2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "torture/rpc/rpc.h"
31 #include "torture/rpc/netlogon.h"
32 #include "../lib/crypto/crypto.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_netlogon.h"
36 #include "librpc/gen_ndr/ndr_lsa_c.h"
37 #include "param/param.h"
38 #include "libcli/security/security.h"
40 #define TEST_MACHINE_NAME "torturetest"
42 static bool test_LogonUasLogon(struct torture_context *tctx,
43 struct dcerpc_pipe *p)
46 struct netr_LogonUasLogon r;
47 struct netr_UasInfo *info = NULL;
49 r.in.server_name = NULL;
50 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51 r.in.workstation = TEST_MACHINE_NAME;
54 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61 struct dcerpc_pipe *p)
64 struct netr_LogonUasLogoff r;
65 struct netr_UasLogoffInfo info;
67 r.in.server_name = NULL;
68 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69 r.in.workstation = TEST_MACHINE_NAME;
72 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78 static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79 struct cli_credentials *credentials,
80 struct creds_CredentialState **creds_out)
83 struct netr_ServerReqChallenge r;
84 struct netr_ServerAuthenticate a;
85 struct netr_Credential credentials1, credentials2, credentials3;
86 struct creds_CredentialState *creds;
87 const struct samr_Password *mach_password;
88 const char *machine_name;
90 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91 machine_name = cli_credentials_get_workstation(credentials);
93 torture_comment(tctx, "Testing ServerReqChallenge\n");
95 creds = talloc(tctx, struct creds_CredentialState);
96 torture_assert(tctx, creds != NULL, "memory allocation");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
106 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
108 a.in.server_name = NULL;
109 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
110 a.in.secure_channel_type = SEC_CHAN_BDC;
111 a.in.computer_name = machine_name;
112 a.in.credentials = &credentials3;
113 a.out.return_credentials = &credentials3;
115 creds_client_init(creds, &credentials1, &credentials2,
116 mach_password, &credentials3,
119 torture_comment(tctx, "Testing ServerAuthenticate\n");
121 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123 /* This allows the tests to continue against the more fussy windows 2008 */
124 if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
125 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
126 credentials, SEC_CHAN_BDC, creds_out);
129 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131 torture_assert(tctx, creds_client_check(creds, &credentials3),
132 "Credential chaining failed");
138 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
139 uint32_t negotiate_flags,
140 struct cli_credentials *machine_credentials,
142 struct creds_CredentialState **creds_out)
145 struct netr_ServerReqChallenge r;
146 struct netr_ServerAuthenticate2 a;
147 struct netr_Credential credentials1, credentials2, credentials3;
148 struct creds_CredentialState *creds;
149 const struct samr_Password *mach_password;
150 const char *machine_name;
151 const char *plain_pass;
153 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
154 machine_name = cli_credentials_get_workstation(machine_credentials);
156 torture_comment(tctx, "Testing ServerReqChallenge\n");
158 creds = talloc(tctx, struct creds_CredentialState);
159 torture_assert(tctx, creds != NULL, "memory allocation");
161 r.in.server_name = NULL;
162 r.in.computer_name = machine_name;
163 r.in.credentials = &credentials1;
164 r.out.return_credentials = &credentials2;
166 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
168 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
169 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
171 a.in.server_name = NULL;
172 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
173 a.in.secure_channel_type = sec_chan_type;
174 a.in.computer_name = machine_name;
175 a.in.negotiate_flags = &negotiate_flags;
176 a.out.negotiate_flags = &negotiate_flags;
177 a.in.credentials = &credentials3;
178 a.out.return_credentials = &credentials3;
180 creds_client_init(creds, &credentials1, &credentials2,
181 mach_password, &credentials3,
184 torture_comment(tctx, "Testing ServerAuthenticate2\n");
186 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
187 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
189 torture_assert(tctx, creds_client_check(creds, &credentials3),
190 "Credential chaining failed");
192 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
199 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
200 uint32_t negotiate_flags,
201 struct cli_credentials *machine_credentials,
202 struct creds_CredentialState **creds_out)
205 struct netr_ServerReqChallenge r;
206 struct netr_ServerAuthenticate3 a;
207 struct netr_Credential credentials1, credentials2, credentials3;
208 struct creds_CredentialState *creds;
209 struct samr_Password mach_password;
211 const char *machine_name;
212 const char *plain_pass;
214 machine_name = cli_credentials_get_workstation(machine_credentials);
215 plain_pass = cli_credentials_get_password(machine_credentials);
217 torture_comment(tctx, "Testing ServerReqChallenge\n");
219 creds = talloc(tctx, struct creds_CredentialState);
220 torture_assert(tctx, creds != NULL, "memory allocation");
222 r.in.server_name = NULL;
223 r.in.computer_name = machine_name;
224 r.in.credentials = &credentials1;
225 r.out.return_credentials = &credentials2;
227 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
229 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
230 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
232 E_md4hash(plain_pass, mach_password.hash);
234 a.in.server_name = NULL;
235 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
236 a.in.secure_channel_type = SEC_CHAN_BDC;
237 a.in.computer_name = machine_name;
238 a.in.negotiate_flags = &negotiate_flags;
239 a.in.credentials = &credentials3;
240 a.out.return_credentials = &credentials3;
241 a.out.negotiate_flags = &negotiate_flags;
244 creds_client_init(creds, &credentials1, &credentials2,
245 &mach_password, &credentials3,
248 torture_comment(tctx, "Testing ServerAuthenticate3\n");
250 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
251 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
252 torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
254 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
256 /* Prove that requesting a challenge again won't break it */
257 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
258 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
265 try a change password for our machine account
267 static bool test_SetPassword(struct torture_context *tctx,
268 struct dcerpc_pipe *p,
269 struct cli_credentials *machine_credentials)
272 struct netr_ServerPasswordSet r;
273 const char *password;
274 struct creds_CredentialState *creds;
275 struct netr_Authenticator credential, return_authenticator;
276 struct samr_Password new_password;
278 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
282 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
283 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
284 r.in.secure_channel_type = SEC_CHAN_BDC;
285 r.in.computer_name = TEST_MACHINE_NAME;
286 r.in.credential = &credential;
287 r.in.new_password = &new_password;
288 r.out.return_authenticator = &return_authenticator;
290 password = generate_random_str(tctx, 8);
291 E_md4hash(password, new_password.hash);
293 creds_des_encrypt(creds, &new_password);
295 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
