This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "torture/torture.h"
#include "auth/auth.h"
-#include "dlinklist.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/util/dlinklist.h"
+#include "../lib/crypto/crypto.h"
#include "system/time.h"
+#include "torture/rpc/rpc.h"
+#include "auth/gensec/schannel_proto.h"
+#include "auth/gensec/gensec.h"
+#include "libcli/auth/libcli_auth.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "param/param.h"
#define TEST_MACHINE_NAME "samsynctest"
#define TEST_WKSTA_MACHINE_NAME "samsynctest2"
sizeof(ninfo.challenge));
if (nt_hash) {
ninfo.nt.length = 24;
- ninfo.nt.data = talloc_size(mem_ctx, 24);
+ ninfo.nt.data = talloc_array(mem_ctx, uint8_t, 24);
SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
} else {
ninfo.nt.length = 0;
if (lm_hash) {
ninfo.lm.length = 24;
- ninfo.lm.data = talloc_size(mem_ctx, 24);
+ ninfo.lm.data = talloc_array(mem_ctx, uint8_t, 24);
SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
} else {
ninfo.lm.length = 0;
}
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = workstation;
+ r.in.computer_name = workstation;
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = 2;
struct samsync_state {
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
uint64_t seq_num[3];
- char *domain_name[2];
+ const char *domain_name[2];
struct samsync_secret *secrets;
struct samsync_trusted_domain *trusted_domains;
struct creds_CredentialState *creds;
struct samsync_secret {
struct samsync_secret *prev, *next;
DATA_BLOB secret;
- char *name;
+ const char *name;
NTTIME mtime;
};
struct samsync_trusted_domain {
struct samsync_trusted_domain *prev, *next;
struct dom_sid *sid;
- char *name;
+ const char *name;
};
static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
#define TEST_UINT64_EQUAL(i1, i2) do {\
if (i1 != i2) {\
- printf("%s: uint64 mismatch: " #i1 ": 0x%08x%08x (%lld) != " #i2 ": 0x%08x%08x (%lld)\n", \
+ printf("%s: uint64 mismatch: " #i1 ": 0x%016llx (%lld) != " #i2 ": 0x%016llx (%lld)\n", \
__location__, \
- (uint32_t)(i1 >> 32), (uint32_t)(i1 & 0xFFFFFFFF), i1, \
- (uint32_t)(i2 >> 32), (uint32_t)(i2 & 0xFFFFFFFF), i2);\
- ret = False;\
+ (long long)i1, (long long)i1, \
+ (long long)i2, (long long)i2);\
+ ret = false;\
} \
} while (0)
#define TEST_INT_EQUAL(i1, i2) do {\
if (i1 != i2) {\
- printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
- __location__, i1, i2);\
- ret = False;\
+ printf("%s: integer mismatch: " #i1 ": 0x%08x (%d) != " #i2 ": 0x%08x (%d)\n", \
+ __location__, i1, i1, i2, i2); \
+ ret = false;\
} \
} while (0)
#define TEST_TIME_EQUAL(t1, t2) do {\
if (t1 != t2) {\
printf("%s: NTTIME mismatch: " #t1 ":%s != " #t2 ": %s\n", \
__location__, nt_time_string(mem_ctx, t1), nt_time_string(mem_ctx, t2));\
- ret = False;\
+ ret = false;\
} \
} while (0)
&& strcmp_safe(s1.string, s2.string) != 0) {\
printf("%s: string mismatch: " #s1 ":%s != " #s2 ": %s\n", \
__location__, s1.string, s2.string);\
- ret = False;\
+ ret = false;\
} \
} while (0)
if (!dom_sid_equal(s1, s2)) {\
printf("%s: dom_sid mismatch: " #s1 ":%s != " #s2 ": %s\n", \
__location__, dom_sid_string(mem_ctx, s1), dom_sid_string(mem_ctx, s2));\
- ret = False;\
+ ret = false;\
} \
} while (0)
handle); \
if (!sdbuf || !sdbuf->sd) { \
printf("Could not obtain security descriptor to match " #sd1 "\n");\
- ret = False; \
+ ret = false; \
} else {\
if (!security_descriptor_mask_equal(sd1.sd, sdbuf->sd, \
~SEC_DESC_SACL_PRESENT)) {\
printf("Security Descriptor Mismatch for %s:\n", #sd1);\
ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamSync", sd1.sd);\
ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamR", sdbuf->sd);\
- ret = False;\
+ ret = false;\
}\
}\
} while (0)
-static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13};
NTSTATUS nt_status;
int i;
- BOOL ret = True;
+ bool ret = true;
samsync_state->seq_num[database_id] =
domain->sequence_num;
break;
case SAM_DATABASE_PRIVS:
printf("DOMAIN entry on privs DB!\n");
- return False;
+ return false;
break;
}
