home_drive, info3->base.home_drive);
 579                 TEST_STRING_EQUAL(user->logon_script, info3->base.logon_script);
 580
 581
 582                 TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
 583                 TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
 584                 TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
 585
 586                 /* Does the concept of a logoff time ever really
 587                  * exist? (not in any sensible way, according to the
 588                  * doco I read -- abartlet) */
 589
 590                 /* This copes with the two different versions of 0 I see */
 591                 /* with NT4 sp6 we have the || case */
 592                 if (!((user->last_logoff == 0)
 593                       || (info3->base.last_logoff == 0x7fffffffffffffffLL))) {
 594                         TEST_TIME_EQUAL(user->last_logoff, info3->base.last_logoff);
 595                 }
 596                 return ret;
 597         } else {
 598                 printf("Could not validate password for user %s\\%s: %s\n",
 599                        domain, username, nt_errstr(nt_status));
 600                 return False;
 601         }
 602         return False;
 603 }
 604
 605 static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 606                                  int database_id, struct netr_DELTA_ENUM *delta)
 607 {
 608         uint32_t rid = delta->delta_id_union.rid;
 609         struct netr_DELTA_ALIAS *alias = delta->delta_union.alias;
 610         NTSTATUS nt_status;
 611         BOOL ret = True;
 612
 613         struct samr_OpenAlias r;
 614         struct samr_QueryAliasInfo q;
 615         struct policy_handle alias_handle;
 616
 617         if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
 618                 printf("SamSync needs domain information before the users\n");
 619                 return False;
 620         }
 621
 622         r.in.domain_handle = samsync_state->domain_handle[database_id];
 623         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 624         r.in.rid = rid;
 625         r.out.alias_handle = &alias_handle;
 626
 627         nt_status = dcerpc_samr_OpenAlias(samsync_state->p_samr, mem_ctx, &r);
 628         if (!NT_STATUS_IS_OK(nt_status)) {
 629                 printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
 630                 return False;
 631         }
 632
 633         q.in.alias_handle = &alias_handle;
 634         q.in.level = 1;
 635
 636         TEST_SEC_DESC_EQUAL(alias->sdbuf, samr, &alias_handle);
 637
 638         nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
 639         if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
 640                 return False;
 641         }
 642
 643         if (!NT_STATUS_IS_OK(nt_status)) {
 644                 printf("QueryAliasInfo level %u failed - %s\n",
 645                        q.in.level, nt_errstr(nt_status));
 646                 return False;
 647         }
 648
 649         TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name);
 650         TEST_STRING_EQUAL(q.out.info->all.description, alias->description);
 651         return ret;
 652 }
 653
 654 static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 655                                  int database_id, struct netr_DELTA_ENUM *delta)
 656 {
 657         uint32_t rid = delta->delta_id_union.rid;
 658         struct netr_DELTA_GROUP *group = delta->delta_union.group;
 659         NTSTATUS nt_status;
 660         BOOL ret = True;
 661
 662         struct samr_OpenGroup r;
 663         struct samr_QueryGroupInfo q;
 664         struct policy_handle group_handle;
 665
 666         if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
 667                 printf("SamSync needs domain information before the users\n");
 668                 return False;
 669         }
 670
 671         r.in.domain_handle = samsync_state->domain_handle[database_id];
 672         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 673         r.in.rid = rid;
 674         r.out.group_handle = &group_handle;
 675
 676         nt_status = dcerpc_samr_OpenGroup(samsync_state->p_samr, mem_ctx, &r);
 677         if (!NT_STATUS_IS_OK(nt_status)) {
 678                 printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
 679                 return False;
 680         }
 681
 682         q.in.group_handle = &group_handle;
 683         q.in.level = 1;
 684
 685         TEST_SEC_DESC_EQUAL(group->sdbuf, samr, &group_handle);
 686
 687         nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
 688         if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
 689                 return False;
 690         }
 691
 692         if (!NT_STATUS_IS_OK(nt_status)) {
 693                 printf("QueryGroupInfo level %u failed - %s\n",
 694                        q.in.level, nt_errstr(nt_status));
 695                 return False;
 696         }
 697
 698         TEST_STRING_EQUAL(q.out.info->all.name, group->group_name);
 699         TEST_INT_EQUAL(q.out.info->all.attributes, group->attributes);