296 torture_comment(tctx, "Changing machine account password to '%s'\n",
299 creds_client_authenticator(creds, &credential);
301 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
302 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
304 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
305 torture_comment(tctx, "Credential chaining failed\n");
308 /* by changing the machine password twice we test the
309 credentials chaining fully, and we verify that the server
310 allows the password to be set to the same value twice in a
311 row (match win2k3) */
312 torture_comment(tctx,
313 "Testing a second ServerPasswordSet on machine account\n");
314 torture_comment(tctx,
315 "Changing machine account password to '%s' (same as previous run)\n", password);
317 creds_client_authenticator(creds, &credential);
319 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
320 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
322 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
323 torture_comment(tctx, "Credential chaining failed\n");
326 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
329 test_SetupCredentials(p, tctx, machine_credentials, &creds),
330 "ServerPasswordSet failed to actually change the password");
336 generate a random password for password change tests
338 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
341 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
342 generate_random_buffer(password.data, password.length);
344 for (i=0; i < len; i++) {
345 if (((uint16_t *)password.data)[i] == 0) {
346 ((uint16_t *)password.data)[i] = 1;
354 try a change password for our machine account
356 static bool test_SetPassword2(struct torture_context *tctx,
357 struct dcerpc_pipe *p,
358 struct cli_credentials *machine_credentials)
361 struct netr_ServerPasswordSet2 r;
362 const char *password;
363 DATA_BLOB new_random_pass;
364 struct creds_CredentialState *creds;
365 struct samr_CryptPassword password_buf;
366 struct samr_Password nt_hash;
367 struct netr_Authenticator credential, return_authenticator;
368 struct netr_CryptPassword new_password;
370 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = SEC_CHAN_BDC;
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_str(tctx, 8);
383 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
384 creds_arcfour_crypt(creds, password_buf.data, 516);
386 memcpy(new_password.data, password_buf.data, 512);
387 new_password.length = IVAL(password_buf.data, 512);
389 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
390 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
392 creds_client_authenticator(creds, &credential);
394 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
395 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
397 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
403 if (!torture_setting_bool(tctx, "dangerous", false)) {
404 torture_comment(tctx,
405 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
407 /* by changing the machine password to ""
408 * we check if the server uses password restrictions
409 * for ServerPasswordSet2
410 * (win2k3 accepts "")
413 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
414 creds_arcfour_crypt(creds, password_buf.data, 516);
416 memcpy(new_password.data, password_buf.data, 512);
417 new_password.length = IVAL(password_buf.data, 512);
419 torture_comment(tctx,
420 "Testing ServerPasswordSet2 on machine account\n");
421 torture_comment(tctx,
422 "Changing machine account password to '%s'\n", password);
424 creds_client_authenticator(creds, &credential);
426 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
427 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
429 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
430 torture_comment(tctx, "Credential chaining failed\n");
433 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
436 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
437 "ServerPasswordSet failed to actually change the password");
439 /* now try a random password */
440 password = generate_random_str(tctx, 8);
441 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
442 creds_arcfour_crypt(creds, password_buf.data, 516);
444 memcpy(new_password.data, password_buf.data, 512);
445 new_password.length = IVAL(password_buf.data, 512);
447 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
448 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
450 creds_client_authenticator(creds, &credential);
452 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
453 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
455 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
456 torture_comment(tctx, "Credential chaining failed\n");
459 /* by changing the machine password twice we test the
460 credentials chaining fully, and we verify that the server
461 allows the password to be set to the same value twice in a
462 row (match win2k3) */
463 torture_comment(tctx,
464 "Testing a second ServerPasswordSet2 on machine account\n");
465 torture_comment(tctx,
466 "Changing machine account password to '%s' (same as previous run)\n", password);
468 creds_client_authenticator(creds, &credential);
470 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
471 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
473 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
474 torture_comment(tctx, "Credential chaining failed\n");
477 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
479 torture_assert (tctx,
480 test_SetupCredentials(p, tctx, machine_credentials, &creds),
481 "ServerPasswordSet failed to actually change the password");
483 new_random_pass = netlogon_very_rand_pass(tctx, 128);
485 /* now try a random stream of bytes for a password */
486 set_pw_in_buffer(password_buf.data, &new_random_pass);
488 creds_arcfour_crypt(creds, password_buf.data, 516);
490 memcpy(new_password.data, password_buf.data, 512);
491 new_password.length = IVAL(password_buf.data, 512);
493 torture_comment(tctx,
494 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
496 creds_client_authenticator(creds, &credential);
498 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
499 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
501 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
502 torture_comment(tctx, "Credential chaining failed\n");
505 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
507 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
508 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
510 torture_assert (tctx,
511 test_SetupCredentials(p, tctx, machine_credentials, &creds),
512 "ServerPasswordSet failed to actually change the password");
517 static bool test_GetPassword(struct torture_context *tctx,
518 struct dcerpc_pipe *p,
519 struct cli_credentials *machine_credentials)
521 struct netr_ServerPasswordGet r;
522 struct creds_CredentialState *creds;
523 struct netr_Authenticator credential;
525 struct netr_Authenticator return_authenticator;
526 struct samr_Password password;
528 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
532 creds_client_authenticator(creds, &credential);
534 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
535 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
536 r.in.secure_channel_type = SEC_CHAN_BDC;
537 r.in.computer_name = TEST_MACHINE_NAME;
538 r.in.credential = &credential;
539 r.out.return_authenticator = &return_authenticator;
540 r.out.password = &password;
542 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
543 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
548 static bool test_GetTrustPasswords(struct torture_context *tctx,
549 struct dcerpc_pipe *p,
