2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "torture/rpc/rpc.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
35 #define TEST_MACHINE_NAME "torturetest"
37 static bool test_LogonUasLogon(struct torture_context *tctx,
38 struct dcerpc_pipe *p)
41 struct netr_LogonUasLogon r;
43 r.in.server_name = NULL;
44 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
45 r.in.workstation = TEST_MACHINE_NAME;
47 status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
48 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
53 static bool test_LogonUasLogoff(struct torture_context *tctx,
54 struct dcerpc_pipe *p)
57 struct netr_LogonUasLogoff r;
59 r.in.server_name = NULL;
60 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
61 r.in.workstation = TEST_MACHINE_NAME;
63 status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
64 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
69 static bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
70 struct cli_credentials *credentials,
71 struct creds_CredentialState **creds_out)
74 struct netr_ServerReqChallenge r;
75 struct netr_ServerAuthenticate a;
76 struct netr_Credential credentials1, credentials2, credentials3;
77 struct creds_CredentialState *creds;
78 struct samr_Password mach_password;
79 const char *plain_pass;
80 const char *machine_name;
82 plain_pass = cli_credentials_get_password(credentials);
83 machine_name = cli_credentials_get_workstation(credentials);
85 torture_comment(tctx, "Testing ServerReqChallenge\n");
87 creds = talloc(tctx, struct creds_CredentialState);
88 torture_assert(tctx, creds != NULL, "memory allocation");
90 r.in.server_name = NULL;
91 r.in.computer_name = machine_name;
92 r.in.credentials = &credentials1;
93 r.out.credentials = &credentials2;
95 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
97 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
98 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
100 E_md4hash(plain_pass, mach_password.hash);
102 a.in.server_name = NULL;
103 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
104 a.in.secure_channel_type = SEC_CHAN_BDC;
105 a.in.computer_name = machine_name;
106 a.in.credentials = &credentials3;
107 a.out.credentials = &credentials3;
109 creds_client_init(creds, &credentials1, &credentials2,
110 &mach_password, &credentials3,
113 torture_comment(tctx, "Testing ServerAuthenticate\n");
115 status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
116 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
118 torture_assert(tctx, creds_client_check(creds, &credentials3),
119 "Credential chaining failed");
125 static bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
126 uint32_t negotiate_flags,
127 struct cli_credentials *machine_credentials,
129 struct creds_CredentialState **creds_out)
132 struct netr_ServerReqChallenge r;
133 struct netr_ServerAuthenticate2 a;
134 struct netr_Credential credentials1, credentials2, credentials3;
135 struct creds_CredentialState *creds;
136 struct samr_Password mach_password;
137 const char *machine_name;
138 const char *plain_pass;
140 machine_name = cli_credentials_get_workstation(machine_credentials);
141 plain_pass = cli_credentials_get_password(machine_credentials);
143 torture_comment(tctx, "Testing ServerReqChallenge\n");
145 creds = talloc(tctx, struct creds_CredentialState);
146 torture_assert(tctx, creds != NULL, "memory allocation");
148 r.in.server_name = NULL;
149 r.in.computer_name = machine_name;
150 r.in.credentials = &credentials1;
151 r.out.credentials = &credentials2;
153 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
155 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
156 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
158 E_md4hash(plain_pass, mach_password.hash);
160 a.in.server_name = NULL;
161 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
162 a.in.secure_channel_type = sec_chan_type;
163 a.in.computer_name = machine_name;
164 a.in.negotiate_flags = &negotiate_flags;
165 a.out.negotiate_flags = &negotiate_flags;
166 a.in.credentials = &credentials3;
167 a.out.credentials = &credentials3;
169 creds_client_init(creds, &credentials1, &credentials2,
170 &mach_password, &credentials3,
173 torture_comment(tctx, "Testing ServerAuthenticate2\n");
175 status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
176 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
178 torture_assert(tctx, creds_client_check(creds, &credentials3),
179 "Credential chaining failed");
181 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
188 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
189 uint32_t negotiate_flags,
190 struct cli_credentials *machine_credentials,
191 struct creds_CredentialState **creds_out)
194 struct netr_ServerReqChallenge r;
195 struct netr_ServerAuthenticate3 a;
196 struct netr_Credential credentials1, credentials2, credentials3;
197 struct creds_CredentialState *creds;
198 struct samr_Password mach_password;
200 const char *machine_name;
201 const char *plain_pass;
203 machine_name = cli_credentials_get_workstation(machine_credentials);
204 plain_pass = cli_credentials_get_password(machine_credentials);
206 torture_comment(tctx, "Testing ServerReqChallenge\n");
208 creds = talloc(tctx, struct creds_CredentialState);
209 torture_assert(tctx, creds != NULL, "memory allocation");