if (strcasecmp_m(samsync_state->domain_name[database_id], domain->domain_name.string) != 0) {
printf("Domain has name varies!: %s != %s\n", samsync_state->domain_name[database_id],
domain->domain_name.string);
- return False;
+ return false;
}
}
}
if (samsync_state->domain_handle[database_id]) {
samsync_state->sid[database_id] = talloc_reference(samsync_state, dom_sid);
- talloc_reference(dom_sid, dom_sid->sub_auths);
}
printf("\tsequence_nums[%d/%s]=%llu\n",
database_id, domain->domain_name.string,
- samsync_state->seq_num[database_id]);
+ (long long)samsync_state->seq_num[database_id]);
for (i=0;i<ARRAY_SIZE(levels);i++) {
q[levels[i]].in.domain_handle = samsync_state->domain_handle[database_id];
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryDomainInfo level %u failed - %s\n",
q[levels[i]].in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
}
TEST_STRING_EQUAL(q[5].out.info->info5.domain_name, domain->domain_name);
- TEST_STRING_EQUAL(q[2].out.info->info2.comment, domain->comment);
- TEST_STRING_EQUAL(q[4].out.info->info4.comment, domain->comment);
- TEST_TIME_EQUAL(q[2].out.info->info2.force_logoff_time, domain->force_logoff_time);
+ TEST_STRING_EQUAL(q[2].out.info->general.oem_information, domain->oem_information);
+ TEST_STRING_EQUAL(q[4].out.info->oem.oem_information, domain->oem_information);
+ TEST_TIME_EQUAL(q[2].out.info->general.force_logoff_time, domain->force_logoff_time);
TEST_TIME_EQUAL(q[3].out.info->info3.force_logoff_time, domain->force_logoff_time);
TEST_TIME_EQUAL(q[1].out.info->info1.min_password_length, domain->min_password_length);
return ret;
}
-static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_POLICY *policy = delta->delta_union.policy;
if (strcasecmp_m(samsync_state->domain_name[SAM_DATABASE_DOMAIN], policy->primary_domain_name.string) != 0) {
printf("PRIMARY domain has name varies between DOMAIN and POLICY!: %s != %s\n", samsync_state->domain_name[SAM_DATABASE_DOMAIN],
policy->primary_domain_name.string);
- return False;
+ return false;
}
}
if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
- return False;
+ return false;
}
printf("\tsequence_nums[%d/PRIVS]=%llu\n",
database_id,
- samsync_state->seq_num[database_id]);
- return True;
+ (long long)samsync_state->seq_num[database_id]);
+ return true;
}
-static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
const char *domain = samsync_state->domain_name[database_id];
const char *username = user->account_name.string;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenUser r;
struct samr_QueryUserInfo q;
struct samr_GetGroupsForUser getgroups;
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenUser(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.user_handle = &user_handle;
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryUserInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
getgroups.in.user_handle = &user_handle;
if (!NT_STATUS_IS_OK(nt_status)) {
printf("GetGroupsForUser failed - %s\n",
nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
printf("samr_handle_Close failed - %s\n",
nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
if (!ret) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryUserInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
TEST_STRING_EQUAL(q.out.info->info21.account_name, user->account_name);
if (memcmp(q.out.info->info21.logon_hours.bits, user->logon_hours.bits,
q.out.info->info21.logon_hours.units_per_week/8) != 0) {
printf("Logon hours mismatch\n");
- ret = False;
+ ret = false;
}
}
TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
user->acct_expiry);
- TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
+ TEST_INT_EQUAL((q.out.info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags);
+ if (user->acct_flags & ACB_PWNOEXP) {
+ if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+ printf("ACB flags mismatch: both expired and no expiry!\n");
+ ret = false;
+ }
+ if (q.out.info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) {
+ printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n",