550 struct cli_credentials *machine_credentials)
552 struct netr_ServerTrustPasswordsGet r;
553 struct creds_CredentialState *creds;
554 struct netr_Authenticator credential;
556 struct netr_Authenticator return_authenticator;
557 struct samr_Password password, password2;
559 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
563 creds_client_authenticator(creds, &credential);
565 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
566 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
567 r.in.secure_channel_type = SEC_CHAN_BDC;
568 r.in.computer_name = TEST_MACHINE_NAME;
569 r.in.credential = &credential;
570 r.out.return_authenticator = &return_authenticator;
571 r.out.password = &password;
572 r.out.password2 = &password2;
574 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
575 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
581 try a netlogon SamLogon
583 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
584 struct cli_credentials *credentials,
585 struct creds_CredentialState *creds)
588 struct netr_LogonSamLogon r;
589 struct netr_Authenticator auth, auth2;
590 union netr_LogonLevel logon;
591 union netr_Validation validation;
592 uint8_t authoritative;
593 struct netr_NetworkInfo ninfo;
594 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
596 int flags = CLI_CRED_NTLM_AUTH;
597 if (lp_client_lanman_auth(tctx->lp_ctx)) {
598 flags |= CLI_CRED_LANMAN_AUTH;
601 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
602 flags |= CLI_CRED_NTLMv2_AUTH;
605 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
606 &ninfo.identity_info.account_name.string,
607 &ninfo.identity_info.domain_name.string);
609 generate_random_buffer(ninfo.challenge,
610 sizeof(ninfo.challenge));
611 chal = data_blob_const(ninfo.challenge,
612 sizeof(ninfo.challenge));
614 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
615 cli_credentials_get_domain(credentials));
617 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
623 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
625 ninfo.lm.data = lm_resp.data;
626 ninfo.lm.length = lm_resp.length;
628 ninfo.nt.data = nt_resp.data;
629 ninfo.nt.length = nt_resp.length;
631 ninfo.identity_info.parameter_control = 0;
632 ninfo.identity_info.logon_id_low = 0;
633 ninfo.identity_info.logon_id_high = 0;
634 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
636 logon.network = &ninfo;
638 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
639 r.in.computer_name = cli_credentials_get_workstation(credentials);
640 r.in.credential = &auth;
641 r.in.return_authenticator = &auth2;
642 r.in.logon_level = 2;
644 r.out.validation = &validation;
645 r.out.authoritative = &authoritative;
647 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
651 creds_client_authenticator(creds, &auth);
653 r.in.validation_level = i;
655 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
656 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
658 torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
659 "Credential chaining failed");
662 r.in.credential = NULL;
666 r.in.validation_level = i;
668 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
670 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
671 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
672 "LogonSamLogon expected INVALID_PARAMETER");
680 try a netlogon SamLogon
682 static bool test_SamLogon(struct torture_context *tctx,
683 struct dcerpc_pipe *p,
684 struct cli_credentials *credentials)
686 struct creds_CredentialState *creds;
688 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
692 return test_netlogon_ops(p, tctx, credentials, creds);
695 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
696 static uint64_t sequence_nums[3];
699 try a netlogon DatabaseSync
701 static bool test_DatabaseSync(struct torture_context *tctx,
702 struct dcerpc_pipe *p,
703 struct cli_credentials *machine_credentials)
706 struct netr_DatabaseSync r;
707 struct creds_CredentialState *creds;
708 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
710 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
711 struct netr_Authenticator credential, return_authenticator;
713 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
717 ZERO_STRUCT(return_authenticator);
719 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
720 r.in.computername = TEST_MACHINE_NAME;
721 r.in.preferredmaximumlength = (uint32_t)-1;
722 r.in.return_authenticator = &return_authenticator;
723 r.out.delta_enum_array = &delta_enum_array;
724 r.out.return_authenticator = &return_authenticator;
726 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
728 uint32_t sync_context = 0;
730 r.in.database_id = database_ids[i];
731 r.in.sync_context = &sync_context;
732 r.out.sync_context = &sync_context;
734 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
737 creds_client_authenticator(creds, &credential);
739 r.in.credential = &credential;
741 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
742 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
745 /* Native mode servers don't do this */
746 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
749 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
751 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
752 torture_comment(tctx, "Credential chaining failed\n");
755 if (delta_enum_array &&
756 delta_enum_array->num_deltas > 0 &&
757 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
758 delta_enum_array->delta_enum[0].delta_union.domain) {
759 sequence_nums[r.in.database_id] =
760 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
761 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
763 (unsigned long long)sequence_nums[r.in.database_id]);
765 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
773 try a netlogon DatabaseDeltas
775 static bool test_DatabaseDeltas(struct torture_context *tctx,
776 struct dcerpc_pipe *p,
777 struct cli_credentials *machine_credentials)
780 struct netr_DatabaseDeltas r;
781 struct creds_CredentialState *creds;
782 struct netr_Authenticator credential;
783 struct netr_Authenticator return_authenticator;
784 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
785 const uint32_t database_ids[] = {0, 1, 2};
788 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
792 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
793 r.in.computername = TEST_MACHINE_NAME;
794 r.in.preferredmaximumlength = (uint32_t)-1;
795 ZERO_STRUCT(r.in.return_authenticator);
796 r.out.return_authenticator = &return_authenticator;
797 r.out.delta_enum_array = &delta_enum_array;
799 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
800 r.in.database_id = database_ids[i];
801 r.in.sequence_num = &sequence_nums[r.in.database_id];
803 if (*r.in.sequence_num == 0) continue;
805 *r.in.sequence_num -= 1;
807 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
808 r.in.database_id, (unsigned long long)*r.in.sequence_num);
811 creds_client_authenticator(creds, &credential);
813 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
814 if (NT_STATUS_EQUAL(status,
815 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
816 torture_comment(tctx, "not considering %s to be an error\n",
820 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
823 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
825 if (!creds_client_check(creds, &return_authenticator.cred)) {
826 torture_comment(tctx, "Credential chaining failed\n");
829 (*r.in.sequence_num)++;
830 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
836 static bool test_DatabaseRedo(struct torture_context *tctx,
837 struct dcerpc_pipe *p,