 700         TEST_STRING_EQUAL(q.out.info->all.description, group->description);
 701         return ret;
 702 }
 703
 704 static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 705                                   int database_id, struct netr_DELTA_ENUM *delta)
 706 {
 707         struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
 708         const char *name = delta->delta_id_union.name;
 709         struct samsync_secret *new = talloc(samsync_state, struct samsync_secret);
 710         struct samsync_secret *old = talloc(mem_ctx, struct samsync_secret);
 711         struct lsa_QuerySecret q;
 712         struct lsa_OpenSecret o;
 713         struct policy_handle sec_handle;
 714         struct lsa_DATA_BUF_PTR bufp1;
 715         struct lsa_DATA_BUF_PTR bufp2;
 716         NTTIME new_mtime;
 717         NTTIME old_mtime;
 718         BOOL ret = True;
 719         DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
 720         NTSTATUS status;
 721
 722         creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data,
 723                             secret->current_cipher.maxlen);
 724
 725         creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data,
 726                             secret->old_cipher.maxlen);
 727
 728         new->name = talloc_reference(new, name);
 729         new->secret = data_blob_talloc(new, secret->current_cipher.cipher_data, secret->current_cipher.maxlen);
 730         new->mtime = secret->current_cipher_set_time;
 731
 732         DLIST_ADD(samsync_state->secrets, new);
 733
 734         old->name = talloc_reference(old, name);
 735         old->secret = data_blob_const(secret->old_cipher.cipher_data, secret->old_cipher.maxlen);
 736         old->mtime = secret->old_cipher_set_time;
 737
 738         o.in.handle = samsync_state->lsa_handle;
 739         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 740         o.in.name.string = name;
 741         o.out.sec_handle = &sec_handle;
 742
 743         status = dcerpc_lsa_OpenSecret(samsync_state->p_lsa, mem_ctx, &o);
 744         if (!NT_STATUS_IS_OK(status)) {
 745                 printf("OpenSecret failed - %s\n", nt_errstr(status));
 746                 return False;
 747         }
 748
 749 /*
 750   We would like to do this, but it is NOT_SUPPORTED on win2k3
 751   TEST_SEC_DESC_EQUAL(secret->sdbuf, lsa, &sec_handle);
 752 */
 753         status = dcerpc_fetch_session_key(samsync_state->p_lsa, &session_key);
 754         if (!NT_STATUS_IS_OK(status)) {
 755                 printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
 756                 return False;
 757         }
 758
 759
 760         ZERO_STRUCT(new_mtime);
 761         ZERO_STRUCT(old_mtime);
 762
 763         /* fetch the secret back again */
 764         q.in.sec_handle = &sec_handle;
 765         q.in.new_val = &bufp1;
 766         q.in.new_mtime = &new_mtime;
 767         q.in.old_val = &bufp2;
 768         q.in.old_mtime = &old_mtime;
 769
 770         bufp1.buf = NULL;
 771         bufp2.buf = NULL;
 772
 773         status = dcerpc_lsa_QuerySecret(samsync_state->p_lsa, mem_ctx, &q);
 774         if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
 775                 /* some things are just off limits */
 776                 return True;
 777         } else if (!NT_STATUS_IS_OK(status)) {
 778                 printf("QuerySecret failed - %s\n", nt_errstr(status));
 779                 return False;
 780         }
 781
 782         if (q.out.old_val->buf == NULL) {
 783                 /* probably just not available due to ACLs */
 784         } else {
 785                 lsa_blob1.data = q.out.old_val->buf->data;
 786                 lsa_blob1.length = q.out.old_val->buf->length;
 787
 788                 status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
 789                 if (!NT_STATUS_IS_OK(status)) {
 790                         printf("Failed to decrypt secrets OLD blob\n");
 791                         return False;
 792                 }
 793
 794                 if (!q.out.old_mtime) {
 795                         printf("OLD mtime not available on LSA for secret %s\n", old->name);
 796                         ret = False;
 797                 }
 798                 if (old->mtime != *q.out.old_mtime) {
 799                         printf("OLD mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
 800                                old->name, nt_time_string(mem_ctx, old->mtime),
 801                                nt_time_string(mem_ctx, *q.out.old_mtime));
 802                         ret = False;
 803                 }
 804
 805                 if (old->secret.length != lsa_blob_out.length) {
 806                         printf("Returned secret %s doesn't match: %d != %d\n",
 807                                old->name, old->secret.length, lsa_blob_out.length);
 808                         ret = False;
 809                 } else if (memcmp(lsa_blob_out.data,
 810                            old->secret.data, old->secret.length) != 0) {
 811                         printf("Returned secret %s doesn't match: \n",
 812                                old->name);