+ (unsigned long long)q.out.info->info21.force_password_change,
+ (unsigned long long)q.out.info->info21.force_password_change,
+ (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL
+ );
+ ret = false;
+ }
+ }
+
TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
if (user->user_private_info.SensitiveData) {
DATA_BLOB data;
struct netr_USER_KEYS keys;
+ enum ndr_err_code ndr_err;
data.data = user->user_private_info.SensitiveData;
data.length = user->user_private_info.DataLength;
creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
- nt_status = ndr_pull_struct_blob(&data, mem_ctx, &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
- if (NT_STATUS_IS_OK(nt_status)) {
+ ndr_err = ndr_pull_struct_blob(&data, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
if (keys.keys.keys2.lmpassword.length == 16) {
sam_rid_crypt(rid, keys.keys.keys2.lmpassword.pwd.hash, lm_hash.hash, 0);
lm_hash_p = &lm_hash;
#if 0
dump_data(0, data.data, data.length);
#endif
- return False;
+ return false;
}
}
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
if (user->acct_flags & ACB_DISABLED) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_WSTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_SVRTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_DOMTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_DOMTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
if (user->acct_flags & ACB_AUTOLOCK) {
- return True;
+ return true;
+ }
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) {
+ if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) {
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
if (!lm_hash_p && !nt_hash_p) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE)) {
/* We would need to know the server's current time to test this properly */
- return True;
+ return true;
} else if (NT_STATUS_IS_OK(nt_status)) {
TEST_INT_EQUAL(user->rid, info3->base.rid);
TEST_INT_EQUAL(user->primary_gid, info3->base.primary_gid);
TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
+ TEST_TIME_EQUAL(q.out.info->info21.force_password_change, info3->base.force_password_change);
/* Does the concept of a logoff time ever really
* exist? (not in any sensible way, according to the
if (getgroups.out.rids->count == info3->base.groups.count) {
int i, j;
int count = getgroups.out.rids->count;
- BOOL *matched = talloc_zero_array(mem_ctx, BOOL, getgroups.out.rids->count);
+ bool *matched = talloc_zero_array(mem_ctx, bool, getgroups.out.rids->count);
for (i = 0; i < count; i++) {
for (j = 0; j < count; j++) {
info3->base.groups.rids[j].rid)
&& (getgroups.out.rids->rids[i].attributes ==
info3->base.groups.rids[j].attributes)) {
- matched[i] = True;
+ matched[i] = true;
}
}
}
for (i = 0; i < getgroups.out.rids->count; i++) {
- if (matched[i] == False) {
- ret = False;
+ if (matched[i] == false) {
+ ret = false;
printf("Could not find group RID %u found in getgroups in NETLOGON reply\n",
getgroups.out.rids->rids[i].rid);
}
} else {
printf("Could not validate password for user %s\\%s: %s\n",
domain, username, nt_errstr(nt_status));
- return False;
+ return false;
}
- return False;
+ return false;
}
-static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
struct netr_DELTA_ALIAS *alias = delta->delta_union.alias;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenAlias r;
struct samr_QueryAliasInfo q;
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenAlias(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.alias_handle = &alias_handle;
nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryAliasInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name);
return ret;
}
-static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
struct netr_DELTA_GROUP *group = delta->delta_union.group;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenGroup r;
struct samr_QueryGroupInfo q;
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenGroup(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.group_handle = &group_handle;
nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryGroupInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