838 struct cli_credentials *machine_credentials)
841 struct netr_DatabaseRedo r;
842 struct creds_CredentialState *creds;
843 struct netr_Authenticator credential;
844 struct netr_Authenticator return_authenticator;
845 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
846 struct netr_ChangeLogEntry e;
847 struct dom_sid null_sid, *sid;
850 ZERO_STRUCT(null_sid);
852 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
863 NTSTATUS expected_error;
864 uint32_t expected_num_results;
865 uint8_t expected_delta_type_1;
866 uint8_t expected_delta_type_2;
870 /* SAM_DATABASE_DOMAIN */
875 .db_index = SAM_DATABASE_DOMAIN,
876 .delta_type = NETR_DELTA_MODIFY_COUNT,
879 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
880 .expected_num_results = 0,
881 .comment = "NETR_DELTA_MODIFY_COUNT"
886 .db_index = SAM_DATABASE_DOMAIN,
890 .expected_error = NT_STATUS_OK,
891 .expected_num_results = 1,
892 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
893 .comment = "NULL DELTA"
898 .db_index = SAM_DATABASE_DOMAIN,
899 .delta_type = NETR_DELTA_DOMAIN,
902 .expected_error = NT_STATUS_OK,
903 .expected_num_results = 1,
904 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
905 .comment = "NETR_DELTA_DOMAIN"
908 .rid = DOMAIN_RID_ADMINISTRATOR,
910 .db_index = SAM_DATABASE_DOMAIN,
911 .delta_type = NETR_DELTA_USER,
914 .expected_error = NT_STATUS_OK,
915 .expected_num_results = 1,
916 .expected_delta_type_1 = NETR_DELTA_USER,
917 .comment = "NETR_DELTA_USER by rid 500"
920 .rid = DOMAIN_RID_GUEST,
922 .db_index = SAM_DATABASE_DOMAIN,
923 .delta_type = NETR_DELTA_USER,
926 .expected_error = NT_STATUS_OK,
927 .expected_num_results = 1,
928 .expected_delta_type_1 = NETR_DELTA_USER,
929 .comment = "NETR_DELTA_USER by rid 501"
933 .flags = NETR_CHANGELOG_SID_INCLUDED,
934 .db_index = SAM_DATABASE_DOMAIN,
935 .delta_type = NETR_DELTA_USER,
938 .expected_error = NT_STATUS_OK,
939 .expected_num_results = 1,
940 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
941 .comment = "NETR_DELTA_USER by sid and flags"
945 .flags = NETR_CHANGELOG_SID_INCLUDED,
946 .db_index = SAM_DATABASE_DOMAIN,
947 .delta_type = NETR_DELTA_USER,
950 .expected_error = NT_STATUS_OK,
951 .expected_num_results = 1,
952 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
953 .comment = "NETR_DELTA_USER by null_sid and flags"
957 .flags = NETR_CHANGELOG_NAME_INCLUDED,
958 .db_index = SAM_DATABASE_DOMAIN,
959 .delta_type = NETR_DELTA_USER,
961 .name = "administrator",
962 .expected_error = NT_STATUS_OK,
963 .expected_num_results = 1,
964 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
965 .comment = "NETR_DELTA_USER by name 'administrator'"
968 .rid = DOMAIN_RID_ADMINS,
970 .db_index = SAM_DATABASE_DOMAIN,
971 .delta_type = NETR_DELTA_GROUP,
974 .expected_error = NT_STATUS_OK,
975 .expected_num_results = 2,
976 .expected_delta_type_1 = NETR_DELTA_GROUP,
977 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
978 .comment = "NETR_DELTA_GROUP by rid 512"
981 .rid = DOMAIN_RID_ADMINS,
983 .db_index = SAM_DATABASE_DOMAIN,
984 .delta_type = NETR_DELTA_GROUP_MEMBER,
987 .expected_error = NT_STATUS_OK,
988 .expected_num_results = 2,
989 .expected_delta_type_1 = NETR_DELTA_GROUP,
990 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
991 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
995 /* SAM_DATABASE_BUILTIN */
1000 .db_index = SAM_DATABASE_BUILTIN,
1001 .delta_type = NETR_DELTA_MODIFY_COUNT,
1004 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1005 .expected_num_results = 0,
1006 .comment = "NETR_DELTA_MODIFY_COUNT"
1011 .db_index = SAM_DATABASE_BUILTIN,
1012 .delta_type = NETR_DELTA_DOMAIN,
1015 .expected_error = NT_STATUS_OK,
1016 .expected_num_results = 1,
1017 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1018 .comment = "NETR_DELTA_DOMAIN"
1021 .rid = DOMAIN_RID_ADMINISTRATOR,
1023 .db_index = SAM_DATABASE_BUILTIN,
1024 .delta_type = NETR_DELTA_USER,
1027 .expected_error = NT_STATUS_OK,
1028 .expected_num_results = 1,
1029 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1030 .comment = "NETR_DELTA_USER by rid 500"
1035 .db_index = SAM_DATABASE_BUILTIN,
1036 .delta_type = NETR_DELTA_USER,
1039 .expected_error = NT_STATUS_OK,
1040 .expected_num_results = 1,
1041 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1042 .comment = "NETR_DELTA_USER"
1047 .db_index = SAM_DATABASE_BUILTIN,
1048 .delta_type = NETR_DELTA_ALIAS,
1051 .expected_error = NT_STATUS_OK,
1052 .expected_num_results = 2,
1053 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1054 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1055 .comment = "NETR_DELTA_ALIAS by rid 544"
1060 .db_index = SAM_DATABASE_BUILTIN,
1061 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1064 .expected_error = NT_STATUS_OK,
1065 .expected_num_results = 2,
1066 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1067 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1068 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1073 .db_index = SAM_DATABASE_BUILTIN,
1077 .expected_error = NT_STATUS_OK,
1078 .expected_num_results = 1,
1079 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1080 .comment = "NULL DELTA by rid 544"
1084 .flags = NETR_CHANGELOG_SID_INCLUDED,
1085 .db_index = SAM_DATABASE_BUILTIN,
1087 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1089 .expected_error = NT_STATUS_OK,
1090 .expected_num_results = 1,
1091 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1092 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1096 .flags = NETR_CHANGELOG_SID_INCLUDED,
1097 .db_index = SAM_DATABASE_BUILTIN,
1098 .delta_type = NETR_DELTA_ALIAS,
1099 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1101 .expected_error = NT_STATUS_OK,
1102 .expected_num_results = 2,
1103 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1104 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1105 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1109 .flags = NETR_CHANGELOG_SID_INCLUDED,
1110 .db_index = SAM_DATABASE_BUILTIN,
1111 .delta_type = NETR_DELTA_ALIAS,
1112 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1114 .expected_error = NT_STATUS_OK,
1115 .expected_num_results = 1,
1116 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1117 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1120 /* SAM_DATABASE_PRIVS */
1125 .db_index = SAM_DATABASE_PRIVS,
1129 .expected_error = NT_STATUS_ACCESS_DENIED,
1130 .expected_num_results = 0,
1131 .comment = "NULL DELTA"
1136 .db_index = SAM_DATABASE_PRIVS,
1137 .delta_type = NETR_DELTA_MODIFY_COUNT,
1140 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1141 .expected_num_results = 0,
1142 .comment = "NETR_DELTA_MODIFY_COUNT"
1147 .db_index = SAM_DATABASE_PRIVS,
1148 .delta_type = NETR_DELTA_POLICY,
1151 .expected_error = NT_STATUS_OK,
1152 .expected_num_results = 1,
1153 .expected_delta_type_1 = NETR_DELTA_POLICY,
1154 .comment = "NETR_DELTA_POLICY"
1158 .flags = NETR_CHANGELOG_SID_INCLUDED,
1159 .db_index = SAM_DATABASE_PRIVS,
1160 .delta_type = NETR_DELTA_POLICY,
1163 .expected_error = NT_STATUS_OK,
1164 .expected_num_results = 1,
1165 .expected_delta_type_1 = NETR_DELTA_POLICY,
1166 .comment = "NETR_DELTA_POLICY by null sid and flags"
1170 .flags = NETR_CHANGELOG_SID_INCLUDED,
1171 .db_index = SAM_DATABASE_PRIVS,
1172 .delta_type = NETR_DELTA_POLICY,
1173 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1175 .expected_error = NT_STATUS_OK,
1176 .expected_num_results = 1,
1177 .expected_delta_type_1 = NETR_DELTA_POLICY,
1178 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1181 .rid = DOMAIN_RID_ADMINISTRATOR,