 813                         DEBUG(1, ("SamSync Secret:\n"));
 814                         dump_data(1, old->secret.data, old->secret.length);
 815                         DEBUG(1, ("LSA Secret:\n"));
 816                         dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
 817                         ret = False;
 818                 }
 819
 820         }
 821
 822         if (q.out.new_val->buf == NULL) {
 823                 /* probably just not available due to ACLs */
 824         } else {
 825                 lsa_blob1.data = q.out.new_val->buf->data;
 826                 lsa_blob1.length = q.out.new_val->buf->length;
 827
 828                 status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
 829                 if (!NT_STATUS_IS_OK(status)) {
 830                         printf("Failed to decrypt secrets OLD blob\n");
 831                         return False;
 832                 }
 833
 834                 if (!q.out.new_mtime) {
 835                         printf("NEW mtime not available on LSA for secret %s\n", new->name);
 836                         ret = False;
 837                 }
 838                 if (new->mtime != *q.out.new_mtime) {
 839                         printf("NEW mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
 840                                new->name, nt_time_string(mem_ctx, new->mtime),
 841                                nt_time_string(mem_ctx, *q.out.new_mtime));
 842                         ret = False;
 843                 }
 844
 845                 if (new->secret.length != lsa_blob_out.length) {
 846                         printf("Returned secret %s doesn't match: %d != %d\n",
 847                                new->name, new->secret.length, lsa_blob_out.length);
 848                         ret = False;
 849                 } else if (memcmp(lsa_blob_out.data,
 850                            new->secret.data, new->secret.length) != 0) {
 851                         printf("Returned secret %s doesn't match: \n",
 852                                new->name);
 853                         DEBUG(1, ("SamSync Secret:\n"));
 854                         dump_data(1, new->secret.data, new->secret.length);
 855                         DEBUG(1, ("LSA Secret:\n"));
 856                         dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
 857                         ret = False;
 858                 }
 859         }
 860
 861         return ret;
 862 }
 863
 864 static BOOL samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 865                                           int database_id, struct netr_DELTA_ENUM *delta)
 866 {
 867         NTSTATUS status;
 868         BOOL ret = True;
 869         struct netr_DELTA_TRUSTED_DOMAIN *trusted_domain = delta->delta_union.trusted_domain;
 870         struct dom_sid *dom_sid = delta->delta_id_union.sid;
 871
 872         struct samsync_trusted_domain *new = talloc(samsync_state, struct samsync_trusted_domain);
 873         struct lsa_OpenTrustedDomain t;
 874         struct policy_handle trustdom_handle;
 875         struct lsa_QueryTrustedDomainInfo q;
 876         union lsa_TrustedDomainInfo *info[9];
 877         int levels [] = {1, 3, 8};
 878         int i;
 879
 880         new->name = talloc_reference(new, trusted_domain->domain_name.string);
 881         new->sid = talloc_reference(new, dom_sid);
 882
 883         t.in.handle = samsync_state->lsa_handle;
 884         t.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 885         t.in.sid = dom_sid;
 886         t.out.trustdom_handle = &trustdom_handle;
 887
 888         status = dcerpc_lsa_OpenTrustedDomain(samsync_state->p_lsa, mem_ctx, &t);
 889         if (!NT_STATUS_IS_OK(status)) {
 890                 printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
 891                 return False;
 892         }
 893
 894         for (i=0; i< ARRAY_SIZE(levels); i++) {
 895                 q.in.trustdom_handle = &trustdom_handle;
 896                 q.in.level = levels[i];
 897                 status = dcerpc_lsa_QueryTrustedDomainInfo(samsync_state->p_lsa, mem_ctx, &q);
 898                 if (!NT_STATUS_IS_OK(status)) {
 899                         if (q.in.level == 8 && NT_STATUS_EQUAL(status,NT_STATUS_INVALID_PARAMETER)) {
 900                                 info[levels[i]] = NULL;
 901                                 continue;
 902                         }
 903                         printf("QueryInfoTrustedDomain level %d failed - %s\n",
 904                                levels[i], nt_errstr(status));
 905                         return False;
 906                 }
 907                 info[levels[i]]  = q.out.info;
 908         }
 909
 910         if (info[8]) {
 911                 TEST_SID_EQUAL(info[8]->full_info.info_ex.sid, dom_sid);
 912                 TEST_STRING_EQUAL(info[8]->full_info.info_ex.netbios_name, trusted_domain->domain_name);
 913         }
 914         TEST_STRING_EQUAL(info[1]->name.netbios_name, trusted_domain->domain_name);
 915         TEST_INT_EQUAL(info[3]->posix_offset.posix_offset, trusted_domain->posix_offset);
 916 /*
 917   We would like to do this, but it is NOT_SUPPORTED on win2k3
