git.samba.org / obnox / samba / samba-obnox.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'master' of ssh://git.samba.org/data/git/samba into wspp-schema
[obnox/samba/samba-obnox.git] / source4 / torture / ldap / cldap.c
1 /* 
2    Unix SMB/CIFS mplementation.
3
4    test CLDAP operations
5    
6    Copyright (C) Andrew Tridgell 2005
7     
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20    
21 */
22
23 #include "includes.h"
24 #include "libcli/cldap/cldap.h"
25 #include "libcli/ldap/ldap.h"
26 #include "librpc/gen_ndr/ndr_nbt.h"
27 #include "librpc/gen_ndr/netlogon.h"
28 #include "torture/torture.h"
29 #include "lib/ldb/include/ldb.h"
30 #include "param/param.h"
31 #include "../lib/tsocket/tsocket.h"
32
33 #define CHECK_STATUS(status, correct) torture_assert_ntstatus_equal(tctx, status, correct, "incorrect status")
34
35 #define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value");
36
37 #define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value");
38 /*
39   test netlogon operations
40 */
41 static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
42 {
43         struct cldap_socket *cldap;
44         NTSTATUS status;
45         struct cldap_netlogon search, empty_search;
46         struct netlogon_samlogon_response n1;
47         struct GUID guid;
48         int i;
49         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
50         struct tsocket_address *dest_addr;
51         int ret;
52
53         ret = tsocket_address_inet_from_strings(tctx, "ip",
54                                                 dest,
55                                                 lp_cldap_port(tctx->lp_ctx),
56                                                 &dest_addr);
57
58         status = cldap_socket_init(tctx, NULL, NULL, dest_addr, &cldap);
59         CHECK_STATUS(status, NT_STATUS_OK);
60
61         ZERO_STRUCT(search);
62         search.in.dest_address = NULL;//dest;
63         search.in.dest_port = 0;//lp_cldap_port(tctx->lp_ctx);
64         search.in.acct_control = -1;
65         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
66         search.in.map_response = true;
67
68         empty_search = search;
69
70         printf("Trying without any attributes\n");
71         search = empty_search;
72         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
73         CHECK_STATUS(status, NT_STATUS_OK);
74
75         n1 = search.out.netlogon;
76
77         search.in.user         = "Administrator";
78         search.in.realm        = n1.data.nt5_ex.dns_domain;
79         search.in.host         = "__cldap_torture__";
80
81         printf("Scanning for netlogon levels\n");
82         for (i=0;i<256;i++) {
83                 search.in.version = i;
84                 printf("Trying netlogon level %d\n", i);
85                 status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
86                 CHECK_STATUS(status, NT_STATUS_OK);
87         }
88
89         printf("Scanning for netlogon level bits\n");
90         for (i=0;i<31;i++) {
91                 search.in.version = (1<<i);
92                 printf("Trying netlogon level 0x%x\n", i);
93                 status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
94                 CHECK_STATUS(status, NT_STATUS_OK);
95         }
96
97         search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
98
99         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
100         CHECK_STATUS(status, NT_STATUS_OK);
101
102         printf("Trying with User=NULL\n");
103
104         search.in.user = NULL;
105         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
106         CHECK_STATUS(status, NT_STATUS_OK);
107         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
108         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
109
110         printf("Trying with User=Administrator\n");
111
112         search.in.user = "Administrator";
113         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
114         CHECK_STATUS(status, NT_STATUS_OK);
115
116         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
117         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
118
119         search.in.version = NETLOGON_NT_VERSION_5;
120         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
121         CHECK_STATUS(status, NT_STATUS_OK);
122
123         printf("Trying with User=NULL\n");
124
125         search.in.user = NULL;
126         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
127         CHECK_STATUS(status, NT_STATUS_OK);
128         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
129         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
130
131         printf("Trying with User=Administrator\n");
132
133         search.in.user = "Administrator";
134         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
135         CHECK_STATUS(status, NT_STATUS_OK);
136
137         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
138         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
139
140         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
141
