2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc operations
5 Copyright (C) Andrew Tridgell 2003
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 these really shouldn't be here ....
28 static char *lsa_sid_string_talloc(TALLOC_CTX *mem_ctx, struct dom_sid *sid)
35 return talloc_asprintf(mem_ctx, "(NULL SID)");
38 maxlen = sid->num_auths * 11 + 25;
39 ret = talloc(mem_ctx, maxlen);
40 if (!ret) return NULL;
42 ia = (sid->id_auth[5]) +
43 (sid->id_auth[4] << 8 ) +
44 (sid->id_auth[3] << 16) +
45 (sid->id_auth[2] << 24);
47 ofs = snprintf(ret, maxlen, "S-%u-%lu",
48 (unsigned int)sid->sid_rev_num, (unsigned long)ia);
50 for (i = 0; i < sid->num_auths; i++) {
51 ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]);
57 static int dom_sid_compare(struct dom_sid *sid1, struct dom_sid *sid2)
61 if (sid1 == sid2) return 0;
65 /* Compare most likely different rids, first: i.e start at end */
66 if (sid1->num_auths != sid2->num_auths)
67 return sid1->num_auths - sid2->num_auths;
69 for (i = sid1->num_auths-1; i >= 0; --i)
70 if (sid1->sub_auths[i] != sid2->sub_auths[i])
71 return sid1->sub_auths[i] - sid2->sub_auths[i];
73 if (sid1->sid_rev_num != sid2->sid_rev_num)
74 return sid1->sid_rev_num - sid2->sid_rev_num;
76 for (i = 0; i < 6; i++)
77 if (sid1->id_auth[i] != sid2->id_auth[i])
78 return sid1->id_auth[i] - sid2->id_auth[i];
83 static BOOL test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
85 struct lsa_ObjectAttribute attr;
86 struct policy_handle handle;
87 struct lsa_QosInfo qos;
88 struct lsa_OpenPolicy r;
90 uint16 system_name = '\\';
92 printf("\ntesting OpenPolicy\n");
94 qos.impersonation_level = 2;
96 qos.effective_only = 0;
99 attr.object_name = NULL;
101 attr.sec_desc = NULL;
104 r.in.system_name = &system_name;
106 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
107 r.out.handle = &handle;
109 status = dcerpc_lsa_OpenPolicy(p, mem_ctx, &r);
110 if (!NT_STATUS_IS_OK(status)) {
111 printf("OpenPolicy failed - %s\n", nt_errstr(status));
119 static BOOL test_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
120 struct policy_handle *handle)
122 struct lsa_ObjectAttribute attr;
123 struct lsa_QosInfo qos;
124 struct lsa_OpenPolicy2 r;
127 printf("\ntesting OpenPolicy2\n");
129 qos.impersonation_level = 2;
130 qos.context_mode = 1;
131 qos.effective_only = 0;
133 attr.root_dir = NULL;
134 attr.object_name = NULL;
136 attr.sec_desc = NULL;
139 r.in.system_name = "\\";
141 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
142 r.out.handle = handle;
144 status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &r);
145 if (!NT_STATUS_IS_OK(status)) {
146 printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
153 static BOOL test_LookupNames(struct dcerpc_pipe *p,
155 struct policy_handle *handle,
156 struct lsa_TransNameArray *tnames)
158 struct lsa_LookupNames r;
159 struct lsa_TransSidArray sids;
160 struct lsa_Name *names;
165 printf("\nTesting LookupNames\n");
170 names = talloc(mem_ctx, tnames->count * sizeof(names[0]));
171 for (i=0;i<tnames->count;i++) {
172 names[i].name_len = 2*strlen(tnames->names[i].name.name);
173 names[i].name_size = 2*strlen(tnames->names[i].name.name);
174 names[i].name = tnames->names[i].name.name;
177 r.in.handle = handle;
178 r.in.num_names = tnames->count;
183 r.out.count = &count;
186 status = dcerpc_lsa_LookupNames(p, mem_ctx, &r);
187 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
188 printf("LookupNames failed - %s\n", nt_errstr(status));
193 NDR_PRINT_DEBUG(lsa_RefDomainList, r.out.domains);
196 printf("lookup gave %d sids (sids.count=%d)\n", count, sids.count);
198 NDR_PRINT_DEBUG(lsa_TransSidArray, r.out.sids);
206 static BOOL test_LookupSids(struct dcerpc_pipe *p,