TEST_STRING_EQUAL(q.out.info->all.name, group->group_name);
return ret;
}
-static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
struct lsa_DATA_BUF_PTR bufp2;
NTTIME new_mtime;
NTTIME old_mtime;
- BOOL ret = True;
+ bool ret = true;
DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
NTSTATUS status;
status = dcerpc_lsa_OpenSecret(samsync_state->p_lsa, mem_ctx, &o);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenSecret failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
/*
status = dcerpc_fetch_session_key(samsync_state->p_lsa, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
status = dcerpc_lsa_QuerySecret(samsync_state->p_lsa, mem_ctx, &q);
if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
/* some things are just off limits */
- return True;
+ return true;
} else if (!NT_STATUS_IS_OK(status)) {
printf("QuerySecret failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (q.out.old_val->buf == NULL) {
status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to decrypt secrets OLD blob: %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (!q.out.old_mtime) {
printf("OLD mtime not available on LSA for secret %s\n", old->name);
- ret = False;
+ ret = false;
}
if (old->mtime != *q.out.old_mtime) {
printf("OLD mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
old->name, nt_time_string(mem_ctx, old->mtime),
nt_time_string(mem_ctx, *q.out.old_mtime));
- ret = False;
+ ret = false;
}
if (old->secret.length != lsa_blob_out.length) {
printf("Returned secret %s doesn't match: %d != %d\n",
old->name, (int)old->secret.length, (int)lsa_blob_out.length);
- ret = False;
+ ret = false;
} else if (memcmp(lsa_blob_out.data,
old->secret.data, old->secret.length) != 0) {
printf("Returned secret %s doesn't match: \n",
dump_data(1, old->secret.data, old->secret.length);
DEBUG(1, ("LSA Secret:\n"));
dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
- ret = False;
+ ret = false;
}
}
status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to decrypt secrets OLD blob\n");
- return False;
+ return false;
}
if (!q.out.new_mtime) {
printf("NEW mtime not available on LSA for secret %s\n", new->name);
- ret = False;
+ ret = false;
}
if (new->mtime != *q.out.new_mtime) {
printf("NEW mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
new->name, nt_time_string(mem_ctx, new->mtime),
nt_time_string(mem_ctx, *q.out.new_mtime));
- ret = False;
+ ret = false;
}
if (new->secret.length != lsa_blob_out.length) {
printf("Returned secret %s doesn't match: %d != %d\n",
new->name, (int)new->secret.length, (int)lsa_blob_out.length);
- ret = False;
+ ret = false;
} else if (memcmp(lsa_blob_out.data,
new->secret.data, new->secret.length) != 0) {
printf("Returned secret %s doesn't match: \n",
dump_data(1, new->secret.data, new->secret.length);
DEBUG(1, ("LSA Secret:\n"));
dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
- ret = False;
+ ret = false;
}
}
return ret;
}
-static BOOL samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
NTSTATUS status;
- BOOL ret = True;
+ bool ret = true;
struct netr_DELTA_TRUSTED_DOMAIN *trusted_domain = delta->delta_union.trusted_domain;
struct dom_sid *dom_sid = delta->delta_id_union.sid;
status = dcerpc_lsa_OpenTrustedDomain(samsync_state->p_lsa, mem_ctx, &t);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
for (i=0; i< ARRAY_SIZE(levels); i++) {
}
printf("QueryInfoTrustedDomain level %d failed - %s\n",
levels[i], nt_errstr(status));
- return False;
+ return false;
}
info[levels[i]] = q.out.info;
}
return ret;
}
-static BOOL samsync_handle_account(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_account(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
NTSTATUS status;
- BOOL ret = True;
+ bool ret = true;
struct netr_DELTA_ACCOUNT *account = delta->delta_union.account;
struct dom_sid *dom_sid = delta->delta_id_union.sid;
int i, j;
- BOOL *found_priv_in_lsa;
+ bool *found_priv_in_lsa;
a.in.handle = samsync_state->lsa_handle;
a.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
