This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "auth/auth.h"
#include "lib/crypto/crypto.h"
#include "lib/cmdline/popt_common.h"
+#include "torture/rpc/rpc.h"
+#include "auth/gensec/schannel_proto.h"
+#include "libcli/auth/libcli_auth.h"
#define TEST_MACHINE_NAME "samlogontest"
#define TEST_USER_NAME "samlogontestuser"
struct netr_Authenticator auth, auth2;
struct creds_CredentialState *creds;
NTSTATUS expected_error;
+ BOOL old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */
DATA_BLOB chall;
};
status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r);
if (!r->out.return_authenticator ||
!creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) {
- printf("Credential chaining failed\n");
+ d_printf("Credential chaining failed\n");
}
if (!NT_STATUS_IS_OK(status)) {
if (error_string) {
status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags);
if (!r_flags->out.return_authenticator ||
!creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) {
- printf("Credential chaining failed\n");
+ d_printf("Credential chaining failed\n");
}
if (!NT_STATUS_IS_OK(status)) {
if (error_string) {
break;
}
break;
+ default:
+ /* can't happen */
+ return NT_STATUS_INVALID_PARAMETER;
}
if (!base) {
- printf("No user info returned from 'successful' SamLogon*() call!\n");
+ d_printf("No user info returned from 'successful' SamLogon*() call!\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (break_which == NO_NT && !lm_good) {
return True;
}
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
- }
-
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Key does not match expectations!\n");
- printf("lm_key:\n");
+ d_printf("LM Key does not match expectations!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
*error_string = strdup("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
- printf("user_session_key:\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, sizeof(user_session_key));
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_key_expected, sizeof(lm_key_expected));
pass = False;
}
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
*error_string = strdup("NT Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, session_key.data, session_key.length);
pass = False;
}
user_session_key,
error_string);
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
+ return False;
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
if (lm_good) {
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Key does not match expectations!\n");
- printf("lm_key:\n");
+ d_printf("LM Key does not match expectations!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
} else {
if (memcmp(session_key.data, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Key does not match expectations (first 8 session key)!\n");
- printf("lm_key:\n");
+ d_printf("LM Key does not match expectations (first 8 session key)!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, session_key.data, 8);
pass = False;
}
memset(lm_key_expected+8, '\0', 8);
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
- printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
- printf("user_session_key:\n");
+ d_printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, sizeof(user_session_key));
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_key_expected, sizeof(lm_key_expected));
pass = False;
}
user_session_key,
error_string);
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
+ return False;
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Key does not match expectations!\n");
- printf("lm_key:\n");
+ d_printf("LM Key does not match expectations!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("NT Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("NT Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, session_key.data, session_key.length);
pass = False;
}
data_blob_free(&ntlmv2_response);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
+ if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
return break_which == BREAK_BOTH;
- }
-
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
case NO_NT:
if (memcmp(lmv2_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("USER (LMv2) Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("USER (LMv2) Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
}
if (memcmp(lmv2_session_key.data, lm_session_key,
sizeof(lm_session_key)) != 0) {
- printf("LM (LMv2) Session Key does not match expectations!\n");
- printf("lm_session_key:\n");
