This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "torture/torture.h"
#include "auth/auth.h"
-#include "dlinklist.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/util/dlinklist.h"
+#include "../lib/crypto/crypto.h"
#include "system/time.h"
+#include "torture/rpc/rpc.h"
+#include "auth/gensec/schannel_proto.h"
+#include "auth/gensec/gensec.h"
+#include "libcli/auth/libcli_auth.h"
+#include "libcli/samsync/samsync.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "param/param.h"
#define TEST_MACHINE_NAME "samsynctest"
#define TEST_WKSTA_MACHINE_NAME "samsynctest2"
try a netlogon SamLogon
*/
static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
+ struct netlogon_creds_CredentialState *creds,
const char *domain, const char *account_name,
const char *workstation,
struct samr_Password *lm_hash,
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
+ union netr_LogonLevel logon;
+ union netr_Validation validation;
+ uint8_t authoritative;
ninfo.identity_info.domain_name.string = domain;
ninfo.identity_info.parameter_control = 0;
sizeof(ninfo.challenge));
if (nt_hash) {
ninfo.nt.length = 24;
- ninfo.nt.data = talloc_size(mem_ctx, 24);
+ ninfo.nt.data = talloc_array(mem_ctx, uint8_t, 24);
SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
} else {
ninfo.nt.length = 0;
if (lm_hash) {
ninfo.lm.length = 24;
- ninfo.lm.data = talloc_size(mem_ctx, 24);
+ ninfo.lm.data = talloc_array(mem_ctx, uint8_t, 24);
SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
} else {
ninfo.lm.length = 0;
ninfo.lm.data = NULL;
}
+ logon.network = &ninfo;
+
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = workstation;
+ r.in.computer_name = workstation;
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = 2;
- r.in.logon.network = &ninfo;
+ r.in.logon = &logon;
+ r.out.validation = &validation;
+ r.out.authoritative = &authoritative;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.validation_level = 3;
status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
if (info3) {
- *info3 = r.out.validation.sam3;
+ *info3 = validation.sam3;
}
return status;
struct samsync_state {
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
uint64_t seq_num[3];
- char *domain_name[2];
+ const char *domain_name[2];
struct samsync_secret *secrets;
struct samsync_trusted_domain *trusted_domains;
- struct creds_CredentialState *creds;
- struct creds_CredentialState *creds_netlogon_wksta;
+ struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds_netlogon_wksta;
struct policy_handle *connect_handle;
struct policy_handle *domain_handle[2];
struct dom_sid *sid[2];
struct samsync_secret {
struct samsync_secret *prev, *next;
DATA_BLOB secret;
- char *name;
+ const char *name;
NTTIME mtime;
};
struct samsync_trusted_domain {
struct samsync_trusted_domain *prev, *next;
struct dom_sid *sid;
- char *name;
+ const char *name;
};
static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
struct samsync_state *samsync_state,
const char *domain,
- struct dom_sid **sid)
+ struct dom_sid **sid_p)
{
- struct samr_String name;
+ struct lsa_String name;
struct samr_OpenDomain o;
struct samr_LookupDomain l;
+ struct dom_sid2 *sid = NULL;
struct policy_handle *domain_handle = talloc(mem_ctx, struct policy_handle);
NTSTATUS nt_status;
name.string = domain;
l.in.connect_handle = samsync_state->connect_handle;
l.in.domain_name = &name;
+ l.out.sid = &sid;
nt_status = dcerpc_samr_LookupDomain(samsync_state->p_samr, mem_ctx, &l);
if (!NT_STATUS_IS_OK(nt_status)) {
o.in.connect_handle = samsync_state->connect_handle;
o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- o.in.sid = l.out.sid;
+ o.in.sid = *l.out.sid;
o.out.domain_handle = domain_handle;
- if (sid) {
- *sid = l.out.sid;
+ if (sid_p) {
+ *sid_p = *l.out.sid;
}
nt_status = dcerpc_samr_OpenDomain(samsync_state->p_samr, mem_ctx, &o);
struct policy_handle *handle)
{
struct samr_QuerySecurity r;
+ struct sec_desc_buf *sdbuf = NULL;
NTSTATUS status;
r.in.handle = handle;
r.in.sec_info = 0x7;
+ r.out.sdbuf = &sdbuf;
status = dcerpc_samr_QuerySecurity(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
- return r.out.sdbuf;
+ return sdbuf;
}
static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx,
struct policy_handle *handle)
{
struct lsa_QuerySecurity r;
+ struct sec_desc_buf *sdbuf = NULL;
NTSTATUS status;
r.in.handle = handle;
r.in.sec_info = 0x7;
+ r.out.sdbuf = &sdbuf;
status = dcerpc_lsa_QuerySecurity(samsync_state->p_lsa, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
- return r.out.sdbuf;
+ return sdbuf;
}
#define TEST_UINT64_EQUAL(i1, i2) do {\
if (i1 != i2) {\
- printf("%s: uint64 mismatch: " #i1 ": 0x%08x%08x (%lld) != " #i2 ": 0x%08x%08x (%lld)\n", \
+ printf("%s: uint64 mismatch: " #i1 ": 0x%016llx (%lld) != " #i2 ": 0x%016llx (%lld)\n", \
__location__, \
- (uint32_t)(i1 >> 32), (uint32_t)(i1 & 0xFFFFFFFF), i1, \
- (uint32_t)(i2 >> 32), (uint32_t)(i2 & 0xFFFFFFFF), i2);\
- ret = False;\
+ (long long)i1, (long long)i1, \
+ (long long)i2, (long long)i2);\
+ ret = false;\
} \
} while (0)
#define TEST_INT_EQUAL(i1, i2) do {\
if (i1 != i2) {\
- printf("%s: integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
- __location__, i1, i2);\
- ret = False;\
+ printf("%s: integer mismatch: " #i1 ": 0x%08x (%d) != " #i2 ": 0x%08x (%d)\n", \
+ __location__, i1, i1, i2, i2); \
+ ret = false;\
} \
} while (0)
#define TEST_TIME_EQUAL(t1, t2) do {\
if (t1 != t2) {\
printf("%s: NTTIME mismatch: " #t1 ":%s != " #t2 ": %s\n", \
__location__, nt_time_string(mem_ctx, t1), nt_time_string(mem_ctx, t2));\
- ret = False;\
+ ret = false;\
} \
} while (0)
&& strcmp_safe(s1.string, s2.string) != 0) {\
printf("%s: string mismatch: " #s1 ":%s != " #s2 ": %s\n", \
__location__, s1.string, s2.string);\
- ret = False;\
+ ret = false;\
+ } \
+} while (0)
+
+#define TEST_BINARY_STRING_EQUAL(s1, s2) do {\
+ if (!((!s1.array || s1.array[0]=='\0') && (!s2.array || s2.array[0]=='\0')) \
+ && memcmp(s1.array, s2.array, s1.length * 2) != 0) {\
+ printf("%s: string mismatch: " #s1 ":%s != " #s2 ": %s\n", \
+ __location__, (const char *)s1.array, (const char *)s2.array);\
+ ret = false;\
} \
} while (0)
if (!dom_sid_equal(s1, s2)) {\