 918         TEST_SEC_DESC_EQUAL(trusted_domain->sdbuf, lsa, &trustdom_handle);
 919 */
 920         DLIST_ADD(samsync_state->trusted_domains, new);
 921
 922         return ret;
 923 }
 924
 925 static BOOL samsync_handle_account(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 926                                           int database_id, struct netr_DELTA_ENUM *delta)
 927 {
 928         NTSTATUS status;
 929         BOOL ret = True;
 930         struct netr_DELTA_ACCOUNT *account = delta->delta_union.account;
 931         struct dom_sid *dom_sid = delta->delta_id_union.sid;
 932
 933         struct lsa_OpenAccount a;
 934         struct policy_handle acct_handle;
 935         struct lsa_EnumPrivsAccount e;
 936         struct lsa_LookupPrivName r;
 937
 938         int i, j;
 939
 940         BOOL *found_priv_in_lsa;
 941
 942         a.in.handle = samsync_state->lsa_handle;
 943         a.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 944         a.in.sid = dom_sid;
 945         a.out.acct_handle = &acct_handle;
 946
 947         status = dcerpc_lsa_OpenAccount(samsync_state->p_lsa, mem_ctx, &a);
 948         if (!NT_STATUS_IS_OK(status)) {
 949                 printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
 950                 return False;
 951         }
 952
 953         TEST_SEC_DESC_EQUAL(account->sdbuf, lsa, &acct_handle);
 954
 955         found_priv_in_lsa = talloc_zero_array(mem_ctx, BOOL, account->privilege_entries);
 956
 957         e.in.handle = &acct_handle;
 958
 959         status = dcerpc_lsa_EnumPrivsAccount(samsync_state->p_lsa, mem_ctx, &e);
 960         if (!NT_STATUS_IS_OK(status)) {
 961                 printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
 962                 return False;
 963         }
 964
 965         if ((account->privilege_entries && !e.out.privs)) {
 966                 printf("Account %s has privilages in SamSync, but not LSA\n",
 967                        dom_sid_string(mem_ctx, dom_sid));
 968                 return False;
 969         }
 970
 971         if (!account->privilege_entries && e.out.privs && e.out.privs->count) {
 972                 printf("Account %s has privilages in LSA, but not SamSync\n",
 973                        dom_sid_string(mem_ctx, dom_sid));
 974                 return False;
 975         }
 976
 977         TEST_INT_EQUAL(account->privilege_entries, e.out.privs->count);
 978
 979         for (i=0;i< e.out.privs->count; i++) {
 980                 r.in.handle = samsync_state->lsa_handle;
 981                 r.in.luid = &e.out.privs->set[i].luid;
 982
 983                 status = dcerpc_lsa_LookupPrivName(samsync_state->p_lsa, mem_ctx, &r);
 984                 if (!NT_STATUS_IS_OK(status)) {
 985                         printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
 986                         return False;
 987                 }
 988
 989                 if (!r.out.name) {
 990                         printf("\nLookupPrivName failed to return a name\n");
 991                         return False;
 992                 }
 993                 for (j=0;j<account->privilege_entries; j++) {
 994                         if (strcmp(r.out.name->string, account->privilege_name[j].string) == 0) {
 995                                 found_priv_in_lsa[j] = True;
 996                                 break;
 997                         }
 998                 }
 999         }
1000         for (j=0;j<account->privilege_entries; j++) {
1001                 if (!found_priv_in_lsa[j]) {
1002                         printf("Privilage %s on account %s not found in LSA\n", account->privilege_name[j].string,
1003                                dom_sid_string(mem_ctx, dom_sid));
1004                         ret = False;
1005                 }
1006         }
1007         return ret;
1008 }
1009
1010 /*
1011   try a netlogon DatabaseSync
1012 */
1013 static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
1014                               TALLOC_CTX *mem_ctx)
1015 {
1016         NTSTATUS status;
1017         struct netr_DatabaseSync r;
1018         const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
1019         int i, d;
1020         BOOL ret = True;
1021         struct samsync_trusted_domain *t;
1022         struct samsync_secret *s;
1023
1024         const char *domain, *username;
1025
1026         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
1027         r.in.computername = TEST_MACHINE_NAME;
1028         r.in.preferredmaximumlength = (uint32_t)-1;
1029         ZERO_STRUCT(r.in.return_authenticator);
1030
1031         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1032                 r.in.sync_context = 0;
1033                 r.in.database_id = database_ids[i];
1034
1035                 printf("Testing DatabaseSync of id %d\n", r.in.database_id);
1036
1037                 do {
1038                         creds_client_authenticator(samsync_state->creds, &r.in.credential);
1039
1040                         status = dcerpc_netr_DatabaseSync(samsync_state->p, mem_ctx, &r);
1041                         if (!NT_STATUS_IS_OK(status) &&