+ d_printf("LM (LMv2) Session Key does not match expectations!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lmv2_session_key.data, 8);
pass = False;
}
sizeof(user_session_key)) != 0) {
if (memcmp(lmv2_session_key.data, user_session_key,
sizeof(user_session_key)) == 0) {
- printf("USER (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n");
- printf("user_session_key:\n");
+ d_printf("USER (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
} else {
- printf("USER (NTLMv2) Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("USER (NTLMv2) Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
}
sizeof(lm_session_key)) != 0) {
if (memcmp(lmv2_session_key.data, lm_session_key,
sizeof(lm_session_key)) == 0) {
- printf("LM (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n");
- printf("user_session_key:\n");
+ d_printf("LM (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n");
+ d_printf("user_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlmv2_session_key.data, 8);
pass = False;
} else {
- printf("LM (NTLMv2) Session Key does not match expectations!\n");
- printf("lm_session_key:\n");
+ d_printf("LM (NTLMv2) Session Key does not match expectations!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlmv2_session_key.data, 8);
pass = False;
}
if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
- }
-
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
case NO_NT:
if (memcmp(lmv2_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("USER (LMv2) Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("USER (LMv2) Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
}
if (memcmp(lmv2_session_key.data, lm_session_key,
sizeof(lm_session_key)) != 0) {
- printf("LM (LMv2) Session Key does not match expectations!\n");
- printf("lm_session_key:\n");
+ d_printf("LM (LMv2) Session Key does not match expectations!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lmv2_session_key.data, 8);
pass = False;
}
case BREAK_LM:
if (memcmp(ntlm_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("USER (NTLMv2) Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("USER (NTLMv2) Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlm_session_key.data, ntlm_session_key.length);
pass = False;
}
if (lm_good) {
if (memcmp(lm_hash, lm_session_key,
sizeof(lm_session_key)) != 0) {
- printf("LM Session Key does not match expectations!\n");
- printf("lm_session_key:\n");
+ d_printf("LM Session Key does not match expectations!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
} else {
- static const char zeros[8];
+ static const uint8_t zeros[8];
if (memcmp(zeros, lm_session_key,
sizeof(lm_session_key)) != 0) {
- printf("LM Session Key does not match expectations (zeros)!\n");
- printf("lm_session_key:\n");
+ d_printf("LM Session Key does not match expectations (zeros)!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, zeros, 8);
pass = False;
}
default:
if (memcmp(ntlm_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("USER (NTLMv2) Session Key does not match expectations!\n");
- printf("user_session_key:\n");
+ d_printf("USER (NTLMv2) Session Key does not match expectations!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlm_session_key.data, ntlm_session_key.length);
pass = False;
}
if (memcmp(ntlm_session_key.data, lm_session_key,
sizeof(lm_session_key)) != 0) {
- printf("LM (NTLMv2) Session Key does not match expectations!\n");
- printf("lm_session_key:\n");
+ d_printf("LM (NTLMv2) Session Key does not match expectations!\n");
+ d_printf("lm_session_key:\n");
dump_data(1, lm_session_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, ntlm_session_key.data, 8);
pass = False;
}
user_session_key,
error_string);
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
+ return False;
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
if (lm_good) {
if (memcmp(lm_hash, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Key does not match expectations!\n");
- printf("lm_key:\n");
+ d_printf("LM Key does not match expectations!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, lm_hash, 8);
pass = False;
}
} else {
- static const char zeros[8];
+ static const uint8_t zeros[8];
if (memcmp(zeros, lm_key,
sizeof(lm_key)) != 0) {
- printf("LM Session Key does not match expectations (zeros)!\n");
- printf("lm_key:\n");
+ d_printf("LM Session Key does not match expectations (zeros)!\n");
+ d_printf("lm_key:\n");
dump_data(1, lm_key, 8);
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, zeros, 8);
pass = False;
}
}
if (memcmp(nt_key, user_session_key, 16) != 0) {