142         printf("Trying with a GUID\n");
143         search.in.realm       = NULL;
144         search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
145         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
146         CHECK_STATUS(status, NT_STATUS_OK);
147         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
148         CHECK_STRING(GUID_string(tctx, &search.out.netlogon.data.nt5_ex.domain_uuid), search.in.domain_guid);
149
150         printf("Trying with a incorrect GUID\n");
151         guid = GUID_random();
152         search.in.user        = NULL;
153         search.in.domain_guid = GUID_string(tctx, &guid);
154         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
155         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
156
157         printf("Trying with a AAC\n");
158         search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
159         search.in.realm = n1.data.nt5_ex.dns_domain;
160         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
161         CHECK_STATUS(status, NT_STATUS_OK);
162         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
163         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
164
165         printf("Trying with a zero AAC\n");
166         search.in.acct_control = 0x0;
167         search.in.realm = n1.data.nt5_ex.dns_domain;
168         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
169         CHECK_STATUS(status, NT_STATUS_OK);
170         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
171         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
172
173         printf("Trying with a zero AAC and user=Administrator\n");
174         search.in.acct_control = 0x0;
175         search.in.user = "Administrator";
176         search.in.realm = n1.data.nt5_ex.dns_domain;
177         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
178         CHECK_STATUS(status, NT_STATUS_OK);
179         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
180         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "Administrator");
181
182         printf("Trying with a bad AAC\n");
183         search.in.user = NULL;
184         search.in.acct_control = 0xFF00FF00;
185         search.in.realm = n1.data.nt5_ex.dns_domain;
186         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
187         CHECK_STATUS(status, NT_STATUS_OK);
188         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
189         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
190
191         printf("Trying with a user only\n");
192         search = empty_search;
193         search.in.user = "Administrator";
194         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
195         CHECK_STATUS(status, NT_STATUS_OK);
196         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
197         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
198
199         printf("Trying with just a bad username\n");
200         search.in.user = "___no_such_user___";
201         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
202         CHECK_STATUS(status, NT_STATUS_OK);
203         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
204         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
205         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
206
207         printf("Trying with just a bad domain\n");
208         search = empty_search;
209         search.in.realm = "___no_such_domain___";
210         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
211         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
212
213         printf("Trying with a incorrect domain and correct guid\n");
214         search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
215         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
216         CHECK_STATUS(status, NT_STATUS_OK);
217         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
218         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
219         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
220
221         printf("Trying with a incorrect domain and incorrect guid\n");
222         search.in.domain_guid = GUID_string(tctx, &guid);
223         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
224         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
225         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
226         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
227         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
228
229         printf("Trying with a incorrect GUID and correct domain\n");
230         search.in.domain_guid = GUID_string(tctx, &guid);
231         search.in.realm = n1.data.nt5_ex.dns_domain;
232         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
233         CHECK_STATUS(status, NT_STATUS_OK);
234         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
235         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
236         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
237
238         return true;
239 }
240
241 /*
242   test cldap netlogon server type flags
