2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/util/util_ldb.h"
37 #include "lib/ldb_wrap.h"
38 #include "lib/replace/system/network.h"
39 #include "dsdb/samdb/samdb.h"
41 #define TEST_MACHINE_NAME "torturetest"
43 static bool test_LogonUasLogon(struct torture_context *tctx,
44 struct dcerpc_pipe *p)
47 struct netr_LogonUasLogon r;
48 struct netr_UasInfo *info = NULL;
49 struct dcerpc_binding_handle *b = p->binding_handle;
51 r.in.server_name = NULL;
52 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
53 r.in.workstation = TEST_MACHINE_NAME;
56 status = dcerpc_netr_LogonUasLogon_r(b, tctx, &r);
57 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
62 static bool test_LogonUasLogoff(struct torture_context *tctx,
63 struct dcerpc_pipe *p)
66 struct netr_LogonUasLogoff r;
67 struct netr_UasLogoffInfo info;
68 struct dcerpc_binding_handle *b = p->binding_handle;
70 r.in.server_name = NULL;
71 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
72 r.in.workstation = TEST_MACHINE_NAME;
75 status = dcerpc_netr_LogonUasLogoff_r(b, tctx, &r);
76 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
81 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
82 struct cli_credentials *credentials,
83 struct netlogon_creds_CredentialState **creds_out)
85 struct netr_ServerReqChallenge r;
86 struct netr_ServerAuthenticate a;
87 struct netr_Credential credentials1, credentials2, credentials3;
88 struct netlogon_creds_CredentialState *creds;
89 const struct samr_Password *mach_password;
90 const char *machine_name;
91 struct dcerpc_binding_handle *b = p->binding_handle;
93 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
94 machine_name = cli_credentials_get_workstation(credentials);
96 torture_comment(tctx, "Testing ServerReqChallenge\n");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
106 "ServerReqChallenge failed");
107 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
109 a.in.server_name = NULL;
110 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
111 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
112 a.in.computer_name = machine_name;
113 a.in.credentials = &credentials3;
114 a.out.return_credentials = &credentials3;
116 creds = netlogon_creds_client_init(tctx, a.in.account_name,
118 &credentials1, &credentials2,
119 mach_password, &credentials3,
121 torture_assert(tctx, creds != NULL, "memory allocation");
124 torture_comment(tctx, "Testing ServerAuthenticate\n");
126 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate_r(b, tctx, &a),
127 "ServerAuthenticate failed");
129 /* This allows the tests to continue against the more fussy windows 2008 */
130 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
131 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
133 cli_credentials_get_secure_channel_type(credentials),
137 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate");
139 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
140 "Credential chaining failed");
146 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
147 uint32_t negotiate_flags,
148 struct cli_credentials *machine_credentials,
150 struct netlogon_creds_CredentialState **creds_out)
152 struct netr_ServerReqChallenge r;
153 struct netr_ServerAuthenticate2 a;
154 struct netr_Credential credentials1, credentials2, credentials3;
155 struct netlogon_creds_CredentialState *creds;
156 const struct samr_Password *mach_password;
157 const char *machine_name;
158 struct dcerpc_binding_handle *b = p->binding_handle;
160 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
161 machine_name = cli_credentials_get_workstation(machine_credentials);
163 torture_comment(tctx, "Testing ServerReqChallenge\n");
166 r.in.server_name = NULL;
167 r.in.computer_name = machine_name;
168 r.in.credentials = &credentials1;
169 r.out.return_credentials = &credentials2;
171 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
173 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
174 "ServerReqChallenge failed");
175 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
177 a.in.server_name = NULL;
178 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
179 a.in.secure_channel_type = sec_chan_type;
180 a.in.computer_name = machine_name;
181 a.in.negotiate_flags = &negotiate_flags;
182 a.out.negotiate_flags = &negotiate_flags;
183 a.in.credentials = &credentials3;
184 a.out.return_credentials = &credentials3;
186 creds = netlogon_creds_client_init(tctx, a.in.account_name,
188 &credentials1, &credentials2,
189 mach_password, &credentials3,
192 torture_assert(tctx, creds != NULL, "memory allocation");
194 torture_comment(tctx, "Testing ServerAuthenticate2\n");
196 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
197 "ServerAuthenticate2 failed");
198 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate2 failed");
200 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
201 "Credential chaining failed");
203 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
210 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
211 uint32_t negotiate_flags,
212 struct cli_credentials *machine_credentials,
213 struct netlogon_creds_CredentialState **creds_out)
215 struct netr_ServerReqChallenge r;
216 struct netr_ServerAuthenticate3 a;
217 struct netr_Credential credentials1, credentials2, credentials3;
218 struct netlogon_creds_CredentialState *creds;
219 struct samr_Password mach_password;
221 const char *machine_name;
222 const char *plain_pass;
223 struct dcerpc_binding_handle *b = p->binding_handle;
225 machine_name = cli_credentials_get_workstation(machine_credentials);
226 plain_pass = cli_credentials_get_password(machine_credentials);
228 torture_comment(tctx, "Testing ServerReqChallenge\n");
230 r.in.server_name = NULL;
231 r.in.computer_name = machine_name;
232 r.in.credentials = &credentials1;
233 r.out.return_credentials = &credentials2;
235 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
237 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
238 "ServerReqChallenge failed");
239 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
241 E_md4hash(plain_pass, mach_password.hash);
243 a.in.server_name = NULL;
244 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
245 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
246 a.in.computer_name = machine_name;
247 a.in.negotiate_flags = &negotiate_flags;
248 a.in.credentials = &credentials3;
249 a.out.return_credentials = &credentials3;
250 a.out.negotiate_flags = &negotiate_flags;
253 creds = netlogon_creds_client_init(tctx, a.in.account_name,
255 &credentials1, &credentials2,
256 &mach_password, &credentials3,
259 torture_assert(tctx, creds != NULL, "memory allocation");
261 torture_comment(tctx, "Testing ServerAuthenticate3\n");
263 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
264 "ServerAuthenticate3 failed");
265 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
266 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
268 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
270 /* Prove that requesting a challenge again won't break it */
271 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
272 "ServerReqChallenge failed");
273 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
280 try a change password for our machine account
282 static bool test_SetPassword(struct torture_context *tctx,
283 struct dcerpc_pipe *p,
284 struct cli_credentials *machine_credentials)
286 struct netr_ServerPasswordSet r;
287 const char *password;
288 struct netlogon_creds_CredentialState *creds;
289 struct netr_Authenticator credential, return_authenticator;
290 struct samr_Password new_password;
291 struct dcerpc_binding_handle *b = p->binding_handle;
293 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
297 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
298 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
299 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
300 r.in.computer_name = TEST_MACHINE_NAME;
301 r.in.credential = &credential;
302 r.in.new_password = &new_password;
303 r.out.return_authenticator = &return_authenticator;
305 password = generate_random_password(tctx, 8, 255);
306 E_md4hash(password, new_password.hash);
308 netlogon_creds_des_encrypt(creds, &new_password);
310 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
311 torture_comment(tctx, "Changing machine account password to '%s'\n",
314 netlogon_creds_client_authenticator(creds, &credential);
316 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
317 "ServerPasswordSet failed");
318 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
320 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
321 torture_comment(tctx, "Credential chaining failed\n");
324 /* by changing the machine password twice we test the
325 credentials chaining fully, and we verify that the server
326 allows the password to be set to the same value twice in a
327 row (match win2k3) */
328 torture_comment(tctx,
329 "Testing a second ServerPasswordSet on machine account\n");
330 torture_comment(tctx,
331 "Changing machine account password to '%s' (same as previous run)\n", password);
333 netlogon_creds_client_authenticator(creds, &credential);
335 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
336 "ServerPasswordSet (2) failed");
337 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
339 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
340 torture_comment(tctx, "Credential chaining failed\n");
343 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
346 test_SetupCredentials(p, tctx, machine_credentials, &creds),
347 "ServerPasswordSet failed to actually change the password");
353 try a change password for our machine account
355 static bool test_SetPassword_flags(struct torture_context *tctx,
356 struct dcerpc_pipe *p,
357 struct cli_credentials *machine_credentials,
358 uint32_t negotiate_flags)
360 struct netr_ServerPasswordSet r;
361 const char *password;
362 struct netlogon_creds_CredentialState *creds;
363 struct netr_Authenticator credential, return_authenticator;
364 struct samr_Password new_password;
365 struct dcerpc_binding_handle *b = p->binding_handle;
367 if (!test_SetupCredentials2(p, tctx, negotiate_flags,
369 cli_credentials_get_secure_channel_type(machine_credentials),
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_password(tctx, 8, 255);
383 E_md4hash(password, new_password.hash);
385 netlogon_creds_des_encrypt(creds, &new_password);
387 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
388 torture_comment(tctx, "Changing machine account password to '%s'\n",
391 netlogon_creds_client_authenticator(creds, &credential);
393 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
394 "ServerPasswordSet failed");
395 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
397 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 /* by changing the machine password twice we test the
402 credentials chaining fully, and we verify that the server
403 allows the password to be set to the same value twice in a
404 row (match win2k3) */
405 torture_comment(tctx,
406 "Testing a second ServerPasswordSet on machine account\n");
407 torture_comment(tctx,
408 "Changing machine account password to '%s' (same as previous run)\n", password);
410 netlogon_creds_client_authenticator(creds, &credential);
412 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
413 "ServerPasswordSet (2) failed");
414 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
416 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
417 torture_comment(tctx, "Credential chaining failed\n");
420 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
423 test_SetupCredentials(p, tctx, machine_credentials, &creds),
424 "ServerPasswordSet failed to actually change the password");
431 generate a random password for password change tests
433 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
436 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
437 generate_random_buffer(password.data, password.length);
439 for (i=0; i < len; i++) {