208 struct policy_handle *handle,
209 struct lsa_SidArray *sids)
211 struct lsa_LookupSids r;
212 struct lsa_TransNameArray names;
213 uint32 count = sids->num_sids;
216 printf("\nTesting LookupSids\n");
221 r.in.handle = handle;
226 r.out.count = &count;
227 r.out.names = &names;
229 status = dcerpc_lsa_LookupSids(p, mem_ctx, &r);
230 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
231 printf("LookupSids failed - %s\n", nt_errstr(status));
236 NDR_PRINT_DEBUG(lsa_RefDomainList, r.out.domains);
239 NDR_PRINT_DEBUG(lsa_TransNameArray, r.out.names);
243 if (!test_LookupNames(p, mem_ctx, handle, &names)) {
250 static BOOL test_LookupPrivName(struct dcerpc_pipe *p,
252 struct policy_handle *handle,
253 struct lsa_LUID *luid)
256 struct lsa_LookupPrivName r;
258 r.in.handle = handle;
259 r.in.luid_high = luid->high;
260 r.in.luid_low = luid->low;
262 status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r);
263 if (!NT_STATUS_IS_OK(status)) {
264 printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
268 NDR_PRINT_DEBUG(lsa_Name, r.out.name);
273 static BOOL test_EnumPrivsAccount(struct dcerpc_pipe *p,
275 struct policy_handle *handle,
276 struct policy_handle *acct_handle)
279 struct lsa_EnumPrivsAccount r;
281 printf("Testing EnumPrivsAccount\n");
283 r.in.handle = acct_handle;
285 status = dcerpc_lsa_EnumPrivsAccount(p, mem_ctx, &r);
286 if (!NT_STATUS_IS_OK(status)) {
287 printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
291 printf("received %d privileges\n",
292 r.out.privs?r.out.privs->count:0);
296 NDR_PRINT_DEBUG(lsa_PrivilegeSet, r.out.privs);
297 for (i=0;i<r.out.privs->count;i++) {
298 test_LookupPrivName(p, mem_ctx, handle,
299 &r.out.privs->set[i].luid);
306 static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
308 struct policy_handle *acct_handle,
312 struct lsa_EnumAccountRights r;
313 struct lsa_RightSet rights;
315 printf("Testing EnumAccountRights\n");
317 r.in.handle = acct_handle;
319 r.out.rights = &rights;
321 status = dcerpc_lsa_EnumAccountRights(p, mem_ctx, &r);
322 if (!NT_STATUS_IS_OK(status)) {
323 printf("EnumAccountRights failed - %s\n", nt_errstr(status));
327 NDR_PRINT_DEBUG(lsa_RightSet, r.out.rights);
332 static BOOL test_OpenAccount(struct dcerpc_pipe *p,
334 struct policy_handle *handle,
338 struct lsa_OpenAccount r;
339 struct policy_handle acct_handle;
341 printf("Testing OpenAccount(%s)\n", lsa_sid_string_talloc(mem_ctx, sid));
343 r.in.handle = handle;
345 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
346 r.out.acct_handle = &acct_handle;
348 status = dcerpc_lsa_OpenAccount(p, mem_ctx, &r);
349 if (!NT_STATUS_IS_OK(status)) {
350 printf("OpenAccount failed - %s\n", nt_errstr(status));
354 if (!test_EnumPrivsAccount(p, mem_ctx, handle, &acct_handle)) {
361 static BOOL test_EnumAccounts(struct dcerpc_pipe *p,
363 struct policy_handle *handle)
366 struct lsa_EnumAccounts r;
367 struct lsa_SidArray sids1, sids2;
368 uint32 resume_handle = 0;
371 printf("\ntesting EnumAccounts\n");
373 r.in.handle = handle;
374 r.in.resume_handle = &resume_handle;
375 r.in.num_entries = 100;
376 r.out.resume_handle = &resume_handle;
380 status = dcerpc_lsa_EnumAccounts(p, mem_ctx, &r);
381 if (!NT_STATUS_IS_OK(status)) {
382 printf("EnumAccounts failed - %s\n", nt_errstr(status));
386 printf("Got %d sids resume_handle=%u\n", sids1.num_sids, resume_handle);
388 NDR_PRINT_DEBUG(lsa_SidArray, r.out.sids);
390 if (!test_LookupSids(p, mem_ctx, handle, &sids1)) {
394 printf("testing all accounts\n");
395 for (i=0;i<sids1.num_sids;i++) {
396 test_OpenAccount(p, mem_ctx, handle, sids1.sids[i].sid);
397 test_EnumAccountRights(p, mem_ctx, handle, sids1.sids[i].sid);
401 if (sids1.num_sids < 3) {
