2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
36 #include "lib/util/util_ldb.h"
38 #include "lib/replace/system/network.h"
39 #include "dsdb/samdb/samdb.h"
41 #define TEST_MACHINE_NAME "torturetest"
43 static bool test_netr_broken_binding_handle(struct torture_context *tctx,
44 struct dcerpc_pipe *p)
47 struct netr_DsRGetSiteName r;
48 const char *site = NULL;
49 struct dcerpc_binding_handle *b = p->binding_handle;
51 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s",
52 dcerpc_server_name(p));
56 "Testing netlogon request with correct binding handle: %s\n",
59 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
60 torture_assert_ntstatus_ok(tctx, status,
61 "Netlogon request with broken binding handle");
62 torture_assert_werr_ok(tctx, r.out.result,
63 "Netlogon request with broken binding handle");
65 if (torture_setting_bool(tctx, "samba3", false) ||
66 torture_setting_bool(tctx, "samba4", false)) {
68 "Skipping broken binding handle check against Samba");
71 r.in.computer_name = talloc_asprintf(tctx, "\\\\\\\\%s",
72 dcerpc_server_name(p));
75 "Testing netlogon request with broken binding handle: %s\n",
78 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
79 torture_assert_ntstatus_ok(tctx, status,
80 "Netlogon request with broken binding handle");
81 torture_assert_werr_equal(tctx, r.out.result,
82 WERR_INVALID_COMPUTERNAME,
83 "Netlogon request with broken binding handle");
85 r.in.computer_name = "\\\\\\\\THIS_IS_NOT_VALID";
88 "Testing netlogon request with broken binding handle: %s\n",
91 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
92 torture_assert_ntstatus_ok(tctx, status,
93 "Netlogon request with broken binding handle");
94 torture_assert_werr_equal(tctx, r.out.result,
95 WERR_INVALID_COMPUTERNAME,
96 "Netlogon request with broken binding handle");
101 static bool test_LogonUasLogon(struct torture_context *tctx,
102 struct dcerpc_pipe *p)
105 struct netr_LogonUasLogon r;
106 struct netr_UasInfo *info = NULL;
107 struct dcerpc_binding_handle *b = p->binding_handle;
109 r.in.server_name = NULL;
110 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
111 r.in.workstation = TEST_MACHINE_NAME;
114 status = dcerpc_netr_LogonUasLogon_r(b, tctx, &r);
115 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
120 static bool test_LogonUasLogoff(struct torture_context *tctx,
121 struct dcerpc_pipe *p)
124 struct netr_LogonUasLogoff r;
125 struct netr_UasLogoffInfo info;
126 struct dcerpc_binding_handle *b = p->binding_handle;
128 r.in.server_name = NULL;
129 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
130 r.in.workstation = TEST_MACHINE_NAME;
133 status = dcerpc_netr_LogonUasLogoff_r(b, tctx, &r);
134 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
139 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
140 struct cli_credentials *credentials,
141 struct netlogon_creds_CredentialState **creds_out)
143 struct netr_ServerReqChallenge r;
144 struct netr_ServerAuthenticate a;
145 struct netr_Credential credentials1, credentials2, credentials3;
146 struct netlogon_creds_CredentialState *creds;
147 const struct samr_Password *mach_password;
148 const char *machine_name;
149 struct dcerpc_binding_handle *b = p->binding_handle;
151 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
152 machine_name = cli_credentials_get_workstation(credentials);
154 torture_comment(tctx, "Testing ServerReqChallenge\n");
156 r.in.server_name = NULL;
157 r.in.computer_name = machine_name;
158 r.in.credentials = &credentials1;
159 r.out.return_credentials = &credentials2;
161 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
163 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
164 "ServerReqChallenge failed");
165 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
167 a.in.server_name = NULL;
168 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
169 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
170 a.in.computer_name = machine_name;
171 a.in.credentials = &credentials3;
172 a.out.return_credentials = &credentials3;
174 creds = netlogon_creds_client_init(tctx, a.in.account_name,
176 a.in.secure_channel_type,
177 &credentials1, &credentials2,
178 mach_password, &credentials3,
180 torture_assert(tctx, creds != NULL, "memory allocation");
183 torture_comment(tctx, "Testing ServerAuthenticate\n");
185 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate_r(b, tctx, &a),
186 "ServerAuthenticate failed");
188 /* This allows the tests to continue against the more fussy windows 2008 */
189 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
190 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
192 cli_credentials_get_secure_channel_type(credentials),
196 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate");
198 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
199 "Credential chaining failed");
205 bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tctx,
206 uint32_t negotiate_flags,
207 struct cli_credentials *machine_credentials,
208 const char *computer_name,
209 enum netr_SchannelType sec_chan_type,
210 NTSTATUS expected_result,
211 struct netlogon_creds_CredentialState **creds_out)
213 struct netr_ServerReqChallenge r;
214 struct netr_ServerAuthenticate2 a;
215 struct netr_Credential credentials1, credentials2, credentials3;
216 struct netlogon_creds_CredentialState *creds;
217 const struct samr_Password *mach_password;
218 struct dcerpc_binding_handle *b = p->binding_handle;
219 const char *account_name = cli_credentials_get_username(machine_credentials);
221 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
223 torture_comment(tctx, "Testing ServerReqChallenge\n");
225 r.in.server_name = NULL;
226 r.in.computer_name = computer_name;
227 r.in.credentials = &credentials1;
228 r.out.return_credentials = &credentials2;
230 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
232 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
233 "ServerReqChallenge failed");
234 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
236 a.in.server_name = NULL;
237 a.in.account_name = account_name;
238 a.in.secure_channel_type = sec_chan_type;
239 a.in.computer_name = computer_name;
240 a.in.negotiate_flags = &negotiate_flags;
241 a.out.negotiate_flags = &negotiate_flags;
242 a.in.credentials = &credentials3;
243 a.out.return_credentials = &credentials3;
245 creds = netlogon_creds_client_init(tctx, a.in.account_name,
247 a.in.secure_channel_type,
248 &credentials1, &credentials2,
249 mach_password, &credentials3,
252 torture_assert(tctx, creds != NULL, "memory allocation");
254 torture_comment(tctx, "Testing ServerAuthenticate2\n");
256 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
257 "ServerAuthenticate2 failed");
258 torture_assert_ntstatus_equal(tctx, a.out.result, expected_result,
259 "ServerAuthenticate2 unexpected");
261 if (NT_STATUS_IS_OK(expected_result)) {
262 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
263 "Credential chaining failed");
265 torture_assert(tctx, !netlogon_creds_client_check(creds, &credentials3),
266 "Credential chaining passed unexptected");
269 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
275 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
276 uint32_t negotiate_flags,
277 struct cli_credentials *machine_credentials,
278 enum netr_SchannelType sec_chan_type,
279 struct netlogon_creds_CredentialState **creds_out)
281 const char *computer_name =
282 cli_credentials_get_workstation(machine_credentials);
284 return test_SetupCredentials2ex(p, tctx, negotiate_flags,
292 bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
293 uint32_t negotiate_flags,
294 struct cli_credentials *machine_credentials,
295 struct netlogon_creds_CredentialState **creds_out)
297 struct netr_ServerReqChallenge r;
298 struct netr_ServerAuthenticate3 a;
299 struct netr_Credential credentials1, credentials2, credentials3;
300 struct netlogon_creds_CredentialState *creds;
301 struct samr_Password mach_password;
303 const char *machine_name;
304 const char *plain_pass;
305 struct dcerpc_binding_handle *b = p->binding_handle;
307 machine_name = cli_credentials_get_workstation(machine_credentials);
308 plain_pass = cli_credentials_get_password(machine_credentials);
310 torture_comment(tctx, "Testing ServerReqChallenge\n");
312 r.in.server_name = NULL;
313 r.in.computer_name = machine_name;
314 r.in.credentials = &credentials1;
315 r.out.return_credentials = &credentials2;
317 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
319 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
320 "ServerReqChallenge failed");
321 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
323 E_md4hash(plain_pass, mach_password.hash);
325 a.in.server_name = NULL;
326 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
327 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
328 a.in.computer_name = machine_name;
329 a.in.negotiate_flags = &negotiate_flags;
330 a.in.credentials = &credentials3;
331 a.out.return_credentials = &credentials3;
332 a.out.negotiate_flags = &negotiate_flags;
335 creds = netlogon_creds_client_init(tctx, a.in.account_name,
337 a.in.secure_channel_type,
338 &credentials1, &credentials2,
339 &mach_password, &credentials3,
342 torture_assert(tctx, creds != NULL, "memory allocation");
344 torture_comment(tctx, "Testing ServerAuthenticate3\n");
346 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
347 "ServerAuthenticate3 failed");
348 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
349 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
351 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
353 /* Prove that requesting a challenge again won't break it */
354 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
355 "ServerReqChallenge failed");
356 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
362 bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
363 struct dcerpc_pipe *p,
364 struct cli_credentials *machine_credentials)
366 struct netr_ServerReqChallenge r;
367 struct netr_ServerAuthenticate3 a;
368 struct netr_Credential credentials1, credentials2, credentials3;
369 struct netlogon_creds_CredentialState *creds;
370 struct samr_Password mach_password;
372 const char *machine_name;
373 const char *plain_pass;
374 struct dcerpc_binding_handle *b = p->binding_handle;
375 uint32_t negotiate_flags = 0;
377 machine_name = cli_credentials_get_workstation(machine_credentials);
378 plain_pass = cli_credentials_get_password(machine_credentials);
380 torture_comment(tctx, "Testing ServerReqChallenge\n");
382 r.in.server_name = NULL;
383 r.in.computer_name = machine_name;
384 r.in.credentials = &credentials1;
385 r.out.return_credentials = &credentials2;
387 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
389 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
390 "ServerReqChallenge failed");
391 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
393 E_md4hash(plain_pass, mach_password.hash);
395 a.in.server_name = NULL;
396 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
397 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
398 a.in.computer_name = machine_name;
399 a.in.negotiate_flags = &negotiate_flags;
400 a.in.credentials = &credentials3;
401 a.out.return_credentials = &credentials3;
402 a.out.negotiate_flags = &negotiate_flags;
405 creds = netlogon_creds_client_init(tctx, a.in.account_name,
407 a.in.secure_channel_type,
408 &credentials1, &credentials2,
409 &mach_password, &credentials3,
412 torture_assert(tctx, creds != NULL, "memory allocation");
414 torture_comment(tctx, "Testing ServerAuthenticate3\n");
416 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
417 "ServerAuthenticate3 failed");
418 torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
420 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
421 creds = netlogon_creds_client_init(tctx, a.in.account_name,
423 a.in.secure_channel_type,
424 &credentials1, &credentials2,
425 &mach_password, &credentials3,
428 torture_assert(tctx, creds != NULL, "memory allocation");
430 torture_comment(tctx, "Testing ServerAuthenticate3\n");
432 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
433 "ServerAuthenticate3 failed");
434 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 should succeed");
436 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
438 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
440 /* Prove that requesting a challenge again won't break it */
441 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
442 "ServerReqChallenge failed");
443 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
448 bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1,
449 struct torture_context *tctx,
450 struct cli_credentials *machine_credentials,
451 struct netlogon_creds_CredentialState *creds,
452 uint32_t additional_flags,
453 struct dcerpc_pipe **_p2)
456 struct dcerpc_binding *b2 = NULL;
457 struct dcerpc_pipe *p2 = NULL;
459 b2 = dcerpc_binding_dup(tctx, p1->binding);
460 torture_assert(tctx, b2 != NULL, "dcerpc_binding_dup");
461 dcerpc_binding_set_flags(b2,
462 DCERPC_SCHANNEL | additional_flags,
463 DCERPC_AUTH_OPTIONS);
465 cli_credentials_set_netlogon_creds(machine_credentials, creds);
466 status = dcerpc_pipe_connect_b(tctx, &p2, b2,
469 tctx->ev, tctx->lp_ctx);
470 cli_credentials_set_netlogon_creds(machine_credentials, NULL);
471 torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b schannel");
478 try a change password for our machine account
480 static bool test_SetPassword(struct torture_context *tctx,
481 struct dcerpc_pipe *p,
482 struct cli_credentials *machine_credentials)
484 struct netr_ServerPasswordSet r;
485 const char *password;
486 struct netlogon_creds_CredentialState *creds;
487 struct netr_Authenticator credential, return_authenticator;
488 struct samr_Password new_password;
489 struct dcerpc_binding_handle *b = p->binding_handle;
491 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
495 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
496 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
497 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
498 r.in.computer_name = TEST_MACHINE_NAME;
499 r.in.credential = &credential;
500 r.in.new_password = &new_password;
501 r.out.return_authenticator = &return_authenticator;
503 password = generate_random_password(tctx, 8, 255);
504 E_md4hash(password, new_password.hash);
506 netlogon_creds_des_encrypt(creds, &new_password);
508 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
509 torture_comment(tctx, "Changing machine account password to '%s'\n",
512 netlogon_creds_client_authenticator(creds, &credential);
514 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
515 "ServerPasswordSet failed");
516 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
518 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
519 torture_comment(tctx, "Credential chaining failed\n");
522 /* by changing the machine password twice we test the
523 credentials chaining fully, and we verify that the server
524 allows the password to be set to the same value twice in a
525 row (match win2k3) */
526 torture_comment(tctx,
527 "Testing a second ServerPasswordSet on machine account\n");
528 torture_comment(tctx,
529 "Changing machine account password to '%s' (same as previous run)\n", password);
531 netlogon_creds_client_authenticator(creds, &credential);
533 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
534 "ServerPasswordSet (2) failed");
535 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
537 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
538 torture_comment(tctx, "Credential chaining failed\n");
541 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
544 test_SetupCredentials(p, tctx, machine_credentials, &creds),
545 "ServerPasswordSet failed to actually change the password");
551 try a change password for our machine account
553 static bool test_SetPassword_flags(struct torture_context *tctx,
554 struct dcerpc_pipe *p1,
555 struct cli_credentials *machine_credentials,
556 uint32_t negotiate_flags)
558 struct netr_ServerPasswordSet r;
559 const char *password;
560 struct netlogon_creds_CredentialState *creds;
561 struct netr_Authenticator credential, return_authenticator;
562 struct samr_Password new_password;
563 struct dcerpc_pipe *p = NULL;
564 struct dcerpc_binding_handle *b = NULL;
566 if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
568 cli_credentials_get_secure_channel_type(machine_credentials),
572 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
573 DCERPC_SIGN | DCERPC_SEAL, &p)) {
576 b = p->binding_handle;
578 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
579 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
580 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
581 r.in.computer_name = TEST_MACHINE_NAME;
582 r.in.credential = &credential;
583 r.in.new_password = &new_password;
584 r.out.return_authenticator = &return_authenticator;
586 password = generate_random_password(tctx, 8, 255);
587 E_md4hash(password, new_password.hash);
589 netlogon_creds_des_encrypt(creds, &new_password);
591 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
592 torture_comment(tctx, "Changing machine account password to '%s'\n",
595 netlogon_creds_client_authenticator(creds, &credential);
597 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
598 "ServerPasswordSet failed");
599 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
601 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
602 torture_comment(tctx, "Credential chaining failed\n");