440 if (((uint16_t *)password.data)[i] == 0) {
441 ((uint16_t *)password.data)[i] = 1;
449 try a change password for our machine account
451 static bool test_SetPassword2(struct torture_context *tctx,
452 struct dcerpc_pipe *p,
453 struct cli_credentials *machine_credentials)
455 struct netr_ServerPasswordSet2 r;
456 const char *password;
457 DATA_BLOB new_random_pass;
458 struct netlogon_creds_CredentialState *creds;
459 struct samr_CryptPassword password_buf;
460 struct samr_Password nt_hash;
461 struct netr_Authenticator credential, return_authenticator;
462 struct netr_CryptPassword new_password;
463 struct dcerpc_binding_handle *b = p->binding_handle;
465 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
469 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
470 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
471 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
472 r.in.computer_name = TEST_MACHINE_NAME;
473 r.in.credential = &credential;
474 r.in.new_password = &new_password;
475 r.out.return_authenticator = &return_authenticator;
477 password = generate_random_password(tctx, 8, 255);
478 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
479 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
481 memcpy(new_password.data, password_buf.data, 512);
482 new_password.length = IVAL(password_buf.data, 512);
484 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
485 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
487 netlogon_creds_client_authenticator(creds, &credential);
489 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
490 "ServerPasswordSet2 failed");
491 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
493 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
494 torture_comment(tctx, "Credential chaining failed\n");
497 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
499 if (!torture_setting_bool(tctx, "dangerous", false)) {
500 torture_comment(tctx,
501 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
503 /* by changing the machine password to ""
504 * we check if the server uses password restrictions
505 * for ServerPasswordSet2
506 * (win2k3 accepts "")
509 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
510 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
512 memcpy(new_password.data, password_buf.data, 512);
513 new_password.length = IVAL(password_buf.data, 512);
515 torture_comment(tctx,
516 "Testing ServerPasswordSet2 on machine account\n");
517 torture_comment(tctx,
518 "Changing machine account password to '%s'\n", password);
520 netlogon_creds_client_authenticator(creds, &credential);
522 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
523 "ServerPasswordSet2 failed");
524 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
526 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
527 torture_comment(tctx, "Credential chaining failed\n");
530 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
533 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
534 "ServerPasswordSet failed to actually change the password");
536 /* now try a random password */
537 password = generate_random_password(tctx, 8, 255);
538 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
539 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
541 memcpy(new_password.data, password_buf.data, 512);
542 new_password.length = IVAL(password_buf.data, 512);
544 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
545 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
547 netlogon_creds_client_authenticator(creds, &credential);
549 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
550 "ServerPasswordSet2 (2) failed");
551 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 (2) failed");
553 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
554 torture_comment(tctx, "Credential chaining failed\n");
557 /* by changing the machine password twice we test the
558 credentials chaining fully, and we verify that the server
559 allows the password to be set to the same value twice in a
560 row (match win2k3) */
561 torture_comment(tctx,
562 "Testing a second ServerPasswordSet2 on machine account\n");
563 torture_comment(tctx,
564 "Changing machine account password to '%s' (same as previous run)\n", password);
566 netlogon_creds_client_authenticator(creds, &credential);
568 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
569 "ServerPasswordSet (3) failed");
570 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
572 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
573 torture_comment(tctx, "Credential chaining failed\n");
576 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
578 torture_assert (tctx,
579 test_SetupCredentials(p, tctx, machine_credentials, &creds),
580 "ServerPasswordSet failed to actually change the password");
582 new_random_pass = netlogon_very_rand_pass(tctx, 128);
584 /* now try a random stream of bytes for a password */
585 set_pw_in_buffer(password_buf.data, &new_random_pass);
587 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
589 memcpy(new_password.data, password_buf.data, 512);
590 new_password.length = IVAL(password_buf.data, 512);
592 torture_comment(tctx,
593 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
595 netlogon_creds_client_authenticator(creds, &credential);
597 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
598 "ServerPasswordSet (3) failed");
599 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
601 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
602 torture_comment(tctx, "Credential chaining failed\n");
605 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
607 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
608 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
610 torture_assert (tctx,
611 test_SetupCredentials(p, tctx, machine_credentials, &creds),
612 "ServerPasswordSet failed to actually change the password");
617 static bool test_GetPassword(struct torture_context *tctx,
618 struct dcerpc_pipe *p,
619 struct cli_credentials *machine_credentials)
621 struct netr_ServerPasswordGet r;
622 struct netlogon_creds_CredentialState *creds;
623 struct netr_Authenticator credential;
625 struct netr_Authenticator return_authenticator;
626 struct samr_Password password;
627 struct dcerpc_binding_handle *b = p->binding_handle;
629 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
633 netlogon_creds_client_authenticator(creds, &credential);
635 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
636 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
637 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
638 r.in.computer_name = TEST_MACHINE_NAME;
639 r.in.credential = &credential;
640 r.out.return_authenticator = &return_authenticator;
641 r.out.password = &password;
643 status = dcerpc_netr_ServerPasswordGet_r(b, tctx, &r);
644 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
649 static bool test_GetTrustPasswords(struct torture_context *tctx,
650 struct dcerpc_pipe *p,
651 struct cli_credentials *machine_credentials)
653 struct netr_ServerTrustPasswordsGet r;
654 struct netlogon_creds_CredentialState *creds;
655 struct netr_Authenticator credential;
656 struct netr_Authenticator return_authenticator;
657 struct samr_Password password, password2;
658 struct dcerpc_binding_handle *b = p->binding_handle;
660 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
664 netlogon_creds_client_authenticator(creds, &credential);
666 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
667 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
668 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
669 r.in.computer_name = TEST_MACHINE_NAME;
670 r.in.credential = &credential;
671 r.out.return_authenticator = &return_authenticator;
672 r.out.password = &password;
673 r.out.password2 = &password2;
675 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerTrustPasswordsGet_r(b, tctx, &r),
676 "ServerTrustPasswordsGet failed");
677 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerTrustPasswordsGet failed");
683 try a netlogon SamLogon
685 static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context *tctx,
686 struct cli_credentials *credentials,
687 struct netlogon_creds_CredentialState *creds,
691 struct netr_LogonSamLogon r;
692 struct netr_Authenticator auth, auth2;
693 union netr_LogonLevel logon;
694 union netr_Validation validation;
695 uint8_t authoritative;
696 struct netr_NetworkInfo ninfo;
697 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
699 struct dcerpc_binding_handle *b = p->binding_handle;
700 int flags = CLI_CRED_NTLM_AUTH;
701 if (lp_client_lanman_auth(tctx->lp_ctx)) {
702 flags |= CLI_CRED_LANMAN_AUTH;
705 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
706 flags |= CLI_CRED_NTLMv2_AUTH;
709 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
710 &ninfo.identity_info.account_name.string,
711 &ninfo.identity_info.domain_name.string);
714 ninfo.identity_info.domain_name.string = NULL;
717 generate_random_buffer(ninfo.challenge,
718 sizeof(ninfo.challenge));
719 chal = data_blob_const(ninfo.challenge,
720 sizeof(ninfo.challenge));
722 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
723 cli_credentials_get_domain(credentials));
725 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
731 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
733 ninfo.lm.data = lm_resp.data;
734 ninfo.lm.length = lm_resp.length;
736 ninfo.nt.data = nt_resp.data;
737 ninfo.nt.length = nt_resp.length;
739 ninfo.identity_info.parameter_control = 0;
740 ninfo.identity_info.logon_id_low = 0;
741 ninfo.identity_info.logon_id_high = 0;
742 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
744 logon.network = &ninfo;
746 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
747 r.in.computer_name = cli_credentials_get_workstation(credentials);
748 r.in.credential = &auth;
749 r.in.return_authenticator = &auth2;
750 r.in.logon_level = 2;
752 r.out.validation = &validation;
753 r.out.authoritative = &authoritative;
755 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
759 netlogon_creds_client_authenticator(creds, &auth);
761 r.in.validation_level = i;
763 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
764 "LogonSamLogon failed");
765 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
767 torture_assert(tctx, netlogon_creds_client_check(creds,
768 &r.out.return_authenticator->cred),
769 "Credential chaining failed");
772 r.in.credential = NULL;
776 r.in.validation_level = i;
778 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
780 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
781 "LogonSamLogon failed");
782 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
783 "LogonSamLogon expected INVALID_PARAMETER");
790 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
791 struct cli_credentials *credentials,
792 struct netlogon_creds_CredentialState *creds)
794 return test_netlogon_ops_args(p, tctx, credentials, creds, false);
798 try a netlogon SamLogon
800 static bool test_SamLogon(struct torture_context *tctx,
801 struct dcerpc_pipe *p,
802 struct cli_credentials *credentials)
804 struct netlogon_creds_CredentialState *creds;
806 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
810 return test_netlogon_ops(p, tctx, credentials, creds);
813 static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
814 struct dcerpc_pipe *p,
815 struct cli_credentials *credentials)
817 struct netlogon_creds_CredentialState *creds;
819 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
823 return test_netlogon_ops_args(p, tctx, credentials, creds, true);
826 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
827 static uint64_t sequence_nums[3];
830 try a netlogon DatabaseSync
832 static bool test_DatabaseSync(struct torture_context *tctx,
833 struct dcerpc_pipe *p,
834 struct cli_credentials *machine_credentials)
836 struct netr_DatabaseSync r;
837 struct netlogon_creds_CredentialState *creds;
838 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
