2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc lookup operations
5 Copyright (C) Volker Lendecke 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include "torture/torture.h"
24 #include "lib/events/events.h"
25 #include "libcli/security/proto.h"
26 #include "libnet/libnet_join.h"
27 #include "torture/rpc/rpc.h"
28 #include "librpc/gen_ndr/ndr_lsa_c.h"
29 #include "librpc/gen_ndr/ndr_security.h"
31 static BOOL open_policy(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p,
32 struct policy_handle **handle)
34 struct lsa_ObjectAttribute attr;
35 struct lsa_QosInfo qos;
36 struct lsa_OpenPolicy2 r;
39 *handle = talloc(mem_ctx, struct policy_handle);
45 qos.impersonation_level = 2;
47 qos.effective_only = 0;
51 attr.object_name = NULL;
56 r.in.system_name = "\\";
58 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
59 r.out.handle = *handle;
61 status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &r);
63 return NT_STATUS_IS_OK(status);
66 static BOOL get_domainsid(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p,
67 struct policy_handle *handle,
70 struct lsa_QueryInfoPolicy r;
73 r.in.level = LSA_POLICY_INFO_DOMAIN;
76 status = dcerpc_lsa_QueryInfoPolicy(p, mem_ctx, &r);
77 if (!NT_STATUS_IS_OK(status)) return False;
79 *sid = r.out.info->domain.sid;
83 static NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, uint16_t level,
84 struct dcerpc_pipe *p,
85 struct policy_handle *handle,
86 struct dom_sid **sids, uint32_t num_sids,
87 struct lsa_TransNameArray *names)
89 struct lsa_LookupSids r;
90 struct lsa_SidArray sidarray;
97 sidarray.num_sids = num_sids;
98 sidarray.sids = talloc_array(mem_ctx, struct lsa_SidPtr, num_sids);
100 for (i=0; i<num_sids; i++) {
101 sidarray.sids[i].sid = sids[i];
104 r.in.handle = handle;
105 r.in.sids = &sidarray;
110 r.out.count = &count;
112 return dcerpc_lsa_LookupSids(p, mem_ctx, &r);
115 static const char *sid_type_lookup(enum lsa_SidType r)
118 case SID_NAME_USE_NONE: return "SID_NAME_USE_NONE"; break;
119 case SID_NAME_USER: return "SID_NAME_USER"; break;
120 case SID_NAME_DOM_GRP: return "SID_NAME_DOM_GRP"; break;
121 case SID_NAME_DOMAIN: return "SID_NAME_DOMAIN"; break;
122 case SID_NAME_ALIAS: return "SID_NAME_ALIAS"; break;
123 case SID_NAME_WKN_GRP: return "SID_NAME_WKN_GRP"; break;
124 case SID_NAME_DELETED: return "SID_NAME_DELETED"; break;
125 case SID_NAME_INVALID: return "SID_NAME_INVALID"; break;
126 case SID_NAME_UNKNOWN: return "SID_NAME_UNKNOWN"; break;
128 return "Invalid sid type\n";
131 static BOOL test_lookupsids(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p,
132 struct policy_handle *handle,
133 struct dom_sid **sids, uint32_t num_sids,
134 int level, NTSTATUS expected_result,
135 enum lsa_SidType *types)
137 struct lsa_TransNameArray names;
142 status = lookup_sids(mem_ctx, level, p, handle, sids, num_sids,
144 if (!NT_STATUS_EQUAL(status, expected_result)) {
145 printf("For level %d expected %s, got %s\n",
146 level, nt_errstr(expected_result),
151 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK) &&
152 !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
156 for (i=0; i<num_sids; i++) {
157 if (names.names[i].sid_type != types[i]) {
158 printf("In level %d, for sid %s expected %s, "
160 dom_sid_string(mem_ctx, sids[i]),
161 sid_type_lookup(types[i]),
162 sid_type_lookup(names.names[i].sid_type));
169 static BOOL get_downleveltrust(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p,
170 struct policy_handle *handle,
171 struct dom_sid **sid)
173 struct lsa_EnumTrustDom r;
174 uint32_t resume_handle = 0;
175 struct lsa_DomainList domains;
179 r.in.handle = handle;
180 r.in.resume_handle = &resume_handle;
181 r.in.max_size = 1000;
182 r.out.domains = &domains;
183 r.out.resume_handle = &resume_handle;
185 status = dcerpc_lsa_EnumTrustDom(p, mem_ctx, &r);
187 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES)) {
188 printf("no trusts\n");
192 if (domains.count == 0) {