605 /* by changing the machine password twice we test the
606 credentials chaining fully, and we verify that the server
607 allows the password to be set to the same value twice in a
608 row (match win2k3) */
609 torture_comment(tctx,
610 "Testing a second ServerPasswordSet on machine account\n");
611 torture_comment(tctx,
612 "Changing machine account password to '%s' (same as previous run)\n", password);
614 netlogon_creds_client_authenticator(creds, &credential);
616 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
617 "ServerPasswordSet (2) failed");
618 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
620 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
621 torture_comment(tctx, "Credential chaining failed\n");
624 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
627 test_SetupCredentials(p, tctx, machine_credentials, &creds),
628 "ServerPasswordSet failed to actually change the password");
635 generate a random password for password change tests
637 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
640 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
641 generate_random_buffer(password.data, password.length);
643 for (i=0; i < len; i++) {
644 if (((uint16_t *)password.data)[i] == 0) {
645 ((uint16_t *)password.data)[i] = 1;
653 try a change password for our machine account
655 static bool test_SetPassword2_with_flags(struct torture_context *tctx,
656 struct dcerpc_pipe *p1,
657 struct cli_credentials *machine_credentials,
660 struct netr_ServerPasswordSet2 r;
661 const char *password;
662 DATA_BLOB new_random_pass;
663 struct netlogon_creds_CredentialState *creds;
664 struct samr_CryptPassword password_buf;
665 struct samr_Password nt_hash;
666 struct netr_Authenticator credential, return_authenticator;
667 struct netr_CryptPassword new_password;
668 struct dcerpc_pipe *p = NULL;
669 struct dcerpc_binding_handle *b = NULL;
671 if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
672 cli_credentials_get_secure_channel_type(machine_credentials),
676 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
677 DCERPC_SIGN | DCERPC_SEAL, &p)) {
680 b = p->binding_handle;
682 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
683 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
684 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
685 r.in.computer_name = TEST_MACHINE_NAME;
686 r.in.credential = &credential;
687 r.in.new_password = &new_password;
688 r.out.return_authenticator = &return_authenticator;
690 password = generate_random_password(tctx, 8, 255);
691 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
692 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
693 netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
695 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
698 memcpy(new_password.data, password_buf.data, 512);
699 new_password.length = IVAL(password_buf.data, 512);
701 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
702 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
704 netlogon_creds_client_authenticator(creds, &credential);
706 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
707 "ServerPasswordSet2 failed");
708 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
710 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
711 torture_comment(tctx, "Credential chaining failed\n");
714 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
716 if (!torture_setting_bool(tctx, "dangerous", false)) {
717 torture_comment(tctx,
718 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
720 /* by changing the machine password to ""
721 * we check if the server uses password restrictions
722 * for ServerPasswordSet2
723 * (win2k3 accepts "")
726 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
727 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
728 netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
730 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
732 memcpy(new_password.data, password_buf.data, 512);
733 new_password.length = IVAL(password_buf.data, 512);
735 torture_comment(tctx,
736 "Testing ServerPasswordSet2 on machine account\n");
737 torture_comment(tctx,
738 "Changing machine account password to '%s'\n", password);
740 netlogon_creds_client_authenticator(creds, &credential);
742 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
743 "ServerPasswordSet2 failed");
744 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
746 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
747 torture_comment(tctx, "Credential chaining failed\n");
750 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
753 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
754 "ServerPasswordSet failed to actually change the password");
756 /* now try a random password */
757 password = generate_random_password(tctx, 8, 255);
758 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
759 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
760 netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
762 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
764 memcpy(new_password.data, password_buf.data, 512);
765 new_password.length = IVAL(password_buf.data, 512);
767 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
768 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
770 netlogon_creds_client_authenticator(creds, &credential);
772 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
773 "ServerPasswordSet2 (2) failed");
774 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 (2) failed");
776 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
777 torture_comment(tctx, "Credential chaining failed\n");
780 /* by changing the machine password twice we test the
781 credentials chaining fully, and we verify that the server
782 allows the password to be set to the same value twice in a
783 row (match win2k3) */
784 torture_comment(tctx,
785 "Testing a second ServerPasswordSet2 on machine account\n");
786 torture_comment(tctx,
787 "Changing machine account password to '%s' (same as previous run)\n", password);
789 netlogon_creds_client_authenticator(creds, &credential);
791 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
792 "ServerPasswordSet (3) failed");
793 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
795 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
796 torture_comment(tctx, "Credential chaining failed\n");
799 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
801 torture_assert (tctx,
802 test_SetupCredentials(p, tctx, machine_credentials, &creds),
803 "ServerPasswordSet failed to actually change the password");
805 new_random_pass = netlogon_very_rand_pass(tctx, 128);
807 /* now try a random stream of bytes for a password */
808 set_pw_in_buffer(password_buf.data, &new_random_pass);
810 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
811 netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
813 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
816 memcpy(new_password.data, password_buf.data, 512);
817 new_password.length = IVAL(password_buf.data, 512);
819 torture_comment(tctx,
820 "Testing a third ServerPasswordSet2 on machine account, with a completely random password\n");
822 netlogon_creds_client_authenticator(creds, &credential);
824 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
825 "ServerPasswordSet (3) failed");
826 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
828 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
829 torture_comment(tctx, "Credential chaining failed\n");
832 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
834 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
835 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
837 torture_assert (tctx,
838 test_SetupCredentials(p, tctx, machine_credentials, &creds),
839 "ServerPasswordSet failed to actually change the password");
844 static bool test_SetPassword2(struct torture_context *tctx,
845 struct dcerpc_pipe *p,
846 struct cli_credentials *machine_credentials)
848 return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS);
851 static bool test_SetPassword2_AES(struct torture_context *tctx,
852 struct dcerpc_pipe *p,
853 struct cli_credentials *machine_credentials)
855 return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
858 static bool test_GetPassword(struct torture_context *tctx,
859 struct dcerpc_pipe *p,
860 struct cli_credentials *machine_credentials)
862 struct netr_ServerPasswordGet r;
863 struct netlogon_creds_CredentialState *creds;
864 struct netr_Authenticator credential;
866 struct netr_Authenticator return_authenticator;
867 struct samr_Password password;
868 struct dcerpc_binding_handle *b = p->binding_handle;
870 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
874 netlogon_creds_client_authenticator(creds, &credential);
876 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
877 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
878 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
879 r.in.computer_name = TEST_MACHINE_NAME;
880 r.in.credential = &credential;
881 r.out.return_authenticator = &return_authenticator;
882 r.out.password = &password;
884 status = dcerpc_netr_ServerPasswordGet_r(b, tctx, &r);
885 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
886 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordGet");
891 static bool test_GetTrustPasswords(struct torture_context *tctx,
892 struct dcerpc_pipe *p,
893 struct cli_credentials *machine_credentials)
895 struct netr_ServerTrustPasswordsGet r;
896 struct netlogon_creds_CredentialState *creds;
897 struct netr_Authenticator credential;
898 struct netr_Authenticator return_authenticator;
899 struct samr_Password password, password2;
900 struct dcerpc_binding_handle *b = p->binding_handle;
902 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
906 netlogon_creds_client_authenticator(creds, &credential);
908 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
909 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
910 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
911 r.in.computer_name = TEST_MACHINE_NAME;
912 r.in.credential = &credential;
913 r.out.return_authenticator = &return_authenticator;
914 r.out.new_owf_password = &password;
915 r.out.old_owf_password = &password2;
917 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerTrustPasswordsGet_r(b, tctx, &r),
918 "ServerTrustPasswordsGet failed");
919 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerTrustPasswordsGet failed");
925 try a netlogon SamLogon
927 static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context *tctx,
928 struct cli_credentials *credentials,
929 struct netlogon_creds_CredentialState *creds,
933 struct netr_LogonSamLogon r;
934 struct netr_Authenticator auth, auth2;
935 static const struct netr_Authenticator auth_zero;
936 union netr_LogonLevel logon;
937 union netr_Validation validation;
938 uint8_t authoritative;
939 struct netr_NetworkInfo ninfo;
940 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
942 struct dcerpc_binding_handle *b = p->binding_handle;
943 int flags = CLI_CRED_NTLM_AUTH;
944 if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
945 flags |= CLI_CRED_LANMAN_AUTH;
948 if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx) && !null_domain) {
949 flags |= CLI_CRED_NTLMv2_AUTH;
952 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
953 &ninfo.identity_info.account_name.string,
954 &ninfo.identity_info.domain_name.string);
957 ninfo.identity_info.domain_name.string = NULL;
960 generate_random_buffer(ninfo.challenge,
961 sizeof(ninfo.challenge));
962 chal = data_blob_const(ninfo.challenge,
963 sizeof(ninfo.challenge));
965 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
966 cli_credentials_get_domain(credentials));
968 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
971 NULL, /* server_timestamp */
975 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
977 ninfo.lm.data = lm_resp.data;
978 ninfo.lm.length = lm_resp.length;
980 ninfo.nt.data = nt_resp.data;
981 ninfo.nt.length = nt_resp.length;
983 ninfo.identity_info.parameter_control = 0;
984 ninfo.identity_info.logon_id_low = 0;
985 ninfo.identity_info.logon_id_high = 0;
986 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
988 logon.network = &ninfo;
990 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
991 r.in.computer_name = cli_credentials_get_workstation(credentials);
992 r.in.credential = &auth;
993 r.in.return_authenticator = &auth2;
994 r.in.logon_level = NetlogonNetworkInformation;
996 r.out.validation = &validation;
997 r.out.authoritative = &authoritative;
999 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
1001 for (i=2;i<=3;i++) {
1003 netlogon_creds_client_authenticator(creds, &auth);
1005 r.in.validation_level = i;
1007 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1008 "LogonSamLogon failed");
1009 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
1011 torture_assert(tctx, netlogon_creds_client_check(creds,
1012 &r.out.return_authenticator->cred),
1013 "Credential chaining failed");
1014 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1015 "LogonSamLogon invalid *r.out.authoritative");
1018 /* this makes sure we get the unmarshalling right for invalid levels */
1019 for (i=52;i<53;i++) {
1021 /* the authenticator should be ignored by the server */
1022 generate_random_buffer((uint8_t *) &auth, sizeof(auth));
1024 r.in.validation_level = i;
1026 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1027 "LogonSamLogon failed");
1028 torture_assert_ntstatus_equal(tctx, r.out.result,
1029 NT_STATUS_INVALID_INFO_CLASS,
1030 "LogonSamLogon failed");
1032 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1033 "LogonSamLogon invalid *r.out.authoritative");
1034 torture_assert(tctx,
1035 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
1036 "Return authenticator non zero");
1039 for (i=2;i<=3;i++) {
1041 netlogon_creds_client_authenticator(creds, &auth);
1043 r.in.validation_level = i;
1045 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1046 "LogonSamLogon failed");
1047 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
1049 torture_assert(tctx, netlogon_creds_client_check(creds,
1050 &r.out.return_authenticator->cred),
1051 "Credential chaining failed");
1052 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1053 "LogonSamLogon invalid *r.out.authoritative");
1056 r.in.logon_level = 52;
1058 for (i=2;i<=3;i++) {
1060 /* the authenticator should be ignored by the server */
1061 generate_random_buffer((uint8_t *) &auth, sizeof(auth));
1063 r.in.validation_level = i;
1065 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
1067 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1068 "LogonSamLogon failed");
1069 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
1070 "LogonSamLogon expected INVALID_PARAMETER");
1072 torture_assert(tctx,
1073 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
1074 "Return authenticator non zero");
1075 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1076 "LogonSamLogon invalid *r.out.authoritative");
1079 r.in.credential = NULL;
1081 for (i=2;i<=3;i++) {
1084 r.in.validation_level = i;
1086 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
1088 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1089 "LogonSamLogon failed");
1090 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
1091 "LogonSamLogon expected INVALID_PARAMETER");
1093 torture_assert(tctx,
1094 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
1095 "Return authenticator non zero");
1096 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1097 "LogonSamLogon invalid *r.out.authoritative");
1100 r.in.logon_level = NetlogonNetworkInformation;
1101 r.in.credential = &auth;
1103 for (i=2;i<=3;i++) {
1105 netlogon_creds_client_authenticator(creds, &auth);
1107 r.in.validation_level = i;
1109 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
1110 "LogonSamLogon failed");
1111 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
1113 torture_assert(tctx, netlogon_creds_client_check(creds,
1114 &r.out.return_authenticator->cred),
1115 "Credential chaining failed");
1116 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
1117 "LogonSamLogon invalid *r.out.authoritative");
1123 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
1124 struct cli_credentials *credentials,
1125 struct netlogon_creds_CredentialState *creds)
1127 return test_netlogon_ops_args(p, tctx, credentials, creds, false);
1131 try a netlogon GetCapabilities
1133 bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
1134 struct cli_credentials *credentials,
1135 struct netlogon_creds_CredentialState *creds)
1138 struct netr_LogonGetCapabilities r;
1139 union netr_Capabilities capabilities;
1140 struct netr_Authenticator auth, return_auth;
1141 struct netlogon_creds_CredentialState tmp_creds;
1142 struct dcerpc_binding_handle *b = p->binding_handle;
1144 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1145 r.in.computer_name = cli_credentials_get_workstation(credentials);
1146 r.in.credential = &auth;
1147 r.in.return_authenticator = &return_auth;
1148 r.in.query_level = 1;
1149 r.out.capabilities = &capabilities;
1150 r.out.return_authenticator = &return_auth;
1152 torture_comment(tctx, "Testing LogonGetCapabilities\n");
1154 ZERO_STRUCT(return_auth);
1157 * we need to operate on a temporary copy of creds
1158 * because dcerpc_netr_LogonGetCapabilities was
1159 * dcerpc_netr_DummyFunction and returns NT_STATUS_NOT_IMPLEMENTED
1160 * without looking a the authenticator.