printf("%s: dom_sid mismatch: " #s1 ":%s != " #s2 ": %s\n", \
__location__, dom_sid_string(mem_ctx, s1), dom_sid_string(mem_ctx, s2));\
- ret = False;\
+ ret = false;\
} \
} while (0)
handle); \
if (!sdbuf || !sdbuf->sd) { \
printf("Could not obtain security descriptor to match " #sd1 "\n");\
- ret = False; \
+ ret = false; \
} else {\
if (!security_descriptor_mask_equal(sd1.sd, sdbuf->sd, \
~SEC_DESC_SACL_PRESENT)) {\
printf("Security Descriptor Mismatch for %s:\n", #sd1);\
ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamSync", sd1.sd);\
ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamR", sdbuf->sd);\
- ret = False;\
+ ret = false;\
}\
}\
} while (0)
-static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
struct dom_sid *dom_sid;
struct samr_QueryDomainInfo q[14]; /* q[0] will be unused simple for clarity */
+ union samr_DomainInfo *info[14];
uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13};
NTSTATUS nt_status;
int i;
- BOOL ret = True;
+ bool ret = true;
samsync_state->seq_num[database_id] =
domain->sequence_num;
case SAM_DATABASE_DOMAIN:
break;
case SAM_DATABASE_BUILTIN:
- if (StrCaseCmp("BUILTIN", domain->domain_name.string) != 0) {
+ if (strcasecmp_m("BUILTIN", domain->domain_name.string) != 0) {
printf("BUILTIN domain has different name: %s\n", domain->domain_name.string);
}
break;
case SAM_DATABASE_PRIVS:
printf("DOMAIN entry on privs DB!\n");
- return False;
+ return false;
break;
}
samsync_state->domain_name[database_id] =
talloc_reference(samsync_state, domain->domain_name.string);
} else {
- if (StrCaseCmp(samsync_state->domain_name[database_id], domain->domain_name.string) != 0) {
+ if (strcasecmp_m(samsync_state->domain_name[database_id], domain->domain_name.string) != 0) {
printf("Domain has name varies!: %s != %s\n", samsync_state->domain_name[database_id],
domain->domain_name.string);
- return False;
+ return false;
}
}
}
if (samsync_state->domain_handle[database_id]) {
samsync_state->sid[database_id] = talloc_reference(samsync_state, dom_sid);
- talloc_reference(dom_sid, dom_sid->sub_auths);
}
printf("\tsequence_nums[%d/%s]=%llu\n",
database_id, domain->domain_name.string,
- samsync_state->seq_num[database_id]);
+ (long long)samsync_state->seq_num[database_id]);
for (i=0;i<ARRAY_SIZE(levels);i++) {
+
q[levels[i]].in.domain_handle = samsync_state->domain_handle[database_id];
q[levels[i]].in.level = levels[i];
+ q[levels[i]].out.info = &info[levels[i]];
nt_status = dcerpc_samr_QueryDomainInfo(samsync_state->p_samr, mem_ctx, &q[levels[i]]);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryDomainInfo level %u failed - %s\n",
q[levels[i]].in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
}
- TEST_STRING_EQUAL(q[5].out.info->info5.domain_name, domain->domain_name);
+ TEST_STRING_EQUAL(info[5]->info5.domain_name, domain->domain_name);
- TEST_STRING_EQUAL(q[2].out.info->info2.comment, domain->comment);
- TEST_STRING_EQUAL(q[4].out.info->info4.comment, domain->comment);
- TEST_TIME_EQUAL(q[2].out.info->info2.force_logoff_time, domain->force_logoff_time);
- TEST_TIME_EQUAL(q[3].out.info->info3.force_logoff_time, domain->force_logoff_time);
+ TEST_STRING_EQUAL(info[2]->general.oem_information, domain->oem_information);
+ TEST_STRING_EQUAL(info[4]->oem.oem_information, domain->oem_information);
+ TEST_TIME_EQUAL(info[2]->general.force_logoff_time, domain->force_logoff_time);
+ TEST_TIME_EQUAL(info[3]->info3.force_logoff_time, domain->force_logoff_time);
- TEST_TIME_EQUAL(q[1].out.info->info1.min_password_length, domain->min_password_length);
- TEST_TIME_EQUAL(q[1].out.info->info1.password_history_length, domain->password_history_length);
- TEST_TIME_EQUAL(q[1].out.info->info1.max_password_age, domain->max_password_age);
- TEST_TIME_EQUAL(q[1].out.info->info1.min_password_age, domain->min_password_age);
+ TEST_TIME_EQUAL(info[1]->info1.min_password_length, domain->min_password_length);
+ TEST_TIME_EQUAL(info[1]->info1.password_history_length, domain->password_history_length);
+ TEST_TIME_EQUAL(info[1]->info1.max_password_age, domain->max_password_age);
+ TEST_TIME_EQUAL(info[1]->info1.min_password_age, domain->min_password_age);
- TEST_UINT64_EQUAL(q[8].out.info->info8.sequence_num,
+ TEST_UINT64_EQUAL(info[8]->info8.sequence_num,
domain->sequence_num);
- TEST_TIME_EQUAL(q[8].out.info->info8.domain_create_time,
+ TEST_TIME_EQUAL(info[8]->info8.domain_create_time,
domain->domain_create_time);
- TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time,
+ TEST_TIME_EQUAL(info[13]->info13.domain_create_time,
domain->domain_create_time);
TEST_SEC_DESC_EQUAL(domain->sdbuf, samr, samsync_state->domain_handle[database_id]);
return ret;
}
-static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_POLICY *policy = delta->delta_union.policy;
samsync_state->domain_name[SAM_DATABASE_DOMAIN] =
talloc_reference(samsync_state, policy->primary_domain_name.string);
} else {
- if (StrCaseCmp(samsync_state->domain_name[SAM_DATABASE_DOMAIN], policy->primary_domain_name.string) != 0) {
+ if (strcasecmp_m(samsync_state->domain_name[SAM_DATABASE_DOMAIN], policy->primary_domain_name.string) != 0) {
printf("PRIMARY domain has name varies between DOMAIN and POLICY!: %s != %s\n", samsync_state->domain_name[SAM_DATABASE_DOMAIN],
policy->primary_domain_name.string);
- return False;
+ return false;
}
}
if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
- return False;
+ return false;
}
printf("\tsequence_nums[%d/PRIVS]=%llu\n",
database_id,
- samsync_state->seq_num[database_id]);
- return True;
+ (long long)samsync_state->seq_num[database_id]);
+ return true;
}
-static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
const char *domain = samsync_state->domain_name[database_id];
const char *username = user->account_name.string;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenUser r;
struct samr_QueryUserInfo q;
+ union samr_UserInfo *info;
struct policy_handle user_handle;
struct samr_GetGroupsForUser getgroups;
+ struct samr_RidWithAttributeArray *rids;
+
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenUser(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.user_handle = &user_handle;
q.in.level = 21;
+ q.out.info = &info;