211 r.in.server_name = NULL;
212 r.in.computer_name = machine_name;
213 r.in.credentials = &credentials1;
214 r.out.credentials = &credentials2;
216 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
218 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
219 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
221 E_md4hash(plain_pass, mach_password.hash);
223 a.in.server_name = NULL;
224 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
225 a.in.secure_channel_type = SEC_CHAN_BDC;
226 a.in.computer_name = machine_name;
227 a.in.negotiate_flags = &negotiate_flags;
228 a.in.credentials = &credentials3;
229 a.out.credentials = &credentials3;
230 a.out.negotiate_flags = &negotiate_flags;
233 creds_client_init(creds, &credentials1, &credentials2,
234 &mach_password, &credentials3,
237 torture_comment(tctx, "Testing ServerAuthenticate3\n");
239 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
240 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
241 torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
243 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
250 try a change password for our machine account
252 static bool test_SetPassword(struct torture_context *tctx,
253 struct dcerpc_pipe *p,
254 struct cli_credentials *machine_credentials)
257 struct netr_ServerPasswordSet r;
258 const char *password;
259 struct creds_CredentialState *creds;
261 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
265 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
266 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
267 r.in.secure_channel_type = SEC_CHAN_BDC;
268 r.in.computer_name = TEST_MACHINE_NAME;
270 password = generate_random_str(tctx, 8);
271 E_md4hash(password, r.in.new_password.hash);
273 creds_des_encrypt(creds, &r.in.new_password);
275 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
276 torture_comment(tctx, "Changing machine account password to '%s'\n",
279 creds_client_authenticator(creds, &r.in.credential);
281 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
282 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
284 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
285 torture_comment(tctx, "Credential chaining failed\n");
288 /* by changing the machine password twice we test the
289 credentials chaining fully, and we verify that the server
290 allows the password to be set to the same value twice in a
291 row (match win2k3) */
292 torture_comment(tctx,
293 "Testing a second ServerPasswordSet on machine account\n");
294 torture_comment(tctx,
295 "Changing machine account password to '%s' (same as previous run)\n", password);
297 creds_client_authenticator(creds, &r.in.credential);
299 status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
300 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
302 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
303 torture_comment(tctx, "Credential chaining failed\n");
306 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
309 test_SetupCredentials(p, tctx, machine_credentials, &creds),
310 "ServerPasswordSet failed to actually change the password");
316 try a change password for our machine account
318 static bool test_SetPassword2(struct torture_context *tctx,
319 struct dcerpc_pipe *p,
320 struct cli_credentials *machine_credentials)
323 struct netr_ServerPasswordSet2 r;
324 const char *password;
325 struct creds_CredentialState *creds;
326 struct samr_CryptPassword password_buf;
328 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
332 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
333 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
334 r.in.secure_channel_type = SEC_CHAN_BDC;
335 r.in.computer_name = TEST_MACHINE_NAME;
337 password = generate_random_str(tctx, 8);
338 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
339 creds_arcfour_crypt(creds, password_buf.data, 516);
341 memcpy(r.in.new_password.data, password_buf.data, 512);
342 r.in.new_password.length = IVAL(password_buf.data, 512);
344 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
345 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
347 creds_client_authenticator(creds, &r.in.credential);
349 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
350 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
352 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
353 torture_comment(tctx, "Credential chaining failed\n");
356 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
358 if (!torture_setting_bool(tctx, "dangerous", false)) {
359 torture_comment(tctx,
360 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
362 /* by changing the machine password to ""
363 * we check if the server uses password restrictions
364 * for ServerPasswordSet2
365 * (win2k3 accepts "")
368 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
369 creds_arcfour_crypt(creds, password_buf.data, 516);
371 memcpy(r.in.new_password.data, password_buf.data, 512);
372 r.in.new_password.length = IVAL(password_buf.data, 512);
374 torture_comment(tctx,
375 "Testing ServerPasswordSet2 on machine account\n");
376 torture_comment(tctx,
377 "Changing machine account password to '%s'\n", password);
379 creds_client_authenticator(creds, &r.in.credential);
381 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
382 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
