2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc operations
5 Copyright (C) Andrew Tridgell 2003
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 these really shouldn't be here ....
28 static char *lsa_sid_string_talloc(TALLOC_CTX *mem_ctx, struct dom_sid *sid)
35 return talloc_asprintf(mem_ctx, "(NULL SID)");
38 maxlen = sid->num_auths * 11 + 25;
39 ret = talloc(mem_ctx, maxlen);
40 if (!ret) return NULL;
42 ia = (sid->id_auth[5]) +
43 (sid->id_auth[4] << 8 ) +
44 (sid->id_auth[3] << 16) +
45 (sid->id_auth[2] << 24);
47 ofs = snprintf(ret, maxlen, "S-%u-%lu",
48 (unsigned int)sid->sid_rev_num, (unsigned long)ia);
50 for (i = 0; i < sid->num_auths; i++) {
51 ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]);
57 static int dom_sid_compare(struct dom_sid *sid1, struct dom_sid *sid2)
61 if (sid1 == sid2) return 0;
65 /* Compare most likely different rids, first: i.e start at end */
66 if (sid1->num_auths != sid2->num_auths)
67 return sid1->num_auths - sid2->num_auths;
69 for (i = sid1->num_auths-1; i >= 0; --i)
70 if (sid1->sub_auths[i] != sid2->sub_auths[i])
71 return sid1->sub_auths[i] - sid2->sub_auths[i];
73 if (sid1->sid_rev_num != sid2->sid_rev_num)
74 return sid1->sid_rev_num - sid2->sid_rev_num;
76 for (i = 0; i < 6; i++)
77 if (sid1->id_auth[i] != sid2->id_auth[i])
78 return sid1->id_auth[i] - sid2->id_auth[i];
83 static BOOL test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
85 struct lsa_ObjectAttribute attr;
86 struct policy_handle handle;
87 struct lsa_QosInfo qos;
88 struct lsa_OpenPolicy r;
90 uint16 system_name = '\\';
92 printf("\ntesting OpenPolicy\n");
95 qos.impersonation_level = 2;
97 qos.effective_only = 0;
100 attr.root_dir = NULL;
101 attr.object_name = NULL;
103 attr.sec_desc = NULL;
106 r.in.system_name = &system_name;
108 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
109 r.out.handle = &handle;
111 status = dcerpc_lsa_OpenPolicy(p, mem_ctx, &r);
112 if (!NT_STATUS_IS_OK(status)) {
113 printf("OpenPolicy failed - %s\n", nt_errstr(status));
121 static BOOL test_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
122 struct policy_handle *handle)
124 struct lsa_ObjectAttribute attr;
125 struct lsa_QosInfo qos;
126 struct lsa_OpenPolicy2 r;
129 printf("\ntesting OpenPolicy2\n");
132 qos.impersonation_level = 2;
133 qos.context_mode = 1;
134 qos.effective_only = 0;
137 attr.root_dir = NULL;
138 attr.object_name = NULL;
140 attr.sec_desc = NULL;
143 r.in.system_name = "\\";
145 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
146 r.out.handle = handle;
148 status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &r);
149 if (!NT_STATUS_IS_OK(status)) {
150 printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
157 static BOOL test_LookupNames(struct dcerpc_pipe *p,
159 struct policy_handle *handle,
160 struct lsa_TransNameArray *tnames)
162 struct lsa_LookupNames r;
163 struct lsa_TransSidArray sids;
164 struct lsa_Name *names;
169 printf("\nTesting LookupNames\n");
174 names = talloc(mem_ctx, tnames->count * sizeof(names[0]));
175 for (i=0;i<tnames->count;i++) {
176 names[i].name_len = 2*strlen(tnames->names[i].name.name);
177 names[i].name_size = 2*strlen(tnames->names[i].name.name);
178 names[i].name = tnames->names[i].name.name;
181 r.in.handle = handle;
182 r.in.num_names = tnames->count;
187 r.out.count = &count;
190 status = dcerpc_lsa_LookupNames(p, mem_ctx, &r);
191 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
192 printf("LookupNames failed - %s\n", nt_errstr(status));
197 NDR_PRINT_DEBUG(lsa_RefDomainList, r.out.domains);
200 printf("lookup gave %d sids (sids.count=%d)\n", count, sids.count);
202 NDR_PRINT_DEBUG(lsa_TransSidArray, r.out.sids);