TEST_SEC_DESC_EQUAL(user->sdbuf, samr, &user_handle);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryUserInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
getgroups.in.user_handle = &user_handle;
+ getgroups.out.rids = &rids;
nt_status = dcerpc_samr_GetGroupsForUser(samsync_state->p_samr, mem_ctx, &getgroups);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("GetGroupsForUser failed - %s\n",
nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
printf("samr_handle_Close failed - %s\n",
nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
if (!ret) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryUserInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
- TEST_STRING_EQUAL(q.out.info->info21.account_name, user->account_name);
- TEST_STRING_EQUAL(q.out.info->info21.full_name, user->full_name);
- TEST_INT_EQUAL(q.out.info->info21.rid, user->rid);
- TEST_INT_EQUAL(q.out.info->info21.primary_gid, user->primary_gid);
- TEST_STRING_EQUAL(q.out.info->info21.home_directory, user->home_directory);
- TEST_STRING_EQUAL(q.out.info->info21.home_drive, user->home_drive);
- TEST_STRING_EQUAL(q.out.info->info21.logon_script, user->logon_script);
- TEST_STRING_EQUAL(q.out.info->info21.description, user->description);
- TEST_STRING_EQUAL(q.out.info->info21.workstations, user->workstations);
+ TEST_STRING_EQUAL(info->info21.account_name, user->account_name);
+ TEST_STRING_EQUAL(info->info21.full_name, user->full_name);
+ TEST_INT_EQUAL(info->info21.rid, user->rid);
+ TEST_INT_EQUAL(info->info21.primary_gid, user->primary_gid);
+ TEST_STRING_EQUAL(info->info21.home_directory, user->home_directory);
+ TEST_STRING_EQUAL(info->info21.home_drive, user->home_drive);
+ TEST_STRING_EQUAL(info->info21.logon_script, user->logon_script);
+ TEST_STRING_EQUAL(info->info21.description, user->description);
+ TEST_STRING_EQUAL(info->info21.workstations, user->workstations);
- TEST_TIME_EQUAL(q.out.info->info21.last_logon, user->last_logon);
- TEST_TIME_EQUAL(q.out.info->info21.last_logoff, user->last_logoff);
+ TEST_TIME_EQUAL(info->info21.last_logon, user->last_logon);
+ TEST_TIME_EQUAL(info->info21.last_logoff, user->last_logoff);
- TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week,
+ TEST_INT_EQUAL(info->info21.logon_hours.units_per_week,
user->logon_hours.units_per_week);
if (ret) {
- if (memcmp(q.out.info->info21.logon_hours.bits, user->logon_hours.bits,
- q.out.info->info21.logon_hours.units_per_week/8) != 0) {
+ if (memcmp(info->info21.logon_hours.bits, user->logon_hours.bits,
+ info->info21.logon_hours.units_per_week/8) != 0) {
printf("Logon hours mismatch\n");
- ret = False;
+ ret = false;
}
}
- TEST_INT_EQUAL(q.out.info->info21.bad_password_count,
+ TEST_INT_EQUAL(info->info21.bad_password_count,
user->bad_password_count);
- TEST_INT_EQUAL(q.out.info->info21.logon_count,
+ TEST_INT_EQUAL(info->info21.logon_count,
user->logon_count);
- TEST_TIME_EQUAL(q.out.info->info21.last_password_change,
+ TEST_TIME_EQUAL(info->info21.last_password_change,
user->last_password_change);
- TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
+ TEST_TIME_EQUAL(info->info21.acct_expiry,
user->acct_expiry);
- TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
- TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
- TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
- TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
+ TEST_INT_EQUAL((info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags);
+ if (user->acct_flags & ACB_PWNOEXP) {
+ if (info->info21.acct_flags & ACB_PW_EXPIRED) {
+ printf("ACB flags mismatch: both expired and no expiry!\n");
+ ret = false;
+ }
+ if (info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) {
+ printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n",
+ (unsigned long long)info->info21.force_password_change,
+ (unsigned long long)info->info21.force_password_change,
+ (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL
+ );
+ ret = false;
+ }
+ }
+
+ TEST_INT_EQUAL(info->info21.nt_password_set, user->nt_password_present);
+ TEST_INT_EQUAL(info->info21.lm_password_set, user->lm_password_present);
+ TEST_INT_EQUAL(info->info21.password_expired, user->password_expired);
- TEST_STRING_EQUAL(q.out.info->info21.comment, user->comment);
- TEST_STRING_EQUAL(q.out.info->info21.parameters, user->parameters);
+ TEST_STRING_EQUAL(info->info21.comment, user->comment);
+ TEST_BINARY_STRING_EQUAL(info->info21.parameters, user->parameters);
- TEST_INT_EQUAL(q.out.info->info21.country_code, user->country_code);
- TEST_INT_EQUAL(q.out.info->info21.code_page, user->code_page);
+ TEST_INT_EQUAL(info->info21.country_code, user->country_code);
+ TEST_INT_EQUAL(info->info21.code_page, user->code_page);
- TEST_STRING_EQUAL(q.out.info->info21.profile_path, user->profile_path);
+ TEST_STRING_EQUAL(info->info21.profile_path, user->profile_path);
if (user->lm_password_present) {
- sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
lm_hash_p = &lm_hash;
}
if (user->nt_password_present) {
- sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
nt_hash_p = &nt_hash;
}
if (user->user_private_info.SensitiveData) {
DATA_BLOB data;
struct netr_USER_KEYS keys;
+ enum ndr_err_code ndr_err;
data.data = user->user_private_info.SensitiveData;
data.length = user->user_private_info.DataLength;
- creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
- nt_status = ndr_pull_struct_blob(&data, mem_ctx, &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
- if (NT_STATUS_IS_OK(nt_status)) {
+ ndr_err = ndr_pull_struct_blob(&data, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
if (keys.keys.keys2.lmpassword.length == 16) {
- sam_rid_crypt(rid, keys.keys.keys2.lmpassword.pwd.hash, lm_hash.hash, 0);
lm_hash_p = &lm_hash;
}
if (keys.keys.keys2.ntpassword.length == 16) {
- sam_rid_crypt(rid, keys.keys.keys2.ntpassword.pwd.hash, nt_hash.hash, 0);
nt_hash_p = &nt_hash;
}
} else {
#if 0
dump_data(0, data.data, data.length);
#endif
- return False;
+ return false;
}
}
+ if (nt_hash_p) {
+ DATA_BLOB nt_hash_blob = data_blob_const(nt_hash_p, 16);
+ DEBUG(100,("ACCOUNT [%s\\%-25s] NTHASH %s\n", samsync_state->domain_name[0], username, data_blob_hex_string(mem_ctx, &nt_hash_blob)));
+ }