384 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
385 torture_comment(tctx, "Credential chaining failed\n");
388 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
391 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
392 "ServerPasswordSet failed to actually change the password");
394 /* now try a random password */
395 password = generate_random_str(tctx, 8);
396 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
397 creds_arcfour_crypt(creds, password_buf.data, 516);
399 memcpy(r.in.new_password.data, password_buf.data, 512);
400 r.in.new_password.length = IVAL(password_buf.data, 512);
402 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
403 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
405 creds_client_authenticator(creds, &r.in.credential);
407 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
408 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
410 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
411 torture_comment(tctx, "Credential chaining failed\n");
414 /* by changing the machine password twice we test the
415 credentials chaining fully, and we verify that the server
416 allows the password to be set to the same value twice in a
417 row (match win2k3) */
418 torture_comment(tctx,
419 "Testing a second ServerPasswordSet2 on machine account\n");
420 torture_comment(tctx,
421 "Changing machine account password to '%s' (same as previous run)\n", password);
423 creds_client_authenticator(creds, &r.in.credential);
425 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
426 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
428 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
429 torture_comment(tctx, "Credential chaining failed\n");
432 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
434 torture_assert (tctx,
435 test_SetupCredentials(p, tctx, machine_credentials, &creds),
436 "ServerPasswordSet failed to actually change the password");
441 static bool test_GetPassword(struct torture_context *tctx,
442 struct dcerpc_pipe *p,
443 struct cli_credentials *machine_credentials)
445 struct netr_ServerPasswordGet r;
446 struct creds_CredentialState *creds;
447 struct netr_Authenticator credential;
449 struct netr_Authenticator return_authenticator;
450 struct samr_Password password;
452 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
456 creds_client_authenticator(creds, &credential);
458 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
459 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
460 r.in.secure_channel_type = SEC_CHAN_BDC;
461 r.in.computer_name = TEST_MACHINE_NAME;
462 r.in.credential = &credential;
463 r.out.return_authenticator = &return_authenticator;
464 r.out.password = &password;
466 status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
467 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
472 static bool test_GetTrustPasswords(struct torture_context *tctx,
473 struct dcerpc_pipe *p,
474 struct cli_credentials *machine_credentials)
476 struct netr_ServerTrustPasswordsGet r;
477 struct creds_CredentialState *creds;
478 struct netr_Authenticator credential;
480 struct netr_Authenticator return_authenticator;
481 struct samr_Password password, password2;
483 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
487 creds_client_authenticator(creds, &credential);
489 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
490 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
491 r.in.secure_channel_type = SEC_CHAN_BDC;
492 r.in.computer_name = TEST_MACHINE_NAME;
493 r.in.credential = &credential;
494 r.out.return_authenticator = &return_authenticator;
495 r.out.password = &password;
496 r.out.password2 = &password2;
498 status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
499 torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
505 try a netlogon SamLogon
507 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
508 struct cli_credentials *credentials,
509 struct creds_CredentialState *creds)
512 struct netr_LogonSamLogon r;
513 struct netr_Authenticator auth, auth2;
514 struct netr_NetworkInfo ninfo;
515 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
517 int flags = CLI_CRED_NTLM_AUTH;
518 if (lp_client_lanman_auth(tctx->lp_ctx)) {
519 flags |= CLI_CRED_LANMAN_AUTH;
522 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
523 flags |= CLI_CRED_NTLMv2_AUTH;
526 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
527 &ninfo.identity_info.account_name.string,
528 &ninfo.identity_info.domain_name.string);
530 generate_random_buffer(ninfo.challenge,
531 sizeof(ninfo.challenge));
532 chal = data_blob_const(ninfo.challenge,
533 sizeof(ninfo.challenge));
535 names_blob = NTLMv2_generate_names_blob(tctx, lp_iconv_convenience(tctx->lp_ctx), cli_credentials_get_workstation(credentials),
536 cli_credentials_get_domain(credentials));
538 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
544 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
546 ninfo.lm.data = lm_resp.data;
547 ninfo.lm.length = lm_resp.length;
549 ninfo.nt.data = nt_resp.data;
550 ninfo.nt.length = nt_resp.length;
552 ninfo.identity_info.parameter_control = 0;
553 ninfo.identity_info.logon_id_low = 0;
554 ninfo.identity_info.logon_id_high = 0;
555 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
557 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