840 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
841 struct netr_Authenticator credential, return_authenticator;
842 struct dcerpc_binding_handle *b = p->binding_handle;
844 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
848 ZERO_STRUCT(return_authenticator);
850 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
851 r.in.computername = TEST_MACHINE_NAME;
852 r.in.preferredmaximumlength = (uint32_t)-1;
853 r.in.return_authenticator = &return_authenticator;
854 r.out.delta_enum_array = &delta_enum_array;
855 r.out.return_authenticator = &return_authenticator;
857 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
859 uint32_t sync_context = 0;
861 r.in.database_id = database_ids[i];
862 r.in.sync_context = &sync_context;
863 r.out.sync_context = &sync_context;
865 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
868 netlogon_creds_client_authenticator(creds, &credential);
870 r.in.credential = &credential;
872 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync_r(b, tctx, &r),
873 "DatabaseSync failed");
874 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
877 /* Native mode servers don't do this */
878 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
881 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync");
883 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
884 torture_comment(tctx, "Credential chaining failed\n");
887 if (delta_enum_array &&
888 delta_enum_array->num_deltas > 0 &&
889 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
890 delta_enum_array->delta_enum[0].delta_union.domain) {
891 sequence_nums[r.in.database_id] =
892 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
893 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
895 (unsigned long long)sequence_nums[r.in.database_id]);
897 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
905 try a netlogon DatabaseDeltas
907 static bool test_DatabaseDeltas(struct torture_context *tctx,
908 struct dcerpc_pipe *p,
909 struct cli_credentials *machine_credentials)
911 struct netr_DatabaseDeltas r;
912 struct netlogon_creds_CredentialState *creds;
913 struct netr_Authenticator credential;
914 struct netr_Authenticator return_authenticator;
915 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
916 const uint32_t database_ids[] = {0, 1, 2};
918 struct dcerpc_binding_handle *b = p->binding_handle;
920 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
924 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
925 r.in.computername = TEST_MACHINE_NAME;
926 r.in.preferredmaximumlength = (uint32_t)-1;
927 ZERO_STRUCT(r.in.return_authenticator);
928 r.out.return_authenticator = &return_authenticator;
929 r.out.delta_enum_array = &delta_enum_array;
931 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
932 r.in.database_id = database_ids[i];
933 r.in.sequence_num = &sequence_nums[r.in.database_id];
935 if (*r.in.sequence_num == 0) continue;
937 *r.in.sequence_num -= 1;
939 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
940 r.in.database_id, (unsigned long long)*r.in.sequence_num);
943 netlogon_creds_client_authenticator(creds, &credential);
945 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseDeltas_r(b, tctx, &r),
946 "DatabaseDeltas failed");
947 if (NT_STATUS_EQUAL(r.out.result,
948 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
949 torture_comment(tctx, "not considering %s to be an error\n",
950 nt_errstr(r.out.result));
953 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
956 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseDeltas");
958 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
959 torture_comment(tctx, "Credential chaining failed\n");
962 (*r.in.sequence_num)++;
963 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
969 static bool test_DatabaseRedo(struct torture_context *tctx,
970 struct dcerpc_pipe *p,
971 struct cli_credentials *machine_credentials)
973 struct netr_DatabaseRedo r;
974 struct netlogon_creds_CredentialState *creds;
975 struct netr_Authenticator credential;
976 struct netr_Authenticator return_authenticator;
977 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
978 struct netr_ChangeLogEntry e;
979 struct dom_sid null_sid, *sid;
981 struct dcerpc_binding_handle *b = p->binding_handle;
983 ZERO_STRUCT(null_sid);
985 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
996 NTSTATUS expected_error;
997 uint32_t expected_num_results;
998 uint8_t expected_delta_type_1;
999 uint8_t expected_delta_type_2;
1000 const char *comment;
1003 /* SAM_DATABASE_DOMAIN */
1008 .db_index = SAM_DATABASE_DOMAIN,
1009 .delta_type = NETR_DELTA_MODIFY_COUNT,
1012 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1013 .expected_num_results = 0,
1014 .comment = "NETR_DELTA_MODIFY_COUNT"
1019 .db_index = SAM_DATABASE_DOMAIN,
1023 .expected_error = NT_STATUS_OK,
1024 .expected_num_results = 1,
1025 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1026 .comment = "NULL DELTA"
1031 .db_index = SAM_DATABASE_DOMAIN,
1032 .delta_type = NETR_DELTA_DOMAIN,
1035 .expected_error = NT_STATUS_OK,
1036 .expected_num_results = 1,
1037 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1038 .comment = "NETR_DELTA_DOMAIN"
1041 .rid = DOMAIN_RID_ADMINISTRATOR,
1043 .db_index = SAM_DATABASE_DOMAIN,
1044 .delta_type = NETR_DELTA_USER,
1047 .expected_error = NT_STATUS_OK,
1048 .expected_num_results = 1,
1049 .expected_delta_type_1 = NETR_DELTA_USER,
1050 .comment = "NETR_DELTA_USER by rid 500"
1053 .rid = DOMAIN_RID_GUEST,
1055 .db_index = SAM_DATABASE_DOMAIN,
1056 .delta_type = NETR_DELTA_USER,
1059 .expected_error = NT_STATUS_OK,
1060 .expected_num_results = 1,
1061 .expected_delta_type_1 = NETR_DELTA_USER,
1062 .comment = "NETR_DELTA_USER by rid 501"
1066 .flags = NETR_CHANGELOG_SID_INCLUDED,
1067 .db_index = SAM_DATABASE_DOMAIN,
1068 .delta_type = NETR_DELTA_USER,
1071 .expected_error = NT_STATUS_OK,
1072 .expected_num_results = 1,
1073 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1074 .comment = "NETR_DELTA_USER by sid and flags"
1078 .flags = NETR_CHANGELOG_SID_INCLUDED,
1079 .db_index = SAM_DATABASE_DOMAIN,
1080 .delta_type = NETR_DELTA_USER,
1083 .expected_error = NT_STATUS_OK,
1084 .expected_num_results = 1,
1085 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1086 .comment = "NETR_DELTA_USER by null_sid and flags"
1090 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1091 .db_index = SAM_DATABASE_DOMAIN,
1092 .delta_type = NETR_DELTA_USER,
1094 .name = "administrator",
1095 .expected_error = NT_STATUS_OK,
1096 .expected_num_results = 1,
1097 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1098 .comment = "NETR_DELTA_USER by name 'administrator'"
1101 .rid = DOMAIN_RID_ADMINS,
1103 .db_index = SAM_DATABASE_DOMAIN,
1104 .delta_type = NETR_DELTA_GROUP,
1107 .expected_error = NT_STATUS_OK,
1108 .expected_num_results = 2,
1109 .expected_delta_type_1 = NETR_DELTA_GROUP,
1110 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1111 .comment = "NETR_DELTA_GROUP by rid 512"
1114 .rid = DOMAIN_RID_ADMINS,
1116 .db_index = SAM_DATABASE_DOMAIN,
1117 .delta_type = NETR_DELTA_GROUP_MEMBER,
1120 .expected_error = NT_STATUS_OK,
1121 .expected_num_results = 2,
1122 .expected_delta_type_1 = NETR_DELTA_GROUP,
1123 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1124 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
1128 /* SAM_DATABASE_BUILTIN */
1133 .db_index = SAM_DATABASE_BUILTIN,
1134 .delta_type = NETR_DELTA_MODIFY_COUNT,
1137 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1138 .expected_num_results = 0,
1139 .comment = "NETR_DELTA_MODIFY_COUNT"
1144 .db_index = SAM_DATABASE_BUILTIN,
1145 .delta_type = NETR_DELTA_DOMAIN,
1148 .expected_error = NT_STATUS_OK,
1149 .expected_num_results = 1,
1150 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1151 .comment = "NETR_DELTA_DOMAIN"
1154 .rid = DOMAIN_RID_ADMINISTRATOR,
1156 .db_index = SAM_DATABASE_BUILTIN,
1157 .delta_type = NETR_DELTA_USER,
1160 .expected_error = NT_STATUS_OK,
1161 .expected_num_results = 1,
1162 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1163 .comment = "NETR_DELTA_USER by rid 500"
1168 .db_index = SAM_DATABASE_BUILTIN,
1169 .delta_type = NETR_DELTA_USER,
1172 .expected_error = NT_STATUS_OK,
1173 .expected_num_results = 1,
1174 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1175 .comment = "NETR_DELTA_USER"
1180 .db_index = SAM_DATABASE_BUILTIN,
1181 .delta_type = NETR_DELTA_ALIAS,
1184 .expected_error = NT_STATUS_OK,
1185 .expected_num_results = 2,
1186 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1187 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1188 .comment = "NETR_DELTA_ALIAS by rid 544"
1193 .db_index = SAM_DATABASE_BUILTIN,
1194 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1197 .expected_error = NT_STATUS_OK,
1198 .expected_num_results = 2,
1199 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1200 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1201 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1206 .db_index = SAM_DATABASE_BUILTIN,
1210 .expected_error = NT_STATUS_OK,
1211 .expected_num_results = 1,
1212 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1213 .comment = "NULL DELTA by rid 544"
1217 .flags = NETR_CHANGELOG_SID_INCLUDED,
1218 .db_index = SAM_DATABASE_BUILTIN,
1220 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1222 .expected_error = NT_STATUS_OK,
1223 .expected_num_results = 1,
1224 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1225 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1229 .flags = NETR_CHANGELOG_SID_INCLUDED,
1230 .db_index = SAM_DATABASE_BUILTIN,
1231 .delta_type = NETR_DELTA_ALIAS,
1232 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1234 .expected_error = NT_STATUS_OK,
1235 .expected_num_results = 2,
1236 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1237 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1238 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1242 .flags = NETR_CHANGELOG_SID_INCLUDED,
1243 .db_index = SAM_DATABASE_BUILTIN,
1244 .delta_type = NETR_DELTA_ALIAS,
1245 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1247 .expected_error = NT_STATUS_OK,
1248 .expected_num_results = 1,
1249 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1250 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1253 /* SAM_DATABASE_PRIVS */
1258 .db_index = SAM_DATABASE_PRIVS,
1262 .expected_error = NT_STATUS_ACCESS_DENIED,
1263 .expected_num_results = 0,
1264 .comment = "NULL DELTA"
1269 .db_index = SAM_DATABASE_PRIVS,
1270 .delta_type = NETR_DELTA_MODIFY_COUNT,
1273 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1274 .expected_num_results = 0,
1275 .comment = "NETR_DELTA_MODIFY_COUNT"
1280 .db_index = SAM_DATABASE_PRIVS,
1281 .delta_type = NETR_DELTA_POLICY,
1284 .expected_error = NT_STATUS_OK,
1285 .expected_num_results = 1,
1286 .expected_delta_type_1 = NETR_DELTA_POLICY,
1287 .comment = "NETR_DELTA_POLICY"
1291 .flags = NETR_CHANGELOG_SID_INCLUDED,
1292 .db_index = SAM_DATABASE_PRIVS,
1293 .delta_type = NETR_DELTA_POLICY,
1296 .expected_error = NT_STATUS_OK,
1297 .expected_num_results = 1,
1298 .expected_delta_type_1 = NETR_DELTA_POLICY,
1299 .comment = "NETR_DELTA_POLICY by null sid and flags"
1303 .flags = NETR_CHANGELOG_SID_INCLUDED,
1304 .db_index = SAM_DATABASE_PRIVS,
1305 .delta_type = NETR_DELTA_POLICY,
1306 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1308 .expected_error = NT_STATUS_OK,
1309 .expected_num_results = 1,
1310 .expected_delta_type_1 = NETR_DELTA_POLICY,
1311 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1314 .rid = DOMAIN_RID_ADMINISTRATOR,
1316 .db_index = SAM_DATABASE_PRIVS,
1317 .delta_type = NETR_DELTA_ACCOUNT,
1320 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1321 .expected_num_results = 0,
1322 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1326 .flags = NETR_CHANGELOG_SID_INCLUDED,
1327 .db_index = SAM_DATABASE_PRIVS,
1328 .delta_type = NETR_DELTA_ACCOUNT,