1183 .db_index = SAM_DATABASE_PRIVS,
1184 .delta_type = NETR_DELTA_ACCOUNT,
1187 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1188 .expected_num_results = 0,
1189 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1193 .flags = NETR_CHANGELOG_SID_INCLUDED,
1194 .db_index = SAM_DATABASE_PRIVS,
1195 .delta_type = NETR_DELTA_ACCOUNT,
1196 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1198 .expected_error = NT_STATUS_OK,
1199 .expected_num_results = 1,
1200 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1201 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1205 .flags = NETR_CHANGELOG_SID_INCLUDED |
1206 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1207 .db_index = SAM_DATABASE_PRIVS,
1208 .delta_type = NETR_DELTA_ACCOUNT,
1209 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1211 .expected_error = NT_STATUS_OK,
1212 .expected_num_results = 1,
1213 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1214 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1218 .flags = NETR_CHANGELOG_SID_INCLUDED |
1219 NETR_CHANGELOG_NAME_INCLUDED,
1220 .db_index = SAM_DATABASE_PRIVS,
1221 .delta_type = NETR_DELTA_ACCOUNT,
1222 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1224 .expected_error = NT_STATUS_INVALID_PARAMETER,
1225 .expected_num_results = 0,
1226 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1229 .rid = DOMAIN_RID_ADMINISTRATOR,
1230 .flags = NETR_CHANGELOG_SID_INCLUDED,
1231 .db_index = SAM_DATABASE_PRIVS,
1232 .delta_type = NETR_DELTA_ACCOUNT,
1235 .expected_error = NT_STATUS_OK,
1236 .expected_num_results = 1,
1237 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1238 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1242 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1243 .db_index = SAM_DATABASE_PRIVS,
1244 .delta_type = NETR_DELTA_SECRET,
1246 .name = "IsurelydontexistIhope",
1247 .expected_error = NT_STATUS_OK,
1248 .expected_num_results = 1,
1249 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1250 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1254 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1255 .db_index = SAM_DATABASE_PRIVS,
1256 .delta_type = NETR_DELTA_SECRET,
1258 .name = "G$BCKUPKEY_P",
1259 .expected_error = NT_STATUS_OK,
1260 .expected_num_results = 1,
1261 .expected_delta_type_1 = NETR_DELTA_SECRET,
1262 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1266 ZERO_STRUCT(return_authenticator);
1268 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1269 r.in.computername = TEST_MACHINE_NAME;
1270 r.in.return_authenticator = &return_authenticator;
1271 r.out.return_authenticator = &return_authenticator;
1272 r.out.delta_enum_array = &delta_enum_array;
1274 for (d=0; d<3; d++) {
1276 const char *database;
1283 database = "BUILTIN";
1292 torture_comment(tctx, "Testing DatabaseRedo\n");
1294 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1298 for (i=0;i<ARRAY_SIZE(changes);i++) {
1300 if (d != changes[i].db_index) {
1304 creds_client_authenticator(creds, &credential);
1306 r.in.credential = &credential;
1308 e.serial_number1 = 0;
1309 e.serial_number2 = 0;
1310 e.object_rid = changes[i].rid;
1311 e.flags = changes[i].flags;
1312 e.db_index = changes[i].db_index;
1313 e.delta_type = changes[i].delta_type;
1315 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1316 case NETR_CHANGELOG_SID_INCLUDED:
1317 e.object.object_sid = changes[i].sid;
1319 case NETR_CHANGELOG_NAME_INCLUDED:
1320 e.object.object_name = changes[i].name;
1326 r.in.change_log_entry = e;
1328 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1329 database, changes[i].comment);
1331 status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1332 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1336 torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1337 if (delta_enum_array) {
1338 torture_assert_int_equal(tctx,
1339 delta_enum_array->num_deltas,
1340 changes[i].expected_num_results,
1341 changes[i].comment);
1342 if (delta_enum_array->num_deltas > 0) {
1343 torture_assert_int_equal(tctx,
1344 delta_enum_array->delta_enum[0].delta_type,
1345 changes[i].expected_delta_type_1,
1346 changes[i].comment);
1348 if (delta_enum_array->num_deltas > 1) {
1349 torture_assert_int_equal(tctx,
1350 delta_enum_array->delta_enum[1].delta_type,
1351 changes[i].expected_delta_type_2,
1352 changes[i].comment);
1356 if (!creds_client_check(creds, &return_authenticator.cred)) {
1357 torture_comment(tctx, "Credential chaining failed\n");
1358 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1370 try a netlogon AccountDeltas
1372 static bool test_AccountDeltas(struct torture_context *tctx,
1373 struct dcerpc_pipe *p,
1374 struct cli_credentials *machine_credentials)
1377 struct netr_AccountDeltas r;
1378 struct creds_CredentialState *creds;
1380 struct netr_AccountBuffer buffer;
1381 uint32_t count_returned = 0;
1382 uint32_t total_entries = 0;
1383 struct netr_UAS_INFO_0 recordid;
1384 struct netr_Authenticator return_authenticator;
1386 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1390 ZERO_STRUCT(return_authenticator);
1392 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1393 r.in.computername = TEST_MACHINE_NAME;
1394 r.in.return_authenticator = &return_authenticator;
1395 creds_client_authenticator(creds, &r.in.credential);
1396 ZERO_STRUCT(r.in.uas);
1399 r.in.buffersize=100;
1400 r.out.buffer = &buffer;
1401 r.out.count_returned = &count_returned;
1402 r.out.total_entries = &total_entries;
1403 r.out.recordid = &recordid;
1404 r.out.return_authenticator = &return_authenticator;
1406 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1407 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1408 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1414 try a netlogon AccountSync
1416 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1417 struct cli_credentials *machine_credentials)
1420 struct netr_AccountSync r;
1421 struct creds_CredentialState *creds;
1423 struct netr_AccountBuffer buffer;
1424 uint32_t count_returned = 0;
1425 uint32_t total_entries = 0;
1426 uint32_t next_reference = 0;
1427 struct netr_UAS_INFO_0 recordid;
1428 struct netr_Authenticator return_authenticator;
1430 ZERO_STRUCT(recordid);
1431 ZERO_STRUCT(return_authenticator);
1433 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1437 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1438 r.in.computername = TEST_MACHINE_NAME;
1439 r.in.return_authenticator = &return_authenticator;
1440 creds_client_authenticator(creds, &r.in.credential);
1441 r.in.recordid = &recordid;
1444 r.in.buffersize=100;
1445 r.out.buffer = &buffer;
1446 r.out.count_returned = &count_returned;
1447 r.out.total_entries = &total_entries;
1448 r.out.next_reference = &next_reference;
1449 r.out.recordid = &recordid;
1450 r.out.return_authenticator = &return_authenticator;
1452 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1453 status = dcerpc_netr_AccountSync(p, tctx, &r);
1454 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1460 try a netlogon GetDcName
1462 static bool test_GetDcName(struct torture_context *tctx,
1463 struct dcerpc_pipe *p)
1466 struct netr_GetDcName r;
1467 const char *dcname = NULL;
1469 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1470 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1471 r.out.dcname = &dcname;
1473 status = dcerpc_netr_GetDcName(p, tctx, &r);
1474 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1475 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1477 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1483 try a netlogon LogonControl