1042                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
1043                                 printf("DatabaseSync - %s\n", nt_errstr(status));
1044                                 ret = False;
1045                                 break;
1046                         }
1047
1048                         if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
1049                                 printf("Credential chaining failed\n");
1050                         }
1051
1052                         r.in.sync_context = r.out.sync_context;
1053
1054                         for (d=0; d < r.out.delta_enum_array->num_deltas; d++) {
1055                                 switch (r.out.delta_enum_array->delta_enum[d].delta_type) {
1056                                 case NETR_DELTA_DOMAIN:
1057                                         if (!samsync_handle_domain(mem_ctx, samsync_state,
1058                                                                    r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1059                                                 printf("Failed to handle DELTA_DOMAIN\n");
1060                                                 ret = False;
1061                                         }
1062                                         break;
1063                                 case NETR_DELTA_GROUP:
1064                                         if (!samsync_handle_group(mem_ctx, samsync_state,
1065                                                                   r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1066                                                 printf("Failed to handle DELTA_USER\n");
1067                                                 ret = False;
1068                                         }
1069                                         break;
1070                                 case NETR_DELTA_USER:
1071                                         if (!samsync_handle_user(mem_ctx, samsync_state,
1072                                                                  r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1073                                                 printf("Failed to handle DELTA_USER\n");
1074                                                 ret = False;
1075                                         }
1076                                         break;
1077                                 case NETR_DELTA_ALIAS:
1078                                         if (!samsync_handle_alias(mem_ctx, samsync_state,
1079                                                                   r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1080                                                 printf("Failed to handle DELTA_ALIAS\n");
1081                                                 ret = False;
1082                                         }
1083                                         break;
1084                                 case NETR_DELTA_POLICY:
1085                                         if (!samsync_handle_policy(mem_ctx, samsync_state,
1086                                                                    r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1087                                                 printf("Failed to handle DELTA_POLICY\n");
1088                                                 ret = False;
1089                                         }
1090                                         break;
1091                                 case NETR_DELTA_TRUSTED_DOMAIN:
1092                                         if (!samsync_handle_trusted_domain(mem_ctx, samsync_state,
1093                                                                            r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1094                                                 printf("Failed to handle DELTA_TRUSTED_DOMAIN\n");
1095                                                 ret = False;
1096                                         }
1097                                         break;
1098                                 case NETR_DELTA_ACCOUNT:
1099                                         if (!samsync_handle_account(mem_ctx, samsync_state,
1100                                                                     r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1101                                                 printf("Failed to handle DELTA_ACCOUNT\n");
1102                                                 ret = False;
1103                                         }
1104                                         break;
1105                                 case NETR_DELTA_SECRET:
1106                                         if (!samsync_handle_secret(mem_ctx, samsync_state,
1107                                                                    r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
1108                                                 printf("Failed to handle DELTA_SECRET\n");
1109                                                 ret = False;
1110                                         }
1111                                         break;
1112                                 }