1163 netlogon_creds_client_authenticator(&tmp_creds, &auth);
1165 status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
1166 torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities failed");
1167 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
1173 torture_assert(tctx, netlogon_creds_client_check(creds,
1174 &r.out.return_authenticator->cred),
1175 "Credential chaining failed");
1177 torture_assert_int_equal(tctx, creds->negotiate_flags,
1178 capabilities.server_capabilities,
1185 try a netlogon SamLogon
1187 static bool test_SamLogon(struct torture_context *tctx,
1188 struct dcerpc_pipe *p,
1189 struct cli_credentials *credentials)
1191 struct netlogon_creds_CredentialState *creds;
1193 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
1197 return test_netlogon_ops(p, tctx, credentials, creds);
1200 static bool test_invalidAuthenticate2(struct torture_context *tctx,
1201 struct dcerpc_pipe *p,
1202 struct cli_credentials *credentials)
1204 struct netlogon_creds_CredentialState *creds;
1205 uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
1207 torture_comment(tctx, "Testing invalidAuthenticate2\n");
1209 if (!test_SetupCredentials2(p, tctx, flags,
1211 cli_credentials_get_secure_channel_type(credentials),
1216 if (!test_SetupCredentials2ex(p, tctx, flags,
1219 cli_credentials_get_secure_channel_type(credentials),
1220 STATUS_BUFFER_OVERFLOW,
1225 if (!test_SetupCredentials2ex(p, tctx, flags,
1228 cli_credentials_get_secure_channel_type(credentials),
1237 static bool test_ServerReqChallengeGlobal(struct torture_context *tctx,
1238 struct dcerpc_pipe *p1,
1239 struct cli_credentials *machine_credentials)
1241 uint32_t flags = NETLOGON_NEG_AUTH2_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
1242 struct netr_ServerReqChallenge r;
1243 struct netr_ServerAuthenticate3 a;
1244 struct netr_Credential credentials1, credentials2, credentials3;
1245 struct netlogon_creds_CredentialState *creds;
1246 struct samr_Password mach_password;
1248 const char *machine_name;
1249 const char *plain_pass;
1250 struct dcerpc_binding_handle *b1 = p1->binding_handle;
1251 struct dcerpc_pipe *p2 = NULL;
1252 struct dcerpc_binding_handle *b2 = NULL;
1254 machine_name = cli_credentials_get_workstation(machine_credentials);
1255 plain_pass = cli_credentials_get_password(machine_credentials);
1257 torture_comment(tctx, "Testing ServerReqChallenge on b1\n");
1259 torture_assert_ntstatus_ok(tctx,
1260 dcerpc_pipe_connect_b(tctx, &p2, p1->binding,
1261 &ndr_table_netlogon,
1262 machine_credentials,
1263 tctx->ev, tctx->lp_ctx),
1264 "dcerpc_pipe_connect_b failed");
1265 b2 = p2->binding_handle;
1267 r.in.server_name = NULL;
1268 r.in.computer_name = machine_name;
1269 r.in.credentials = &credentials1;
1270 r.out.return_credentials = &credentials2;
1272 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
1274 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r),
1275 "ServerReqChallenge failed on b1");
1276 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed on b1");
1278 E_md4hash(plain_pass, mach_password.hash);
1280 a.in.server_name = NULL;
1281 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
1282 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1283 a.in.computer_name = machine_name;
1284 a.in.negotiate_flags = &flags;
1285 a.in.credentials = &credentials3;
1286 a.out.return_credentials = &credentials3;
1287 a.out.negotiate_flags = &flags;
1290 creds = netlogon_creds_client_init(tctx, a.in.account_name,
1292 a.in.secure_channel_type,
1293 &credentials1, &credentials2,
1294 &mach_password, &credentials3,
1297 torture_assert(tctx, creds != NULL, "memory allocation");
1299 torture_comment(tctx, "Testing ServerAuthenticate3 on b2\n");
1301 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b2, tctx, &a),
1302 "ServerAuthenticate3 failed on b2");
1303 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed on b2");
1304 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
1309 static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
1310 struct dcerpc_pipe *p,
1311 struct cli_credentials *credentials)
1313 struct netlogon_creds_CredentialState *creds;
1315 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
1319 return test_netlogon_ops_args(p, tctx, credentials, creds, true);
1322 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
1323 static uint64_t sequence_nums[3];
1326 try a netlogon DatabaseSync
1328 static bool test_DatabaseSync(struct torture_context *tctx,
1329 struct dcerpc_pipe *p,
1330 struct cli_credentials *machine_credentials)
1332 struct netr_DatabaseSync r;
1333 struct netlogon_creds_CredentialState *creds;
1334 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
1336 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1337 struct netr_Authenticator credential, return_authenticator;
1338 struct dcerpc_binding_handle *b = p->binding_handle;
1340 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1344 ZERO_STRUCT(return_authenticator);
1346 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1347 r.in.computername = TEST_MACHINE_NAME;
1348 r.in.preferredmaximumlength = (uint32_t)-1;
1349 r.in.return_authenticator = &return_authenticator;
1350 r.out.delta_enum_array = &delta_enum_array;
1351 r.out.return_authenticator = &return_authenticator;
1353 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1355 uint32_t sync_context = 0;
1357 r.in.database_id = database_ids[i];
1358 r.in.sync_context = &sync_context;
1359 r.out.sync_context = &sync_context;
1361 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
1364 netlogon_creds_client_authenticator(creds, &credential);
1366 r.in.credential = &credential;
1368 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync_r(b, tctx, &r),
1369 "DatabaseSync failed");
1370 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
1373 /* Native mode servers don't do this */
1374 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1377 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync");
1379 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1380 torture_comment(tctx, "Credential chaining failed\n");
1383 if (delta_enum_array &&
1384 delta_enum_array->num_deltas > 0 &&
1385 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
1386 delta_enum_array->delta_enum[0].delta_union.domain) {
1387 sequence_nums[r.in.database_id] =
1388 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
1389 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
1391 (unsigned long long)sequence_nums[r.in.database_id]);
1393 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
1401 try a netlogon DatabaseDeltas
1403 static bool test_DatabaseDeltas(struct torture_context *tctx,
1404 struct dcerpc_pipe *p,
1405 struct cli_credentials *machine_credentials)
1407 struct netr_DatabaseDeltas r;
1408 struct netlogon_creds_CredentialState *creds;
1409 struct netr_Authenticator credential;
1410 struct netr_Authenticator return_authenticator;
1411 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1412 const uint32_t database_ids[] = {0, 1, 2};
1414 struct dcerpc_binding_handle *b = p->binding_handle;
1416 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1420 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1421 r.in.computername = TEST_MACHINE_NAME;
1422 r.in.preferredmaximumlength = (uint32_t)-1;
1423 ZERO_STRUCT(r.in.return_authenticator);
1424 r.out.return_authenticator = &return_authenticator;
1425 r.out.delta_enum_array = &delta_enum_array;
1427 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1428 r.in.database_id = database_ids[i];
1429 r.in.sequence_num = &sequence_nums[r.in.database_id];
1431 if (*r.in.sequence_num == 0) continue;
1433 *r.in.sequence_num -= 1;
1435 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
1436 r.in.database_id, (unsigned long long)*r.in.sequence_num);
1439 netlogon_creds_client_authenticator(creds, &credential);
1441 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseDeltas_r(b, tctx, &r),
1442 "DatabaseDeltas failed");
1443 if (NT_STATUS_EQUAL(r.out.result,
1444 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
1445 torture_comment(tctx, "not considering %s to be an error\n",
1446 nt_errstr(r.out.result));
1449 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
1452 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseDeltas");
1454 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1455 torture_comment(tctx, "Credential chaining failed\n");
1458 (*r.in.sequence_num)++;
1459 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
1465 static bool test_DatabaseRedo(struct torture_context *tctx,
1466 struct dcerpc_pipe *p,
1467 struct cli_credentials *machine_credentials)
1469 struct netr_DatabaseRedo r;
1470 struct netlogon_creds_CredentialState *creds;
1471 struct netr_Authenticator credential;
1472 struct netr_Authenticator return_authenticator;
1473 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1474 struct netr_ChangeLogEntry e;
1475 struct dom_sid null_sid, *sid;
1477 struct dcerpc_binding_handle *b = p->binding_handle;
1479 ZERO_STRUCT(null_sid);
1481 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
1492 NTSTATUS expected_error;
1493 uint32_t expected_num_results;
1494 uint8_t expected_delta_type_1;
1495 uint8_t expected_delta_type_2;
1496 const char *comment;
1499 /* SAM_DATABASE_DOMAIN */
1504 .db_index = SAM_DATABASE_DOMAIN,
1505 .delta_type = NETR_DELTA_MODIFY_COUNT,
1508 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1509 .expected_num_results = 0,
1510 .comment = "NETR_DELTA_MODIFY_COUNT"
1515 .db_index = SAM_DATABASE_DOMAIN,
1519 .expected_error = NT_STATUS_OK,
1520 .expected_num_results = 1,
1521 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1522 .comment = "NULL DELTA"
1527 .db_index = SAM_DATABASE_DOMAIN,
1528 .delta_type = NETR_DELTA_DOMAIN,
1531 .expected_error = NT_STATUS_OK,
1532 .expected_num_results = 1,
1533 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1534 .comment = "NETR_DELTA_DOMAIN"
1537 .rid = DOMAIN_RID_ADMINISTRATOR,
1539 .db_index = SAM_DATABASE_DOMAIN,
1540 .delta_type = NETR_DELTA_USER,
1543 .expected_error = NT_STATUS_OK,
1544 .expected_num_results = 1,
1545 .expected_delta_type_1 = NETR_DELTA_USER,
1546 .comment = "NETR_DELTA_USER by rid 500"
1549 .rid = DOMAIN_RID_GUEST,
1551 .db_index = SAM_DATABASE_DOMAIN,
1552 .delta_type = NETR_DELTA_USER,
1555 .expected_error = NT_STATUS_OK,
1556 .expected_num_results = 1,
1557 .expected_delta_type_1 = NETR_DELTA_USER,
1558 .comment = "NETR_DELTA_USER by rid 501"
1562 .flags = NETR_CHANGELOG_SID_INCLUDED,
1563 .db_index = SAM_DATABASE_DOMAIN,
1564 .delta_type = NETR_DELTA_USER,
1567 .expected_error = NT_STATUS_OK,
1568 .expected_num_results = 1,
1569 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1570 .comment = "NETR_DELTA_USER by sid and flags"
1574 .flags = NETR_CHANGELOG_SID_INCLUDED,
1575 .db_index = SAM_DATABASE_DOMAIN,
1576 .delta_type = NETR_DELTA_USER,
1579 .expected_error = NT_STATUS_OK,
1580 .expected_num_results = 1,
1581 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1582 .comment = "NETR_DELTA_USER by null_sid and flags"
1586 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1587 .db_index = SAM_DATABASE_DOMAIN,
1588 .delta_type = NETR_DELTA_USER,
1590 .name = "administrator",
1591 .expected_error = NT_STATUS_OK,
1592 .expected_num_results = 1,
1593 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1594 .comment = "NETR_DELTA_USER by name 'administrator'"
1597 .rid = DOMAIN_RID_ADMINS,
1599 .db_index = SAM_DATABASE_DOMAIN,
1600 .delta_type = NETR_DELTA_GROUP,
1603 .expected_error = NT_STATUS_OK,
1604 .expected_num_results = 2,
1605 .expected_delta_type_1 = NETR_DELTA_GROUP,
1606 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1607 .comment = "NETR_DELTA_GROUP by rid 512"
1610 .rid = DOMAIN_RID_ADMINS,
1612 .db_index = SAM_DATABASE_DOMAIN,
1613 .delta_type = NETR_DELTA_GROUP_MEMBER,
1616 .expected_error = NT_STATUS_OK,
1617 .expected_num_results = 2,
1618 .expected_delta_type_1 = NETR_DELTA_GROUP,
1619 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1620 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
1624 /* SAM_DATABASE_BUILTIN */
1629 .db_index = SAM_DATABASE_BUILTIN,
1630 .delta_type = NETR_DELTA_MODIFY_COUNT,
1633 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1634 .expected_num_results = 0,
1635 .comment = "NETR_DELTA_MODIFY_COUNT"
1640 .db_index = SAM_DATABASE_BUILTIN,
1641 .delta_type = NETR_DELTA_DOMAIN,
1644 .expected_error = NT_STATUS_OK,
1645 .expected_num_results = 1,
1646 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1647 .comment = "NETR_DELTA_DOMAIN"
1650 .rid = DOMAIN_RID_ADMINISTRATOR,
1652 .db_index = SAM_DATABASE_BUILTIN,
1653 .delta_type = NETR_DELTA_USER,
1656 .expected_error = NT_STATUS_OK,
1657 .expected_num_results = 1,
1658 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1659 .comment = "NETR_DELTA_USER by rid 500"
1664 .db_index = SAM_DATABASE_BUILTIN,
1665 .delta_type = NETR_DELTA_USER,
1668 .expected_error = NT_STATUS_OK,
1669 .expected_num_results = 1,
1670 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1671 .comment = "NETR_DELTA_USER"
1676 .db_index = SAM_DATABASE_BUILTIN,
1677 .delta_type = NETR_DELTA_ALIAS,
1680 .expected_error = NT_STATUS_OK,
1681 .expected_num_results = 2,
1682 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1683 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1684 .comment = "NETR_DELTA_ALIAS by rid 544"
1689 .db_index = SAM_DATABASE_BUILTIN,
1690 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1693 .expected_error = NT_STATUS_OK,
1694 .expected_num_results = 2,
1695 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1696 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1697 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1702 .db_index = SAM_DATABASE_BUILTIN,
1706 .expected_error = NT_STATUS_OK,
1707 .expected_num_results = 1,
1708 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1709 .comment = "NULL DELTA by rid 544"
1713 .flags = NETR_CHANGELOG_SID_INCLUDED,
1714 .db_index = SAM_DATABASE_BUILTIN,
1716 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1718 .expected_error = NT_STATUS_OK,
1719 .expected_num_results = 1,
1720 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1721 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1725 .flags = NETR_CHANGELOG_SID_INCLUDED,
1726 .db_index = SAM_DATABASE_BUILTIN,
1727 .delta_type = NETR_DELTA_ALIAS,
1728 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1730 .expected_error = NT_STATUS_OK,
1731 .expected_num_results = 2,
1732 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1733 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1734 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1738 .flags = NETR_CHANGELOG_SID_INCLUDED,
1739 .db_index = SAM_DATABASE_BUILTIN,
1740 .delta_type = NETR_DELTA_ALIAS,
1741 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1743 .expected_error = NT_STATUS_OK,
1744 .expected_num_results = 1,
1745 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1746 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1749 /* SAM_DATABASE_PRIVS */
1754 .db_index = SAM_DATABASE_PRIVS,
1758 .expected_error = NT_STATUS_ACCESS_DENIED,
1759 .expected_num_results = 0,
1760 .comment = "NULL DELTA"
1765 .db_index = SAM_DATABASE_PRIVS,
1766 .delta_type = NETR_DELTA_MODIFY_COUNT,
1769 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1770 .expected_num_results = 0,
1771 .comment = "NETR_DELTA_MODIFY_COUNT"
1776 .db_index = SAM_DATABASE_PRIVS,