1485 static bool test_LogonControl(struct torture_context *tctx,
1486 struct dcerpc_pipe *p)
1489 struct netr_LogonControl r;
1490 union netr_CONTROL_QUERY_INFORMATION info;
1493 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1494 r.in.function_code = 1;
1500 torture_comment(tctx, "Testing LogonControl level %d\n", i);
1502 status = dcerpc_netr_LogonControl(p, tctx, &r);
1503 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1511 try a netlogon GetAnyDCName
1513 static bool test_GetAnyDCName(struct torture_context *tctx,
1514 struct dcerpc_pipe *p)
1517 struct netr_GetAnyDCName r;
1518 const char *dcname = NULL;
1520 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1521 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1522 r.out.dcname = &dcname;
1524 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1525 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1526 torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1529 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1537 try a netlogon LogonControl2
1539 static bool test_LogonControl2(struct torture_context *tctx,
1540 struct dcerpc_pipe *p)
1543 struct netr_LogonControl2 r;
1544 union netr_CONTROL_DATA_INFORMATION data;
1545 union netr_CONTROL_QUERY_INFORMATION query;
1548 data.domain = lp_workgroup(tctx->lp_ctx);
1550 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1552 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1554 r.out.query = &query;
1559 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1560 i, r.in.function_code);
1562 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1563 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1566 data.domain = lp_workgroup(tctx->lp_ctx);
1568 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1574 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1575 i, r.in.function_code);
1577 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1578 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1581 data.domain = lp_workgroup(tctx->lp_ctx);
1583 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1589 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1590 i, r.in.function_code);
1592 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1593 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1596 data.debug_level = ~0;
1598 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1604 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1605 i, r.in.function_code);
1607 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1608 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1615 try a netlogon DatabaseSync2
1617 static bool test_DatabaseSync2(struct torture_context *tctx,
1618 struct dcerpc_pipe *p,
1619 struct cli_credentials *machine_credentials)
1622 struct netr_DatabaseSync2 r;
1623 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1624 struct netr_Authenticator return_authenticator, credential;
1626 struct creds_CredentialState *creds;
1627 const uint32_t database_ids[] = {0, 1, 2};
1630 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1631 machine_credentials,
1632 SEC_CHAN_BDC, &creds)) {
1636 ZERO_STRUCT(return_authenticator);
1638 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1639 r.in.computername = TEST_MACHINE_NAME;
1640 r.in.preferredmaximumlength = (uint32_t)-1;
1641 r.in.return_authenticator = &return_authenticator;
1642 r.out.return_authenticator = &return_authenticator;
1643 r.out.delta_enum_array = &delta_enum_array;
1645 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1647 uint32_t sync_context = 0;
1649 r.in.database_id = database_ids[i];
1650 r.in.sync_context = &sync_context;
1651 r.out.sync_context = &sync_context;
1652 r.in.restart_state = 0;
1654 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1657 creds_client_authenticator(creds, &credential);
1659 r.in.credential = &credential;
1661 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1662 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1665 /* Native mode servers don't do this */
1666 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1670 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1672 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
1673 torture_comment(tctx, "Credential chaining failed\n");
1676 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1684 try a netlogon LogonControl2Ex
1686 static bool test_LogonControl2Ex(struct torture_context *tctx,
1687 struct dcerpc_pipe *p)
1690 struct netr_LogonControl2Ex r;
1691 union netr_CONTROL_QUERY_INFORMATION query;
1694 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1696 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1697 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1698 r.out.query = &query;
1703 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1704 i, r.in.function_code);
1706 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1707 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1710 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1711 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1716 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1717 i, r.in.function_code);
1719 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1720 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1723 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1724 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1729 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1730 i, r.in.function_code);
1732 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1733 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1736 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1737 r.in.data.debug_level = ~0;
1742 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1743 i, r.in.function_code);
1745 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1746 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1752 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1753 struct dcerpc_pipe *p, const char *trusted_domain_name)
1756 struct netr_DsRGetForestTrustInformation r;
1757 struct lsa_ForestTrustInformation info, *info_ptr;
1761 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1762 r.in.trusted_domain_name = trusted_domain_name;
1764 r.out.forest_trust_info = &info_ptr;
1766 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1768 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1769 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1770 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1776 try a netlogon netr_DsrEnumerateDomainTrusts
1778 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1779 struct dcerpc_pipe *p)
1782 struct netr_DsrEnumerateDomainTrusts r;
1783 struct netr_DomainTrustList trusts;
1786 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1787 r.in.trust_flags = 0x3f;
1788 r.out.trusts = &trusts;
1790 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1791 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1792 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1794 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1795 * will show non-forest trusts and all UPN suffixes of the own forest
1796 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1798 if (r.out.trusts->count) {
1799 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1804 for (i=0; i<r.out.trusts->count; i++) {
1806 /* get info for transitive forest trusts */
1808 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1809 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1810 r.out.trusts->array[i].dns_name)) {
1819 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1820 struct dcerpc_pipe *p)
1823 struct netr_NetrEnumerateTrustedDomains r;