1113                         }
1114                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1115
1116         }
1117
1118         domain = samsync_state->domain_name[SAM_DATABASE_DOMAIN];
1119         if (!domain) {
1120                 printf("Never got a DOMAIN object in samsync!\n");
1121                 return False;
1122         }
1123
1124         username = talloc_asprintf(mem_ctx, "%s$", domain);
1125         for (t=samsync_state->trusted_domains; t; t=t->next) {
1126                 char *secret_name = talloc_asprintf(mem_ctx, "G$$%s", t->name);
1127                 for (s=samsync_state->secrets; s; s=s->next) {
1128                         if (StrCaseCmp(s->name, secret_name) == 0) {
1129                                 NTSTATUS nt_status;
1130                                 struct samr_Password nt_hash;
1131                                 mdfour(nt_hash.hash, s->secret.data, s->secret.length);
1132
1133                                 printf("Checking password for %s\\%s\n", t->name, username);
1134                                 nt_status = test_SamLogon(samsync_state->p_netlogon_wksta, mem_ctx, samsync_state->creds_netlogon_wksta,
1135                                                           t->name,
1136                                                           username,
1137                                                           TEST_MACHINE_NAME2,
1138                                                           NULL,
1139                                                           &nt_hash,
1140                                                           NULL);
1141                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS)) {
1142                                         printf("Verifiction of trust password to %s failed: %s (the trusted domain is not available)\n",
1143                                                t->name, nt_errstr(nt_status));
1144
1145                                         break;
1146                                 }
1147                                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
1148                                         printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n",
1149                                                t->name, nt_errstr(nt_status));
1150                                         ret = False;
1151                                 }
1152
1153                                 /* break it */
1154                                 nt_hash.hash[0]++;
1155                                 nt_status = test_SamLogon(samsync_state->p_netlogon_wksta, mem_ctx, samsync_state->creds_netlogon_wksta,
1156                                                           t->name,
1157                                                           username,
1158                                                           TEST_MACHINE_NAME2,
1159                                                           NULL,
1160                                                           &nt_hash,
1161                                                           NULL);
1162
1163                                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
1164                                         printf("Verifiction of trust password to %s: should have failed (wrong password), instead: %s\n",
1165                                                t->name, nt_errstr(nt_status));
1166                                         ret = False;
1167                                 }
1168
1169                                 break;
1170                         }
1171                 }
1172         }
1173         return ret;
1174 }
1175
1176
1177 /*
1178   try a netlogon DatabaseDeltas
1179 */
1180 static BOOL test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
1181 {
1182         NTSTATUS status;
1183         struct netr_DatabaseDeltas r;
1184         const uint32_t database_ids[] = {0, 1, 2};
1185         int i;
1186         BOOL ret = True;
1187
1188         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
1189         r.in.computername = TEST_MACHINE_NAME;
1190         r.in.preferredmaximumlength = (uint32_t)-1;
1191         ZERO_STRUCT(r.in.return_authenticator);
1192
1193         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1194                 r.in.database_id = database_ids[i];
1195                 r.in.sequence_num = samsync_state->seq_num[i];
1196
1197                 if (r.in.sequence_num == 0) continue;
1198
1199                 r.in.sequence_num -= 1;
1200
1201
1202                 printf("Testing DatabaseDeltas of id %d at %llu\n",
1203                        r.in.database_id, r.in.sequence_num);
1204
1205                 do {
1206                         creds_client_authenticator(samsync_state->creds, &r.in.credential);
1207
1208                         status = dcerpc_netr_DatabaseDeltas(samsync_state->p, mem_ctx, &r);
1209                         if (!NT_STATUS_IS_OK(status) &&
1210                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
1211                             !NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