1329 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1331 .expected_error = NT_STATUS_OK,
1332 .expected_num_results = 1,
1333 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1334 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1338 .flags = NETR_CHANGELOG_SID_INCLUDED |
1339 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1340 .db_index = SAM_DATABASE_PRIVS,
1341 .delta_type = NETR_DELTA_ACCOUNT,
1342 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1344 .expected_error = NT_STATUS_OK,
1345 .expected_num_results = 1,
1346 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1347 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1351 .flags = NETR_CHANGELOG_SID_INCLUDED |
1352 NETR_CHANGELOG_NAME_INCLUDED,
1353 .db_index = SAM_DATABASE_PRIVS,
1354 .delta_type = NETR_DELTA_ACCOUNT,
1355 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1357 .expected_error = NT_STATUS_INVALID_PARAMETER,
1358 .expected_num_results = 0,
1359 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1362 .rid = DOMAIN_RID_ADMINISTRATOR,
1363 .flags = NETR_CHANGELOG_SID_INCLUDED,
1364 .db_index = SAM_DATABASE_PRIVS,
1365 .delta_type = NETR_DELTA_ACCOUNT,
1368 .expected_error = NT_STATUS_OK,
1369 .expected_num_results = 1,
1370 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1371 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1375 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1376 .db_index = SAM_DATABASE_PRIVS,
1377 .delta_type = NETR_DELTA_SECRET,
1379 .name = "IsurelydontexistIhope",
1380 .expected_error = NT_STATUS_OK,
1381 .expected_num_results = 1,
1382 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1383 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1387 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1388 .db_index = SAM_DATABASE_PRIVS,
1389 .delta_type = NETR_DELTA_SECRET,
1391 .name = "G$BCKUPKEY_P",
1392 .expected_error = NT_STATUS_OK,
1393 .expected_num_results = 1,
1394 .expected_delta_type_1 = NETR_DELTA_SECRET,
1395 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1399 ZERO_STRUCT(return_authenticator);
1401 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1402 r.in.computername = TEST_MACHINE_NAME;
1403 r.in.return_authenticator = &return_authenticator;
1404 r.out.return_authenticator = &return_authenticator;
1405 r.out.delta_enum_array = &delta_enum_array;
1407 for (d=0; d<3; d++) {
1408 const char *database = NULL;
1415 database = "BUILTIN";
1424 torture_comment(tctx, "Testing DatabaseRedo\n");
1426 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1430 for (i=0;i<ARRAY_SIZE(changes);i++) {
1432 if (d != changes[i].db_index) {
1436 netlogon_creds_client_authenticator(creds, &credential);
1438 r.in.credential = &credential;
1440 e.serial_number1 = 0;
1441 e.serial_number2 = 0;
1442 e.object_rid = changes[i].rid;
1443 e.flags = changes[i].flags;
1444 e.db_index = changes[i].db_index;
1445 e.delta_type = changes[i].delta_type;
1447 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1448 case NETR_CHANGELOG_SID_INCLUDED:
1449 e.object.object_sid = changes[i].sid;
1451 case NETR_CHANGELOG_NAME_INCLUDED:
1452 e.object.object_name = changes[i].name;
1458 r.in.change_log_entry = e;
1460 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1461 database, changes[i].comment);
1463 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseRedo_r(b, tctx, &r),
1464 "DatabaseRedo failed");
1465 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1469 torture_assert_ntstatus_equal(tctx, r.out.result, changes[i].expected_error, changes[i].comment);
1470 if (delta_enum_array) {
1471 torture_assert_int_equal(tctx,
1472 delta_enum_array->num_deltas,
1473 changes[i].expected_num_results,
1474 changes[i].comment);
1475 if (delta_enum_array->num_deltas > 0) {
1476 torture_assert_int_equal(tctx,
1477 delta_enum_array->delta_enum[0].delta_type,
1478 changes[i].expected_delta_type_1,
1479 changes[i].comment);
1481 if (delta_enum_array->num_deltas > 1) {
1482 torture_assert_int_equal(tctx,
1483 delta_enum_array->delta_enum[1].delta_type,
1484 changes[i].expected_delta_type_2,
1485 changes[i].comment);
1489 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1490 torture_comment(tctx, "Credential chaining failed\n");
1491 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1503 try a netlogon AccountDeltas
1505 static bool test_AccountDeltas(struct torture_context *tctx,
1506 struct dcerpc_pipe *p,
1507 struct cli_credentials *machine_credentials)
1509 struct netr_AccountDeltas r;
1510 struct netlogon_creds_CredentialState *creds;
1512 struct netr_AccountBuffer buffer;
1513 uint32_t count_returned = 0;
1514 uint32_t total_entries = 0;
1515 struct netr_UAS_INFO_0 recordid;
1516 struct netr_Authenticator return_authenticator;
1517 struct dcerpc_binding_handle *b = p->binding_handle;
1519 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1523 ZERO_STRUCT(return_authenticator);
1525 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1526 r.in.computername = TEST_MACHINE_NAME;
1527 r.in.return_authenticator = &return_authenticator;
1528 netlogon_creds_client_authenticator(creds, &r.in.credential);
1529 ZERO_STRUCT(r.in.uas);
1532 r.in.buffersize=100;
1533 r.out.buffer = &buffer;
1534 r.out.count_returned = &count_returned;
1535 r.out.total_entries = &total_entries;
1536 r.out.recordid = &recordid;
1537 r.out.return_authenticator = &return_authenticator;
1539 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1540 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountDeltas_r(b, tctx, &r),
1541 "AccountDeltas failed");
1542 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1548 try a netlogon AccountSync
1550 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1551 struct cli_credentials *machine_credentials)
1553 struct netr_AccountSync r;
1554 struct netlogon_creds_CredentialState *creds;
1556 struct netr_AccountBuffer buffer;
1557 uint32_t count_returned = 0;
1558 uint32_t total_entries = 0;
1559 uint32_t next_reference = 0;
1560 struct netr_UAS_INFO_0 recordid;
1561 struct netr_Authenticator return_authenticator;
1562 struct dcerpc_binding_handle *b = p->binding_handle;
1564 ZERO_STRUCT(recordid);
1565 ZERO_STRUCT(return_authenticator);
1567 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1571 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1572 r.in.computername = TEST_MACHINE_NAME;
1573 r.in.return_authenticator = &return_authenticator;
1574 netlogon_creds_client_authenticator(creds, &r.in.credential);
1575 r.in.recordid = &recordid;
1578 r.in.buffersize=100;
1579 r.out.buffer = &buffer;
1580 r.out.count_returned = &count_returned;
1581 r.out.total_entries = &total_entries;
1582 r.out.next_reference = &next_reference;
1583 r.out.recordid = &recordid;
1584 r.out.return_authenticator = &return_authenticator;
1586 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1587 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountSync_r(b, tctx, &r),
1588 "AccountSync failed");
1589 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1595 try a netlogon GetDcName
1597 static bool test_GetDcName(struct torture_context *tctx,
1598 struct dcerpc_pipe *p)
1600 struct netr_GetDcName r;
1601 const char *dcname = NULL;
1602 struct dcerpc_binding_handle *b = p->binding_handle;
1604 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1605 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1606 r.out.dcname = &dcname;
1608 torture_assert_ntstatus_ok(tctx, dcerpc_netr_GetDcName_r(b, tctx, &r),
1609 "GetDcName failed");
1610 torture_assert_werr_ok(tctx, r.out.result, "GetDcName failed");
1612 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1617 static const char *function_code_str(TALLOC_CTX *mem_ctx,
1618 enum netr_LogonControlCode function_code)
1620 switch (function_code) {
1621 case NETLOGON_CONTROL_QUERY:
1622 return "NETLOGON_CONTROL_QUERY";
1623 case NETLOGON_CONTROL_REPLICATE:
1624 return "NETLOGON_CONTROL_REPLICATE";
1625 case NETLOGON_CONTROL_SYNCHRONIZE:
1626 return "NETLOGON_CONTROL_SYNCHRONIZE";
1627 case NETLOGON_CONTROL_PDC_REPLICATE:
1628 return "NETLOGON_CONTROL_PDC_REPLICATE";
1629 case NETLOGON_CONTROL_REDISCOVER:
1630 return "NETLOGON_CONTROL_REDISCOVER";
1631 case NETLOGON_CONTROL_TC_QUERY:
1632 return "NETLOGON_CONTROL_TC_QUERY";
1633 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1634 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1635 case NETLOGON_CONTROL_FIND_USER:
1636 return "NETLOGON_CONTROL_FIND_USER";
1637 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1638 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1639 case NETLOGON_CONTROL_TC_VERIFY:
1640 return "NETLOGON_CONTROL_TC_VERIFY";
1641 case NETLOGON_CONTROL_FORCE_DNS_REG:
1642 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1643 case NETLOGON_CONTROL_QUERY_DNS_REG:
1644 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1645 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1646 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1647 case NETLOGON_CONTROL_TRUNCATE_LOG:
1648 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1649 case NETLOGON_CONTROL_SET_DBFLAG:
1650 return "NETLOGON_CONTROL_SET_DBFLAG";
1651 case NETLOGON_CONTROL_BREAKPOINT:
1652 return "NETLOGON_CONTROL_BREAKPOINT";
1654 return talloc_asprintf(mem_ctx, "unknown function code: %d",
1661 try a netlogon LogonControl
1663 static bool test_LogonControl(struct torture_context *tctx,
1664 struct dcerpc_pipe *p,
1665 struct cli_credentials *machine_credentials)
1669 struct netr_LogonControl r;
1670 union netr_CONTROL_QUERY_INFORMATION query;
1672 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
1673 struct dcerpc_binding_handle *b = p->binding_handle;
1675 uint32_t function_codes[] = {
1676 NETLOGON_CONTROL_QUERY,
1677 NETLOGON_CONTROL_REPLICATE,
1678 NETLOGON_CONTROL_SYNCHRONIZE,
1679 NETLOGON_CONTROL_PDC_REPLICATE,
1680 NETLOGON_CONTROL_REDISCOVER,
1681 NETLOGON_CONTROL_TC_QUERY,
1682 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
1683 NETLOGON_CONTROL_FIND_USER,
1684 NETLOGON_CONTROL_CHANGE_PASSWORD,
1685 NETLOGON_CONTROL_TC_VERIFY,
1686 NETLOGON_CONTROL_FORCE_DNS_REG,
1687 NETLOGON_CONTROL_QUERY_DNS_REG,
1688 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
1689 NETLOGON_CONTROL_TRUNCATE_LOG,
1690 NETLOGON_CONTROL_SET_DBFLAG,
1691 NETLOGON_CONTROL_BREAKPOINT
1694 if (machine_credentials) {
1695 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1698 torture_comment(tctx, "Testing LogonControl with secure channel type: %d\n",
1699 secure_channel_type);
1701 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1702 r.in.function_code = 1;
1703 r.out.query = &query;
1705 for (f=0;f<ARRAY_SIZE(function_codes); f++) {
1708 r.in.function_code = function_codes[f];
1711 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1712 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1714 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
1715 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1717 switch (r.in.level) {
1719 switch (r.in.function_code) {
1720 case NETLOGON_CONTROL_REPLICATE:
1721 case NETLOGON_CONTROL_SYNCHRONIZE:
1722 case NETLOGON_CONTROL_PDC_REPLICATE:
1723 case NETLOGON_CONTROL_BREAKPOINT:
1724 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1725 if ((secure_channel_type == SEC_CHAN_BDC) ||
1726 (secure_channel_type == SEC_CHAN_WKSTA)) {
1727 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1728 "LogonControl returned unexpected error code");
1730 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1731 "LogonControl returned unexpected error code");
1735 case NETLOGON_CONTROL_REDISCOVER:
1736 case NETLOGON_CONTROL_TC_QUERY:
1737 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1738 case NETLOGON_CONTROL_FIND_USER:
1739 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1740 case NETLOGON_CONTROL_TC_VERIFY:
1741 case NETLOGON_CONTROL_FORCE_DNS_REG:
1742 case NETLOGON_CONTROL_QUERY_DNS_REG:
1743 case NETLOGON_CONTROL_SET_DBFLAG:
1744 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1745 "LogonControl returned unexpected error code");
1747 case NETLOGON_CONTROL_TRUNCATE_LOG:
1748 if ((secure_channel_type == SEC_CHAN_BDC) ||
1749 (secure_channel_type == SEC_CHAN_WKSTA)) {
1750 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1751 "LogonControl returned unexpected error code");
1753 torture_assert_werr_ok(tctx, r.out.result,
1754 "LogonControl returned unexpected result");
1758 torture_assert_werr_ok(tctx, r.out.result,
1759 "LogonControl returned unexpected result");
1764 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1765 "LogonControl returned unexpected error code");
1768 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
1769 "LogonControl returned unexpected error code");
1780 try a netlogon GetAnyDCName
1782 static bool test_GetAnyDCName(struct torture_context *tctx,
1783 struct dcerpc_pipe *p)
1786 struct netr_GetAnyDCName r;
1787 const char *dcname = NULL;
1788 struct dcerpc_binding_handle *b = p->binding_handle;
1790 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1791 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1792 r.out.dcname = &dcname;
1794 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1795 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1796 if ((!W_ERROR_IS_OK(r.out.result)) &&
1797 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1802 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1805 r.in.domainname = NULL;
1807 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1808 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1809 if ((!W_ERROR_IS_OK(r.out.result)) &&
1810 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1814 r.in.domainname = "";
1816 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1817 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1818 if ((!W_ERROR_IS_OK(r.out.result)) &&
1819 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1828 try a netlogon LogonControl2
1830 static bool test_LogonControl2(struct torture_context *tctx,
1831 struct dcerpc_pipe *p,
1832 struct cli_credentials *machine_credentials)
1836 struct netr_LogonControl2 r;
1837 union netr_CONTROL_DATA_INFORMATION data;
1838 union netr_CONTROL_QUERY_INFORMATION query;
1840 struct dcerpc_binding_handle *b = p->binding_handle;
1842 data.domain = lp_workgroup(tctx->lp_ctx);
1844 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1846 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1848 r.out.query = &query;
1853 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1854 i, r.in.function_code);
1856 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1857 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1860 data.domain = lp_workgroup(tctx->lp_ctx);
1862 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1868 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1869 i, r.in.function_code);
1871 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1872 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1875 data.domain = lp_workgroup(tctx->lp_ctx);
1877 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1883 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1884 i, r.in.function_code);
1886 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1887 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1890 data.debug_level = ~0;
1892 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1898 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1899 i, r.in.function_code);
1901 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1902 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1909 try a netlogon DatabaseSync2
1911 static bool test_DatabaseSync2(struct torture_context *tctx,
1912 struct dcerpc_pipe *p,
1913 struct cli_credentials *machine_credentials)
1915 struct netr_DatabaseSync2 r;
1916 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1917 struct netr_Authenticator return_authenticator, credential;
1919 struct netlogon_creds_CredentialState *creds;
1920 const uint32_t database_ids[] = {0, 1, 2};
1922 struct dcerpc_binding_handle *b = p->binding_handle;
1924 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1925 machine_credentials,
1926 cli_credentials_get_secure_channel_type(machine_credentials),
1931 ZERO_STRUCT(return_authenticator);
1933 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1934 r.in.computername = TEST_MACHINE_NAME;
1935 r.in.preferredmaximumlength = (uint32_t)-1;
1936 r.in.return_authenticator = &return_authenticator;
1937 r.out.return_authenticator = &return_authenticator;
1938 r.out.delta_enum_array = &delta_enum_array;
1940 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1942 uint32_t sync_context = 0;
1944 r.in.database_id = database_ids[i];
1945 r.in.sync_context = &sync_context;
1946 r.out.sync_context = &sync_context;
1947 r.in.restart_state = 0;
1949 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1952 netlogon_creds_client_authenticator(creds, &credential);
1954 r.in.credential = &credential;
1956 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync2_r(b, tctx, &r),
1957 "DatabaseSync2 failed");
1958 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
1961 /* Native mode servers don't do this */
1962 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1966 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync2");
1968 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1969 torture_comment(tctx, "Credential chaining failed\n");
1972 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
1980 try a netlogon LogonControl2Ex
1982 static bool test_LogonControl2Ex(struct torture_context *tctx,
1983 struct dcerpc_pipe *p,
1984 struct cli_credentials *machine_credentials)
1988 struct netr_LogonControl2Ex r;
1989 union netr_CONTROL_DATA_INFORMATION data;
1990 union netr_CONTROL_QUERY_INFORMATION query;
1992 struct dcerpc_binding_handle *b = p->binding_handle;
1994 data.domain = lp_workgroup(tctx->lp_ctx);
1996 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1998 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
2000 r.out.query = &query;
2005 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2006 i, r.in.function_code);
2008 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2009 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2012 data.domain = lp_workgroup(tctx->lp_ctx);
2014 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
2020 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2021 i, r.in.function_code);
2023 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2024 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2027 data.domain = lp_workgroup(tctx->lp_ctx);
2029 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
2035 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2036 i, r.in.function_code);
2038 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2039 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2042 data.debug_level = ~0;
2044 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2050 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2051 i, r.in.function_code);
2053 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2054 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2060 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
2061 struct dcerpc_pipe *p, const char *trusted_domain_name)
2064 struct netr_DsRGetForestTrustInformation r;
2065 struct lsa_ForestTrustInformation info, *info_ptr;
2066 struct dcerpc_binding_handle *b = p->binding_handle;
2070 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2071 r.in.trusted_domain_name = trusted_domain_name;
2073 r.out.forest_trust_info = &info_ptr;
2075 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
2077 status = dcerpc_netr_DsRGetForestTrustInformation_r(b, tctx, &r);
2078 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
2079 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
2085 try a netlogon netr_DsrEnumerateDomainTrusts
2087 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
2088 struct dcerpc_pipe *p)
2091 struct netr_DsrEnumerateDomainTrusts r;
2092 struct netr_DomainTrustList trusts;
2094 struct dcerpc_binding_handle *b = p->binding_handle;
2096 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2097 r.in.trust_flags = 0x3f;
2098 r.out.trusts = &trusts;
2100 status = dcerpc_netr_DsrEnumerateDomainTrusts_r(b, tctx, &r);
2101 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2102 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2104 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2105 * will show non-forest trusts and all UPN suffixes of the own forest
2106 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2108 if (r.out.trusts->count) {
2109 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2114 for (i=0; i<r.out.trusts->count; i++) {
2116 /* get info for transitive forest trusts */
2118 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2119 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
2120 r.out.trusts->array[i].dns_name)) {
2129 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2130 struct dcerpc_pipe *p)
2133 struct netr_NetrEnumerateTrustedDomains r;
2134 struct netr_Blob trusted_domains_blob;
2135 struct dcerpc_binding_handle *b = p->binding_handle;
2137 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2138 r.out.trusted_domains_blob = &trusted_domains_blob;
2140 status = dcerpc_netr_NetrEnumerateTrustedDomains_r(b, tctx, &r);
2141 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2142 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2147 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2148 struct dcerpc_pipe *p)
2151 struct netr_NetrEnumerateTrustedDomainsEx r;
2152 struct netr_DomainTrustList dom_trust_list;
2153 struct dcerpc_binding_handle *b = p->binding_handle;
2155 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2156 r.out.dom_trust_list = &dom_trust_list;
2158 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b, tctx, &r);
2159 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2160 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2166 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2167 const char *computer_name,
2168 const char *expected_site)
2171 struct netr_DsRGetSiteName r;
2172 const char *site = NULL;
2173 struct dcerpc_binding_handle *b = p->binding_handle;
2175 r.in.computer_name = computer_name;
2177 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2179 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2180 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2181 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2182 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2184 if (torture_setting_bool(tctx, "samba4", false))
2185 torture_skip(tctx, "skipping computer name check against Samba4");
2187 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
2188 torture_comment(tctx,
2189 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
2191 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2192 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2193 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
2199 try a netlogon netr_DsRGetDCName
2201 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
2202 struct dcerpc_pipe *p)
2205 struct netr_DsRGetDCName r;
2206 struct netr_DsRGetDCNameInfo *info = NULL;
2207 struct dcerpc_binding_handle *b = p->binding_handle;
2209 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2210 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2211 r.in.domain_guid = NULL;
2212 r.in.site_guid = NULL;
2213 r.in.flags = DS_RETURN_DNS_NAME;
2216 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2217 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2218 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2220 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2222 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2223 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2224 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2226 return test_netr_DsRGetSiteName(p, tctx,
2228 info->dc_site_name);