- printf("NT Session Key does not match expectations (should be NT Key)!\n");
- printf("user_session_key:\n");
+ d_printf("NT Session Key does not match expectations (should be NT Key)!\n");
+ d_printf("user_session_key:\n");
dump_data(1, user_session_key, sizeof(user_session_key));
- printf("expected:\n");
+ d_printf("expected:\n");
dump_data(1, nt_key, sizeof(nt_key));
pass = False;
}
error_string);
if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) {
+ /* for 'old' passwords, we allow the server to be OK or wrong password */
+ if (samlogon_state->old_password) {
+ return True;
+ }
/* for 'long' passwords, the LM password is invalid */
if (break_which == NO_NT && !lm_good) {
return True;
}
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
- }
-
- if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
+ } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return False;
const char *comment,
const char *account_domain, const char *account_name,
const char *plain_pass, uint32_t parameter_control,
- NTSTATUS expected_error,
+ NTSTATUS expected_error, BOOL old_password,
int n_subtests)
{
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_SamLogon function-level context");
DCERPC_NETR_LOGONSAMLOGONWITHFLAGS };
struct samlogon_state samlogon_state;
- printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n");
+ d_printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n");
samlogon_state.comment = comment;
samlogon_state.account_name = account_name;
samlogon_state.expected_error = expected_error;
samlogon_state.chall = data_blob_talloc(fn_ctx, NULL, 8);
samlogon_state.parameter_control = parameter_control;
+ samlogon_state.old_password = old_password;
generate_random_buffer(samlogon_state.chall.data, 8);
samlogon_state.r_flags.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p));
- samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME;
+ samlogon_state.r_flags.in.computer_name = TEST_MACHINE_NAME;
samlogon_state.r_flags.in.credential = &samlogon_state.auth;
samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2;
samlogon_state.r_flags.in.flags = 0;
samlogon_state.r_ex.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p));
- samlogon_state.r_ex.in.workstation = TEST_MACHINE_NAME;
+ samlogon_state.r_ex.in.computer_name = TEST_MACHINE_NAME;
samlogon_state.r_ex.in.flags = 0;
samlogon_state.r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p));
- samlogon_state.r.in.workstation = TEST_MACHINE_NAME;
+ samlogon_state.r.in.computer_name = TEST_MACHINE_NAME;
samlogon_state.r.in.credential = &samlogon_state.auth;
samlogon_state.r.in.return_authenticator = &samlogon_state.auth2;
samlogon_state.r_flags.in.validation_level = validation_levels[v];
samlogon_state.r_flags.in.logon_level = logon_levels[l];
if (!test_table[i].fn(&samlogon_state, &error_string)) {
- printf("Testing '%s' [%s]\\[%s] '%s' at validation level %d, logon level %d, function %d: \n",
+ d_printf("Testing '%s' [%s]\\[%s] '%s' at validation level %d, logon level %d, function %d: \n",
samlogon_state.comment,
samlogon_state.account_domain,
samlogon_state.account_name,
logon_levels[l], function_levels[f]);
if (test_table[i].expect_fail) {
- printf(" failed (expected, test incomplete): %s\n", error_string);
+ d_printf(" failed (expected, test incomplete): %s\n", error_string);
} else {
- printf(" failed: %s\n", error_string);
+ d_printf(" failed: %s\n", error_string);
ret = False;
}
SAFE_FREE(error_string);
const char *comment,
const char *workstation_name,
const char *account_domain, const char *account_name,
- const char *plain_pass, NTSTATUS expected_error)
+ const char *plain_pass, uint32_t parameter_control,
+ NTSTATUS expected_error)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
creds_client_authenticator(creds, &a);
r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = TEST_MACHINE_NAME;
+ r.in.computer_name = TEST_MACHINE_NAME;
r.in.credential = &a;
r.in.return_authenticator = &ra;
r.in.logon_level = 5;
r.in.flags = 0;
pinfo.identity_info.domain_name.string = account_domain;
- pinfo.identity_info.parameter_control = 0;
+ pinfo.identity_info.parameter_control = parameter_control;
pinfo.identity_info.logon_id_low = 0;
pinfo.identity_info.logon_id_high = 0;
pinfo.identity_info.account_name.string = account_name;
creds_des_encrypt(creds, &pinfo.ntpassword);
}
- printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
+ d_printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
status = dcerpc_netr_LogonSamLogonWithFlags(p, fn_ctx, &r);