+ if (lm_hash_p) {
+ DATA_BLOB lm_hash_blob = data_blob_const(lm_hash_p, 16);
+ DEBUG(100,("ACCOUNT [%s\\%-25s] LMHASH %s\n", samsync_state->domain_name[0], username, data_blob_hex_string(mem_ctx, &lm_hash_blob)));
+ }
+
nt_status = test_SamLogon(samsync_state->p_netlogon_wksta, mem_ctx, samsync_state->creds_netlogon_wksta,
domain,
username,
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
if (user->acct_flags & ACB_DISABLED) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_WSTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_SVRTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_DOMTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
if (user->acct_flags & ACB_DOMTRUST) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
if (user->acct_flags & ACB_AUTOLOCK) {
- return True;
+ return true;
+ }
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) {
+ if (info->info21.acct_flags & ACB_PW_EXPIRED) {
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
if (!lm_hash_p && !nt_hash_p) {
- return True;
+ return true;
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE)) {
/* We would need to know the server's current time to test this properly */
- return True;
+ return true;
} else if (NT_STATUS_IS_OK(nt_status)) {
TEST_INT_EQUAL(user->rid, info3->base.rid);
TEST_INT_EQUAL(user->primary_gid, info3->base.primary_gid);
TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
+ TEST_TIME_EQUAL(info->info21.force_password_change, info3->base.force_password_change);
/* Does the concept of a logoff time ever really
* exist? (not in any sensible way, according to the
TEST_TIME_EQUAL(user->last_logoff, info3->base.last_logoff);
}
- TEST_INT_EQUAL(getgroups.out.rids->count, info3->base.groups.count);
- if (getgroups.out.rids->count == info3->base.groups.count) {
+ TEST_INT_EQUAL(rids->count, info3->base.groups.count);
+ if (rids->count == info3->base.groups.count) {
int i, j;
- int count = getgroups.out.rids->count;
- BOOL *matched = talloc_zero_array(mem_ctx, BOOL, getgroups.out.rids->count);
+ int count = rids->count;
+ bool *matched = talloc_zero_array(mem_ctx, bool, rids->count);
for (i = 0; i < count; i++) {
for (j = 0; j < count; j++) {
- if ((getgroups.out.rids->rids[i].rid ==
+ if ((rids->rids[i].rid ==
info3->base.groups.rids[j].rid)
- && (getgroups.out.rids->rids[i].type ==
- info3->base.groups.rids[j].type)) {
- matched[i] = True;
+ && (rids->rids[i].attributes ==
+ info3->base.groups.rids[j].attributes)) {
+ matched[i] = true;
}
}
}
- for (i = 0; i < getgroups.out.rids->count; i++) {
- if (matched[i] == False) {
- ret = False;
+ for (i = 0; i < rids->count; i++) {
+ if (matched[i] == false) {
+ ret = false;
printf("Could not find group RID %u found in getgroups in NETLOGON reply\n",
- getgroups.out.rids->rids[i].rid);
+ rids->rids[i].rid);
}
}
}
} else {
printf("Could not validate password for user %s\\%s: %s\n",
domain, username, nt_errstr(nt_status));
- return False;
+ return false;
}
- return False;
+ return false;
}
-static BOOL samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
struct netr_DELTA_ALIAS *alias = delta->delta_union.alias;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenAlias r;
struct samr_QueryAliasInfo q;
+ union samr_AliasInfo *info;
struct policy_handle alias_handle;
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenAlias(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.alias_handle = &alias_handle;
q.in.level = 1;
+ q.out.info = &info;
TEST_SEC_DESC_EQUAL(alias->sdbuf, samr, &alias_handle);
nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryAliasInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
- TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name);
- TEST_STRING_EQUAL(q.out.info->all.description, alias->description);
+ TEST_STRING_EQUAL(info->all.name, alias->alias_name);
+ TEST_STRING_EQUAL(info->all.description, alias->description);
return ret;
}
-static BOOL samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
uint32_t rid = delta->delta_id_union.rid;
struct netr_DELTA_GROUP *group = delta->delta_union.group;
NTSTATUS nt_status;
- BOOL ret = True;
+ bool ret = true;
struct samr_OpenGroup r;
struct samr_QueryGroupInfo q;
+ union samr_GroupInfo *info;
struct policy_handle group_handle;
if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
printf("SamSync needs domain information before the users\n");
- return False;
+ return false;
}
r.in.domain_handle = samsync_state->domain_handle[database_id];
nt_status = dcerpc_samr_OpenGroup(samsync_state->p_samr, mem_ctx, &r);
if (!NT_STATUS_IS_OK(nt_status)) {
printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
- return False;
+ return false;
}
q.in.group_handle = &group_handle;
q.in.level = 1;
+ q.out.info = &info;
TEST_SEC_DESC_EQUAL(group->sdbuf, samr, &group_handle);
nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
- return False;
+ return false;
}
if (!NT_STATUS_IS_OK(nt_status)) {
printf("QueryGroupInfo level %u failed - %s\n",
q.in.level, nt_errstr(nt_status));
- return False;
+ return false;
}
- TEST_STRING_EQUAL(q.out.info->all.name, group->group_name);
- TEST_INT_EQUAL(q.out.info->all.attributes, group->attributes);
- TEST_STRING_EQUAL(q.out.info->all.description, group->description);
+ TEST_STRING_EQUAL(info->all.name, group->group_name);
+ TEST_INT_EQUAL(info->all.attributes, group->attributes);
+ TEST_STRING_EQUAL(info->all.description, group->description);
return ret;
}
-static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
const char *name = delta->delta_id_union.name;
- struct samsync_secret *new = talloc(samsync_state, struct samsync_secret);
+ struct samsync_secret *nsec = talloc(samsync_state, struct samsync_secret);
struct samsync_secret *old = talloc(mem_ctx, struct samsync_secret);
struct lsa_QuerySecret q;
struct lsa_OpenSecret o;
struct policy_handle sec_handle;
struct lsa_DATA_BUF_PTR bufp1;
struct lsa_DATA_BUF_PTR bufp2;
- NTTIME new_mtime;
+ NTTIME nsec_mtime;
NTTIME old_mtime;
- BOOL ret = True;
+ bool ret = true;
DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
NTSTATUS status;
- creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data,
- secret->current_cipher.maxlen);
-
- creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data,
- secret->old_cipher.maxlen);
+ nsec->name = talloc_reference(nsec, name);
+ nsec->secret = data_blob_talloc(nsec, secret->current_cipher.cipher_data, secret->current_cipher.maxlen);
+ nsec->mtime = secret->current_cipher_set_time;
- new->name = talloc_reference(new, name);
- new->secret = data_blob_talloc(new, secret->current_cipher.cipher_data, secret->current_cipher.maxlen);
- new->mtime = secret->current_cipher_set_time;
-
- new = talloc_reference(samsync_state, new);
- DLIST_ADD(samsync_state->secrets, new);
+ nsec = talloc_reference(samsync_state, nsec);
+ DLIST_ADD(samsync_state->secrets, nsec);
old->name = talloc_reference(old, name);
old->secret = data_blob_const(secret->old_cipher.cipher_data, secret->old_cipher.maxlen);
status = dcerpc_lsa_OpenSecret(samsync_state->p_lsa, mem_ctx, &o);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenSecret failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
/*
status = dcerpc_fetch_session_key(samsync_state->p_lsa, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
- ZERO_STRUCT(new_mtime);
+ ZERO_STRUCT(nsec_mtime);
ZERO_STRUCT(old_mtime);
/* fetch the secret back again */
q.in.sec_handle = &sec_handle;
q.in.new_val = &bufp1;
- q.in.new_mtime = &new_mtime;
+ q.in.new_mtime = &nsec_mtime;
q.in.old_val = &bufp2;
q.in.old_mtime = &old_mtime;
status = dcerpc_lsa_QuerySecret(samsync_state->p_lsa, mem_ctx, &q);
if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
/* some things are just off limits */
- return True;
+ return true;
} else if (!NT_STATUS_IS_OK(status)) {
printf("QuerySecret failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (q.out.old_val->buf == NULL) {
status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to decrypt secrets OLD blob: %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (!q.out.old_mtime) {
printf("OLD mtime not available on LSA for secret %s\n", old->name);
- ret = False;
+ ret = false;
}
if (old->mtime != *q.out.old_mtime) {
printf("OLD mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
old->name, nt_time_string(mem_ctx, old->mtime),
nt_time_string(mem_ctx, *q.out.old_mtime));
- ret = False;
+ ret = false;
}
if (old->secret.length != lsa_blob_out.length) {
printf("Returned secret %s doesn't match: %d != %d\n",
- old->name, old->secret.length, lsa_blob_out.length);
- ret = False;
+ old->name, (int)old->secret.length, (int)lsa_blob_out.length);
+ ret = false;
} else if (memcmp(lsa_blob_out.data,
old->secret.data, old->secret.length) != 0) {
printf("Returned secret %s doesn't match: \n",
dump_data(1, old->secret.data, old->secret.length);
DEBUG(1, ("LSA Secret:\n"));
dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
- ret = False;
+ ret = false;
}
}
status = sess_decrypt_blob(mem_ctx, &lsa_blob1, &session_key, &lsa_blob_out);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to decrypt secrets OLD blob\n");
- return False;
+ return false;
}
if (!q.out.new_mtime) {
- printf("NEW mtime not available on LSA for secret %s\n", new->name);
- ret = False;
+ printf("NEW mtime not available on LSA for secret %s\n", nsec->name);
+ ret = false;
}
- if (new->mtime != *q.out.new_mtime) {
+ if (nsec->mtime != *q.out.new_mtime) {
printf("NEW mtime on secret %s does not match between SAMSYNC (%s) and LSA (%s)\n",
- new->name, nt_time_string(mem_ctx, new->mtime),
+ nsec->name, nt_time_string(mem_ctx, nsec->mtime),
nt_time_string(mem_ctx, *q.out.new_mtime));
- ret = False;
+ ret = false;
}
- if (new->secret.length != lsa_blob_out.length) {
+ if (nsec->secret.length != lsa_blob_out.length) {
printf("Returned secret %s doesn't match: %d != %d\n",
- new->name, new->secret.length, lsa_blob_out.length);
- ret = False;
+ nsec->name, (int)nsec->secret.length, (int)lsa_blob_out.length);
+ ret = false;
} else if (memcmp(lsa_blob_out.data,
- new->secret.data, new->secret.length) != 0) {
+ nsec->secret.data, nsec->secret.length) != 0) {
printf("Returned secret %s doesn't match: \n",
- new->name);
+ nsec->name);
DEBUG(1, ("SamSync Secret:\n"));
- dump_data(1, new->secret.data, new->secret.length);
+ dump_data(1, nsec->secret.data, nsec->secret.length);
DEBUG(1, ("LSA Secret:\n"));
dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
- ret = False;
+ ret = false;
}
}
return ret;
}
-static BOOL samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
NTSTATUS status;
- BOOL ret = True;
+ bool ret = true;
struct netr_DELTA_TRUSTED_DOMAIN *trusted_domain = delta->delta_union.trusted_domain;
struct dom_sid *dom_sid = delta->delta_id_union.sid;
- struct samsync_trusted_domain *new = talloc(samsync_state, struct samsync_trusted_domain);
+ struct samsync_trusted_domain *ndom = talloc(samsync_state, struct samsync_trusted_domain);
struct lsa_OpenTrustedDomain t;
struct policy_handle trustdom_handle;
struct lsa_QueryTrustedDomainInfo q;
union lsa_TrustedDomainInfo *info[9];
+ union lsa_TrustedDomainInfo *_info = NULL;
int levels [] = {1, 3, 8};
int i;
- new->name = talloc_reference(new, trusted_domain->domain_name.string);
- new->sid = talloc_reference(new, dom_sid);
+ ndom->name = talloc_reference(ndom, trusted_domain->domain_name.string);
+ ndom->sid = talloc_reference(ndom, dom_sid);
t.in.handle = samsync_state->lsa_handle;
t.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
status = dcerpc_lsa_OpenTrustedDomain(samsync_state->p_lsa, mem_ctx, &t);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
for (i=0; i< ARRAY_SIZE(levels); i++) {
q.in.trustdom_handle = &trustdom_handle;
q.in.level = levels[i];
+ q.out.info = &_info;
status = dcerpc_lsa_QueryTrustedDomainInfo(samsync_state->p_lsa, mem_ctx, &q);
if (!NT_STATUS_IS_OK(status)) {
if (q.in.level == 8 && NT_STATUS_EQUAL(status,NT_STATUS_INVALID_PARAMETER)) {
}
printf("QueryInfoTrustedDomain level %d failed - %s\n",
levels[i], nt_errstr(status));
- return False;
+ return false;
}
- info[levels[i]] = q.out.info;
+ info[levels[i]] = _info;
}
if (info[8]) {
We would like to do this, but it is NOT_SUPPORTED on win2k3
TEST_SEC_DESC_EQUAL(trusted_domain->sdbuf, lsa, &trustdom_handle);
*/
- new = talloc_reference(samsync_state, new);
- DLIST_ADD(samsync_state->trusted_domains, new);