405 printf("trying EnumAccounts partial listing (asking for 1 at 2)\n");
407 r.in.num_entries = 1;
410 status = dcerpc_lsa_EnumAccounts(p, mem_ctx, &r);
411 if (!NT_STATUS_IS_OK(status)) {
412 printf("EnumAccounts failed - %s\n", nt_errstr(status));
416 NDR_PRINT_DEBUG(lsa_SidArray, r.out.sids);
418 if (sids2.num_sids != 1) {
419 printf("Returned wrong number of entries (%d)\n", sids2.num_sids);
427 static BOOL test_EnumPrivs(struct dcerpc_pipe *p,
429 struct policy_handle *handle)
432 struct lsa_EnumPrivs r;
433 struct lsa_PrivArray privs1;
434 uint32 resume_handle = 0;
436 printf("\ntesting EnumPrivs\n");
438 r.in.handle = handle;
439 r.in.resume_handle = &resume_handle;
440 r.in.max_count = 1000;
441 r.out.resume_handle = &resume_handle;
442 r.out.privs = &privs1;
445 status = dcerpc_lsa_EnumPrivs(p, mem_ctx, &r);
446 if (!NT_STATUS_IS_OK(status)) {
447 printf("EnumPrivs failed - %s\n", nt_errstr(status));
451 printf("Got %d privs resume_handle=%u\n", privs1.count, resume_handle);
453 NDR_PRINT_DEBUG(lsa_PrivArray, r.out.privs);
459 static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
461 struct policy_handle *handle)
463 struct lsa_EnumTrustDom r;
465 uint32 resume_handle = 0;
466 struct lsa_DomainList domains;
468 printf("\nTesting EnumTrustDom\n");
470 r.in.handle = handle;
471 r.in.resume_handle = &resume_handle;
472 r.in.num_entries = 1000;
473 r.out.domains = &domains;
474 r.out.resume_handle = &resume_handle;
476 status = dcerpc_lsa_EnumTrustDom(p, mem_ctx, &r);
477 if (!NT_STATUS_IS_OK(status)) {
478 printf("EnumTrustDom failed - %s\n", nt_errstr(status));
482 printf("lookup gave %d domains\n", domains.count);
484 NDR_PRINT_DEBUG(lsa_DomainList, r.out.domains);
489 static BOOL test_QueryInfoPolicy(struct dcerpc_pipe *p,
491 struct policy_handle *handle)
493 struct lsa_QueryInfoPolicy r;
498 printf("\nTesting QueryInfoPolicy\n");
501 r.in.handle = handle;
504 printf("\ntrying QueryInfoPolicy level %d\n", i);
506 status = dcerpc_lsa_QueryInfoPolicy(p, mem_ctx, &r);
507 if (!NT_STATUS_IS_OK(status)) {
508 printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
513 NDR_PRINT_UNION_DEBUG(lsa_PolicyInformation, r.in.level, r.out.info);
519 static BOOL test_Delete(struct dcerpc_pipe *p,
521 struct policy_handle *handle)
526 printf("\ntesting Delete - but what does it do?\n");
528 r.in.handle = handle;
529 status = dcerpc_lsa_Delete(p, mem_ctx, &r);
530 if (!NT_STATUS_IS_OK(status)) {
531 printf("Delete failed - %s\n", nt_errstr(status));
540 static BOOL test_Close(struct dcerpc_pipe *p,
542 struct policy_handle *handle)
546 struct policy_handle handle2;
548 printf("\ntesting Close\n");
550 r.in.handle = handle;
551 r.out.handle = &handle2;
553 status = dcerpc_lsa_Close(p, mem_ctx, &r);
554 if (!NT_STATUS_IS_OK(status)) {
555 printf("Close failed - %s\n", nt_errstr(status));
559 status = dcerpc_lsa_Close(p, mem_ctx, &r);
560 /* its really a fault - we need a status code for rpc fault */
561 if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL)) {
562 printf("Close failed - %s\n", nt_errstr(status));
571 BOOL torture_rpc_lsa(int dummy)
574 struct dcerpc_pipe *p;
577 struct policy_handle handle;
579 mem_ctx = talloc_init("torture_rpc_lsa");
581 status = torture_rpc_connection(&p, "lsarpc");
582 if (!NT_STATUS_IS_OK(status)) {
586 if (!test_OpenPolicy(p, mem_ctx)) {
590 if (!test_OpenPolicy2(p, mem_ctx, &handle)) {
594 if (!test_EnumAccounts(p, mem_ctx, &handle)) {
598 if (!test_EnumPrivs(p, mem_ctx, &handle)) {
602 if (!test_EnumTrustDom(p, mem_ctx, &handle)) {
606 if (!test_QueryInfoPolicy(p, mem_ctx, &handle)) {
611 if (!test_Delete(p, mem_ctx, &handle)) {
616 if (!test_Close(p, mem_ctx, &handle)) {
620 torture_rpc_close(p);