558 r.in.computer_name = cli_credentials_get_workstation(credentials);
559 r.in.credential = &auth;
560 r.in.return_authenticator = &auth2;
561 r.in.logon_level = 2;
562 r.in.logon.network = &ninfo;
564 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
568 creds_client_authenticator(creds, &auth);
570 r.in.validation_level = i;
572 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
573 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
575 torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
576 "Credential chaining failed");
579 r.in.credential = NULL;
583 r.in.validation_level = i;
585 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
587 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
588 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
589 "LogonSamLogon expected INVALID_PARAMETER");
597 try a netlogon SamLogon
599 static bool test_SamLogon(struct torture_context *tctx,
600 struct dcerpc_pipe *p,
601 struct cli_credentials *credentials)
603 struct creds_CredentialState *creds;
605 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
609 return test_netlogon_ops(p, tctx, credentials, creds);
612 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
613 static uint64_t sequence_nums[3];
616 try a netlogon DatabaseSync
618 static bool test_DatabaseSync(struct torture_context *tctx,
619 struct dcerpc_pipe *p,
620 struct cli_credentials *machine_credentials)
623 struct netr_DatabaseSync r;
624 struct creds_CredentialState *creds;
625 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
628 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
632 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
633 r.in.computername = TEST_MACHINE_NAME;
634 r.in.preferredmaximumlength = (uint32_t)-1;
635 ZERO_STRUCT(r.in.return_authenticator);
637 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
638 r.in.sync_context = 0;
639 r.in.database_id = database_ids[i];
641 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
644 creds_client_authenticator(creds, &r.in.credential);
646 status = dcerpc_netr_DatabaseSync(p, tctx, &r);
647 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
650 /* Native mode servers don't do this */
651 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
654 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
656 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
657 torture_comment(tctx, "Credential chaining failed\n");
660 r.in.sync_context = r.out.sync_context;
662 if (r.out.delta_enum_array &&
663 r.out.delta_enum_array->num_deltas > 0 &&
664 r.out.delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
665 r.out.delta_enum_array->delta_enum[0].delta_union.domain) {
666 sequence_nums[r.in.database_id] =
667 r.out.delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
668 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
670 (unsigned long long)sequence_nums[r.in.database_id]);
672 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
680 try a netlogon DatabaseDeltas
682 static bool test_DatabaseDeltas(struct torture_context *tctx,
683 struct dcerpc_pipe *p,
684 struct cli_credentials *machine_credentials)
687 struct netr_DatabaseDeltas r;
688 struct creds_CredentialState *creds;
689 const uint32_t database_ids[] = {0, 1, 2};
692 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
696 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
697 r.in.computername = TEST_MACHINE_NAME;
698 r.in.preferredmaximumlength = (uint32_t)-1;
699 ZERO_STRUCT(r.in.return_authenticator);
701 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
702 r.in.database_id = database_ids[i];
703 r.in.sequence_num = sequence_nums[r.in.database_id];
705 if (r.in.sequence_num == 0) continue;
707 r.in.sequence_num -= 1;
709 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
710 r.in.database_id, (unsigned long long)r.in.sequence_num);
713 creds_client_authenticator(creds, &r.in.credential);
715 status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
716 if (NT_STATUS_EQUAL(status,
717 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
718 torture_comment(tctx, "not considering %s to be an error\n",
722 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
725 torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
727 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
728 torture_comment(tctx, "Credential chaining failed\n");
732 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
740 try a netlogon AccountDeltas
742 static bool test_AccountDeltas(struct torture_context *tctx,
743 struct dcerpc_pipe *p,
744 struct cli_credentials *machine_credentials)
747 struct netr_AccountDeltas r;
748 struct creds_CredentialState *creds;
750 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
754 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
755 r.in.computername = TEST_MACHINE_NAME;
756 ZERO_STRUCT(r.in.return_authenticator);
757 creds_client_authenticator(creds, &r.in.credential);
758 ZERO_STRUCT(r.in.uas);
763 /* w2k3 returns "NOT IMPLEMENTED" for this call */
764 status = dcerpc_netr_AccountDeltas(p, tctx, &r);
765 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
771 try a netlogon AccountSync
773 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
774 struct cli_credentials *machine_credentials)
777 struct netr_AccountSync r;