+ ndom = talloc_reference(samsync_state, ndom);
+ DLIST_ADD(samsync_state->trusted_domains, ndom);
return ret;
}
-static BOOL samsync_handle_account(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
+static bool samsync_handle_account(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
int database_id, struct netr_DELTA_ENUM *delta)
{
NTSTATUS status;
- BOOL ret = True;
+ bool ret = true;
struct netr_DELTA_ACCOUNT *account = delta->delta_union.account;
struct dom_sid *dom_sid = delta->delta_id_union.sid;
struct lsa_OpenAccount a;
struct policy_handle acct_handle;
struct lsa_EnumPrivsAccount e;
+ struct lsa_PrivilegeSet *privs = NULL;
struct lsa_LookupPrivName r;
int i, j;
- BOOL *found_priv_in_lsa;
+ bool *found_priv_in_lsa;
a.in.handle = samsync_state->lsa_handle;
a.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
status = dcerpc_lsa_OpenAccount(samsync_state->p_lsa, mem_ctx, &a);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
TEST_SEC_DESC_EQUAL(account->sdbuf, lsa, &acct_handle);
- found_priv_in_lsa = talloc_zero_array(mem_ctx, BOOL, account->privilege_entries);
+ found_priv_in_lsa = talloc_zero_array(mem_ctx, bool, account->privilege_entries);
e.in.handle = &acct_handle;
+ e.out.privs = &privs;
status = dcerpc_lsa_EnumPrivsAccount(samsync_state->p_lsa, mem_ctx, &e);
if (!NT_STATUS_IS_OK(status)) {
printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
- if ((account->privilege_entries && !e.out.privs)) {
- printf("Account %s has privilages in SamSync, but not LSA\n",
+ if ((account->privilege_entries && !privs)) {
+ printf("Account %s has privileges in SamSync, but not LSA\n",
dom_sid_string(mem_ctx, dom_sid));
- return False;
+ return false;
}
- if (!account->privilege_entries && e.out.privs && e.out.privs->count) {
- printf("Account %s has privilages in LSA, but not SamSync\n",
+ if (!account->privilege_entries && privs && privs->count) {
+ printf("Account %s has privileges in LSA, but not SamSync\n",
dom_sid_string(mem_ctx, dom_sid));
- return False;
+ return false;
}
- TEST_INT_EQUAL(account->privilege_entries, e.out.privs->count);
+ TEST_INT_EQUAL(account->privilege_entries, privs->count);
- for (i=0;i< e.out.privs->count; i++) {
+ for (i=0;i< privs->count; i++) {
+
+ struct lsa_StringLarge *name = NULL;
+
r.in.handle = samsync_state->lsa_handle;
- r.in.luid = &e.out.privs->set[i].luid;
+ r.in.luid = &privs->set[i].luid;
+ r.out.name = &name;
status = dcerpc_lsa_LookupPrivName(samsync_state->p_lsa, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
- return False;
+ return false;
}
if (!r.out.name) {
printf("\nLookupPrivName failed to return a name\n");
- return False;
+ return false;
}
for (j=0;j<account->privilege_entries; j++) {
- if (strcmp(r.out.name->string, account->privilege_name[j].string) == 0) {
- found_priv_in_lsa[j] = True;
+ if (strcmp(name->string, account->privilege_name[j].string) == 0) {
+ found_priv_in_lsa[j] = true;
break;
}
}
if (!found_priv_in_lsa[j]) {
printf("Privilage %s on account %s not found in LSA\n", account->privilege_name[j].string,
dom_sid_string(mem_ctx, dom_sid));
- ret = False;
+ ret = false;
}
}
return ret;
/*
try a netlogon DatabaseSync
*/
-static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
- TALLOC_CTX *mem_ctx)
+static bool test_DatabaseSync(struct torture_context *tctx,
+ struct samsync_state *samsync_state,
+ TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx, *delta_ctx, *trustdom_ctx;
struct netr_DatabaseSync r;
const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
int i, d;
- BOOL ret = True;
+ bool ret = true;
struct samsync_trusted_domain *t;
struct samsync_secret *s;
+ struct netr_Authenticator return_authenticator, credential;
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
const char *domain, *username;
+ ZERO_STRUCT(return_authenticator);
+
r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
r.in.computername = TEST_MACHINE_NAME;
r.in.preferredmaximumlength = (uint32_t)-1;
- ZERO_STRUCT(r.in.return_authenticator);
+ r.in.return_authenticator = &return_authenticator;
+ r.out.return_authenticator = &return_authenticator;
+ r.out.delta_enum_array = &delta_enum_array;
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
- r.in.sync_context = 0;
+
+ uint32_t sync_context = 0;
+
r.in.database_id = database_ids[i];
+ r.in.sync_context = &sync_context;
+ r.out.sync_context = &sync_context;
printf("Testing DatabaseSync of id %d\n", r.in.database_id);
do {
loop_ctx = talloc_named(mem_ctx, 0, "DatabaseSync loop context");
- creds_client_authenticator(samsync_state->creds, &r.in.credential);
+ netlogon_creds_client_authenticator(samsync_state->creds, &credential);
+
+ r.in.credential = &credential;
status = dcerpc_netr_DatabaseSync(samsync_state->p, loop_ctx, &r);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
printf("DatabaseSync - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
break;
}
- if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
r.in.sync_context = r.out.sync_context;
- for (d=0; d < r.out.delta_enum_array->num_deltas; d++) {
+ for (d=0; d < delta_enum_array->num_deltas; d++) {
delta_ctx = talloc_named(loop_ctx, 0, "DatabaseSync delta context");
- switch (r.out.delta_enum_array->delta_enum[d].delta_type) {
+
+ if (!NT_STATUS_IS_OK(samsync_fix_delta(delta_ctx, samsync_state->creds,
+ r.in.database_id,
+ &delta_enum_array->delta_enum[d]))) {
+ printf("Failed to decrypt delta\n");
+ ret = false;
+ }
+
+ switch (delta_enum_array->delta_enum[d].delta_type) {
case NETR_DELTA_DOMAIN:
if (!samsync_handle_domain(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_DOMAIN\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_GROUP:
if (!samsync_handle_group(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_USER\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_USER:
- if (!samsync_handle_user(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ if (!samsync_handle_user(tctx, delta_ctx, samsync_state,
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_USER\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_ALIAS:
if (!samsync_handle_alias(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_ALIAS\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_POLICY:
if (!samsync_handle_policy(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_POLICY\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_TRUSTED_DOMAIN:
if (!samsync_handle_trusted_domain(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_TRUSTED_DOMAIN\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_ACCOUNT:
if (!samsync_handle_account(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_ACCOUNT\n");
- ret = False;
+ ret = false;
}
break;
case NETR_DELTA_SECRET:
if (!samsync_handle_secret(delta_ctx, samsync_state,
- r.in.database_id, &r.out.delta_enum_array->delta_enum[d])) {
+ r.in.database_id, &delta_enum_array->delta_enum[d])) {
printf("Failed to handle DELTA_SECRET\n");
- ret = False;
+ ret = false;
}
break;
+ case NETR_DELTA_GROUP_MEMBER:
+ case NETR_DELTA_ALIAS_MEMBER:
+ /* These are harder to cross-check, and we expect them */
+ break;
+ case NETR_DELTA_DELETE_GROUP:
+ case NETR_DELTA_RENAME_GROUP:
+ case NETR_DELTA_DELETE_USER:
+ case NETR_DELTA_RENAME_USER:
+ case NETR_DELTA_DELETE_ALIAS:
+ case NETR_DELTA_RENAME_ALIAS:
+ case NETR_DELTA_DELETE_TRUST:
+ case NETR_DELTA_DELETE_ACCOUNT:
+ case NETR_DELTA_DELETE_SECRET:
+ case NETR_DELTA_DELETE_GROUP2:
+ case NETR_DELTA_DELETE_USER2:
+ case NETR_DELTA_MODIFY_COUNT:
+ default:
+ printf("Uxpected delta type %d\n", delta_enum_array->delta_enum[d].delta_type);
+ ret = false;
+ break;
}
talloc_free(delta_ctx);
}
domain = samsync_state->domain_name[SAM_DATABASE_DOMAIN];
if (!domain) {
printf("Never got a DOMAIN object in samsync!\n");
- return False;
+ return false;
}
trustdom_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync Trusted domains context");
for (t=samsync_state->trusted_domains; t; t=t->next) {
char *secret_name = talloc_asprintf(trustdom_ctx, "G$$%s", t->name);
for (s=samsync_state->secrets; s; s=s->next) {
- if (StrCaseCmp(s->name, secret_name) == 0) {
+ if (strcasecmp_m(s->name, secret_name) == 0) {
NTSTATUS nt_status;
struct samr_Password nt_hash;
mdfour(nt_hash.hash, s->secret.data, s->secret.length);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n",
t->name, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
/* break it */
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
printf("Verifiction of trust password to %s: should have failed (wrong password), instead: %s\n",
t->name, nt_errstr(nt_status));
- ret = False;
+ ret = false;
}
break;
/*
try a netlogon DatabaseDeltas
*/
-static BOOL test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
+static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx;
struct netr_DatabaseDeltas r;
+ struct netr_Authenticator credential;
+ struct netr_Authenticator return_authenticator;
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
const uint32_t database_ids[] = {0, 1, 2};
int i;
- BOOL ret = True;
+ bool ret = true;
+
+ ZERO_STRUCT(return_authenticator);
r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
r.in.computername = TEST_MACHINE_NAME;
+ r.in.credential = &credential;
r.in.preferredmaximumlength = (uint32_t)-1;
- ZERO_STRUCT(r.in.return_authenticator);
+ r.in.return_authenticator = &return_authenticator;
+ r.out.return_authenticator = &return_authenticator;
+ r.out.delta_enum_array = &delta_enum_array;
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
+
+ uint64_t seq_num = samsync_state->seq_num[i];
+
r.in.database_id = database_ids[i];
- r.in.sequence_num = samsync_state->seq_num[i];
+ r.in.sequence_num = &seq_num;
+ r.out.sequence_num = &seq_num;
- if (r.in.sequence_num == 0) continue;
+ if (seq_num == 0) continue;
/* this shows that the bdc doesn't need to do a single call for
* each seqnumber, and the pdc doesn't need to know about old values
* -- metze
*/
- r.in.sequence_num -= 10;
-
+ seq_num -= 10;
printf("Testing DatabaseDeltas of id %d at %llu\n",
- r.in.database_id, r.in.sequence_num);
+ r.in.database_id, (long long)seq_num);
do {
loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseDeltas loop context");
- creds_client_authenticator(samsync_state->creds, &r.in.credential);
+ netlogon_creds_client_authenticator(samsync_state->creds, &credential);
status = dcerpc_netr_DatabaseDeltas(samsync_state->p, loop_ctx, &r);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
!NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
printf("DatabaseDeltas - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
}
- if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(samsync_state->creds, &return_authenticator.cred)) {
printf("Credential chaining failed\n");
}
- r.in.sequence_num++;
+ seq_num++;
talloc_free(loop_ctx);
} while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
}
/*
try a netlogon DatabaseSync2
*/
-static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds)
+static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx;
struct netr_DatabaseSync2 r;
const uint32_t database_ids[] = {0, 1, 2};
int i;
- BOOL ret = True;
+ bool ret = true;
+ struct netr_Authenticator return_authenticator, credential;
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+
+ ZERO_STRUCT(return_authenticator);
r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
r.in.computername = TEST_MACHINE_NAME;
r.in.preferredmaximumlength = (uint32_t)-1;
- ZERO_STRUCT(r.in.return_authenticator);
+ r.in.return_authenticator = &return_authenticator;
+ r.out.return_authenticator = &return_authenticator;
+ r.out.delta_enum_array = &delta_enum_array;
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
- r.in.sync_context = 0;
+
+ uint32_t sync_context = 0;
+
r.in.database_id = database_ids[i];
+ r.in.sync_context = &sync_context;
+ r.out.sync_context = &sync_context;
r.in.restart_state = 0;
printf("Testing DatabaseSync2 of id %d\n", r.in.database_id);
do {
loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync2 loop context");
- creds_client_authenticator(creds, &r.in.credential);
+ netlogon_creds_client_authenticator(creds, &credential);
+
+ r.in.credential = &credential;
status = dcerpc_netr_DatabaseSync2(p, loop_ctx, &r);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
printf("DatabaseSync2 - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
}
- if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