1777 .delta_type = NETR_DELTA_POLICY,
1780 .expected_error = NT_STATUS_OK,
1781 .expected_num_results = 1,
1782 .expected_delta_type_1 = NETR_DELTA_POLICY,
1783 .comment = "NETR_DELTA_POLICY"
1787 .flags = NETR_CHANGELOG_SID_INCLUDED,
1788 .db_index = SAM_DATABASE_PRIVS,
1789 .delta_type = NETR_DELTA_POLICY,
1792 .expected_error = NT_STATUS_OK,
1793 .expected_num_results = 1,
1794 .expected_delta_type_1 = NETR_DELTA_POLICY,
1795 .comment = "NETR_DELTA_POLICY by null sid and flags"
1799 .flags = NETR_CHANGELOG_SID_INCLUDED,
1800 .db_index = SAM_DATABASE_PRIVS,
1801 .delta_type = NETR_DELTA_POLICY,
1802 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1804 .expected_error = NT_STATUS_OK,
1805 .expected_num_results = 1,
1806 .expected_delta_type_1 = NETR_DELTA_POLICY,
1807 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1810 .rid = DOMAIN_RID_ADMINISTRATOR,
1812 .db_index = SAM_DATABASE_PRIVS,
1813 .delta_type = NETR_DELTA_ACCOUNT,
1816 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1817 .expected_num_results = 0,
1818 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1822 .flags = NETR_CHANGELOG_SID_INCLUDED,
1823 .db_index = SAM_DATABASE_PRIVS,
1824 .delta_type = NETR_DELTA_ACCOUNT,
1825 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1827 .expected_error = NT_STATUS_OK,
1828 .expected_num_results = 1,
1829 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1830 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1834 .flags = NETR_CHANGELOG_SID_INCLUDED |
1835 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1836 .db_index = SAM_DATABASE_PRIVS,
1837 .delta_type = NETR_DELTA_ACCOUNT,
1838 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1840 .expected_error = NT_STATUS_OK,
1841 .expected_num_results = 1,
1842 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1843 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1847 .flags = NETR_CHANGELOG_SID_INCLUDED |
1848 NETR_CHANGELOG_NAME_INCLUDED,
1849 .db_index = SAM_DATABASE_PRIVS,
1850 .delta_type = NETR_DELTA_ACCOUNT,
1851 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1853 .expected_error = NT_STATUS_INVALID_PARAMETER,
1854 .expected_num_results = 0,
1855 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1858 .rid = DOMAIN_RID_ADMINISTRATOR,
1859 .flags = NETR_CHANGELOG_SID_INCLUDED,
1860 .db_index = SAM_DATABASE_PRIVS,
1861 .delta_type = NETR_DELTA_ACCOUNT,
1864 .expected_error = NT_STATUS_OK,
1865 .expected_num_results = 1,
1866 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1867 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1871 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1872 .db_index = SAM_DATABASE_PRIVS,
1873 .delta_type = NETR_DELTA_SECRET,
1875 .name = "IsurelydontexistIhope",
1876 .expected_error = NT_STATUS_OK,
1877 .expected_num_results = 1,
1878 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1879 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1883 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1884 .db_index = SAM_DATABASE_PRIVS,
1885 .delta_type = NETR_DELTA_SECRET,
1887 .name = "G$BCKUPKEY_P",
1888 .expected_error = NT_STATUS_OK,
1889 .expected_num_results = 1,
1890 .expected_delta_type_1 = NETR_DELTA_SECRET,
1891 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1895 ZERO_STRUCT(return_authenticator);
1897 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1898 r.in.computername = TEST_MACHINE_NAME;
1899 r.in.return_authenticator = &return_authenticator;
1900 r.out.return_authenticator = &return_authenticator;
1901 r.out.delta_enum_array = &delta_enum_array;
1903 for (d=0; d<3; d++) {
1904 const char *database = NULL;
1911 database = "BUILTIN";
1920 torture_comment(tctx, "Testing DatabaseRedo\n");
1922 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1926 for (i=0;i<ARRAY_SIZE(changes);i++) {
1928 if (d != changes[i].db_index) {
1932 netlogon_creds_client_authenticator(creds, &credential);
1934 r.in.credential = &credential;
1936 e.serial_number1 = 0;
1937 e.serial_number2 = 0;
1938 e.object_rid = changes[i].rid;
1939 e.flags = changes[i].flags;
1940 e.db_index = changes[i].db_index;
1941 e.delta_type = changes[i].delta_type;
1943 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1944 case NETR_CHANGELOG_SID_INCLUDED:
1945 e.object.object_sid = changes[i].sid;
1947 case NETR_CHANGELOG_NAME_INCLUDED:
1948 e.object.object_name = changes[i].name;
1954 r.in.change_log_entry = e;
1956 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1957 database, changes[i].comment);
1959 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseRedo_r(b, tctx, &r),
1960 "DatabaseRedo failed");
1961 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1965 torture_assert_ntstatus_equal(tctx, r.out.result, changes[i].expected_error, changes[i].comment);
1966 if (delta_enum_array) {
1967 torture_assert_int_equal(tctx,
1968 delta_enum_array->num_deltas,
1969 changes[i].expected_num_results,
1970 changes[i].comment);
1971 if (delta_enum_array->num_deltas > 0) {
1972 torture_assert_int_equal(tctx,
1973 delta_enum_array->delta_enum[0].delta_type,
1974 changes[i].expected_delta_type_1,
1975 changes[i].comment);
1977 if (delta_enum_array->num_deltas > 1) {
1978 torture_assert_int_equal(tctx,
1979 delta_enum_array->delta_enum[1].delta_type,
1980 changes[i].expected_delta_type_2,
1981 changes[i].comment);
1985 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1986 torture_comment(tctx, "Credential chaining failed\n");
1987 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1999 try a netlogon AccountDeltas
2001 static bool test_AccountDeltas(struct torture_context *tctx,
2002 struct dcerpc_pipe *p,
2003 struct cli_credentials *machine_credentials)
2005 struct netr_AccountDeltas r;
2006 struct netlogon_creds_CredentialState *creds;
2008 struct netr_AccountBuffer buffer;
2009 uint32_t count_returned = 0;
2010 uint32_t total_entries = 0;
2011 struct netr_UAS_INFO_0 recordid;
2012 struct netr_Authenticator return_authenticator;
2013 struct dcerpc_binding_handle *b = p->binding_handle;
2015 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
2019 ZERO_STRUCT(return_authenticator);
2021 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2022 r.in.computername = TEST_MACHINE_NAME;
2023 r.in.return_authenticator = &return_authenticator;
2024 netlogon_creds_client_authenticator(creds, &r.in.credential);
2025 ZERO_STRUCT(r.in.uas);
2028 r.in.buffersize=100;
2029 r.out.buffer = &buffer;
2030 r.out.count_returned = &count_returned;
2031 r.out.total_entries = &total_entries;
2032 r.out.recordid = &recordid;
2033 r.out.return_authenticator = &return_authenticator;
2035 /* w2k3 returns "NOT IMPLEMENTED" for this call */
2036 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountDeltas_r(b, tctx, &r),
2037 "AccountDeltas failed");
2038 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
2044 try a netlogon AccountSync
2046 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
2047 struct cli_credentials *machine_credentials)
2049 struct netr_AccountSync r;
2050 struct netlogon_creds_CredentialState *creds;
2052 struct netr_AccountBuffer buffer;
2053 uint32_t count_returned = 0;
2054 uint32_t total_entries = 0;
2055 uint32_t next_reference = 0;
2056 struct netr_UAS_INFO_0 recordid;
2057 struct netr_Authenticator return_authenticator;
2058 struct dcerpc_binding_handle *b = p->binding_handle;
2060 ZERO_STRUCT(recordid);
2061 ZERO_STRUCT(return_authenticator);
2063 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
2067 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2068 r.in.computername = TEST_MACHINE_NAME;
2069 r.in.return_authenticator = &return_authenticator;
2070 netlogon_creds_client_authenticator(creds, &r.in.credential);
2071 r.in.recordid = &recordid;
2074 r.in.buffersize=100;
2075 r.out.buffer = &buffer;
2076 r.out.count_returned = &count_returned;
2077 r.out.total_entries = &total_entries;
2078 r.out.next_reference = &next_reference;
2079 r.out.recordid = &recordid;
2080 r.out.return_authenticator = &return_authenticator;
2082 /* w2k3 returns "NOT IMPLEMENTED" for this call */
2083 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountSync_r(b, tctx, &r),
2084 "AccountSync failed");
2085 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
2091 try a netlogon GetDcName
2093 static bool test_GetDcName(struct torture_context *tctx,
2094 struct dcerpc_pipe *p)
2096 struct netr_GetDcName r;
2097 const char *dcname = NULL;
2098 struct dcerpc_binding_handle *b = p->binding_handle;
2100 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2101 r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
2102 r.out.dcname = &dcname;
2104 torture_assert_ntstatus_ok(tctx, dcerpc_netr_GetDcName_r(b, tctx, &r),
2105 "GetDcName failed");
2106 torture_assert_werr_ok(tctx, r.out.result, "GetDcName failed");
2108 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
2113 static const char *function_code_str(TALLOC_CTX *mem_ctx,
2114 enum netr_LogonControlCode function_code)
2116 switch (function_code) {
2117 case NETLOGON_CONTROL_QUERY:
2118 return "NETLOGON_CONTROL_QUERY";
2119 case NETLOGON_CONTROL_REPLICATE:
2120 return "NETLOGON_CONTROL_REPLICATE";
2121 case NETLOGON_CONTROL_SYNCHRONIZE:
2122 return "NETLOGON_CONTROL_SYNCHRONIZE";
2123 case NETLOGON_CONTROL_PDC_REPLICATE:
2124 return "NETLOGON_CONTROL_PDC_REPLICATE";
2125 case NETLOGON_CONTROL_REDISCOVER:
2126 return "NETLOGON_CONTROL_REDISCOVER";
2127 case NETLOGON_CONTROL_TC_QUERY:
2128 return "NETLOGON_CONTROL_TC_QUERY";
2129 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
2130 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
2131 case NETLOGON_CONTROL_FIND_USER:
2132 return "NETLOGON_CONTROL_FIND_USER";
2133 case NETLOGON_CONTROL_CHANGE_PASSWORD:
2134 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
2135 case NETLOGON_CONTROL_TC_VERIFY:
2136 return "NETLOGON_CONTROL_TC_VERIFY";
2137 case NETLOGON_CONTROL_FORCE_DNS_REG:
2138 return "NETLOGON_CONTROL_FORCE_DNS_REG";
2139 case NETLOGON_CONTROL_QUERY_DNS_REG:
2140 return "NETLOGON_CONTROL_QUERY_DNS_REG";
2141 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
2142 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
2143 case NETLOGON_CONTROL_TRUNCATE_LOG:
2144 return "NETLOGON_CONTROL_TRUNCATE_LOG";
2145 case NETLOGON_CONTROL_SET_DBFLAG:
2146 return "NETLOGON_CONTROL_SET_DBFLAG";
2147 case NETLOGON_CONTROL_BREAKPOINT:
2148 return "NETLOGON_CONTROL_BREAKPOINT";
2150 return talloc_asprintf(mem_ctx, "unknown function code: %d",
2157 try a netlogon LogonControl
2159 static bool test_LogonControl(struct torture_context *tctx,
2160 struct dcerpc_pipe *p,
2161 struct cli_credentials *machine_credentials)
2165 struct netr_LogonControl r;
2166 union netr_CONTROL_QUERY_INFORMATION query;
2168 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
2169 struct dcerpc_binding_handle *b = p->binding_handle;
2171 uint32_t function_codes[] = {
2172 NETLOGON_CONTROL_QUERY,
2173 NETLOGON_CONTROL_REPLICATE,
2174 NETLOGON_CONTROL_SYNCHRONIZE,
2175 NETLOGON_CONTROL_PDC_REPLICATE,
2176 NETLOGON_CONTROL_REDISCOVER,
2177 NETLOGON_CONTROL_TC_QUERY,
2178 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
2179 NETLOGON_CONTROL_FIND_USER,
2180 NETLOGON_CONTROL_CHANGE_PASSWORD,
2181 NETLOGON_CONTROL_TC_VERIFY,
2182 NETLOGON_CONTROL_FORCE_DNS_REG,
2183 NETLOGON_CONTROL_QUERY_DNS_REG,
2184 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
2185 NETLOGON_CONTROL_TRUNCATE_LOG,
2186 NETLOGON_CONTROL_SET_DBFLAG,
2187 NETLOGON_CONTROL_BREAKPOINT
2190 if (machine_credentials) {
2191 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2194 torture_comment(tctx, "Testing LogonControl with secure channel type: %d\n",
2195 secure_channel_type);
2197 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2198 r.in.function_code = 1;
2199 r.out.query = &query;
2201 for (f=0;f<ARRAY_SIZE(function_codes); f++) {
2204 r.in.function_code = function_codes[f];
2207 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
2208 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2210 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
2211 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2213 switch (r.in.level) {
2215 switch (r.in.function_code) {
2216 case NETLOGON_CONTROL_REPLICATE:
2217 case NETLOGON_CONTROL_SYNCHRONIZE:
2218 case NETLOGON_CONTROL_PDC_REPLICATE:
2219 case NETLOGON_CONTROL_BREAKPOINT:
2220 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
2221 if ((secure_channel_type == SEC_CHAN_BDC) ||
2222 (secure_channel_type == SEC_CHAN_WKSTA)) {
2223 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
2224 "LogonControl returned unexpected error code");
2226 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
2227 "LogonControl returned unexpected error code");
2231 case NETLOGON_CONTROL_REDISCOVER:
2232 case NETLOGON_CONTROL_TC_QUERY:
2233 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
2234 case NETLOGON_CONTROL_FIND_USER:
2235 case NETLOGON_CONTROL_CHANGE_PASSWORD:
2236 case NETLOGON_CONTROL_TC_VERIFY:
2237 case NETLOGON_CONTROL_FORCE_DNS_REG:
2238 case NETLOGON_CONTROL_QUERY_DNS_REG:
2239 case NETLOGON_CONTROL_SET_DBFLAG:
2240 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
2241 "LogonControl returned unexpected error code");
2243 case NETLOGON_CONTROL_TRUNCATE_LOG:
2244 if ((secure_channel_type == SEC_CHAN_BDC) ||
2245 (secure_channel_type == SEC_CHAN_WKSTA)) {
2246 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
2247 "LogonControl returned unexpected error code");
2248 } else if (!W_ERROR_EQUAL(r.out.result, WERR_NOT_SUPPORTED)) {
2249 torture_assert_werr_ok(tctx, r.out.result,
2250 "LogonControl returned unexpected result");
2254 torture_assert_werr_ok(tctx, r.out.result,
2255 "LogonControl returned unexpected result");
2260 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
2261 "LogonControl returned unexpected error code");
2264 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL,
2265 "LogonControl returned unexpected error code");
2272 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
2273 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2274 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
2275 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2276 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl");
2283 try a netlogon GetAnyDCName
2285 static bool test_GetAnyDCName(struct torture_context *tctx,
2286 struct dcerpc_pipe *p)
2289 struct netr_GetAnyDCName r;
2290 const char *dcname = NULL;
2291 struct dcerpc_binding_handle *b = p->binding_handle;
2293 r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
2294 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2295 r.out.dcname = &dcname;
2297 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
2298 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2299 if ((!W_ERROR_IS_OK(r.out.result)) &&
2300 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
2305 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
2308 r.in.domainname = NULL;
2310 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
2311 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2312 if ((!W_ERROR_IS_OK(r.out.result)) &&
2313 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
2317 r.in.domainname = "";
2319 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
2320 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2321 if ((!W_ERROR_IS_OK(r.out.result)) &&
2322 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
2331 try a netlogon LogonControl2
2333 static bool test_LogonControl2(struct torture_context *tctx,
2334 struct dcerpc_pipe *p,