778 struct creds_CredentialState *creds;
780 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
784 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
785 r.in.computername = TEST_MACHINE_NAME;
786 ZERO_STRUCT(r.in.return_authenticator);
787 creds_client_authenticator(creds, &r.in.credential);
788 ZERO_STRUCT(r.in.recordid);
793 /* w2k3 returns "NOT IMPLEMENTED" for this call */
794 status = dcerpc_netr_AccountSync(p, tctx, &r);
795 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
801 try a netlogon GetDcName
803 static bool test_GetDcName(struct torture_context *tctx,
804 struct dcerpc_pipe *p)
807 struct netr_GetDcName r;
809 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
810 r.in.domainname = lp_workgroup(tctx->lp_ctx);
812 status = dcerpc_netr_GetDcName(p, tctx, &r);
813 torture_assert_ntstatus_ok(tctx, status, "GetDcName");
814 torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
816 torture_comment(tctx, "\tDC is at '%s'\n", r.out.dcname);
822 try a netlogon LogonControl
824 static bool test_LogonControl(struct torture_context *tctx,
825 struct dcerpc_pipe *p)
828 struct netr_LogonControl r;
831 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
832 r.in.function_code = 1;
837 torture_comment(tctx, "Testing LogonControl level %d\n", i);
839 status = dcerpc_netr_LogonControl(p, tctx, &r);
840 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
848 try a netlogon GetAnyDCName
850 static bool test_GetAnyDCName(struct torture_context *tctx,
851 struct dcerpc_pipe *p)
854 struct netr_GetAnyDCName r;
856 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
857 r.in.domainname = lp_workgroup(tctx->lp_ctx);
859 status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
860 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
863 torture_comment(tctx, "\tDC is at '%s'\n", r.out.dcname);
871 try a netlogon LogonControl2
873 static bool test_LogonControl2(struct torture_context *tctx,
874 struct dcerpc_pipe *p)
877 struct netr_LogonControl2 r;
880 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
882 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
883 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
888 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
889 i, r.in.function_code);
891 status = dcerpc_netr_LogonControl2(p, tctx, &r);
892 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
895 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
896 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
901 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
902 i, r.in.function_code);
904 status = dcerpc_netr_LogonControl2(p, tctx, &r);
905 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
908 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
909 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
914 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
915 i, r.in.function_code);
917 status = dcerpc_netr_LogonControl2(p, tctx, &r);
918 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
921 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
922 r.in.data.debug_level = ~0;
927 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
928 i, r.in.function_code);
930 status = dcerpc_netr_LogonControl2(p, tctx, &r);
931 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
938 try a netlogon DatabaseSync2
940 static bool test_DatabaseSync2(struct torture_context *tctx,
941 struct dcerpc_pipe *p,
942 struct cli_credentials *machine_credentials)
945 struct netr_DatabaseSync2 r;
946 struct creds_CredentialState *creds;
947 const uint32_t database_ids[] = {0, 1, 2};
950 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
952 SEC_CHAN_BDC, &creds)) {
956 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
957 r.in.computername = TEST_MACHINE_NAME;
958 r.in.preferredmaximumlength = (uint32_t)-1;
959 ZERO_STRUCT(r.in.return_authenticator);
961 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
962 r.in.sync_context = 0;
963 r.in.database_id = database_ids[i];
964 r.in.restart_state = 0;
966 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
969 creds_client_authenticator(creds, &r.in.credential);
971 status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
972 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
975 /* Native mode servers don't do this */
976 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
980 torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
982 if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
983 torture_comment(tctx, "Credential chaining failed\n");
986 r.in.sync_context = r.out.sync_context;
987 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
995 try a netlogon LogonControl2Ex
997 static bool test_LogonControl2Ex(struct torture_context *tctx,
998 struct dcerpc_pipe *p)
1001 struct netr_LogonControl2Ex r;
1004 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1006 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1007 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1012 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1013 i, r.in.function_code);
1015 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1016 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1019 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1020 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1025 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1026 i, r.in.function_code);