1824 struct netr_Blob trusted_domains_blob;
1826 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1827 r.out.trusted_domains_blob = &trusted_domains_blob;
1829 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1830 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1831 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1836 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1837 struct dcerpc_pipe *p)
1840 struct netr_NetrEnumerateTrustedDomainsEx r;
1841 struct netr_DomainTrustList dom_trust_list;
1843 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1844 r.out.dom_trust_list = &dom_trust_list;
1846 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1847 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1848 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1854 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1855 const char *computer_name,
1856 const char *expected_site)
1859 struct netr_DsRGetSiteName r;
1860 const char *site = NULL;
1862 if (torture_setting_bool(tctx, "samba4", false))
1863 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1865 r.in.computer_name = computer_name;
1867 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1869 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1870 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1871 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1872 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1874 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1875 torture_comment(tctx,
1876 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1878 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1879 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1880 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1886 try a netlogon netr_DsRGetDCName
1888 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1889 struct dcerpc_pipe *p)
1892 struct netr_DsRGetDCName r;
1893 struct netr_DsRGetDCNameInfo *info = NULL;
1895 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1896 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1897 r.in.domain_guid = NULL;
1898 r.in.site_guid = NULL;
1899 r.in.flags = DS_RETURN_DNS_NAME;
1902 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1903 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1904 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1905 return test_netr_DsRGetSiteName(p, tctx,
1907 info->dc_site_name);
1911 try a netlogon netr_DsRGetDCNameEx
1913 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1914 struct dcerpc_pipe *p)
1917 struct netr_DsRGetDCNameEx r;
1918 struct netr_DsRGetDCNameInfo *info = NULL;
1920 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1921 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1922 r.in.domain_guid = NULL;
1923 r.in.site_name = NULL;
1924 r.in.flags = DS_RETURN_DNS_NAME;
1927 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1928 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1929 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1931 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1932 info->dc_site_name);
1936 try a netlogon netr_DsRGetDCNameEx2
1938 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1939 struct dcerpc_pipe *p)
1942 struct netr_DsRGetDCNameEx2 r;
1943 struct netr_DsRGetDCNameInfo *info = NULL;
1945 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1946 r.in.client_account = NULL;
1947 r.in.mask = 0x00000000;
1948 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1949 r.in.domain_guid = NULL;
1950 r.in.site_name = NULL;
1951 r.in.flags = DS_RETURN_DNS_NAME;
1954 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1956 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1957 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1958 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1960 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1961 r.in.client_account = TEST_MACHINE_NAME"$";
1962 r.in.mask = ACB_SVRTRUST;
1963 r.in.flags = DS_RETURN_FLAT_NAME;
1966 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1967 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1968 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1969 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1970 info->dc_site_name);
1973 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1974 struct dcerpc_pipe *p)
1977 struct netr_DsrGetDcSiteCoverageW r;
1978 struct DcSitesCtr *ctr = NULL;
1980 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1983 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1984 torture_assert_ntstatus_ok(tctx, status, "failed");
1985 torture_assert_werr_ok(tctx, r.out.result, "failed");
1990 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
1991 struct dcerpc_pipe *p)
1994 struct netr_DsRAddressToSitenamesW r;
1995 struct netr_DsRAddress addr;
1996 struct netr_DsRAddressToSitenamesWCtr *ctr;
1998 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2001 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2003 addr.buffer[0] = 2; /* AF_INET */
2004 addr.buffer[4] = 127;
2009 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2011 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2012 r.in.addresses[0] = addr;
2015 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2016 torture_assert_ntstatus_ok(tctx, status, "failed");
2017 torture_assert_werr_ok(tctx, r.out.result, "failed");
2022 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2023 struct dcerpc_pipe *p)
2026 struct netr_DsRAddressToSitenamesExW r;
2027 struct netr_DsRAddress addr;
2028 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2030 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2033 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2035 addr.buffer[0] = 2; /* AF_INET */
2036 addr.buffer[4] = 127;
2041 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2043 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2044 r.in.addresses[0] = addr;
2047 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2048 torture_assert_ntstatus_ok(tctx, status, "failed");
2049 torture_assert_werr_ok(tctx, r.out.result, "failed");
2054 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2055 struct dcerpc_pipe *p,
2056 struct cli_credentials *machine_credentials)
2059 struct netr_ServerGetTrustInfo r;
2061 struct netr_Authenticator a;
2062 struct netr_Authenticator return_authenticator;
2063 struct samr_Password new_owf_password;
2064 struct samr_Password old_owf_password;
2065 struct netr_TrustInfo *trust_info;
2067 struct creds_CredentialState *creds;
2069 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2070 machine_credentials, &creds)) {
2074 creds_client_authenticator(creds, &a);
2076 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2077 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2078 r.in.secure_channel_type = SEC_CHAN_BDC;
2079 r.in.computer_name = TEST_MACHINE_NAME;
2080 r.in.credential = &a;
2082 r.out.return_authenticator = &return_authenticator;
2083 r.out.new_owf_password = &new_owf_password;
2084 r.out.old_owf_password = &old_owf_password;
2085 r.out.trust_info = &trust_info;
2087 status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2088 torture_assert_ntstatus_ok(tctx, status, "failed");
2089 torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2095 static bool test_GetDomainInfo(struct torture_context *tctx,
2096 struct dcerpc_pipe *p,
2097 struct cli_credentials *machine_credentials)
2100 struct netr_LogonGetDomainInfo r;
2101 struct netr_DomainQuery1 q1;
2102 struct netr_Authenticator a;
2103 struct creds_CredentialState *creds;
2104 union netr_DomainInfo info;