243 */
244 static bool test_cldap_netlogon_flags(struct torture_context *tctx,
245         const char *dest)
246 {
247         struct cldap_socket *cldap;
248         NTSTATUS status;
249         struct cldap_netlogon search;
250         struct netlogon_samlogon_response n1;
251         uint32_t server_type;
252         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
253
254         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
255         CHECK_STATUS(status, NT_STATUS_OK);
256
257         printf("Printing out netlogon server type flags: %s\n", dest);
258
259         ZERO_STRUCT(search);
260         search.in.dest_address = dest;
261         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
262         search.in.acct_control = -1;
263         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
264         search.in.map_response = true;
265
266         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
267         CHECK_STATUS(status, NT_STATUS_OK);
268
269         n1 = search.out.netlogon;
270         if (n1.ntver == NETLOGON_NT_VERSION_5)
271                 server_type = n1.data.nt5.server_type;
272         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
273                 server_type = n1.data.nt5_ex.server_type;       
274
275         printf("The word is: %i\n", server_type);
276         if (server_type & NBT_SERVER_PDC)
277                 printf("NBT_SERVER_PDC ");
278         if (server_type & NBT_SERVER_GC)
279                 printf("NBT_SERVER_GC ");
280         if (server_type & NBT_SERVER_LDAP)
281                 printf("NBT_SERVER_LDAP ");
282         if (server_type & NBT_SERVER_DS)
283                 printf("NBT_SERVER_DS ");
284         if (server_type & NBT_SERVER_KDC)
285                 printf("NBT_SERVER_KDC ");
286         if (server_type & NBT_SERVER_TIMESERV)
287                 printf("NBT_SERVER_TIMESERV ");
288         if (server_type & NBT_SERVER_CLOSEST)
289                 printf("NBT_SERVER_CLOSEST ");
290         if (server_type & NBT_SERVER_WRITABLE)
291                 printf("NBT_SERVER_WRITABLE ");
292         if (server_type & NBT_SERVER_GOOD_TIMESERV)
293                 printf("NBT_SERVER_GOOD_TIMESERV ");
294         if (server_type & NBT_SERVER_NDNC)
295                 printf("NBT_SERVER_NDNC ");
296         if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6)
297                 printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6");
298         if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6)
299                 printf("NBT_SERVER_FULL_SECRET_DOMAIN_6");
300         if (server_type & DS_DNS_CONTROLLER)
301                 printf("DS_DNS_CONTROLLER ");
302         if (server_type & DS_DNS_DOMAIN)
303                 printf("DS_DNS_DOMAIN ");
304         if (server_type & DS_DNS_FOREST)
305                 printf("DS_DNS_FOREST ");
306
307         printf("\n");
308
309         return true;
310 }
311
312 /*
313   convert a ldap result message to a ldb message. This allows us to
314   use the convenient ldif dump routines in ldb to print out cldap
315   search results
316 */
317 static struct ldb_message *ldap_msg_to_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldap_SearchResEntry *res)
318 {
319         struct ldb_message *msg;
320
321         msg = ldb_msg_new(mem_ctx);
322         msg->dn = ldb_dn_new(msg, ldb, res->dn);
323         msg->num_elements = res->num_attributes;
324         msg->elements = talloc_steal(msg, res->attributes);
325         return msg;
326 }
327
328 /*
329   dump a set of cldap results
330 */
331 static void cldap_dump_results(struct cldap_search *search)
332 {
333         struct ldb_ldif ldif;
334         struct ldb_context *ldb;
335
336         if (!search || !(search->out.response)) {
337                 return;
338         }
339
340         /* we need a ldb context to use ldb_ldif_write_file() */
341         ldb = ldb_init(NULL, NULL);
342
343         ZERO_STRUCT(ldif);
344         ldif.msg = ldap_msg_to_ldb(ldb, ldb, search->out.response);
345
346         ldb_ldif_write_file(ldb, stdout, &ldif);
347
348         talloc_free(ldb);
349 }
350
351
352 /*
353   test cldap netlogon server type flag "NBT_SERVER_DS_DNS_FOREST"
354 */
355 static bool test_cldap_netlogon_flag_ds_dns_forest(struct torture_context *tctx,
356         const char *dest)
357 {
358         struct cldap_socket *cldap;
359         NTSTATUS status;
360         struct cldap_netlogon search;
361         uint32_t server_type;
362         struct netlogon_samlogon_response n1;
363         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
364
365         bool result = true;
366
367         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
368         CHECK_STATUS(status, NT_STATUS_OK);
369
370         printf("Testing netlogon server type flag NBT_SERVER_DS_DNS_FOREST: ");
371
372         ZERO_STRUCT(search);
373         search.in.dest_address = dest;
374         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
375         search.in.acct_control = -1;
376         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