210 static BOOL test_LookupSids(struct dcerpc_pipe *p,
212 struct policy_handle *handle,
213 struct lsa_SidArray *sids)
215 struct lsa_LookupSids r;
216 struct lsa_TransNameArray names;
217 uint32 count = sids->num_sids;
220 printf("\nTesting LookupSids\n");
225 r.in.handle = handle;
230 r.out.count = &count;
231 r.out.names = &names;
233 status = dcerpc_lsa_LookupSids(p, mem_ctx, &r);
234 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
235 printf("LookupSids failed - %s\n", nt_errstr(status));
240 NDR_PRINT_DEBUG(lsa_RefDomainList, r.out.domains);
243 NDR_PRINT_DEBUG(lsa_TransNameArray, r.out.names);
247 if (!test_LookupNames(p, mem_ctx, handle, &names)) {
254 static BOOL test_LookupPrivName(struct dcerpc_pipe *p,
256 struct policy_handle *handle,
257 struct lsa_LUID *luid)
260 struct lsa_LookupPrivName r;
262 r.in.handle = handle;
265 status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r);
266 if (!NT_STATUS_IS_OK(status)) {
267 printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
271 NDR_PRINT_DEBUG(lsa_Name, r.out.name);
276 static BOOL test_EnumPrivsAccount(struct dcerpc_pipe *p,
278 struct policy_handle *handle,
279 struct policy_handle *acct_handle)
282 struct lsa_EnumPrivsAccount r;
284 printf("Testing EnumPrivsAccount\n");
286 r.in.handle = acct_handle;
288 status = dcerpc_lsa_EnumPrivsAccount(p, mem_ctx, &r);
289 if (!NT_STATUS_IS_OK(status)) {
290 printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
294 printf("received %d privileges\n",
295 r.out.privs?r.out.privs->count:0);
299 NDR_PRINT_DEBUG(lsa_PrivilegeSet, r.out.privs);
300 for (i=0;i<r.out.privs->count;i++) {
301 test_LookupPrivName(p, mem_ctx, handle,
302 &r.out.privs->set[i].luid);
309 static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
311 struct policy_handle *acct_handle,
315 struct lsa_EnumAccountRights r;
316 struct lsa_RightSet rights;
318 printf("Testing EnumAccountRights\n");
320 r.in.handle = acct_handle;
322 r.out.rights = &rights;
324 status = dcerpc_lsa_EnumAccountRights(p, mem_ctx, &r);
325 if (!NT_STATUS_IS_OK(status)) {
326 printf("EnumAccountRights failed - %s\n", nt_errstr(status));
330 NDR_PRINT_DEBUG(lsa_RightSet, r.out.rights);
336 static BOOL test_QuerySecObj(struct dcerpc_pipe *p,
338 struct policy_handle *acct_handle,
342 struct lsa_QuerySecObj r;
344 printf("Testing QuerySecObj\n");
346 r.in.handle = acct_handle;
349 status = dcerpc_lsa_QuerySecObj(p, mem_ctx, &r);
350 if (!NT_STATUS_IS_OK(status)) {
351 printf("QuerySecObj failed - %s\n", nt_errstr(status));
355 NDR_PRINT_DEBUG(sec_desc_buf, r.out.sd);
360 static BOOL test_OpenAccount(struct dcerpc_pipe *p,
362 struct policy_handle *handle,
366 struct lsa_OpenAccount r;
367 struct policy_handle acct_handle;
369 printf("Testing OpenAccount(%s)\n", lsa_sid_string_talloc(mem_ctx, sid));
371 r.in.handle = handle;
373 r.in.desired_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
374 r.out.acct_handle = &acct_handle;
376 status = dcerpc_lsa_OpenAccount(p, mem_ctx, &r);
377 if (!NT_STATUS_IS_OK(status)) {
378 printf("OpenAccount failed - %s\n", nt_errstr(status));
382 if (!test_EnumPrivsAccount(p, mem_ctx, handle, &acct_handle)) {
386 if (!test_QuerySecObj(p, mem_ctx, handle, &acct_handle)) {
393 static BOOL test_EnumAccounts(struct dcerpc_pipe *p,
395 struct policy_handle *handle)
398 struct lsa_EnumAccounts r;
399 struct lsa_SidArray sids1, sids2;
400 uint32 resume_handle = 0;
403 printf("\ntesting EnumAccounts\n");
405 r.in.handle = handle;
406 r.in.resume_handle = &resume_handle;
407 r.in.num_entries = 100;
408 r.out.resume_handle = &resume_handle;
412 status = dcerpc_lsa_EnumAccounts(p, mem_ctx, &r);
413 if (!NT_STATUS_IS_OK(status)) {
414 printf("EnumAccounts failed - %s\n", nt_errstr(status));