2335 struct cli_credentials *machine_credentials)
2339 struct netr_LogonControl2 r;
2340 union netr_CONTROL_DATA_INFORMATION data;
2341 union netr_CONTROL_QUERY_INFORMATION query;
2342 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
2344 struct dcerpc_binding_handle *b = p->binding_handle;
2346 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2348 if (machine_credentials) {
2349 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2352 torture_comment(tctx, "Testing LogonControl2 with secure channel type: %d\n",
2353 secure_channel_type);
2355 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2357 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
2359 r.out.query = &query;
2364 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2365 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2367 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2368 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2371 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2373 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
2379 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2380 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2382 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2383 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2386 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2388 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
2394 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2395 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2397 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2398 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2401 data.debug_level = ~0;
2403 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2409 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2410 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2412 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2413 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2417 r.in.function_code = 52;
2420 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2421 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2423 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2424 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2425 switch (secure_channel_type) {
2427 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "LogonControl2");
2430 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2");
2433 data.debug_level = ~0;
2435 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2439 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2440 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2442 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2443 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2444 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl2");
2450 try a netlogon DatabaseSync2
2452 static bool test_DatabaseSync2(struct torture_context *tctx,
2453 struct dcerpc_pipe *p,
2454 struct cli_credentials *machine_credentials)
2456 struct netr_DatabaseSync2 r;
2457 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
2458 struct netr_Authenticator return_authenticator, credential;
2460 struct netlogon_creds_CredentialState *creds;
2461 const uint32_t database_ids[] = {0, 1, 2};
2463 struct dcerpc_binding_handle *b = p->binding_handle;
2465 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
2466 machine_credentials,
2467 cli_credentials_get_secure_channel_type(machine_credentials),
2472 ZERO_STRUCT(return_authenticator);
2474 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2475 r.in.computername = TEST_MACHINE_NAME;
2476 r.in.preferredmaximumlength = (uint32_t)-1;
2477 r.in.return_authenticator = &return_authenticator;
2478 r.out.return_authenticator = &return_authenticator;
2479 r.out.delta_enum_array = &delta_enum_array;
2481 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
2483 uint32_t sync_context = 0;
2485 r.in.database_id = database_ids[i];
2486 r.in.sync_context = &sync_context;
2487 r.out.sync_context = &sync_context;
2488 r.in.restart_state = 0;
2490 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
2493 netlogon_creds_client_authenticator(creds, &credential);
2495 r.in.credential = &credential;
2497 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync2_r(b, tctx, &r),
2498 "DatabaseSync2 failed");
2499 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2502 /* Native mode servers don't do this */
2503 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
2507 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync2");
2509 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
2510 torture_comment(tctx, "Credential chaining failed\n");
2513 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
2521 try a netlogon LogonControl2Ex
2523 static bool test_LogonControl2Ex(struct torture_context *tctx,
2524 struct dcerpc_pipe *p,
2525 struct cli_credentials *machine_credentials)
2529 struct netr_LogonControl2Ex r;
2530 union netr_CONTROL_DATA_INFORMATION data;
2531 union netr_CONTROL_QUERY_INFORMATION query;
2532 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
2534 struct dcerpc_binding_handle *b = p->binding_handle;
2536 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2538 if (machine_credentials) {
2539 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2542 torture_comment(tctx, "Testing LogonControl2Ex with secure channel type: %d\n",
2543 secure_channel_type);
2545 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2547 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
2549 r.out.query = &query;
2554 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2555 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2557 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2558 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2561 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2563 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
2569 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2570 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2572 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2573 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2576 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2578 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
2584 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2585 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2587 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2588 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2591 data.debug_level = ~0;
2593 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2599 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2600 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2602 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2603 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2607 r.in.function_code = 52;
2610 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2611 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2613 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2614 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2615 switch (secure_channel_type) {
2617 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "LogonControl2Ex");
2620 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2Ex");
2623 data.debug_level = ~0;
2625 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2629 torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n",
2630 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2632 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2633 torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex");
2634 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl2Ex");
2639 static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
2640 struct dcerpc_pipe *p1,
2641 struct cli_credentials *machine_credentials)
2643 struct netr_GetForestTrustInformation r;
2644 struct netlogon_creds_CredentialState *creds;
2645 struct netr_Authenticator a;
2646 struct netr_Authenticator return_authenticator;
2647 struct lsa_ForestTrustInformation *forest_trust_info;
2648 struct dcerpc_pipe *p = NULL;
2649 struct dcerpc_binding_handle *b = NULL;
2651 if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2652 machine_credentials, &creds)) {
2655 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
2656 DCERPC_SIGN | DCERPC_SEAL, &p)) {
2659 b = p->binding_handle;
2661 netlogon_creds_client_authenticator(creds, &a);
2663 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2664 r.in.computer_name = TEST_MACHINE_NAME;
2665 r.in.credential = &a;
2667 r.out.return_authenticator = &return_authenticator;
2668 r.out.forest_trust_info = &forest_trust_info;
2670 torture_assert_ntstatus_ok(tctx,
2671 dcerpc_netr_GetForestTrustInformation_r(b, tctx, &r),
2672 "netr_GetForestTrustInformation failed");
2673 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
2674 torture_comment(tctx, "not considering NT_STATUS_NOT_IMPLEMENTED as an error\n");
2676 torture_assert_ntstatus_ok(tctx, r.out.result,
2677 "netr_GetForestTrustInformation failed");
2680 torture_assert(tctx,
2681 netlogon_creds_client_check(creds, &return_authenticator.cred),
2682 "Credential chaining failed");
2687 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
2688 struct dcerpc_pipe *p, const char *trusted_domain_name)
2691 struct netr_DsRGetForestTrustInformation r;
2692 struct lsa_ForestTrustInformation info, *info_ptr;
2693 struct dcerpc_binding_handle *b = p->binding_handle;
2697 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2698 r.in.trusted_domain_name = trusted_domain_name;
2700 r.out.forest_trust_info = &info_ptr;
2702 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
2704 status = dcerpc_netr_DsRGetForestTrustInformation_r(b, tctx, &r);
2705 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
2706 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
2712 try a netlogon netr_DsrEnumerateDomainTrusts
2714 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
2715 struct dcerpc_pipe *p)
2718 struct netr_DsrEnumerateDomainTrusts r;
2719 struct netr_DomainTrustList trusts;
2721 struct dcerpc_binding_handle *b = p->binding_handle;
2723 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2724 r.in.trust_flags = 0x3f;
2725 r.out.trusts = &trusts;
2727 status = dcerpc_netr_DsrEnumerateDomainTrusts_r(b, tctx, &r);
2728 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2729 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2731 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2732 * will show non-forest trusts and all UPN suffixes of the own forest
2733 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2735 if (r.out.trusts->count) {
2736 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2741 for (i=0; i<r.out.trusts->count; i++) {
2743 /* get info for transitive forest trusts */
2745 if (r.out.trusts->array[i].trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2746 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
2747 r.out.trusts->array[i].dns_name)) {
2756 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2757 struct dcerpc_pipe *p)
2760 struct netr_NetrEnumerateTrustedDomains r;
2761 struct netr_Blob trusted_domains_blob;
2762 struct dcerpc_binding_handle *b = p->binding_handle;
2764 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2765 r.out.trusted_domains_blob = &trusted_domains_blob;
2767 status = dcerpc_netr_NetrEnumerateTrustedDomains_r(b, tctx, &r);
2768 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2769 torture_assert_ntstatus_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2774 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2775 struct dcerpc_pipe *p)
2778 struct netr_NetrEnumerateTrustedDomainsEx r;
2779 struct netr_DomainTrustList dom_trust_list;
2780 struct dcerpc_binding_handle *b = p->binding_handle;
2782 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2783 r.out.dom_trust_list = &dom_trust_list;
2785 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b, tctx, &r);
2786 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2787 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2793 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2794 const char *computer_name,
2795 const char *expected_site)
2798 struct netr_DsRGetSiteName r;
2799 const char *site = NULL;
2800 struct dcerpc_binding_handle *b = p->binding_handle;
2802 r.in.computer_name = computer_name;
2804 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2806 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2807 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2808 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2809 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2815 try a netlogon netr_DsRGetDCName
2817 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
2818 struct dcerpc_pipe *p)
2821 struct netr_DsRGetDCName r;
2822 struct netr_DsRGetDCNameInfo *info = NULL;
2823 struct dcerpc_binding_handle *b = p->binding_handle;
2825 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2826 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2827 r.in.domain_guid = NULL;
2828 r.in.site_guid = NULL;
2829 r.in.flags = DS_RETURN_DNS_NAME;
2832 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2833 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2834 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2836 torture_assert_int_equal(tctx,
2837 (info->dc_flags & (DS_DNS_CONTROLLER)),
2840 torture_assert_int_equal(tctx,
2841 (info->dc_flags & (DS_DNS_DOMAIN)),
2844 torture_assert_int_equal(tctx,
2845 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
2849 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2852 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2853 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2854 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2856 torture_assert_int_equal(tctx,
2857 (info->dc_flags & (DS_DNS_CONTROLLER)), 0,
2859 torture_assert_int_equal(tctx,
2860 (info->dc_flags & (DS_DNS_DOMAIN)), 0,
2862 torture_assert_int_equal(tctx,
2863 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
2867 if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
2868 torture_assert_int_equal(tctx,
2869 (info->dc_flags & (DS_SERVER_CLOSEST)),
2874 return test_netr_DsRGetSiteName(p, tctx,
2876 info->dc_site_name);
2880 try a netlogon netr_DsRGetDCNameEx
2882 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
2883 struct dcerpc_pipe *p)
2886 struct netr_DsRGetDCNameEx r;
2887 struct netr_DsRGetDCNameInfo *info = NULL;
2888 struct dcerpc_binding_handle *b = p->binding_handle;
2890 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2891 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2892 r.in.domain_guid = NULL;
2893 r.in.site_name = NULL;
2894 r.in.flags = DS_RETURN_DNS_NAME;
2897 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2898 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2899 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2901 torture_assert_int_equal(tctx,
2902 (info->dc_flags & (DS_DNS_CONTROLLER)),
2905 torture_assert_int_equal(tctx,
2906 (info->dc_flags & (DS_DNS_DOMAIN)),
2909 torture_assert_int_equal(tctx,
2910 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
2914 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2917 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2918 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2919 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2921 torture_assert_int_equal(tctx,
2922 (info->dc_flags & (DS_DNS_CONTROLLER)), 0,
2924 torture_assert_int_equal(tctx,
2925 (info->dc_flags & (DS_DNS_DOMAIN)), 0,