377         search.in.map_response = true;
378
379         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
380         CHECK_STATUS(status, NT_STATUS_OK);
381
382         n1 = search.out.netlogon;
383         if (n1.ntver == NETLOGON_NT_VERSION_5)
384                 server_type = n1.data.nt5.server_type;
385         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
386                 server_type = n1.data.nt5_ex.server_type;
387
388         if (server_type & DS_DNS_FOREST) {
389                 struct cldap_search search2;
390                 const char *attrs[] = { "defaultNamingContext", "rootDomainNamingContext", 
391                         NULL };
392                 struct ldb_context *ldb;
393                 struct ldb_message *msg;
394
395                 /* Trying to fetch the attributes "defaultNamingContext" and
396                    "rootDomainNamingContext" */
397                 ZERO_STRUCT(search2);
398                 search2.in.dest_address = dest;
399                 search2.in.dest_port = lp_cldap_port(tctx->lp_ctx);
400                 search2.in.timeout = 10;
401                 search2.in.retries = 3;
402                 search2.in.filter = "(objectclass=*)";
403                 search2.in.attributes = attrs;
404
405                 status = cldap_search(cldap, tctx, &search2);
406                 CHECK_STATUS(status, NT_STATUS_OK);
407
408                 ldb = ldb_init(NULL, NULL);
409
410                 msg = ldap_msg_to_ldb(ldb, ldb, search2.out.response);
411
412                 /* Try to compare the two attributes */
413                 if (ldb_msg_element_compare(ldb_msg_find_element(msg, attrs[0]),
414                         ldb_msg_find_element(msg, attrs[1])))
415                         result = false;
416
417                 talloc_free(ldb);
418         }
419
420         if (result)
421                 printf("passed\n");
422         else
423                 printf("failed\n");
424
425         return result;
426 }
427
428 /*
429   test generic cldap operations
430 */
431 static bool test_cldap_generic(struct torture_context *tctx, const char *dest)
432 {
433         struct cldap_socket *cldap;
434         NTSTATUS status;
435         struct cldap_search search;
436         const char *attrs1[] = { "currentTime", "highestCommittedUSN", NULL };
437         const char *attrs2[] = { "currentTime", "highestCommittedUSN", "netlogon", NULL };
438         const char *attrs3[] = { "netlogon", NULL };
439
440         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
441         CHECK_STATUS(status, NT_STATUS_OK);
442
443         ZERO_STRUCT(search);
444         search.in.dest_address = dest;
445         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
446         search.in.timeout = 10;
447         search.in.retries = 3;
448
449         status = cldap_search(cldap, tctx, &search);
450         CHECK_STATUS(status, NT_STATUS_OK);
451
452         printf("fetching whole rootDSE\n");
453         search.in.filter = "(objectclass=*)";
454         search.in.attributes = NULL;
455
456         status = cldap_search(cldap, tctx, &search);
457         CHECK_STATUS(status, NT_STATUS_OK);
458
459         if (DEBUGLVL(3)) cldap_dump_results(&search);
460
461         printf("fetching currentTime and USN\n");
462         search.in.filter = "(objectclass=*)";
463         search.in.attributes = attrs1;
464
465         status = cldap_search(cldap, tctx, &search);
466         CHECK_STATUS(status, NT_STATUS_OK);
467         
468         if (DEBUGLVL(3)) cldap_dump_results(&search);
469
470         printf("Testing currentTime, USN and netlogon\n");
471         search.in.filter = "(objectclass=*)";
472         search.in.attributes = attrs2;
473
474         status = cldap_search(cldap, tctx, &search);
475         CHECK_STATUS(status, NT_STATUS_OK);
476
477         if (DEBUGLVL(3)) cldap_dump_results(&search);
478
479         printf("Testing objectClass=* and netlogon\n");
480         search.in.filter = "(objectclass2=*)";
481         search.in.attributes = attrs3;
482
483         status = cldap_search(cldap, tctx, &search);
484         CHECK_STATUS(status, NT_STATUS_OK);
485
486         if (DEBUGLVL(3)) cldap_dump_results(&search);
487
488         printf("Testing a false expression\n");
489         search.in.filter = "(&(objectclass=*)(highestCommittedUSN=2))";
490         search.in.attributes = attrs1;
491
492         status = cldap_search(cldap, tctx, &search);
493         CHECK_STATUS(status, NT_STATUS_OK);
494
495         if (DEBUGLVL(3)) cldap_dump_results(&search);   
496
497         return true;    
498 }
499
500 bool torture_cldap(struct torture_context *torture)
501 {
502         bool ret = true;
503         const char *host = torture_setting_string(torture, "host", NULL);
504
505         ret &= test_cldap_netlogon(torture, host);
506         ret &= test_cldap_netlogon_flags(torture, host);
507         ret &= test_cldap_netlogon_flag_ds_dns_forest(torture, host);
508         ret &= test_cldap_generic(torture, host);
509
510         return ret;
511 }
512
Michael's Samba GIT