if (!r.out.return_authenticator
|| !creds_client_check(creds, &r.out.return_authenticator->cred)) {
- printf("Credential chaining failed\n");
+ d_printf("Credential chaining failed\n");
talloc_free(fn_ctx);
return False;
}
talloc_free(fn_ctx);
if (!NT_STATUS_EQUAL(expected_error, status)) {
- printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n",
+ d_printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n",
account_domain, account_name, nt_errstr(expected_error), nt_errstr(status));
return False;
}
-BOOL torture_rpc_samlogon(void)
+BOOL torture_rpc_samlogon(struct torture_context *torture)
{
NTSTATUS status;
struct dcerpc_pipe *p;
BOOL ret = True;
struct test_join *join_ctx;
struct test_join *user_ctx;
- const char *user_password;
+ char *user_password;
const char *old_user_password;
char *test_machine_account;
- const char *binding = lp_parm_string(-1, "torture", "binding");
+ const char *binding = torture_setting_string(torture, "binding", NULL);
const char *userdomain;
int i;
int ci;
join_ctx = torture_join_domain(TEST_MACHINE_NAME, ACB_WSTRUST,
&machine_credentials);
if (!join_ctx) {
- printf("Failed to join as Workstation\n");
+ d_printf("Failed to join as Workstation\n");
return False;
}
- userdomain = lp_parm_string(-1, "torture", "userdomain");
- if (!userdomain) {
- userdomain = lp_workgroup();
- }
+ userdomain = torture_setting_string(torture, "userdomain", lp_workgroup());
user_ctx = torture_create_testuser(TEST_USER_NAME,
userdomain,
ACB_NORMAL,
- &user_password);
+ (const char **)&user_password);
if (!user_ctx) {
- printf("Failed to join as Workstation\n");
+ d_printf("Failed to join as Workstation\n");
return False;
}
old_user_password = user_password;
test_ChangePasswordUser3(torture_join_samr_pipe(user_ctx), mem_ctx,
- TEST_USER_NAME, 16 /* > 14 */, &user_password);
+ TEST_USER_NAME, 16 /* > 14 */, &user_password,
+ NULL, 0, False);
status = dcerpc_parse_binding(mem_ctx, binding, &b);
if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
+ d_printf("Bad binding string %s\n", binding);
ret = False;
goto failed;
}
b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
status = dcerpc_pipe_connect_b(mem_ctx, &p, b,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
+ &dcerpc_table_netlogon,
machine_credentials, NULL);
if (!NT_STATUS_IS_OK(status)) {
- printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
+ d_printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
ret = False;
goto failed;
}
NTSTATUS expected_interactive_error;
NTSTATUS expected_network_error;
uint32_t parameter_control;
+ BOOL old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */
} usercreds[] = {
{
.comment = "domain\\user",
cli_credentials_get_domain(cmdline_credentials)
),
.password = cli_credentials_get_password(cmdline_credentials),
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_OK,
.expected_network_error = NT_STATUS_OK
},
cli_credentials_get_domain(machine_credentials)
),
.password = cli_credentials_get_password(machine_credentials),
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_NO_SUCH_USER,
.parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
},
TEST_USER_NAME,
userdomain),
.password = user_password,
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_OK,
.expected_network_error = NT_STATUS_OK
},
.password = old_user_password,
.network_login = True,
.expected_interactive_error = NT_STATUS_WRONG_PASSWORD,
- .expected_network_error = NT_STATUS_OK
+ .expected_network_error = NT_STATUS_OK,
+ .old_password = True
}
};
usercreds[ci].domain,
usercreds[ci].username,
usercreds[ci].password,
+ usercreds[ci].parameter_control,
usercreds[ci].expected_interactive_error)) {
ret = False;
}
usercreds[ci].password,
usercreds[ci].parameter_control,
usercreds[ci].expected_network_error,
+ usercreds[ci].old_password,
0)) {
ret = False;
}
* session key encryption) */
for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
+ /* TODO: Somehow we lost setting up the different credential flags here! */
+
if (!test_InteractiveLogon(p, mem_ctx, creds,
usercreds[0].comment,
TEST_MACHINE_NAME,
usercreds[0].domain,
usercreds[0].username,
usercreds[0].password,
+ usercreds[0].parameter_control,
usercreds[0].expected_interactive_error)) {
ret = False;
}
- if (usercreds[ci].network_login) {
+ if (usercreds[0].network_login) {
if (!test_SamLogon(p, mem_ctx, creds,
usercreds[0].comment,
usercreds[0].domain,
usercreds[0].password,
usercreds[0].parameter_control,
usercreds[0].expected_network_error,
+ usercreds[0].old_password,
1)) {
ret = False;
}