2232 try a netlogon netr_DsRGetDCNameEx
2234 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
2235 struct dcerpc_pipe *p)
2238 struct netr_DsRGetDCNameEx r;
2239 struct netr_DsRGetDCNameInfo *info = NULL;
2240 struct dcerpc_binding_handle *b = p->binding_handle;
2242 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2243 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2244 r.in.domain_guid = NULL;
2245 r.in.site_name = NULL;
2246 r.in.flags = DS_RETURN_DNS_NAME;
2249 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2250 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2251 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2253 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2255 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2256 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2257 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2259 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2260 info->dc_site_name);
2264 try a netlogon netr_DsRGetDCNameEx2
2266 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
2267 struct dcerpc_pipe *p)
2270 struct netr_DsRGetDCNameEx2 r;
2271 struct netr_DsRGetDCNameInfo *info = NULL;
2272 struct dcerpc_binding_handle *b = p->binding_handle;
2274 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2275 r.in.client_account = NULL;
2276 r.in.mask = 0x00000000;
2277 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2278 r.in.domain_guid = NULL;
2279 r.in.site_name = NULL;
2280 r.in.flags = DS_RETURN_DNS_NAME;
2283 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2285 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2286 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2287 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2289 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2291 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2292 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2293 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2295 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client account\n");
2296 r.in.client_account = TEST_MACHINE_NAME"$";
2297 r.in.mask = ACB_SVRTRUST;
2298 r.in.flags = DS_RETURN_FLAT_NAME;
2301 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2302 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2303 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2305 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2306 info->dc_site_name);
2309 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
2310 struct dcerpc_pipe *p)
2313 struct netr_DsrGetDcSiteCoverageW r;
2314 struct DcSitesCtr *ctr = NULL;
2315 struct dcerpc_binding_handle *b = p->binding_handle;
2317 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2320 status = dcerpc_netr_DsrGetDcSiteCoverageW_r(b, tctx, &r);
2321 torture_assert_ntstatus_ok(tctx, status, "failed");
2322 torture_assert_werr_ok(tctx, r.out.result, "failed");
2327 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2328 struct dcerpc_pipe *p)
2331 struct ldb_context *sam_ctx = NULL;
2333 struct netr_DsRAddressToSitenamesW r;
2334 struct netr_DsRAddress addrs[6];
2335 struct sockaddr_in *addr;
2336 struct sockaddr_in6 *addr6;
2337 struct netr_DsRAddressToSitenamesWCtr *ctr;
2338 struct dcerpc_binding_handle *b = p->binding_handle;
2342 torture_comment(tctx, "This does only pass with the default site\n");
2344 /* We won't double-check this when we are over 'local' transports */
2345 if (dcerpc_server_name(p)) {
2346 /* Set up connection to SAMDB on DC */
2347 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2348 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2350 cmdline_credentials,
2353 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2356 /* First try valid IP addresses */
2358 addrs[0].size = sizeof(struct sockaddr_in);
2359 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2360 addr = (struct sockaddr_in *) addrs[0].buffer;
2361 addr->sin_family = AF_INET;
2362 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2363 torture_assert(tctx, ret > 0, "inet_pton failed");
2365 addrs[1].size = sizeof(struct sockaddr_in);
2366 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2367 addr = (struct sockaddr_in *) addrs[1].buffer;
2368 addr->sin_family = AF_INET;
2369 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2370 torture_assert(tctx, ret > 0, "inet_pton failed");
2372 addrs[2].size = sizeof(struct sockaddr_in);
2373 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2374 addr = (struct sockaddr_in *) addrs[2].buffer;
2375 addr->sin_family = AF_INET;
2376 ret = inet_pton(AF_INET, "255.255.255.255",
2377 &((struct sockaddr_in *)addrs[2].buffer)->sin_addr);
2378 torture_assert(tctx, ret > 0, "inet_pton failed");
2380 addrs[3].size = sizeof(struct sockaddr_in6);
2381 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2382 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2383 addr6->sin6_family = AF_INET6;
2384 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2385 torture_assert(tctx, ret > 0, "inet_pton failed");
2387 addrs[4].size = sizeof(struct sockaddr_in6);
2388 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2389 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2390 addr6->sin6_family = AF_INET6;
2391 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2392 torture_assert(tctx, ret > 0, "inet_pton failed");
2394 addrs[5].size = sizeof(struct sockaddr_in6);
2395 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2396 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2397 addr6->sin6_family = AF_INET6;
2398 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2399 torture_assert(tctx, ret > 0, "inet_pton failed");
2401 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2403 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2405 r.in.addresses = addrs;
2408 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2409 torture_assert_ntstatus_ok(tctx, status, "failed");
2410 torture_assert_werr_ok(tctx, r.out.result, "failed");
2412 if (sam_ctx != NULL) {
2413 for (i = 0; i < 3; i++) {
2414 torture_assert_casestr_equal(tctx,
2415 ctr->sitename[i].string,
2416 samdb_server_site_name(sam_ctx, tctx),
2417 "didn't return default site");
2419 for (i = 3; i < 6; i++) {
2420 /* Windows returns "NULL" for the sitename if it isn't IPv6 configured
2421 torture_assert_casestr_equal(tctx,
2422 ctr->sitename[i].string,
2423 samdb_server_site_name(sam_ctx, tctx),
2424 "didn't return default site");
2429 /* Now try invalid ones (too short buffers) */
2439 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2440 torture_assert_ntstatus_ok(tctx, status, "failed");
2441 torture_assert_werr_ok(tctx, r.out.result, "failed");
2443 for (i = 0; i < 6; i++) {
2444 torture_assert(tctx, ctr->sitename[i].string == NULL,
2445 "sitename should be null");
2448 /* Now try invalid ones (wrong address types) */
2451 addrs[0].buffer[0] = AF_UNSPEC;
2453 addrs[1].buffer[0] = AF_LOCAL;
2455 addrs[2].buffer[0] = AF_UNIX;
2458 addrs[3].buffer[0] = AF_FILE;
2460 addrs[4].buffer[0] = AF_AX25;
2462 addrs[5].buffer[0] = AF_IPX;
2464 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2465 torture_assert_ntstatus_ok(tctx, status, "failed");
2466 torture_assert_werr_ok(tctx, r.out.result, "failed");
2468 for (i = 0; i < 6; i++) {
2469 torture_assert(tctx, ctr->sitename[i].string == NULL,
2470 "sitename should be null");
2476 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2477 struct dcerpc_pipe *p)
2480 struct ldb_context *sam_ctx = NULL;
2482 struct netr_DsRAddressToSitenamesExW r;
2483 struct netr_DsRAddress addrs[6];
2484 struct sockaddr_in *addr;
2485 struct sockaddr_in6 *addr6;
2486 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2487 struct dcerpc_binding_handle *b = p->binding_handle;
2491 torture_comment(tctx, "This does pass with the default site\n");
2493 /* We won't double-check this when we are over 'local' transports */
2494 if (dcerpc_server_name(p)) {
2495 /* Set up connection to SAMDB on DC */
2496 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2497 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2499 cmdline_credentials,
2502 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2505 /* First try valid IP addresses */
2507 addrs[0].size = sizeof(struct sockaddr_in);
2508 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2509 addr = (struct sockaddr_in *) addrs[0].buffer;
2510 addr->sin_family = AF_INET;
2511 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2512 torture_assert(tctx, ret > 0, "inet_pton failed");
2514 addrs[1].size = sizeof(struct sockaddr_in);
2515 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2516 addr = (struct sockaddr_in *) addrs[1].buffer;
2517 addr->sin_family = AF_INET;
2518 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2519 torture_assert(tctx, ret > 0, "inet_pton failed");
2521 addrs[2].size = sizeof(struct sockaddr_in);
2522 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2523 addr = (struct sockaddr_in *) addrs[2].buffer;
2524 addr->sin_family = AF_INET;
2525 ret = inet_pton(AF_INET, "255.255.255.255",
2526 &((struct sockaddr_in *)addrs[2].buffer)->sin_addr);
2527 torture_assert(tctx, ret > 0, "inet_pton failed");
2529 addrs[3].size = sizeof(struct sockaddr_in6);
2530 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2531 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2532 addr6->sin6_family = AF_INET6;
2533 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2534 torture_assert(tctx, ret > 0, "inet_pton failed");
2536 addrs[4].size = sizeof(struct sockaddr_in6);
2537 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2538 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2539 addr6->sin6_family = AF_INET6;
2540 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2541 torture_assert(tctx, ret > 0, "inet_pton failed");
2543 addrs[5].size = sizeof(struct sockaddr_in6);
2544 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2545 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2546 addr6->sin6_family = AF_INET6;
2547 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2548 torture_assert(tctx, ret > 0, "inet_pton failed");
2550 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2552 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2554 r.in.addresses = addrs;
2557 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2558 torture_assert_ntstatus_ok(tctx, status, "failed");
2559 torture_assert_werr_ok(tctx, r.out.result, "failed");
2561 if (sam_ctx != NULL) {
2562 for (i = 0; i < 3; i++) {
2563 torture_assert_casestr_equal(tctx,
2564 ctr->sitename[i].string,
2565 samdb_server_site_name(sam_ctx, tctx),
2566 "didn't return default site");
2567 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2568 "subnet should be null");
2570 for (i = 3; i < 6; i++) {
2571 /* Windows returns "NULL" for the sitename if it isn't IPv6 configured
2572 torture_assert_casestr_equal(tctx,
2573 ctr->sitename[i].string,
2574 samdb_server_site_name(sam_ctx, tctx),
2575 "didn't return default site");
2577 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2578 "subnet should be null");
2582 /* Now try invalid ones (too short buffers) */
2592 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2593 torture_assert_ntstatus_ok(tctx, status, "failed");
2594 torture_assert_werr_ok(tctx, r.out.result, "failed");
2596 for (i = 0; i < 6; i++) {
2597 torture_assert(tctx, ctr->sitename[i].string == NULL,
2598 "sitename should be null");
2599 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2600 "subnet should be null");
2604 addrs[0].buffer[0] = AF_UNSPEC;
2606 addrs[1].buffer[0] = AF_LOCAL;
2608 addrs[2].buffer[0] = AF_UNIX;
2611 addrs[3].buffer[0] = AF_FILE;
2613 addrs[4].buffer[0] = AF_AX25;
2615 addrs[5].buffer[0] = AF_IPX;
2617 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2618 torture_assert_ntstatus_ok(tctx, status, "failed");
2619 torture_assert_werr_ok(tctx, r.out.result, "failed");
2621 for (i = 0; i < 6; i++) {
2622 torture_assert(tctx, ctr->sitename[i].string == NULL,