1028 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1029 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1032 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1033 r.in.data.domain = lp_workgroup(tctx->lp_ctx);
1038 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1039 i, r.in.function_code);
1041 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1042 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1045 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1046 r.in.data.debug_level = ~0;
1051 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1052 i, r.in.function_code);
1054 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1055 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1061 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1062 struct dcerpc_pipe *p, const char *trusted_domain_name)
1065 struct netr_DsRGetForestTrustInformation r;
1066 struct lsa_ForestTrustInformation info, *info_ptr;
1070 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1071 r.in.trusted_domain_name = trusted_domain_name;
1073 r.out.forest_trust_info = &info_ptr;
1075 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1077 status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1078 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1079 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1085 try a netlogon netr_DsrEnumerateDomainTrusts
1087 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1088 struct dcerpc_pipe *p)
1091 struct netr_DsrEnumerateDomainTrusts r;
1094 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1095 r.in.trust_flags = 0x3f;
1097 status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1098 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1099 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1101 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1102 * will show non-forest trusts and all UPN suffixes of the own forest
1103 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1106 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1111 for (i=0; i<r.out.count; i++) {
1113 /* get info for transitive forest trusts */
1115 if (r.out.trusts[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1116 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1117 r.out.trusts[i].dns_name)) {
1126 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1127 struct dcerpc_pipe *p)
1130 struct netr_NetrEnumerateTrustedDomains r;
1131 struct netr_Blob trusted_domains_blob;
1133 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1134 r.out.trusted_domains_blob = &trusted_domains_blob;
1136 status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1137 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1138 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1143 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1144 struct dcerpc_pipe *p)
1147 struct netr_NetrEnumerateTrustedDomainsEx r;
1148 struct netr_DomainTrustList dom_trust_list;
1150 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1151 r.out.dom_trust_list = &dom_trust_list;
1153 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1154 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1155 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1161 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1162 const char *computer_name,
1163 const char *expected_site)
1166 struct netr_DsRGetSiteName r;
1168 if (torture_setting_bool(tctx, "samba4", false))
1169 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1171 r.in.computer_name = computer_name;
1172 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1174 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1175 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1176 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1177 torture_assert_str_equal(tctx, expected_site, r.out.site, "netr_DsRGetSiteName");
1179 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1180 torture_comment(tctx,
1181 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1183 status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1184 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1185 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1191 try a netlogon netr_DsRGetDCName
1193 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1194 struct dcerpc_pipe *p)
1197 struct netr_DsRGetDCName r;
1199 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1200 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1201 r.in.domain_guid = NULL;
1202 r.in.site_guid = NULL;
1203 r.in.flags = DS_RETURN_DNS_NAME;
1205 status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1206 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1207 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1208 return test_netr_DsRGetSiteName(p, tctx,
1210 r.out.info->dc_site_name);
1214 try a netlogon netr_DsRGetDCNameEx
1216 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1217 struct dcerpc_pipe *p)
1220 struct netr_DsRGetDCNameEx r;
1222 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1223 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1224 r.in.domain_guid = NULL;
1225 r.in.site_name = NULL;
1226 r.in.flags = DS_RETURN_DNS_NAME;