- r.in.sync_context = r.out.sync_context;
talloc_free(loop_ctx);
} while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
}
-BOOL torture_rpc_samsync(void)
+bool torture_rpc_samsync(struct torture_context *torture)
{
NTSTATUS status;
TALLOC_CTX *mem_ctx;
- BOOL ret = True;
+ bool ret = true;
struct test_join *join_ctx;
struct test_join *join_ctx2;
struct test_join *user_ctx;
const char *machine_password;
const char *wksta_machine_password;
- const char *binding = lp_parm_string(-1, "torture", "binding");
struct dcerpc_binding *b;
struct dcerpc_binding *b_netlogon_wksta;
struct samr_Connect c;
mem_ctx = talloc_init("torture_rpc_netlogon");
test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME);
- join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(), ACB_SVRTRUST,
+ join_ctx = torture_create_testuser(torture, test_machine_account,
+ lp_workgroup(torture->lp_ctx), ACB_SVRTRUST,
&machine_password);
if (!join_ctx) {
talloc_free(mem_ctx);
printf("Failed to join as BDC\n");
- return False;
+ return false;
}
test_wksta_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_WKSTA_MACHINE_NAME);
- join_ctx2 = torture_create_testuser(test_wksta_machine_account, lp_workgroup(), ACB_WSTRUST,
- &wksta_machine_password);
+ join_ctx2 = torture_create_testuser(torture, test_wksta_machine_account, lp_workgroup(torture->lp_ctx), ACB_WSTRUST, &wksta_machine_password);
if (!join_ctx2) {
talloc_free(mem_ctx);
printf("Failed to join as member\n");
- return False;
+ return false;
}
- user_ctx = torture_create_testuser(TEST_USER_NAME,
- lp_workgroup(),
+ user_ctx = torture_create_testuser(torture, TEST_USER_NAME,
+ lp_workgroup(torture->lp_ctx),
ACB_NORMAL, NULL);
if (!user_ctx) {
talloc_free(mem_ctx);
printf("Failed to create test account\n");
- return False;
+ return false;
}
samsync_state = talloc_zero(mem_ctx, struct samsync_state);
status = dcerpc_samr_Connect(samsync_state->p_samr, mem_ctx, &c);
if (!NT_STATUS_IS_OK(status)) {
printf("samr_Connect failed\n");
- ret = False;
+ ret = false;
goto failed;
}
- domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(), NULL);
+ domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(torture->lp_ctx), NULL);
if (!domain_policy) {
printf("samrsync_open_domain failed\n");
- ret = False;
+ ret = false;
goto failed;
}
s.in.level = 4;
s.in.info = talloc(mem_ctx, union samr_DomainInfo);
- s.in.info->info4.comment.string
+ s.in.info->oem.oem_information.string
= talloc_asprintf(mem_ctx,
"Tortured by Samba4: %s",
timestring(mem_ctx, time(NULL)));
status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s);
if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, domain_policy)) {
- ret = False;
+ ret = false;
goto failed;
}
if (!NT_STATUS_IS_OK(status)) {
printf("SetDomainInfo level %u failed - %s\n",
s.in.level, nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
- status = torture_rpc_connection(samsync_state,
+ status = torture_rpc_connection(torture,
&samsync_state->p_lsa,
- DCERPC_LSARPC_NAME,
- DCERPC_LSARPC_UUID,
- DCERPC_LSARPC_VERSION);
+ &ndr_table_lsarpc);
if (!NT_STATUS_IS_OK(status)) {
- ret = False;
+ ret = false;
goto failed;
}
status = dcerpc_lsa_OpenPolicy2(samsync_state->p_lsa, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
- status = dcerpc_parse_binding(mem_ctx, binding, &b);
+ status = torture_rpc_binding(torture, &b);
if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
- ret = False;
+ ret = false;
goto failed;
}
credentials = cli_credentials_init(mem_ctx);
cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials, lp_workgroup(torture->lp_ctx), CRED_SPECIFIED);
cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
cli_credentials_set_secure_channel_type(credentials,
status = dcerpc_pipe_connect_b(samsync_state,
&samsync_state->p, b,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- credentials);
+ &ndr_table_netlogon,
+ credentials, torture->ev, torture->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to connect to server as a BDC: %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
samsync_state, &samsync_state->creds);
if (!NT_STATUS_IS_OK(status)) {
- ret = False;
+ ret = false;
}
- status = dcerpc_parse_binding(mem_ctx, binding, &b_netlogon_wksta);
+ status = torture_rpc_binding(torture, &b_netlogon_wksta);
if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
- ret = False;
+ ret = false;
goto failed;
}
credentials_wksta = cli_credentials_init(mem_ctx);
cli_credentials_set_workstation(credentials_wksta, TEST_WKSTA_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials_wksta, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials_wksta, lp_workgroup(torture->lp_ctx), CRED_SPECIFIED);
cli_credentials_set_username(credentials_wksta, test_wksta_machine_account, CRED_SPECIFIED);
cli_credentials_set_password(credentials_wksta, wksta_machine_password, CRED_SPECIFIED);
cli_credentials_set_secure_channel_type(credentials_wksta,
status = dcerpc_pipe_connect_b(samsync_state,
&samsync_state->p_netlogon_wksta,
b_netlogon_wksta,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- credentials_wksta);
+ &ndr_table_netlogon,
+ credentials_wksta, torture->ev, torture->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to connect to server as a Workstation: %s\n", nt_errstr(status));
- ret = False;
+ ret = false;
goto failed;
}
samsync_state, &samsync_state->creds_netlogon_wksta);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to obtail schanel creds!\n");
- ret = False;
+ ret = false;
}
- if (!test_DatabaseSync(samsync_state, mem_ctx)) {
+ if (!test_DatabaseSync(torture, samsync_state, mem_ctx)) {
printf("DatabaseSync failed\n");
- ret = False;
+ ret = false;
}
if (!test_DatabaseDeltas(samsync_state, mem_ctx)) {
printf("DatabaseDeltas failed\n");
- ret = False;
+ ret = false;
}
if (!test_DatabaseSync2(samsync_state->p, mem_ctx, samsync_state->creds)) {
printf("DatabaseSync2 failed\n");
- ret = False;
+ ret = false;
}
failed:
- torture_leave_domain(join_ctx);
- torture_leave_domain(join_ctx2);
- torture_leave_domain(user_ctx);
+ torture_leave_domain(torture, join_ctx);
+ torture_leave_domain(torture, join_ctx2);
+ torture_leave_domain(torture, user_ctx);
talloc_free(mem_ctx);