2623 "sitename should be null");
2624 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2625 "subnet should be null");
2631 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2632 struct dcerpc_pipe *p,
2633 struct cli_credentials *machine_credentials)
2635 struct netr_ServerGetTrustInfo r;
2637 struct netr_Authenticator a;
2638 struct netr_Authenticator return_authenticator;
2639 struct samr_Password new_owf_password;
2640 struct samr_Password old_owf_password;
2641 struct netr_TrustInfo *trust_info;
2643 struct netlogon_creds_CredentialState *creds;
2644 struct dcerpc_binding_handle *b = p->binding_handle;
2646 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2647 machine_credentials, &creds)) {
2651 netlogon_creds_client_authenticator(creds, &a);
2653 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2654 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2655 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2656 r.in.computer_name = TEST_MACHINE_NAME;
2657 r.in.credential = &a;
2659 r.out.return_authenticator = &return_authenticator;
2660 r.out.new_owf_password = &new_owf_password;
2661 r.out.old_owf_password = &old_owf_password;
2662 r.out.trust_info = &trust_info;
2664 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerGetTrustInfo_r(b, tctx, &r),
2665 "ServerGetTrustInfo failed");
2666 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
2667 torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2673 static bool test_GetDomainInfo(struct torture_context *tctx,
2674 struct dcerpc_pipe *p,
2675 struct cli_credentials *machine_credentials)
2677 struct netr_LogonGetDomainInfo r;
2678 struct netr_WorkstationInformation q1;
2679 struct netr_Authenticator a;
2680 struct netlogon_creds_CredentialState *creds;
2681 struct netr_OsVersion os;
2682 union netr_WorkstationInfo query;
2683 union netr_DomainInfo info;
2684 const char* const attrs[] = { "dNSHostName", "operatingSystem",
2685 "operatingSystemServicePack", "operatingSystemVersion",
2686 "servicePrincipalName", NULL };
2688 struct ldb_context *sam_ctx = NULL;
2689 struct ldb_message **res;
2690 struct ldb_message_element *spn_el;
2693 const char *old_dnsname = NULL;
2697 struct dcerpc_binding_handle *b = p->binding_handle;
2699 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2701 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2702 machine_credentials, &creds)) {
2706 /* We won't double-check this when we are over 'local' transports */
2707 if (dcerpc_server_name(p)) {
2708 /* Set up connection to SAMDB on DC */
2709 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2710 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2712 cmdline_credentials,
2715 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2718 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
2719 netlogon_creds_client_authenticator(creds, &a);
2722 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2723 r.in.computer_name = TEST_MACHINE_NAME;
2724 r.in.credential = &a;
2726 r.in.return_authenticator = &a;
2727 r.in.query = &query;
2728 r.out.return_authenticator = &a;
2732 os.os.MajorVersion = 123;
2733 os.os.MinorVersion = 456;
2734 os.os.BuildNumber = 789;
2735 os.os.CSDVersion = "Service Pack 10";
2736 os.os.ServicePackMajor = 10;
2737 os.os.ServicePackMinor = 1;
2738 os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
2739 os.os.ProductType = NETR_VER_NT_SERVER;
2742 version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
2743 os.os.MinorVersion, os.os.BuildNumber);
2746 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2747 lp_dnsdomain(tctx->lp_ctx));
2748 q1.sitename = "Default-First-Site-Name";
2749 q1.os_version.os = &os;
2750 q1.os_name.string = talloc_asprintf(tctx,
2751 "Tortured by Samba4 RPC-NETLOGON: %s",
2752 timestring(tctx, time(NULL)));
2754 /* The workstation handles the "servicePrincipalName" and DNS hostname
2756 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2758 query.workstation_info = &q1;
2761 /* Gets back the old DNS hostname in AD */
2762 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2763 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2765 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
2767 /* Gets back the "servicePrincipalName"s in AD */
2768 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2769 if (spn_el != NULL) {
2770 for (i=0; i < spn_el->num_values; i++) {
2771 spns = talloc_realloc(tctx, spns, char *, i + 1);
2772 spns[i] = (char *) spn_el->values[i].data;
2778 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2779 "LogonGetDomainInfo failed");
2780 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2781 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2786 /* AD workstation infos entry check */
2787 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2788 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2789 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2790 torture_assert_str_equal(tctx,
2791 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2792 q1.os_name.string, "'operatingSystem' wrong!");
2793 torture_assert_str_equal(tctx,
2794 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
2795 os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
2796 torture_assert_str_equal(tctx,
2797 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
2798 version_str, "'operatingSystemVersion' wrong!");
2800 if (old_dnsname != NULL) {
2801 /* If before a DNS hostname was set then it should remain
2802 the same in combination with the "servicePrincipalName"s.
2803 The DNS hostname should also be returned by our
2804 "LogonGetDomainInfo" call (in the domain info structure). */
2806 torture_assert_str_equal(tctx,
2807 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2808 old_dnsname, "'DNS hostname' was not set!");
2810 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2811 torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
2812 "'servicePrincipalName's not set!");
2813 torture_assert(tctx, spn_el->num_values == num_spns,
2814 "'servicePrincipalName's incorrect!");
2815 for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
2816 torture_assert_str_equal(tctx,
2817 (char *) spn_el->values[i].data,
2818 spns[i], "'servicePrincipalName's incorrect!");
2820 torture_assert_str_equal(tctx,
2821 info.domain_info->dns_hostname.string,
2823 "Out 'DNS hostname' doesn't match the old one!");
2825 /* If no DNS hostname was set then also now none should be set,
2826 the "servicePrincipalName"s should remain empty and no DNS
2827 hostname should be returned by our "LogonGetDomainInfo"
2828 call (in the domain info structure). */
2830 torture_assert(tctx,
2831 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
2832 "'DNS hostname' was set!");
2834 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2835 torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
2836 "'servicePrincipalName's were set!");
2838 torture_assert(tctx,
2839 info.domain_info->dns_hostname.string == NULL,
2840 "Out 'DNS host name' was set!");
2844 /* Checks "workstation flags" */
2845 torture_assert(tctx,
2846 info.domain_info->workstation_flags
2847 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2848 "Out 'workstation flags' don't match!");
2851 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
2852 netlogon_creds_client_authenticator(creds, &a);
2854 /* Wipe out the osVersion, and prove which values still 'stick' */
2855 q1.os_version.os = NULL;
2857 /* Change also the DNS hostname to test differences in behaviour */
2858 talloc_free(discard_const_p(char, q1.dns_hostname));
2859 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
2860 lp_dnsdomain(tctx->lp_ctx));
2862 /* The workstation handles the "servicePrincipalName" and DNS hostname
2864 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2866 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2867 "LogonGetDomainInfo failed");
2868 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2870 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2875 /* AD workstation infos entry check */
2876 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2877 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2878 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2880 torture_assert_str_equal(tctx,
2881 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2882 q1.os_name.string, "'operatingSystem' should stick!");
2883 torture_assert(tctx,
2884 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2885 "'operatingSystemServicePack' shouldn't stick!");
2886 torture_assert(tctx,
2887 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2888 "'operatingSystemVersion' shouldn't stick!");
2890 /* The DNS host name shouldn't have been updated by the server */
2892 torture_assert_str_equal(tctx,
2893 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2894 old_dnsname, "'DNS host name' did change!");
2896 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
2897 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2899 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2900 torture_assert(tctx, spn_el != NULL,
2901 "There should exist 'servicePrincipalName's in AD!");
2902 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
2903 for (i=0; i < spn_el->num_values; i++)
2904 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2906 torture_assert(tctx, i != spn_el->num_values,
2907 "'servicePrincipalName' HOST/<Netbios name> not found!");
2908 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
2909 for (i=0; i < spn_el->num_values; i++)
2910 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2912 torture_assert(tctx, i != spn_el->num_values,
2913 "'servicePrincipalName' HOST/<FQDN name> not found!");
2915 /* Check that the out DNS hostname was set properly */
2916 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
2917 old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
2920 /* Checks "workstation flags" */
2921 torture_assert(tctx,
2922 info.domain_info->workstation_flags == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2923 "Out 'workstation flags' don't match!");
2926 /* Now try the same but the workstation flags set to 0 */
2928 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
2929 netlogon_creds_client_authenticator(creds, &a);
2931 /* Change also the DNS hostname to test differences in behaviour */
2932 talloc_free(discard_const_p(char, q1.dns_hostname));
2933 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
2934 lp_dnsdomain(tctx->lp_ctx));
2936 /* Wipe out the osVersion, and prove which values still 'stick' */
2937 q1.os_version.os = NULL;
2939 /* Let the DC handle the "servicePrincipalName" and DNS hostname
2941 q1.workstation_flags = 0;
2943 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2944 "LogonGetDomainInfo failed");
2945 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2946 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2951 /* AD workstation infos entry check */
2952 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2953 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2954 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2956 torture_assert_str_equal(tctx,
2957 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2958 q1.os_name.string, "'operatingSystem' should stick!");
2959 torture_assert(tctx,
2960 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2961 "'operatingSystemServicePack' shouldn't stick!");
2962 torture_assert(tctx,
2963 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2964 "'operatingSystemVersion' shouldn't stick!");
2966 /* The DNS host name shouldn't have been updated by the server */
2968 torture_assert_str_equal(tctx,
2969 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2970 old_dnsname, "'DNS host name' did change!");
2972 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
2973 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2975 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2976 torture_assert(tctx, spn_el != NULL,