1212                                 printf("DatabaseDeltas - %s\n", nt_errstr(status));
1213                                 ret = False;
1214                                 break;
1215                         }
1216
1217                         if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
1218                                 printf("Credential chaining failed\n");
1219                         }
1220
1221                         r.in.sequence_num++;
1222                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1223         }
1224
1225         return ret;
1226 }
1227
1228
1229 /*
1230   try a netlogon DatabaseSync2
1231 */
1232 static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
1233                                struct creds_CredentialState *creds)
1234 {
1235         NTSTATUS status;
1236         struct netr_DatabaseSync2 r;
1237         const uint32_t database_ids[] = {0, 1, 2};
1238         int i;
1239         BOOL ret = True;
1240
1241         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
1242         r.in.computername = TEST_MACHINE_NAME;
1243         r.in.preferredmaximumlength = (uint32_t)-1;
1244         ZERO_STRUCT(r.in.return_authenticator);
1245
1246         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1247                 r.in.sync_context = 0;
1248                 r.in.database_id = database_ids[i];
1249                 r.in.restart_state = 0;
1250
1251                 printf("Testing DatabaseSync2 of id %d\n", r.in.database_id);
1252
1253                 do {
1254                         creds_client_authenticator(creds, &r.in.credential);
1255
1256                         status = dcerpc_netr_DatabaseSync2(p, mem_ctx, &r);
1257                         if (!NT_STATUS_IS_OK(status) &&
1258                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
1259                                 printf("DatabaseSync2 - %s\n", nt_errstr(status));
1260                                 ret = False;
1261                                 break;
1262                         }
1263
1264                         if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
1265                                 printf("Credential chaining failed\n");
1266                         }
1267
1268                         r.in.sync_context = r.out.sync_context;
1269                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1270         }
1271
1272         return ret;
1273 }
1274
1275
1276
1277 BOOL torture_rpc_samsync(void)
1278 {
1279         NTSTATUS status;
1280         TALLOC_CTX *mem_ctx;
1281         BOOL ret = True;
1282         struct test_join *join_ctx;
1283         struct test_join *join_ctx2;
1284         const char *machine_password;
1285         const char *machine_password2;
1286         const char *binding = lp_parm_string(-1, "torture", "binding");
1287         struct dcerpc_binding b;
1288         struct dcerpc_binding b_netlogon_wksta;
1289         struct samr_Connect c;
1290         struct samr_SetDomainInfo s;
1291         struct policy_handle *domain_policy;
1292
1293         struct lsa_ObjectAttribute attr;
1294         struct lsa_QosInfo qos;
1295         struct lsa_OpenPolicy2 r;
1296
1297         struct samsync_state *samsync_state;
1298
1299         mem_ctx = talloc_init("torture_rpc_netlogon");
1300
1301         join_ctx = torture_join_domain(TEST_MACHINE_NAME, lp_workgroup(), ACB_SVRTRUST,
1302                                        &machine_password);
1303         if (!join_ctx) {
1304                 printf("Failed to join as BDC\n");
1305                 return False;
1306         }
1307
1308         join_ctx2 = torture_join_domain(TEST_MACHINE_NAME2, lp_workgroup(), ACB_WSTRUST,
1309                                        &machine_password2);
1310         if (!join_ctx2) {
1311                 printf("Failed to join as member\n");
1312                 return False;
1313         }
1314
1315         samsync_state = talloc_zero(mem_ctx, struct samsync_state);
1316
1317         samsync_state->p_samr = torture_join_samr_pipe(join_ctx);
1318         samsync_state->connect_handle = talloc_zero(samsync_state, struct policy_handle);
1319         samsync_state->lsa_handle = talloc_zero(samsync_state, struct policy_handle);
1320         c.in.system_name = NULL;
1321         c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1322         c.out.connect_handle = samsync_state->connect_handle;
1323
1324         status = dcerpc_samr_Connect(samsync_state->p_samr, mem_ctx, &c);
1325         if (!NT_STATUS_IS_OK(status)) {
1326                 printf("samr_Connect failed\n");
1327                 ret = False;
1328                 goto failed;
1329         }
1330
1331         domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(), NULL);
1332         if (!domain_policy) {
1333                 printf("samrsync_open_domain failed\n");
1334                 ret = False;
1335                 goto failed;
1336         }
1337
1338         s.in.domain_handle = domain_policy;
1339         s.in.level = 4;
1340         s.in.info = talloc(mem_ctx, union samr_DomainInfo);
1341
1342         s.in.info->info4.comment.string