1228 status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1229 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1230 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1232 return test_netr_DsRGetSiteName(p, tctx, r.out.info->dc_unc,
1233 r.out.info->dc_site_name);
1237 try a netlogon netr_DsRGetDCNameEx2
1239 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1240 struct dcerpc_pipe *p)
1243 struct netr_DsRGetDCNameEx2 r;
1245 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1246 r.in.client_account = NULL;
1247 r.in.mask = 0x00000000;
1248 r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1249 r.in.domain_guid = NULL;
1250 r.in.site_name = NULL;
1251 r.in.flags = DS_RETURN_DNS_NAME;
1253 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1255 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1256 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1257 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1259 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1260 r.in.client_account = TEST_MACHINE_NAME"$";
1261 r.in.mask = ACB_SVRTRUST;
1262 r.in.flags = DS_RETURN_FLAT_NAME;
1264 status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1265 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1266 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1267 return test_netr_DsRGetSiteName(p, tctx, r.out.info->dc_unc,
1268 r.out.info->dc_site_name);
1271 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1272 struct dcerpc_pipe *p)
1275 struct netr_DsrGetDcSiteCoverageW r;
1277 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1279 status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1280 torture_assert_ntstatus_ok(tctx, status, "failed");
1281 torture_assert_werr_ok(tctx, r.out.result, "failed");
1286 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
1287 struct dcerpc_pipe *p)
1290 struct netr_DsRAddressToSitenamesW r;
1291 struct netr_DsRAddress addr;
1292 struct netr_DsRAddressToSitenamesWCtr *ctr;
1294 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
1297 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
1299 addr.buffer[0] = 2; /* AF_INET */
1300 addr.buffer[4] = 127;
1305 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1307 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
1308 r.in.addresses[0] = addr;
1311 status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
1312 torture_assert_ntstatus_ok(tctx, status, "failed");
1313 torture_assert_werr_ok(tctx, r.out.result, "failed");
1318 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
1319 struct dcerpc_pipe *p)
1322 struct netr_DsRAddressToSitenamesExW r;
1323 struct netr_DsRAddress addr;
1324 struct netr_DsRAddressToSitenamesExWCtr *ctr;
1326 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
1329 addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
1331 addr.buffer[0] = 2; /* AF_INET */
1332 addr.buffer[4] = 127;
1337 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1339 r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
1340 r.in.addresses[0] = addr;
1343 status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
1344 torture_assert_ntstatus_ok(tctx, status, "failed");
1345 torture_assert_werr_ok(tctx, r.out.result, "failed");
1350 static bool test_GetDomainInfo(struct torture_context *tctx,
1351 struct dcerpc_pipe *p,
1352 struct cli_credentials *machine_credentials)
1355 struct netr_LogonGetDomainInfo r;
1356 struct netr_DomainQuery1 q1;
1357 struct netr_Authenticator a;
1358 struct creds_CredentialState *creds;
1360 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
1361 machine_credentials, &creds)) {
1367 creds_client_authenticator(creds, &a);
1369 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1370 r.in.computer_name = TEST_MACHINE_NAME;
1372 r.in.credential = &a;
1373 r.in.return_authenticator = &a;
1374 r.out.return_authenticator = &a;
1376 r.in.query.query1 = &q1;
1379 /* this should really be the fully qualified name */
1380 q1.workstation_domain = TEST_MACHINE_NAME;
1381 q1.workstation_site = "Default-First-Site-Name";
1382 q1.blob2.length = 0;
1384 q1.blob2.data = NULL;
1385 q1.product.string = "product string";
1387 torture_comment(tctx, "Testing netr_uogonGetDomainInfo\n");
1389 status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
1390 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
1391 torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
1397 static void async_callback(struct rpc_request *req)
1399 int *counter = (int *)req->async.private_data;
1400 if (NT_STATUS_IS_OK(req->status)) {
1405 static bool test_GetDomainInfo_async(struct torture_context *tctx,
1406 struct dcerpc_pipe *p,
1407 struct cli_credentials *machine_credentials)
1410 struct netr_LogonGetDomainInfo r;
1411 struct netr_DomainQuery1 q1;
1412 struct netr_Authenticator a;
1413 #define ASYNC_COUNT 100
1414 struct creds_CredentialState *creds;
1415 struct creds_CredentialState *creds_async[ASYNC_COUNT];
1416 struct rpc_request *req[ASYNC_COUNT];
1418 int *async_counter = talloc(tctx, int);
1420 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
1421 machine_credentials, &creds)) {
1426 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1427 r.in.computer_name = TEST_MACHINE_NAME;
1429 r.in.credential = &a;
1430 r.in.return_authenticator = &a;
1431 r.out.return_authenticator = &a;
1433 r.in.query.query1 = &q1;
1436 /* this should really be the fully qualified name */