2977 "There should exist 'servicePrincipalName's in AD!");
2978 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
2979 for (i=0; i < spn_el->num_values; i++)
2980 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2982 torture_assert(tctx, i != spn_el->num_values,
2983 "'servicePrincipalName' HOST/<Netbios name> not found!");
2984 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
2985 for (i=0; i < spn_el->num_values; i++)
2986 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2988 torture_assert(tctx, i != spn_el->num_values,
2989 "'servicePrincipalName' HOST/<FQDN name> not found!");
2991 /* Here the server gives us NULL as the out DNS hostname */
2992 torture_assert(tctx, info.domain_info->dns_hostname.string == NULL,
2993 "Out 'DNS hostname' should be NULL!");
2996 /* Checks "workstation flags" */
2997 torture_assert(tctx,
2998 info.domain_info->workstation_flags == 0,
2999 "Out 'workstation flags' don't match!");
3002 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
3003 netlogon_creds_client_authenticator(creds, &a);
3005 /* Put the DNS hostname back */
3006 talloc_free(discard_const_p(char, q1.dns_hostname));
3007 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3008 lp_dnsdomain(tctx->lp_ctx));
3010 /* The workstation handles the "servicePrincipalName" and DNS hostname
3012 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3014 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3015 "LogonGetDomainInfo failed");
3016 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3017 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3021 /* Now the in/out DNS hostnames should be the same */
3022 torture_assert_str_equal(tctx,
3023 info.domain_info->dns_hostname.string,
3024 query.workstation_info->dns_hostname,
3025 "In/Out 'DNS hostnames' don't match!");
3027 /* Checks "workstation flags" */
3028 torture_assert(tctx,
3029 info.domain_info->workstation_flags
3030 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3031 "Out 'workstation flags' don't match!");
3033 /* Checks for trusted domains */
3034 torture_assert(tctx,
3035 (info.domain_info->trusted_domain_count != 0)
3036 && (info.domain_info->trusted_domains != NULL),
3037 "Trusted domains have been requested!");
3040 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
3041 netlogon_creds_client_authenticator(creds, &a);
3043 /* The workstation handles the "servicePrincipalName" and DNS hostname
3044 updates and requests inbound trusts */
3045 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
3046 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
3048 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3049 "LogonGetDomainInfo failed");
3050 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3051 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3055 /* Checks "workstation flags" */
3056 torture_assert(tctx,
3057 info.domain_info->workstation_flags
3058 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3059 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
3060 "Out 'workstation flags' don't match!");
3062 /* Checks for trusted domains */
3063 torture_assert(tctx,
3064 (info.domain_info->trusted_domain_count != 0)
3065 && (info.domain_info->trusted_domains != NULL),
3066 "Trusted domains have been requested!");
3071 static bool test_GetDomainInfo_async(struct torture_context *tctx,
3072 struct dcerpc_pipe *p,
3073 struct cli_credentials *machine_credentials)
3076 struct netr_LogonGetDomainInfo r;
3077 struct netr_WorkstationInformation q1;
3078 struct netr_Authenticator a;
3079 #define ASYNC_COUNT 100
3080 struct netlogon_creds_CredentialState *creds;
3081 struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
3082 struct tevent_req *req[ASYNC_COUNT];
3084 union netr_WorkstationInfo query;
3085 union netr_DomainInfo info;
3087 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
3089 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
3090 machine_credentials, &creds)) {
3095 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3096 r.in.computer_name = TEST_MACHINE_NAME;
3097 r.in.credential = &a;
3099 r.in.return_authenticator = &a;
3100 r.in.query = &query;
3101 r.out.return_authenticator = &a;
3105 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3106 lp_dnsdomain(tctx->lp_ctx));
3107 q1.sitename = "Default-First-Site-Name";
3108 q1.os_name.string = "UNIX/Linux or similar";
3110 query.workstation_info = &q1;
3112 for (i=0;i<ASYNC_COUNT;i++) {
3113 netlogon_creds_client_authenticator(creds, &a);
3115 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
3116 req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r);
3118 /* even with this flush per request a w2k3 server seems to
3119 clag with multiple outstanding requests. bleergh. */
3120 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
3121 "event_loop_once failed");
3124 for (i=0;i<ASYNC_COUNT;i++) {
3125 torture_assert_int_equal(tctx, tevent_req_poll(req[i], tctx->ev), true,
3126 "tevent_req_poll() failed");
3128 status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx);
3130 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
3131 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
3133 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
3134 "Credential chaining failed at async");
3137 torture_comment(tctx,
3138 "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
3143 static bool test_ManyGetDCName(struct torture_context *tctx,
3144 struct dcerpc_pipe *p)
3147 struct dcerpc_pipe *p2;
3148 struct lsa_ObjectAttribute attr;
3149 struct lsa_QosInfo qos;
3150 struct lsa_OpenPolicy2 o;
3151 struct policy_handle lsa_handle;
3152 struct lsa_DomainList domains;
3154 struct lsa_EnumTrustDom t;
3155 uint32_t resume_handle = 0;
3156 struct netr_GetAnyDCName d;
3157 const char *dcname = NULL;
3158 struct dcerpc_binding_handle *b = p->binding_handle;
3159 struct dcerpc_binding_handle *b2;
3163 if (p->conn->transport.transport != NCACN_NP) {
3167 torture_comment(tctx, "Torturing GetDCName\n");
3169 status = dcerpc_secondary_connection(p, &p2, p->binding);
3170 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
3172 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
3173 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
3174 b2 = p2->binding_handle;
3177 qos.impersonation_level = 2;
3178 qos.context_mode = 1;
3179 qos.effective_only = 0;
3182 attr.root_dir = NULL;
3183 attr.object_name = NULL;
3184 attr.attributes = 0;
3185 attr.sec_desc = NULL;
3186 attr.sec_qos = &qos;
3188 o.in.system_name = "\\";
3190 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3191 o.out.handle = &lsa_handle;
3193 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
3194 "OpenPolicy2 failed");
3195 torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
3197 t.in.handle = &lsa_handle;
3198 t.in.resume_handle = &resume_handle;
3199 t.in.max_size = 1000;
3200 t.out.domains = &domains;
3201 t.out.resume_handle = &resume_handle;
3203 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b2, tctx, &t),
3204 "EnumTrustDom failed");
3206 if ((!NT_STATUS_IS_OK(t.out.result) &&
3207 (!NT_STATUS_EQUAL(t.out.result, NT_STATUS_NO_MORE_ENTRIES))))
3208 torture_fail(tctx, "Could not list domains");
3212 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
3213 dcerpc_server_name(p));
3214 d.out.dcname = &dcname;
3216 for (i=0; i<domains.count * 4; i++) {
3217 struct lsa_DomainInfo *info =
3218 &domains.domains[rand()%domains.count];
3220 d.in.domainname = info->name.string;
3222 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &d);
3223 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
3225 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
3226 dcname ? dcname : "unknown");
3232 static bool test_SetPassword_with_flags(struct torture_context *tctx,
3233 struct dcerpc_pipe *p,
3234 struct cli_credentials *machine_credentials)
3236 uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
3237 struct netlogon_creds_CredentialState *creds;
3240 if (!test_SetupCredentials2(p, tctx, 0,
3241 machine_credentials,
3242 cli_credentials_get_secure_channel_type(machine_credentials),
3244 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
3247 for (i=0; i < ARRAY_SIZE(flags); i++) {
3248 torture_assert(tctx,
3249 test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
3250 talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
3256 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
3258 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
3259 struct torture_rpc_tcase *tcase;
3260 struct torture_test *test;
3262 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3263 &ndr_table_netlogon, TEST_MACHINE_NAME);
3265 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
3266 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
3267 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3268 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3269 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3270 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
3271 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
3272 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
3273 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
3274 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
3275 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
3276 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
3277 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
3278 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
3279 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
3280 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
3281 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
3282 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
3283 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3284 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
3285 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
3286 test->dangerous = true;
3287 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
3288 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
3289 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
3290 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
3291 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
3292 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
3293 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
3298 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
3300 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-S3");
3301 struct torture_rpc_tcase *tcase;
3303 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3304 &ndr_table_netlogon, TEST_MACHINE_NAME);
3306 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3307 torture_rpc_tcase_add_test_creds(tcase, "SamLogon_NULL_domain", test_SamLogon_NULL_domain);
3308 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3309 torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
3310 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3311 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3316 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
3318 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
3319 struct torture_rpc_tcase *tcase;
3321 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3322 &ndr_table_netlogon, TEST_MACHINE_NAME);
3323 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3324 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3325 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3327 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
3328 &ndr_table_netlogon, TEST_MACHINE_NAME);
3329 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3330 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3331 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3333 tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
3334 &ndr_table_netlogon);
3335 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3336 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3337 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
git.samba.org / amitay / samba.git / blob