2106 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2107 machine_credentials, &creds)) {
2113 creds_client_authenticator(creds, &a);
2115 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2116 r.in.computer_name = TEST_MACHINE_NAME;
2118 r.in.credential = &a;
2119 r.in.return_authenticator = &a;
2120 r.out.return_authenticator = &a;
2123 r.in.query.query1 = &q1;
2126 /* this should really be the fully qualified name */
2127 q1.workstation_domain = TEST_MACHINE_NAME;
2128 q1.workstation_site = "Default-First-Site-Name";
2129 q1.blob2.length = 0;
2131 q1.blob2.data = NULL;
2132 q1.product.string = "product string";
2134 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2136 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2137 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2138 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2140 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2141 creds_client_authenticator(creds, &a);
2143 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2144 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2145 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2151 static void async_callback(struct rpc_request *req)
2153 int *counter = (int *)req->async.private_data;
2154 if (NT_STATUS_IS_OK(req->status)) {
2159 static bool test_GetDomainInfo_async(struct torture_context *tctx,
2160 struct dcerpc_pipe *p,
2161 struct cli_credentials *machine_credentials)
2164 struct netr_LogonGetDomainInfo r;
2165 struct netr_DomainQuery1 q1;
2166 struct netr_Authenticator a;
2167 #define ASYNC_COUNT 100
2168 struct creds_CredentialState *creds;
2169 struct creds_CredentialState *creds_async[ASYNC_COUNT];
2170 struct rpc_request *req[ASYNC_COUNT];
2172 int *async_counter = talloc(tctx, int);
2173 union netr_DomainInfo info;
2175 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2176 machine_credentials, &creds)) {
2181 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2182 r.in.computer_name = TEST_MACHINE_NAME;
2184 r.in.credential = &a;
2185 r.in.return_authenticator = &a;
2186 r.out.return_authenticator = &a;
2189 r.in.query.query1 = &q1;
2192 /* this should really be the fully qualified name */
2193 q1.workstation_domain = TEST_MACHINE_NAME;
2194 q1.workstation_site = "Default-First-Site-Name";
2195 q1.blob2.length = 0;
2197 q1.blob2.data = NULL;
2198 q1.product.string = "product string";
2200 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2204 for (i=0;i<ASYNC_COUNT;i++) {
2205 creds_client_authenticator(creds, &a);
2207 creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2208 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2210 req[i]->async.callback = async_callback;
2211 req[i]->async.private_data = async_counter;
2213 /* even with this flush per request a w2k3 server seems to
2214 clag with multiple outstanding requests. bleergh. */
2215 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2216 "event_loop_once failed");
2219 for (i=0;i<ASYNC_COUNT;i++) {
2220 status = dcerpc_ndr_request_recv(req[i]);
2222 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2223 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2225 torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
2226 "Credential chaining failed at async");
2229 torture_comment(tctx,
2230 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2232 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2237 static bool test_ManyGetDCName(struct torture_context *tctx,
2238 struct dcerpc_pipe *p)
2241 struct dcerpc_pipe *p2;
2242 struct lsa_ObjectAttribute attr;
2243 struct lsa_QosInfo qos;
2244 struct lsa_OpenPolicy2 o;
2245 struct policy_handle lsa_handle;
2246 struct lsa_DomainList domains;
2248 struct lsa_EnumTrustDom t;
2249 uint32_t resume_handle = 0;
2250 struct netr_GetAnyDCName d;
2251 const char *dcname = NULL;
2255 if (p->conn->transport.transport != NCACN_NP) {
2259 torture_comment(tctx, "Torturing GetDCName\n");
2261 status = dcerpc_secondary_connection(p, &p2, p->binding);
2262 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2264 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2265 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2268 qos.impersonation_level = 2;
2269 qos.context_mode = 1;
2270 qos.effective_only = 0;
2273 attr.root_dir = NULL;
2274 attr.object_name = NULL;
2275 attr.attributes = 0;
2276 attr.sec_desc = NULL;
2277 attr.sec_qos = &qos;
2279 o.in.system_name = "\\";
2281 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2282 o.out.handle = &lsa_handle;
2284 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2285 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2287 t.in.handle = &lsa_handle;
2288 t.in.resume_handle = &resume_handle;
2289 t.in.max_size = 1000;
2290 t.out.domains = &domains;
2291 t.out.resume_handle = &resume_handle;
2293 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2295 if ((!NT_STATUS_IS_OK(status) &&
2296 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2297 torture_fail(tctx, "Could not list domains");
2301 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2302 dcerpc_server_name(p));
2303 d.out.dcname = &dcname;
2305 for (i=0; i<domains.count * 4; i++) {
2306 struct lsa_DomainInfo *info =
2307 &domains.domains[rand()%domains.count];
2309 d.in.domainname = info->name.string;
2311 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2312 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2314 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2315 dcname ? dcname : "unknown");
2321 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2323 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2324 struct torture_rpc_tcase *tcase;
2325 struct torture_test *test;
2327 tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
2328 &ndr_table_netlogon, TEST_MACHINE_NAME);
2330 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2331 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2332 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2333 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2334 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2335 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2336 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2337 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2338 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2339 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2340 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2341 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2342 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2343 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2344 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2345 torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2346 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2347 torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2348 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2349 torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2350 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2351 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2352 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2353 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2354 test->dangerous = true;
2355 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2356 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2357 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2358 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2359 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2360 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2361 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);