2927 torture_assert_int_equal(tctx,
2928 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
2932 if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
2933 torture_assert_int_equal(tctx,
2934 (info->dc_flags & (DS_SERVER_CLOSEST)),
2939 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2940 info->dc_site_name);
2944 try a netlogon netr_DsRGetDCNameEx2
2946 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
2947 struct dcerpc_pipe *p)
2950 struct netr_DsRGetDCNameEx2 r;
2951 struct netr_DsRGetDCNameInfo *info = NULL;
2952 struct dcerpc_binding_handle *b = p->binding_handle;
2954 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with no inputs\n");
2956 r.in.flags = DS_RETURN_DNS_NAME;
2959 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2960 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2961 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2963 torture_assert_int_equal(tctx,
2964 (info->dc_flags & (DS_DNS_CONTROLLER)),
2967 torture_assert_int_equal(tctx,
2968 (info->dc_flags & (DS_DNS_DOMAIN)),
2971 torture_assert_int_equal(tctx,
2972 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
2976 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2977 r.in.client_account = NULL;
2978 r.in.mask = 0x00000000;
2979 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2980 r.in.domain_guid = NULL;
2981 r.in.site_name = NULL;
2982 r.in.flags = DS_RETURN_DNS_NAME;
2985 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2987 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2988 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2989 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2991 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2994 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2995 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2996 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2998 torture_assert_int_equal(tctx,
2999 (info->dc_flags & (DS_DNS_CONTROLLER)), 0,
3001 torture_assert_int_equal(tctx,
3002 (info->dc_flags & (DS_DNS_DOMAIN)), 0,
3004 torture_assert_int_equal(tctx,
3005 (info->dc_flags & (DS_DNS_FOREST_ROOT)),
3009 if (strcasecmp(info->dc_site_name, info->client_site_name) == 0) {
3010 torture_assert_int_equal(tctx,
3011 (info->dc_flags & (DS_SERVER_CLOSEST)),
3016 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client account\n");
3017 r.in.client_account = TEST_MACHINE_NAME"$";
3018 r.in.mask = ACB_SVRTRUST;
3019 r.in.flags = DS_RETURN_FLAT_NAME;
3022 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
3023 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
3024 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
3026 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
3027 info->dc_site_name);
3030 /* This is a substitution for "samdb_server_site_name" which relies on the
3031 * correct "lp_ctx" and therefore can't be used here. */
3032 static const char *server_site_name(struct torture_context *tctx,
3033 struct ldb_context *ldb)
3035 TALLOC_CTX *tmp_ctx;
3036 struct ldb_dn *dn, *server_dn;
3037 const struct ldb_val *site_name_val;
3038 const char *server_dn_str, *site_name;
3040 tmp_ctx = talloc_new(ldb);
3041 if (tmp_ctx == NULL) {
3045 dn = ldb_dn_new(tmp_ctx, ldb, "");
3050 server_dn_str = samdb_search_string(ldb, tmp_ctx, dn, "serverName",
3052 if (server_dn_str == NULL) {
3056 server_dn = ldb_dn_new(tmp_ctx, ldb, server_dn_str);
3057 if (server_dn == NULL) {
3061 /* CN=<Server name>, CN=Servers, CN=<Site name>, CN=Sites, ... */
3062 site_name_val = ldb_dn_get_component_val(server_dn, 2);
3063 if (site_name_val == NULL) {
3067 site_name = (const char *) site_name_val->data;
3069 talloc_steal(tctx, site_name);
3070 talloc_free(tmp_ctx);
3075 talloc_free(tmp_ctx);
3079 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
3080 struct dcerpc_pipe *p)
3083 struct ldb_context *sam_ctx = NULL;
3085 struct netr_DsrGetDcSiteCoverageW r;
3086 struct DcSitesCtr *ctr = NULL;
3087 struct dcerpc_binding_handle *b = p->binding_handle;
3089 torture_comment(tctx, "This does only pass with the default site\n");
3091 /* We won't double-check this when we are over 'local' transports */
3092 if (dcerpc_server_name(p)) {
3093 /* Set up connection to SAMDB on DC */
3094 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
3095 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
3097 cmdline_credentials,
3100 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
3103 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3106 status = dcerpc_netr_DsrGetDcSiteCoverageW_r(b, tctx, &r);
3107 torture_assert_ntstatus_ok(tctx, status, "failed");
3108 torture_assert_werr_ok(tctx, r.out.result, "failed");
3110 torture_assert(tctx, ctr->num_sites == 1,
3111 "we should per default only get the default site");
3112 if (sam_ctx != NULL) {
3113 torture_assert_casestr_equal(tctx, ctr->sites[0].string,
3114 server_site_name(tctx, sam_ctx),
3115 "didn't return default site");
3121 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
3122 struct dcerpc_pipe *p)
3125 struct ldb_context *sam_ctx = NULL;
3127 struct netr_DsRAddressToSitenamesW r;
3128 struct netr_DsRAddress addrs[6];
3129 struct sockaddr_in *addr;
3131 struct sockaddr_in6 *addr6;
3133 struct netr_DsRAddressToSitenamesWCtr *ctr;
3134 struct dcerpc_binding_handle *b = p->binding_handle;
3138 torture_comment(tctx, "This does only pass with the default site\n");
3140 /* We won't double-check this when we are over 'local' transports */
3141 if (dcerpc_server_name(p)) {
3142 /* Set up connection to SAMDB on DC */
3143 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
3144 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
3146 cmdline_credentials,
3149 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
3152 /* First try valid IP addresses */
3154 addrs[0].size = sizeof(struct sockaddr_in);
3155 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
3156 addr = (struct sockaddr_in *) addrs[0].buffer;
3157 addrs[0].buffer[0] = AF_INET;
3158 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
3159 torture_assert(tctx, ret > 0, "inet_pton failed");
3161 addrs[1].size = sizeof(struct sockaddr_in);
3162 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
3163 addr = (struct sockaddr_in *) addrs[1].buffer;
3164 addrs[1].buffer[0] = AF_INET;
3165 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
3166 torture_assert(tctx, ret > 0, "inet_pton failed");
3168 addrs[2].size = sizeof(struct sockaddr_in);
3169 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
3170 addr = (struct sockaddr_in *) addrs[2].buffer;
3171 addrs[2].buffer[0] = AF_INET;
3172 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
3173 torture_assert(tctx, ret > 0, "inet_pton failed");
3176 addrs[3].size = sizeof(struct sockaddr_in6);
3177 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
3178 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
3179 addrs[3].buffer[0] = AF_INET6;
3180 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
3181 torture_assert(tctx, ret > 0, "inet_pton failed");
3183 addrs[4].size = sizeof(struct sockaddr_in6);
3184 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
3185 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
3186 addrs[4].buffer[0] = AF_INET6;
3187 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
3188 torture_assert(tctx, ret > 0, "inet_pton failed");
3190 addrs[5].size = sizeof(struct sockaddr_in6);
3191 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
3192 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
3193 addrs[5].buffer[0] = AF_INET6;
3194 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
3195 torture_assert(tctx, ret > 0, "inet_pton failed");
3197 /* the test cases are repeated to have exactly 6. This is for
3198 * compatibility with IPv4-only machines */
3199 addrs[3].size = sizeof(struct sockaddr_in);
3200 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
3201 addr = (struct sockaddr_in *) addrs[3].buffer;
3202 addrs[3].buffer[0] = AF_INET;
3203 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
3204 torture_assert(tctx, ret > 0, "inet_pton failed");
3206 addrs[4].size = sizeof(struct sockaddr_in);
3207 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
3208 addr = (struct sockaddr_in *) addrs[4].buffer;
3209 addrs[4].buffer[0] = AF_INET;
3210 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
3211 torture_assert(tctx, ret > 0, "inet_pton failed");
3213 addrs[5].size = sizeof(struct sockaddr_in);
3214 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
3215 addr = (struct sockaddr_in *) addrs[5].buffer;
3216 addrs[5].buffer[0] = AF_INET;
3217 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
3218 torture_assert(tctx, ret > 0, "inet_pton failed");
3221 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
3223 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3225 r.in.addresses = addrs;
3228 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
3229 torture_assert_ntstatus_ok(tctx, status, "failed");
3230 torture_assert_werr_ok(tctx, r.out.result, "failed");
3232 if (sam_ctx != NULL) {
3233 for (i = 0; i < 3; i++) {
3234 torture_assert_casestr_equal(tctx,
3235 ctr->sitename[i].string,
3236 server_site_name(tctx, sam_ctx),
3237 "didn't return default site");
3239 for (i = 3; i < 6; i++) {
3240 /* Windows returns "NULL" for the sitename if it isn't
3241 * IPv6 configured */
3242 if (torture_setting_bool(tctx, "samba4", false)) {
3243 torture_assert_casestr_equal(tctx,
3244 ctr->sitename[i].string,
3245 server_site_name(tctx, sam_ctx),
3246 "didn't return default site");
3251 /* Now try invalid ones (too short buffers) */
3261 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
3262 torture_assert_ntstatus_ok(tctx, status, "failed");
3263 torture_assert_werr_ok(tctx, r.out.result, "failed");
3265 for (i = 0; i < 6; i++) {
3266 torture_assert(tctx, ctr->sitename[i].string == NULL,
3267 "sitename should be null");
3270 /* Now try invalid ones (wrong address types) */
3273 addrs[0].buffer[0] = AF_UNSPEC;
3275 addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
3277 addrs[2].buffer[0] = AF_UNIX;
3280 addrs[3].buffer[0] = 250;
3282 addrs[4].buffer[0] = 251;
3284 addrs[5].buffer[0] = 252;
3286 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
3287 torture_assert_ntstatus_ok(tctx, status, "failed");
3288 torture_assert_werr_ok(tctx, r.out.result, "failed");
3290 for (i = 0; i < 6; i++) {
3291 torture_assert(tctx, ctr->sitename[i].string == NULL,
3292 "sitename should be null");
3298 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
3299 struct dcerpc_pipe *p)
3302 struct ldb_context *sam_ctx = NULL;
3304 struct netr_DsRAddressToSitenamesExW r;
3305 struct netr_DsRAddress addrs[6];
3306 struct sockaddr_in *addr;
3308 struct sockaddr_in6 *addr6;
3310 struct netr_DsRAddressToSitenamesExWCtr *ctr;
3311 struct dcerpc_binding_handle *b = p->binding_handle;
3315 torture_comment(tctx, "This does pass with the default site\n");
3317 /* We won't double-check this when we are over 'local' transports */
3318 if (dcerpc_server_name(p)) {
3319 /* Set up connection to SAMDB on DC */
3320 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
3321 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
3323 cmdline_credentials,
3326 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
3329 /* First try valid IP addresses */
3331 addrs[0].size = sizeof(struct sockaddr_in);
3332 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
3333 addr = (struct sockaddr_in *) addrs[0].buffer;
3334 addrs[0].buffer[0] = AF_INET;
3335 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
3336 torture_assert(tctx, ret > 0, "inet_pton failed");
3338 addrs[1].size = sizeof(struct sockaddr_in);
3339 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
3340 addr = (struct sockaddr_in *) addrs[1].buffer;
3341 addrs[1].buffer[0] = AF_INET;
3342 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
3343 torture_assert(tctx, ret > 0, "inet_pton failed");
3345 addrs[2].size = sizeof(struct sockaddr_in);
3346 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
3347 addr = (struct sockaddr_in *) addrs[2].buffer;
3348 addrs[2].buffer[0] = AF_INET;
3349 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
3350 torture_assert(tctx, ret > 0, "inet_pton failed");
3353 addrs[3].size = sizeof(struct sockaddr_in6);
3354 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
3355 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
3356 addrs[3].buffer[0] = AF_INET6;
3357 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
3358 torture_assert(tctx, ret > 0, "inet_pton failed");
3360 addrs[4].size = sizeof(struct sockaddr_in6);
3361 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
3362 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
3363 addrs[4].buffer[0] = AF_INET6;
3364 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
3365 torture_assert(tctx, ret > 0, "inet_pton failed");
3367 addrs[5].size = sizeof(struct sockaddr_in6);
3368 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
3369 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
3370 addrs[5].buffer[0] = AF_INET6;
3371 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
3372 torture_assert(tctx, ret > 0, "inet_pton failed");
3374 /* the test cases are repeated to have exactly 6. This is for
3375 * compatibility with IPv4-only machines */
3376 addrs[3].size = sizeof(struct sockaddr_in);
3377 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
3378 addr = (struct sockaddr_in *) addrs[3].buffer;
3379 addrs[3].buffer[0] = AF_INET;
3380 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
3381 torture_assert(tctx, ret > 0, "inet_pton failed");
3383 addrs[4].size = sizeof(struct sockaddr_in);
3384 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
3385 addr = (struct sockaddr_in *) addrs[4].buffer;
3386 addrs[4].buffer[0] = AF_INET;
3387 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
3388 torture_assert(tctx, ret > 0, "inet_pton failed");
3390 addrs[5].size = sizeof(struct sockaddr_in);
3391 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
3392 addr = (struct sockaddr_in *) addrs[5].buffer;
3393 addrs[5].buffer[0] = AF_INET;
3394 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
3395 torture_assert(tctx, ret > 0, "inet_pton failed");
3398 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
3400 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3402 r.in.addresses = addrs;
3405 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
3406 torture_assert_ntstatus_ok(tctx, status, "failed");
3407 torture_assert_werr_ok(tctx, r.out.result, "failed");
3409 if (sam_ctx != NULL) {
3410 for (i = 0; i < 3; i++) {
3411 torture_assert_casestr_equal(tctx,
3412 ctr->sitename[i].string,
3413 server_site_name(tctx, sam_ctx),
3414 "didn't return default site");
3415 torture_assert(tctx, ctr->subnetname[i].string == NULL,
3416 "subnet should be null");
3418 for (i = 3; i < 6; i++) {
3419 /* Windows returns "NULL" for the sitename if it isn't
3420 * IPv6 configured */
3421 if (torture_setting_bool(tctx, "samba4", false)) {
3422 torture_assert_casestr_equal(tctx,
3423 ctr->sitename[i].string,
3424 server_site_name(tctx, sam_ctx),
3425 "didn't return default site");
3427 torture_assert(tctx, ctr->subnetname[i].string == NULL,
3428 "subnet should be null");
3432 /* Now try invalid ones (too short buffers) */
3442 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
3443 torture_assert_ntstatus_ok(tctx, status, "failed");
3444 torture_assert_werr_ok(tctx, r.out.result, "failed");
3446 for (i = 0; i < 6; i++) {