status = dcerpc_lsa_OpenAccount(samsync_state->p_lsa, mem_ctx, &a);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
TEST_SEC_DESC_EQUAL(account->sdbuf, lsa, &acct_handle);
- found_priv_in_lsa = talloc_zero_array(mem_ctx, BOOL, account->privilege_entries);
+ found_priv_in_lsa = talloc_zero_array(mem_ctx, bool, account->privilege_entries);
e.in.handle = &acct_handle;
status = dcerpc_lsa_EnumPrivsAccount(samsync_state->p_lsa, mem_ctx, &e);
if (!NT_STATUS_IS_OK(status)) {
printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
if ((account->privilege_entries && !e.out.privs)) {
printf("Account %s has privileges in SamSync, but not LSA\n",
dom_sid_string(mem_ctx, dom_sid));
- return False;
+ return false;
}
if (!account->privilege_entries && e.out.privs && e.out.privs->count) {
printf("Account %s has privileges in LSA, but not SamSync\n",
dom_sid_string(mem_ctx, dom_sid));
- return False;
+ return false;
}
TEST_INT_EQUAL(account->privilege_entries, e.out.privs->count);
status = dcerpc_lsa_LookupPrivName(samsync_state->p_lsa, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (!r.out.name) {
printf("\nLookupPrivName failed to return a name\n");
- return False;
+ return false;
}
for (j=0;j<account->privilege_entries; j++) {
if (strcmp(r.out.name->string, account->privilege_name[j].string) == 0) {
- found_priv_in_lsa[j] = True;
+ found_priv_in_lsa[j] = true;
break;
}
}
if (!found_priv_in_lsa[j]) {
printf("Privilage %s on account %s not found in LSA\n", account->privilege_name[j].string,
dom_sid_string(mem_ctx, dom_sid));
- ret = False;
+ ret = false;
}
}
return ret;
/*
try a netlogon DatabaseSync
*/
-static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
- TALLOC_CTX *mem_ctx)
+static bool test_DatabaseSync(struct torture_context *tctx,
+ struct samsync_state *samsync_state,
+ TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx, *delta_ctx, *trustdom_ctx;
struct netr_DatabaseSync r;
const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
int i, d;
- BOOL ret = True;
+ bool ret = true;
struct samsync_trusted_domain *t;
struct samsync_secret *s;
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
printf("DatabaseSync - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
break;
}
if (!samsync_handle_domain(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_DOMAIN\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_GROUP:
if (!samsync_handle_group(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_USER\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_USER:
- if (!samsync_handle_user(delta_ctx, samsync_state,
+ if (!samsync_handle_user(tctx, delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_USER\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_ALIAS:
if (!samsync_handle_alias(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_ALIAS\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_POLICY:
if (!samsync_handle_policy(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_POLICY\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_TRUSTED_DOMAIN:
if (!samsync_handle_trusted_domain(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_TRUSTED_DOMAIN\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_ACCOUNT:
if (!samsync_handle_account(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_ACCOUNT\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_SECRET:
if (!samsync_handle_secret(delta_ctx, samsync_state,
r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_SECRET\n");
- ret = False;
+ ret = false;
}
break;
+ case NETR_DELTA_GROUP_MEMBER:
+ case NETR_DELTA_ALIAS_MEMBER:
+ /* These are harder to cross-check, and we expect them */
+ break;
+ case NETR_DELTA_DELETE_GROUP:
+ case NETR_DELTA_RENAME_GROUP:
+ case NETR_DELTA_DELETE_USER:
+ case NETR_DELTA_RENAME_USER:
+ case NETR_DELTA_DELETE_ALIAS:
+ case NETR_DELTA_RENAME_ALIAS:
+ case NETR_DELTA_DELETE_TRUST:
+ case NETR_DELTA_DELETE_ACCOUNT:
+ case NETR_DELTA_DELETE_SECRET:
+ case NETR_DELTA_DELETE_GROUP2:
+ case NETR_DELTA_DELETE_USER2:
+ case NETR_DELTA_MODIFY_COUNT:
+ default:
+ printf("Uxpected delta type %d\n", r.out.delta_enum_array->delta_enum[d].delta_type);
+ ret = false;
+ break;
}
talloc_free(delta_ctx);
}
domain = samsync_state->domain_name[SAM_DATABASE_DOMAIN];
if (!domain) {
printf("Never got a DOMAIN object in samsync!\n");
- return False;
+ return false;
}
trustdom_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync Trusted domains context");
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n",
t->name, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
/* break it */
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
printf("Verifiction of trust password to %s: should have failed (wrong password), instead: %s\n",
t->name, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
break;
/*
try a netlogon DatabaseDeltas
*/
-static BOOL test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
+static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx;
struct netr_DatabaseDeltas r;
const uint32_t database_ids[] = {0, 1, 2};
int i;
- BOOL ret = True;
+ bool ret = true;
r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
r.in.computername = TEST_MACHINE_NAME;
printf("Testing DatabaseDeltas of id %d at %llu\n",
- r.in.database_id, r.in.sequence_num);
+ r.in.database_id, (long long)r.in.sequence_num);
do {
loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseDeltas loop context");
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
!NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
printf("DatabaseDeltas - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
}
if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
/*
try a netlogon DatabaseSync2
*/
-static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_DatabaseSync2 r;
const uint32_t database_ids[] = {0, 1, 2};
int i;
- BOOL ret = True;
+ bool ret = true;
r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
r.in.computername = TEST_MACHINE_NAME;
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
printf("DatabaseSync2 - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
}
if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
-BOOL torture_rpc_samsync(void)
+bool torture_rpc_samsync(struct torture_context *torture)
{
NTSTATUS status;
TALLOC_CTX *mem_ctx;
- BOOL ret = True;
+ bool ret = true;
struct test_join *join_ctx;
struct test_join *join_ctx2;
struct test_join *user_ctx;
const char *machine_password;
const char *wksta_machine_password;
- const char *binding = lp_parm_string(-1, "torture", "binding");
struct dcerpc_binding *b;
struct dcerpc_binding *b_netlogon_wksta;
struct samr_Connect c;
mem_ctx = talloc_init("torture_rpc_netlogon");
test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME);
- join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(), ACB_SVRTRUST,
+ join_ctx = torture_create_testuser(torture, test_machine_account,
+ lp_workgroup(torture->lp_ctx), ACB_SVRTRUST,
&machine_password);
if (!join_ctx) {
talloc_free(mem_ctx);
printf("Failed to join as BDC\n");
- return False;
+ return false;
}
test_wksta_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_WKSTA_MACHINE_NAME);
- join_ctx2 = torture_create_testuser(test_wksta_machine_account, lp_workgroup(), ACB_WSTRUST,
- &wksta_machine_password);
+ join_ctx2 = torture_create_testuser(torture, test_wksta_machine_account, lp_workgroup(torture->lp_ctx), ACB_WSTRUST, &wksta_machine_password);
if (!join_ctx2) {
talloc_free(mem_ctx);
printf("Failed to join as member\n");
- return False;
+ return false;
}
- user_ctx = torture_create_testuser(TEST_USER_NAME,
- lp_workgroup(),
+ user_ctx = torture_create_testuser(torture, TEST_USER_NAME,
+ lp_workgroup(torture->lp_ctx),
ACB_NORMAL, NULL);
if (!user_ctx) {
talloc_free(mem_ctx);
printf("Failed to create test account\n");
- return False;
+ return false;
}
samsync_state = talloc_zero(mem_ctx, struct samsync_state);
status = dcerpc_samr_Connect(samsync_state->p_samr, mem_ctx, &c);
if (!NT_STATUS_IS_OK(status)) {
printf("samr_Connect failed\n");
- ret = False;
+ ret = false;
goto failed;
}
- domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(), NULL);
+ domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(torture->lp_ctx), NULL);
if (!domain_policy) {
printf("samrsync_open_domain failed\n");
- ret = False;
+ ret = false;
goto failed;
}
s.in.level = 4;
s.in.info = talloc(mem_ctx, union samr_DomainInfo);
- s.in.info->info4.comment.string
+ s.in.info->oem.oem_information.string
= talloc_asprintf(mem_ctx,
"Tortured by Samba4: %s",
timestring(mem_ctx, time(NULL)));
status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, domain_policy)) {
- ret = False;
+ ret = false;
goto failed;
}
if (!NT_STATUS_IS_OK(status)) {
printf("SetDomainInfo level %u failed - %s\n",
s.in.level, nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
- status = torture_rpc_connection(samsync_state,
+ status = torture_rpc_connection(torture,
&samsync_state->p_lsa,
- DCERPC_LSARPC_NAME,
- DCERPC_LSARPC_UUID,
- DCERPC_LSARPC_VERSION);
+ &ndr_table_lsarpc);
if (!NT_STATUS_IS_OK(status)) {
- ret = False;
+ ret = false;
goto failed;
}
status = dcerpc_lsa_OpenPolicy2(samsync_state->p_lsa, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
- status = dcerpc_parse_binding(mem_ctx, binding, &b);
+ status = torture_rpc_binding(torture, &b);
if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
- ret = False;
+ ret = false;
goto failed;
}
credentials = cli_credentials_init(mem_ctx);
cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials, lp_workgroup(torture->lp_ctx), CRED_SPECIFIED);
cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
cli_credentials_set_secure_channel_type(credentials,
status = dcerpc_pipe_connect_b(samsync_state,
&samsync_state->p, b,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- credentials, NULL);
+ &ndr_table_netlogon,
+ credentials, torture->ev, torture->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to connect to server as a BDC: %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
samsync_state, &samsync_state->creds);
if (!NT_STATUS_IS_OK(status)) {
- ret = False;
+ ret = false;
}
- status = dcerpc_parse_binding(mem_ctx, binding, &b_netlogon_wksta);
+ status = torture_rpc_binding(torture, &b_netlogon_wksta);
if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
- ret = False;
+ ret = false;
goto failed;
}
credentials_wksta = cli_credentials_init(mem_ctx);
cli_credentials_set_workstation(credentials_wksta, TEST_WKSTA_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials_wksta, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials_wksta, lp_workgroup(torture->lp_ctx), CRED_SPECIFIED);
cli_credentials_set_username(credentials_wksta, test_wksta_machine_account, CRED_SPECIFIED);
cli_credentials_set_password(credentials_wksta, wksta_machine_password, CRED_SPECIFIED);
cli_credentials_set_secure_channel_type(credentials_wksta,
status = dcerpc_pipe_connect_b(samsync_state,
&samsync_state->p_netlogon_wksta,
b_netlogon_wksta,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- credentials_wksta, NULL);
+ &ndr_table_netlogon,
+ credentials_wksta, torture->ev, torture->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to connect to server as a Workstation: %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
samsync_state, &samsync_state->creds_netlogon_wksta);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to obtail schanel creds!\n");
- ret = False;
+ ret = false;
}
- if (!test_DatabaseSync(samsync_state, mem_ctx)) {
+ if (!test_DatabaseSync(torture, samsync_state, mem_ctx)) {
printf("DatabaseSync failed\n");
- ret = False;
+ ret = false;
}
if (!test_DatabaseDeltas(samsync_state, mem_ctx)) {
printf("DatabaseDeltas failed\n");
- ret = False;
+ ret = false;
}
if (!test_DatabaseSync2(samsync_state->p, mem_ctx, samsync_state->creds)) {
printf("DatabaseSync2 failed\n");
- ret = False;
+ ret = false;
}
failed:
- torture_leave_domain(join_ctx);
- torture_leave_domain(join_ctx2);
- torture_leave_domain(user_ctx);
+ torture_leave_domain(torture, join_ctx);
+ torture_leave_domain(torture, join_ctx2);
+ torture_leave_domain(torture, user_ctx);
talloc_free(mem_ctx);