1437 q1.workstation_domain = TEST_MACHINE_NAME;
1438 q1.workstation_site = "Default-First-Site-Name";
1439 q1.blob2.length = 0;
1441 q1.blob2.data = NULL;
1442 q1.product.string = "product string";
1444 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
1448 for (i=0;i<ASYNC_COUNT;i++) {
1449 creds_client_authenticator(creds, &a);
1451 creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
1452 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
1454 req[i]->async.callback = async_callback;
1455 req[i]->async.private_data = async_counter;
1457 /* even with this flush per request a w2k3 server seems to
1458 clag with multiple outstanding requests. bleergh. */
1459 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
1460 "event_loop_once failed");
1463 for (i=0;i<ASYNC_COUNT;i++) {
1464 status = dcerpc_ndr_request_recv(req[i]);
1466 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
1467 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
1469 torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
1470 "Credential chaining failed at async");
1473 torture_comment(tctx,
1474 "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
1476 torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
1481 static bool test_ManyGetDCName(struct torture_context *tctx,
1482 struct dcerpc_pipe *p)
1485 struct dcerpc_pipe *p2;
1486 struct lsa_ObjectAttribute attr;
1487 struct lsa_QosInfo qos;
1488 struct lsa_OpenPolicy2 o;
1489 struct policy_handle lsa_handle;
1490 struct lsa_DomainList domains;
1492 struct lsa_EnumTrustDom t;
1493 uint32_t resume_handle = 0;
1494 struct netr_GetAnyDCName d;
1498 if (p->conn->transport.transport != NCACN_NP) {
1502 torture_comment(tctx, "Torturing GetDCName\n");
1504 status = dcerpc_secondary_connection(p, &p2, p->binding);
1505 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
1507 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
1508 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
1511 qos.impersonation_level = 2;
1512 qos.context_mode = 1;
1513 qos.effective_only = 0;
1516 attr.root_dir = NULL;
1517 attr.object_name = NULL;
1518 attr.attributes = 0;
1519 attr.sec_desc = NULL;
1520 attr.sec_qos = &qos;
1522 o.in.system_name = "\\";
1524 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1525 o.out.handle = &lsa_handle;
1527 status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
1528 torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
1530 t.in.handle = &lsa_handle;
1531 t.in.resume_handle = &resume_handle;
1532 t.in.max_size = 1000;
1533 t.out.domains = &domains;
1534 t.out.resume_handle = &resume_handle;
1536 status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
1538 if ((!NT_STATUS_IS_OK(status) &&
1539 (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
1540 torture_fail(tctx, "Could not list domains");
1544 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
1545 dcerpc_server_name(p));
1547 for (i=0; i<domains.count * 4; i++) {
1548 struct lsa_DomainInfo *info =
1549 &domains.domains[rand()%domains.count];
1551 d.in.domainname = info->name.string;
1553 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
1554 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1556 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
1557 d.out.dcname ? d.out.dcname : "unknown");
1563 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
1565 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
1566 struct torture_rpc_tcase *tcase;
1567 struct torture_test *test;
1569 tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
1570 &ndr_table_netlogon, TEST_MACHINE_NAME);
1571 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
1572 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
1573 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
1574 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
1575 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
1576 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
1577 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
1578 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
1579 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
1580 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
1581 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
1582 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
1583 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
1584 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
1585 torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
1586 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
1587 torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
1588 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
1589 torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
1590 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
1591 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
1592 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
1593 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
1594 test->dangerous = true;
1595 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
1596 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
1597 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
1598 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
1599 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
1600 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);