3447 torture_assert(tctx, ctr->sitename[i].string == NULL,
3448 "sitename should be null");
3449 torture_assert(tctx, ctr->subnetname[i].string == NULL,
3450 "subnet should be null");
3454 addrs[0].buffer[0] = AF_UNSPEC;
3456 addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
3458 addrs[2].buffer[0] = AF_UNIX;
3461 addrs[3].buffer[0] = 250;
3463 addrs[4].buffer[0] = 251;
3465 addrs[5].buffer[0] = 252;
3467 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
3468 torture_assert_ntstatus_ok(tctx, status, "failed");
3469 torture_assert_werr_ok(tctx, r.out.result, "failed");
3471 for (i = 0; i < 6; i++) {
3472 torture_assert(tctx, ctr->sitename[i].string == NULL,
3473 "sitename should be null");
3474 torture_assert(tctx, ctr->subnetname[i].string == NULL,
3475 "subnet should be null");
3481 static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
3482 struct dcerpc_pipe *p1,
3483 struct cli_credentials *machine_credentials,
3484 uint32_t negotiate_flags)
3486 struct netr_ServerGetTrustInfo r;
3488 struct netr_Authenticator a;
3489 struct netr_Authenticator return_authenticator;
3490 struct samr_Password new_owf_password;
3491 struct samr_Password old_owf_password;
3492 struct netr_TrustInfo *trust_info;
3494 struct netlogon_creds_CredentialState *creds;
3495 struct dcerpc_pipe *p = NULL;
3496 struct dcerpc_binding_handle *b = NULL;
3498 struct samr_Password nt_hash;
3500 if (!test_SetupCredentials3(p1, tctx, negotiate_flags,
3501 machine_credentials, &creds)) {
3504 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
3505 DCERPC_SIGN | DCERPC_SEAL, &p)) {
3508 b = p->binding_handle;
3510 netlogon_creds_client_authenticator(creds, &a);
3512 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3513 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
3514 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
3515 r.in.computer_name = TEST_MACHINE_NAME;
3516 r.in.credential = &a;
3518 r.out.return_authenticator = &return_authenticator;
3519 r.out.new_owf_password = &new_owf_password;
3520 r.out.old_owf_password = &old_owf_password;
3521 r.out.trust_info = &trust_info;
3523 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerGetTrustInfo_r(b, tctx, &r),
3524 "ServerGetTrustInfo failed");
3525 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
3526 torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
3528 E_md4hash(cli_credentials_get_password(machine_credentials), nt_hash.hash);
3530 netlogon_creds_des_decrypt(creds, &new_owf_password);
3532 dump_data(1, new_owf_password.hash, 16);
3533 dump_data(1, nt_hash.hash, 16);
3535 torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16,
3536 "received unexpected owf password\n");
3541 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
3542 struct dcerpc_pipe *p,
3543 struct cli_credentials *machine_credentials)
3545 return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
3546 NETLOGON_NEG_AUTH2_ADS_FLAGS);
3549 static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx,
3550 struct dcerpc_pipe *p,
3551 struct cli_credentials *machine_credentials)
3553 return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
3554 NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
3557 static bool test_GetDomainInfo(struct torture_context *tctx,
3558 struct dcerpc_pipe *p1,
3559 struct cli_credentials *machine_credentials)
3561 struct netr_LogonGetDomainInfo r;
3562 struct netr_WorkstationInformation q1;
3563 struct netr_Authenticator a;
3564 struct netlogon_creds_CredentialState *creds;
3565 struct netr_OsVersion os;
3566 union netr_WorkstationInfo query;
3567 union netr_DomainInfo info;
3568 const char* const attrs[] = { "dNSHostName", "operatingSystem",
3569 "operatingSystemServicePack", "operatingSystemVersion",
3570 "servicePrincipalName", NULL };
3572 struct ldb_context *sam_ctx = NULL;
3573 struct ldb_message **res;
3574 struct ldb_message_element *spn_el;
3577 const char *old_dnsname = NULL;
3581 struct dcerpc_pipe *p = NULL;
3582 struct dcerpc_binding_handle *b = NULL;
3584 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
3586 if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
3587 machine_credentials, &creds)) {
3590 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
3591 DCERPC_SIGN | DCERPC_SEAL, &p)) {
3594 b = p->binding_handle;
3596 /* We won't double-check this when we are over 'local' transports */
3597 if (dcerpc_server_name(p)) {
3598 /* Set up connection to SAMDB on DC */
3599 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
3600 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
3602 cmdline_credentials,
3605 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
3608 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
3609 netlogon_creds_client_authenticator(creds, &a);
3612 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3613 r.in.computer_name = TEST_MACHINE_NAME;
3614 r.in.credential = &a;
3616 r.in.return_authenticator = &a;
3617 r.in.query = &query;
3618 r.out.return_authenticator = &a;
3622 os.os.MajorVersion = 123;
3623 os.os.MinorVersion = 456;
3624 os.os.BuildNumber = 789;
3625 os.os.CSDVersion = "Service Pack 10";
3626 os.os.ServicePackMajor = 10;
3627 os.os.ServicePackMinor = 1;
3628 os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
3629 os.os.ProductType = NETR_VER_NT_SERVER;
3632 version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
3633 os.os.MinorVersion, os.os.BuildNumber);
3636 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3637 lpcfg_dnsdomain(tctx->lp_ctx));
3638 q1.sitename = "Default-First-Site-Name";
3639 q1.os_version.os = &os;
3640 q1.os_name.string = talloc_asprintf(tctx,
3641 "Tortured by Samba4 RPC-NETLOGON: %s",
3642 timestring(tctx, time(NULL)));
3644 /* The workstation handles the "servicePrincipalName" and DNS hostname
3646 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3648 query.workstation_info = &q1;
3651 /* Gets back the old DNS hostname in AD */
3652 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3653 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3655 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
3657 /* Gets back the "servicePrincipalName"s in AD */
3658 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3659 if (spn_el != NULL) {
3660 for (i=0; i < spn_el->num_values; i++) {
3661 spns = talloc_realloc(tctx, spns, char *, i + 1);
3662 spns[i] = (char *) spn_el->values[i].data;
3668 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3669 "LogonGetDomainInfo failed");
3670 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3671 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3676 /* AD workstation infos entry check */
3677 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3678 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3679 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3680 torture_assert_str_equal(tctx,
3681 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3682 q1.os_name.string, "'operatingSystem' wrong!");
3683 torture_assert_str_equal(tctx,
3684 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
3685 os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
3686 torture_assert_str_equal(tctx,
3687 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
3688 version_str, "'operatingSystemVersion' wrong!");
3690 if (old_dnsname != NULL) {
3691 /* If before a DNS hostname was set then it should remain
3692 the same in combination with the "servicePrincipalName"s.
3693 The DNS hostname should also be returned by our
3694 "LogonGetDomainInfo" call (in the domain info structure). */
3696 torture_assert_str_equal(tctx,
3697 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3698 old_dnsname, "'DNS hostname' was not set!");
3700 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3701 torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
3702 "'servicePrincipalName's not set!");
3703 torture_assert(tctx, spn_el->num_values == num_spns,
3704 "'servicePrincipalName's incorrect!");
3705 for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
3706 torture_assert_str_equal(tctx,
3707 (char *) spn_el->values[i].data,
3708 spns[i], "'servicePrincipalName's incorrect!");
3710 torture_assert_str_equal(tctx,
3711 info.domain_info->dns_hostname.string,
3713 "Out 'DNS hostname' doesn't match the old one!");
3715 /* If no DNS hostname was set then also now none should be set,
3716 the "servicePrincipalName"s should remain empty and no DNS
3717 hostname should be returned by our "LogonGetDomainInfo"
3718 call (in the domain info structure). */
3720 torture_assert(tctx,
3721 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
3722 "'DNS hostname' was set!");
3724 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3725 torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
3726 "'servicePrincipalName's were set!");
3728 torture_assert(tctx,
3729 info.domain_info->dns_hostname.string == NULL,
3730 "Out 'DNS host name' was set!");
3734 /* Checks "workstation flags" */
3735 torture_assert(tctx,
3736 info.domain_info->workstation_flags
3737 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3738 "Out 'workstation flags' don't match!");
3741 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
3742 netlogon_creds_client_authenticator(creds, &a);
3744 /* Wipe out the osVersion, and prove which values still 'stick' */
3745 q1.os_version.os = NULL;
3747 /* Change also the DNS hostname to test differences in behaviour */
3748 talloc_free(discard_const_p(char, q1.dns_hostname));
3749 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
3750 lpcfg_dnsdomain(tctx->lp_ctx));
3752 /* The workstation handles the "servicePrincipalName" and DNS hostname
3754 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3756 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3757 "LogonGetDomainInfo failed");
3758 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3760 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3765 /* AD workstation infos entry check */
3766 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3767 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3768 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3770 torture_assert_str_equal(tctx,
3771 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3772 q1.os_name.string, "'operatingSystem' should stick!");
3773 torture_assert(tctx,
3774 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
3775 "'operatingSystemServicePack' shouldn't stick!");
3776 torture_assert(tctx,
3777 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
3778 "'operatingSystemVersion' shouldn't stick!");
3780 /* The DNS host name shouldn't have been updated by the server */
3782 torture_assert_str_equal(tctx,
3783 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3784 old_dnsname, "'DNS host name' did change!");
3786 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3787 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3789 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3790 torture_assert(tctx, spn_el != NULL,
3791 "There should exist 'servicePrincipalName's in AD!");
3792 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
3793 for (i=0; i < spn_el->num_values; i++)
3794 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3796 torture_assert(tctx, i != spn_el->num_values,
3797 "'servicePrincipalName' HOST/<Netbios name> not found!");
3798 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
3799 for (i=0; i < spn_el->num_values; i++)
3800 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3802 torture_assert(tctx, i != spn_el->num_values,
3803 "'servicePrincipalName' HOST/<FQDN name> not found!");
3805 /* Check that the out DNS hostname was set properly */
3806 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
3807 old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
3810 /* Checks "workstation flags" */
3811 torture_assert(tctx,
3812 info.domain_info->workstation_flags == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3813 "Out 'workstation flags' don't match!");
3816 /* Now try the same but the workstation flags set to 0 */
3818 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
3819 netlogon_creds_client_authenticator(creds, &a);
3821 /* Change also the DNS hostname to test differences in behaviour */
3822 talloc_free(discard_const_p(char, q1.dns_hostname));
3823 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
3824 lpcfg_dnsdomain(tctx->lp_ctx));
3826 /* Wipe out the osVersion, and prove which values still 'stick' */
3827 q1.os_version.os = NULL;
3829 /* Let the DC handle the "servicePrincipalName" and DNS hostname
3831 q1.workstation_flags = 0;
3833 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3834 "LogonGetDomainInfo failed");
3835 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3836 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3841 /* AD workstation infos entry check */
3842 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3843 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3844 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3846 torture_assert_str_equal(tctx,
3847 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3848 q1.os_name.string, "'operatingSystem' should stick!");
3849 torture_assert(tctx,
3850 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
3851 "'operatingSystemServicePack' shouldn't stick!");
3852 torture_assert(tctx,
3853 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
3854 "'operatingSystemVersion' shouldn't stick!");
3856 /* The DNS host name shouldn't have been updated by the server */
3858 torture_assert_str_equal(tctx,
3859 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3860 old_dnsname, "'DNS host name' did change!");
3862 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3863 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3865 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3866 torture_assert(tctx, spn_el != NULL,
3867 "There should exist 'servicePrincipalName's in AD!");
3868 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
3869 for (i=0; i < spn_el->num_values; i++)
3870 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3872 torture_assert(tctx, i != spn_el->num_values,
3873 "'servicePrincipalName' HOST/<Netbios name> not found!");
3874 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
3875 for (i=0; i < spn_el->num_values; i++)
3876 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3878 torture_assert(tctx, i != spn_el->num_values,
3879 "'servicePrincipalName' HOST/<FQDN name> not found!");
3881 /* Here the server gives us NULL as the out DNS hostname */
3882 torture_assert(tctx, info.domain_info->dns_hostname.string == NULL,
3883 "Out 'DNS hostname' should be NULL!");
3886 /* Checks "workstation flags" */
3887 torture_assert(tctx,
3888 info.domain_info->workstation_flags == 0,
3889 "Out 'workstation flags' don't match!");
3892 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
3893 netlogon_creds_client_authenticator(creds, &a);
3895 /* Put the DNS hostname back */
3896 talloc_free(discard_const_p(char, q1.dns_hostname));
3897 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3898 lpcfg_dnsdomain(tctx->lp_ctx));
3900 /* The workstation handles the "servicePrincipalName" and DNS hostname
3902 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3904 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3905 "LogonGetDomainInfo failed");
3906 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3907 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3911 /* Now the in/out DNS hostnames should be the same */