1343                 = talloc_asprintf(mem_ctx,
1344                                   "Tortured by Samba4: %s",
1345                                   timestring(mem_ctx, time(NULL)));
1346         status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s);
1347
1348         if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, domain_policy)) {
1349                 ret = False;
1350                 goto failed;
1351         }
1352
1353         if (!NT_STATUS_IS_OK(status)) {
1354                 printf("SetDomainInfo level %u failed - %s\n",
1355                        s.in.level, nt_errstr(status));
1356                 ret = False;
1357                 goto failed;
1358         }
1359
1360
1361         status = torture_rpc_connection(&samsync_state->p_lsa,
1362                                         DCERPC_LSARPC_NAME,
1363                                         DCERPC_LSARPC_UUID,
1364                                         DCERPC_LSARPC_VERSION);
1365
1366         if (!NT_STATUS_IS_OK(status)) {
1367                 ret = False;
1368                 goto failed;
1369         }
1370
1371         qos.len = 0;
1372         qos.impersonation_level = 2;
1373         qos.context_mode = 1;
1374         qos.effective_only = 0;
1375
1376         attr.len = 0;
1377         attr.root_dir = NULL;
1378         attr.object_name = NULL;
1379         attr.attributes = 0;
1380         attr.sec_desc = NULL;
1381         attr.sec_qos = &qos;
1382
1383         r.in.system_name = "\\";
1384         r.in.attr = &attr;
1385         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1386         r.out.handle = samsync_state->lsa_handle;
1387
1388         status = dcerpc_lsa_OpenPolicy2(samsync_state->p_lsa, mem_ctx, &r);
1389         if (!NT_STATUS_IS_OK(status)) {
1390                 printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
1391                 ret = False;
1392                 goto failed;
1393         }
1394
1395         status = dcerpc_parse_binding(mem_ctx, binding, &b);
1396         if (!NT_STATUS_IS_OK(status)) {
1397                 printf("Bad binding string %s\n", binding);
1398                 ret = False;
1399                 goto failed;
1400         }
1401
1402         b.flags &= ~DCERPC_AUTH_OPTIONS;
1403         b.flags |= DCERPC_SCHANNEL_BDC | DCERPC_SIGN;
1404
1405         status = dcerpc_pipe_connect_b(&samsync_state->p, &b,
1406                                        DCERPC_NETLOGON_UUID,
1407                                        DCERPC_NETLOGON_VERSION,
1408                                        lp_workgroup(),
1409                                        TEST_MACHINE_NAME,
1410                                        machine_password);
1411
1412         if (!NT_STATUS_IS_OK(status)) {
1413                 ret = False;
1414                 goto failed;
1415         }
1416
1417         status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state, mem_ctx, &samsync_state->creds);
1418         if (!NT_STATUS_IS_OK(status)) {
1419                 ret = False;
1420         }
1421
1422
1423
1424         status = dcerpc_parse_binding(mem_ctx, binding, &b_netlogon_wksta);
1425         if (!NT_STATUS_IS_OK(status)) {
1426                 printf("Bad binding string %s\n", binding);
1427                 ret = False;
1428                 goto failed;
1429         }
1430
1431         b_netlogon_wksta.flags &= ~DCERPC_AUTH_OPTIONS;
1432         b_netlogon_wksta.flags |= DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN;
1433
1434         status = dcerpc_pipe_connect_b(&samsync_state->p_netlogon_wksta, &b_netlogon_wksta,
1435                                        DCERPC_NETLOGON_UUID,
1436                                        DCERPC_NETLOGON_VERSION,
1437                                        lp_workgroup(),
1438                                        TEST_MACHINE_NAME2,
1439                                        machine_password2);
1440
1441         if (!NT_STATUS_IS_OK(status)) {
1442                 ret = False;
1443                 goto failed;
1444         }
1445
1446         status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
1447                                        mem_ctx, &samsync_state->creds_netlogon_wksta);
1448         if (!NT_STATUS_IS_OK(status)) {
1449                 printf("Failed to obtail schanel creds!\n");
1450                 ret = False;
1451         }
1452
1453         if (!test_DatabaseSync(samsync_state, mem_ctx)) {
1454                 printf("DatabaseSync failed\n");
1455                 ret = False;
1456         }
1457
1458         if (!test_DatabaseDeltas(samsync_state, mem_ctx)) {
1459                 printf("DatabaseDeltas failed\n");
1460                 ret = False;
1461         }
1462
1463         if (!test_DatabaseSync2(samsync_state->p, mem_ctx, samsync_state->creds)) {
1464                 printf("DatabaseSync2 failed\n");
1465                 ret = False;
1466         }
1467 failed:
1468         torture_rpc_close(samsync_state->p);
1469
1470         torture_leave_domain(join_ctx);
1471         torture_leave_domain(join_ctx2);
1472
1473         talloc_free(mem_ctx);
1474
1475         return ret;
1476 }