193 printf("no trusts\n");
197 for (i=0; i<domains.count; i++) {
198 struct lsa_QueryTrustedDomainInfoBySid q;
200 if (domains.domains[i].sid == NULL)
203 q.in.handle = handle;
204 q.in.dom_sid = domains.domains[i].sid;
206 status = dcerpc_lsa_QueryTrustedDomainInfoBySid(p, mem_ctx, &q);
207 if (!NT_STATUS_IS_OK(status)) continue;
209 if ((q.out.info->info_ex.trust_direction & 2) &&
210 (q.out.info->info_ex.trust_type == 1)) {
211 *sid = domains.domains[i].sid;
216 printf("I need a AD DC with an outgoing trust to NT4\n");
222 BOOL torture_rpc_lsa_lookup(void)
225 struct dcerpc_pipe *p;
228 struct policy_handle *handle;
229 struct dom_sid *dom_sid;
230 struct dom_sid *trusted_sid;
231 struct dom_sid *sids[NUM_SIDS];
233 mem_ctx = talloc_init("torture_rpc_lsa");
235 status = torture_rpc_connection(mem_ctx, &p, &dcerpc_table_lsarpc);
236 if (!NT_STATUS_IS_OK(status)) {
241 ret &= open_policy(mem_ctx, p, &handle);
244 ret &= get_domainsid(mem_ctx, p, handle, &dom_sid);
247 ret &= get_downleveltrust(mem_ctx, p, handle, &trusted_sid);
250 printf("domain sid: %s\n", dom_sid_string(mem_ctx, dom_sid));
252 sids[0] = dom_sid_parse_talloc(mem_ctx, "S-1-1-0");
253 sids[1] = dom_sid_parse_talloc(mem_ctx, "S-1-5-4");
254 sids[2] = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
255 sids[3] = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-545");
256 sids[4] = dom_sid_dup(mem_ctx, dom_sid);
257 sids[5] = dom_sid_add_rid(mem_ctx, dom_sid, 512);
258 sids[6] = dom_sid_dup(mem_ctx, trusted_sid);
259 sids[7] = dom_sid_add_rid(mem_ctx, trusted_sid, 512);
261 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 0,
262 NT_STATUS_INVALID_PARAMETER, NULL);
265 enum lsa_SidType types[NUM_SIDS] =
266 { SID_NAME_WKN_GRP, SID_NAME_WKN_GRP, SID_NAME_DOMAIN,
267 SID_NAME_ALIAS, SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
268 SID_NAME_DOMAIN, SID_NAME_DOM_GRP };
270 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 1,
271 NT_STATUS_OK, types);
275 enum lsa_SidType types[NUM_SIDS] =
276 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
277 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
278 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
279 SID_NAME_DOMAIN, SID_NAME_DOM_GRP };
280 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 2,
281 STATUS_SOME_UNMAPPED, types);
285 enum lsa_SidType types[NUM_SIDS] =
286 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
287 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
288 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
289 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
290 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 3,
291 STATUS_SOME_UNMAPPED, types);
295 enum lsa_SidType types[NUM_SIDS] =
296 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
297 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
298 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
299 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
300 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 4,
301 STATUS_SOME_UNMAPPED, types);
304 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 5,
305 NT_STATUS_NONE_MAPPED, NULL);
308 enum lsa_SidType types[NUM_SIDS] =
309 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
310 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
311 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
312 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
313 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 6,
314 STATUS_SOME_UNMAPPED, types);
317 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 7,
318 NT_STATUS_INVALID_PARAMETER, NULL);
319 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 8,
320 NT_STATUS_INVALID_PARAMETER, NULL);
321 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 9,
322 NT_STATUS_INVALID_PARAMETER, NULL);
323 ret &= test_lookupsids(mem_ctx, p, handle, sids, NUM_SIDS, 10,
324 NT_STATUS_INVALID_PARAMETER, NULL);
327 talloc_free(mem_ctx);