3912 torture_assert_str_equal(tctx,
3913 info.domain_info->dns_hostname.string,
3914 query.workstation_info->dns_hostname,
3915 "In/Out 'DNS hostnames' don't match!");
3916 old_dnsname = info.domain_info->dns_hostname.string;
3918 /* Checks "workstation flags" */
3919 torture_assert(tctx,
3920 info.domain_info->workstation_flags
3921 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3922 "Out 'workstation flags' don't match!");
3924 /* Checks for trusted domains */
3925 torture_assert(tctx,
3926 (info.domain_info->trusted_domain_count != 0)
3927 && (info.domain_info->trusted_domains != NULL),
3928 "Trusted domains have been requested!");
3931 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
3932 netlogon_creds_client_authenticator(creds, &a);
3934 /* The workstation handles the "servicePrincipalName" and DNS hostname
3935 updates and requests inbound trusts */
3936 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
3937 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
3939 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3940 "LogonGetDomainInfo failed");
3941 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3942 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3946 /* Checks "workstation flags" */
3947 torture_assert(tctx,
3948 info.domain_info->workstation_flags
3949 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3950 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
3951 "Out 'workstation flags' don't match!");
3953 /* Checks for trusted domains */
3954 torture_assert(tctx,
3955 (info.domain_info->trusted_domain_count != 0)
3956 && (info.domain_info->trusted_domains != NULL),
3957 "Trusted domains have been requested!");
3960 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 6th call (no DNS hostname)\n");
3961 netlogon_creds_client_authenticator(creds, &a);
3963 query.workstation_info->dns_hostname = NULL;
3965 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3966 "LogonGetDomainInfo failed");
3967 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3968 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3970 /* The old DNS hostname should stick */
3971 torture_assert_str_equal(tctx,
3972 info.domain_info->dns_hostname.string,
3974 "'DNS hostname' changed!");
3976 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (extra workstation flags)\n");
3977 netlogon_creds_client_authenticator(creds, &a);
3979 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
3980 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | 0x4;
3982 /* Put the DNS hostname back */
3983 talloc_free(discard_const_p(char, q1.dns_hostname));
3984 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3985 lpcfg_dnsdomain(tctx->lp_ctx));
3987 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3988 "LogonGetDomainInfo failed");
3989 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3990 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3992 /* Checks "workstation flags" */
3993 torture_assert(tctx,
3994 info.domain_info->workstation_flags
3995 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3996 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
3997 "Out 'workstation flags' don't match!");
3999 if (!torture_setting_bool(tctx, "dangerous", false)) {
4000 torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 8th call (no workstation info) - enable dangerous tests in order to do so\n");
4002 /* Try a call without the workstation information structure */
4004 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 8th call (no workstation info)\n");
4005 netlogon_creds_client_authenticator(creds, &a);
4007 query.workstation_info = NULL;
4009 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
4010 "LogonGetDomainInfo failed");
4011 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
4012 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
4018 static bool test_GetDomainInfo_async(struct torture_context *tctx,
4019 struct dcerpc_pipe *p1,
4020 struct cli_credentials *machine_credentials)
4023 struct netr_LogonGetDomainInfo r;
4024 struct netr_WorkstationInformation q1;
4025 struct netr_Authenticator a;
4026 #define ASYNC_COUNT 100
4027 struct netlogon_creds_CredentialState *creds;
4028 struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
4029 struct tevent_req *req[ASYNC_COUNT];
4031 union netr_WorkstationInfo query;
4032 union netr_DomainInfo info;
4033 struct dcerpc_pipe *p = NULL;
4035 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
4037 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
4038 machine_credentials, &creds)) {
4041 if (!test_SetupCredentialsPipe(p1, tctx, machine_credentials, creds,
4042 DCERPC_SIGN | DCERPC_SEAL, &p)) {
4047 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
4048 r.in.computer_name = TEST_MACHINE_NAME;
4049 r.in.credential = &a;
4051 r.in.return_authenticator = &a;
4052 r.in.query = &query;
4053 r.out.return_authenticator = &a;
4057 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
4058 lpcfg_dnsdomain(tctx->lp_ctx));
4059 q1.sitename = "Default-First-Site-Name";
4060 q1.os_name.string = "UNIX/Linux or similar";
4062 query.workstation_info = &q1;
4064 for (i=0;i<ASYNC_COUNT;i++) {
4065 netlogon_creds_client_authenticator(creds, &a);
4067 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
4068 req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r);
4070 /* even with this flush per request a w2k3 server seems to
4071 clag with multiple outstanding requests. bleergh. */
4072 torture_assert_int_equal(tctx, tevent_loop_once(tctx->ev), 0,
4073 "tevent_loop_once failed");
4076 for (i=0;i<ASYNC_COUNT;i++) {
4077 torture_assert_int_equal(tctx, tevent_req_poll(req[i], tctx->ev), true,
4078 "tevent_req_poll() failed");
4080 status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx);
4082 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
4083 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
4085 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
4086 "Credential chaining failed at async");
4089 torture_comment(tctx,
4090 "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
4095 static bool test_ManyGetDCName(struct torture_context *tctx,
4096 struct dcerpc_pipe *p)
4099 struct cli_credentials *anon_creds;
4100 struct dcerpc_binding *binding2;
4101 struct dcerpc_pipe *p2;
4102 struct lsa_ObjectAttribute attr;
4103 struct lsa_QosInfo qos;
4104 struct lsa_OpenPolicy2 o;
4105 struct policy_handle lsa_handle;
4106 struct lsa_DomainList domains;
4108 struct lsa_EnumTrustDom t;
4109 uint32_t resume_handle = 0;
4110 struct netr_GetAnyDCName d;
4111 const char *dcname = NULL;
4112 struct dcerpc_binding_handle *b = p->binding_handle;
4113 struct dcerpc_binding_handle *b2;
4117 if (p->conn->transport.transport != NCACN_NP) {
4118 torture_skip(tctx, "test_ManyGetDCName works only with NCACN_NP");
4121 torture_comment(tctx, "Torturing GetDCName\n");
4123 anon_creds = cli_credentials_init_anon(tctx);
4124 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon failed");
4126 binding2 = dcerpc_binding_dup(tctx, p->binding);
4127 /* Swap the binding details from NETLOGON to LSA */
4128 status = dcerpc_epm_map_binding(tctx, binding2, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
4129 dcerpc_binding_set_assoc_group_id(binding2, 0);
4130 torture_assert_ntstatus_ok(tctx, status, "epm map");
4132 status = dcerpc_secondary_auth_connection(p, binding2, &ndr_table_lsarpc,
4133 anon_creds, tctx->lp_ctx,
4135 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
4136 b2 = p2->binding_handle;
4139 qos.impersonation_level = 2;
4140 qos.context_mode = 1;
4141 qos.effective_only = 0;
4144 attr.root_dir = NULL;
4145 attr.object_name = NULL;
4146 attr.attributes = 0;
4147 attr.sec_desc = NULL;
4148 attr.sec_qos = &qos;
4150 o.in.system_name = "\\";
4152 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
4153 o.out.handle = &lsa_handle;
4155 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
4156 "OpenPolicy2 failed");
4157 torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
4159 t.in.handle = &lsa_handle;
4160 t.in.resume_handle = &resume_handle;
4161 t.in.max_size = 1000;
4162 t.out.domains = &domains;
4163 t.out.resume_handle = &resume_handle;
4165 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b2, tctx, &t),
4166 "EnumTrustDom failed");
4168 if ((!NT_STATUS_IS_OK(t.out.result) &&
4169 (!NT_STATUS_EQUAL(t.out.result, NT_STATUS_NO_MORE_ENTRIES))))
4170 torture_fail(tctx, "Could not list domains");
4174 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
4175 dcerpc_server_name(p));
4176 d.out.dcname = &dcname;
4178 for (i=0; i<domains.count * 4; i++) {
4179 struct lsa_DomainInfo *info =
4180 &domains.domains[rand()%domains.count];
4182 d.in.domainname = info->name.string;
4184 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &d);
4185 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
4187 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
4188 dcname ? dcname : "unknown");
4194 static bool test_lsa_over_netlogon(struct torture_context *tctx,
4195 struct dcerpc_pipe *p)
4198 struct cli_credentials *anon_creds;
4199 const struct dcerpc_binding *binding2;
4200 struct dcerpc_pipe *p2;
4201 struct lsa_ObjectAttribute attr;
4202 struct lsa_QosInfo qos;
4203 struct lsa_OpenPolicy2 o;
4204 struct policy_handle lsa_handle;
4206 struct dcerpc_binding_handle *b2;
4209 if (p->conn->transport.transport != NCACN_NP) {
4210 torture_skip(tctx, "test_lsa_over_netlogon works only with NCACN_NP");
4213 torture_comment(tctx, "Testing if we can access the LSA server over\n"
4214 " \\\\pipe\\netlogon rather than \\\\pipe\\lsarpc\n");
4216 anon_creds = cli_credentials_init_anon(tctx);
4217 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon failed");
4219 binding2 = p->binding;
4221 status = dcerpc_secondary_auth_connection(p, binding2, &ndr_table_lsarpc,
4222 anon_creds, tctx->lp_ctx,
4224 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
4225 b2 = p2->binding_handle;
4228 qos.impersonation_level = 2;
4229 qos.context_mode = 1;
4230 qos.effective_only = 0;
4233 attr.root_dir = NULL;
4234 attr.object_name = NULL;
4235 attr.attributes = 0;
4236 attr.sec_desc = NULL;
4237 attr.sec_qos = &qos;
4239 o.in.system_name = "\\";
4241 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
4242 o.out.handle = &lsa_handle;
4244 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
4245 "OpenPolicy2 failed");
4246 torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
4253 static bool test_SetPassword_with_flags(struct torture_context *tctx,
4254 struct dcerpc_pipe *p,
4255 struct cli_credentials *machine_credentials)
4257 uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
4258 struct netlogon_creds_CredentialState *creds;
4261 if (!test_SetupCredentials2(p, tctx, 0,
4262 machine_credentials,
4263 cli_credentials_get_secure_channel_type(machine_credentials),
4265 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
4268 for (i=0; i < ARRAY_SIZE(flags); i++) {
4269 torture_assert(tctx,
4270 test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
4271 talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
4277 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
4279 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon");
4280 struct torture_rpc_tcase *tcase;
4281 struct torture_test *test;
4283 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
4284 &ndr_table_netlogon, TEST_MACHINE_NAME);
4286 torture_rpc_tcase_add_test(tcase, "Broken RPC binding handle",
4287 test_netr_broken_binding_handle);
4289 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
4290 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
4291 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
4292 torture_rpc_tcase_add_test_creds(tcase, "invalidAuthenticate2", test_invalidAuthenticate2);
4293 torture_rpc_tcase_add_test_creds(tcase, "ServerReqChallengeGlobal", test_ServerReqChallengeGlobal);
4294 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
4295 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
4296 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
4297 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
4298 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
4299 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
4300 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
4301 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
4302 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
4303 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
4304 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
4305 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
4306 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
4307 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
4308 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
4309 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
4310 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
4311 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
4312 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
4313 test->dangerous = true;
4314 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
4315 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
4316 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
4317 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
4318 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
4319 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
4320 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
4321 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo_AES", test_netr_ServerGetTrustInfo_AES);
4322 torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation", test_netr_GetForestTrustInformation);
4324 torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon);
4325 torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade);
4330 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
4332 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon-s3");
4333 struct torture_rpc_tcase *tcase;
4335 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
4336 &ndr_table_netlogon, TEST_MACHINE_NAME);
4338 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
4339 torture_rpc_tcase_add_test_creds(tcase, "SamLogon_NULL_domain", test_SamLogon_NULL_domain);
4340 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
4341 torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
4342 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
4343 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
4344 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
4349 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
4351 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon.admin");
4352 struct torture_rpc_tcase *tcase;
4354 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "bdc",
4355 &ndr_table_netlogon, TEST_MACHINE_NAME);
4356 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
4357 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
4358 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
4360 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "wkst",
4361 &ndr_table_netlogon, TEST_MACHINE_NAME);
4362 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
4363 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
4364 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
4366 tcase = torture_suite_add_rpc_iface_tcase(suite, "admin",
4367 &ndr_table_netlogon);
4368 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
4369 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
4370 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);