418 printf("Got %d sids resume_handle=%u\n", sids1.num_sids, resume_handle);
420 NDR_PRINT_DEBUG(lsa_SidArray, r.out.sids);
422 if (!test_LookupSids(p, mem_ctx, handle, &sids1)) {
426 printf("testing all accounts\n");
427 for (i=0;i<sids1.num_sids;i++) {
428 test_OpenAccount(p, mem_ctx, handle, sids1.sids[i].sid);
429 test_EnumAccountRights(p, mem_ctx, handle, sids1.sids[i].sid);
433 if (sids1.num_sids < 3) {
437 printf("trying EnumAccounts partial listing (asking for 1 at 2)\n");
439 r.in.num_entries = 1;
442 status = dcerpc_lsa_EnumAccounts(p, mem_ctx, &r);
443 if (!NT_STATUS_IS_OK(status)) {
444 printf("EnumAccounts failed - %s\n", nt_errstr(status));
448 NDR_PRINT_DEBUG(lsa_SidArray, r.out.sids);
450 if (sids2.num_sids != 1) {
451 printf("Returned wrong number of entries (%d)\n", sids2.num_sids);
459 static BOOL test_EnumPrivs(struct dcerpc_pipe *p,
461 struct policy_handle *handle)
464 struct lsa_EnumPrivs r;
465 struct lsa_PrivArray privs1;
466 uint32 resume_handle = 0;
468 printf("\ntesting EnumPrivs\n");
470 r.in.handle = handle;
471 r.in.resume_handle = &resume_handle;
472 r.in.max_count = 1000;
473 r.out.resume_handle = &resume_handle;
474 r.out.privs = &privs1;
477 status = dcerpc_lsa_EnumPrivs(p, mem_ctx, &r);
478 if (!NT_STATUS_IS_OK(status)) {
479 printf("EnumPrivs failed - %s\n", nt_errstr(status));
483 printf("Got %d privs resume_handle=%u\n", privs1.count, resume_handle);
485 NDR_PRINT_DEBUG(lsa_PrivArray, r.out.privs);
491 static BOOL test_EnumTrustDom(struct dcerpc_pipe *p,
493 struct policy_handle *handle)
495 struct lsa_EnumTrustDom r;
497 uint32 resume_handle = 0;
498 struct lsa_DomainList domains;
500 printf("\nTesting EnumTrustDom\n");
502 r.in.handle = handle;
503 r.in.resume_handle = &resume_handle;
504 r.in.num_entries = 1000;
505 r.out.domains = &domains;
506 r.out.resume_handle = &resume_handle;
508 status = dcerpc_lsa_EnumTrustDom(p, mem_ctx, &r);
509 if (!NT_STATUS_IS_OK(status)) {
510 printf("EnumTrustDom failed - %s\n", nt_errstr(status));
514 printf("lookup gave %d domains\n", domains.count);
516 NDR_PRINT_DEBUG(lsa_DomainList, r.out.domains);
521 static BOOL test_QueryInfoPolicy(struct dcerpc_pipe *p,
523 struct policy_handle *handle)
525 struct lsa_QueryInfoPolicy r;
530 printf("\nTesting QueryInfoPolicy\n");
533 r.in.handle = handle;
536 printf("\ntrying QueryInfoPolicy level %d\n", i);
538 status = dcerpc_lsa_QueryInfoPolicy(p, mem_ctx, &r);
539 if (!NT_STATUS_IS_OK(status)) {
540 printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
545 NDR_PRINT_UNION_DEBUG(lsa_PolicyInformation, r.in.level, r.out.info);
551 static BOOL test_Delete(struct dcerpc_pipe *p,
553 struct policy_handle *handle)
558 printf("\ntesting Delete - but what does it do?\n");
560 r.in.handle = handle;
561 status = dcerpc_lsa_Delete(p, mem_ctx, &r);
562 if (!NT_STATUS_IS_OK(status)) {
563 printf("Delete failed - %s\n", nt_errstr(status));
572 static BOOL test_Close(struct dcerpc_pipe *p,
574 struct policy_handle *handle)
578 struct policy_handle handle2;
580 printf("\ntesting Close\n");
582 r.in.handle = handle;
583 r.out.handle = &handle2;
585 status = dcerpc_lsa_Close(p, mem_ctx, &r);
586 if (!NT_STATUS_IS_OK(status)) {
587 printf("Close failed - %s\n", nt_errstr(status));
591 status = dcerpc_lsa_Close(p, mem_ctx, &r);
592 /* its really a fault - we need a status code for rpc fault */
593 if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL)) {
594 printf("Close failed - %s\n", nt_errstr(status));
603 BOOL torture_rpc_lsa(int dummy)
606 struct dcerpc_pipe *p;
609 struct policy_handle handle;
611 mem_ctx = talloc_init("torture_rpc_lsa");
613 status = torture_rpc_connection(&p, "lsarpc");
614 if (!NT_STATUS_IS_OK(status)) {
618 if (!test_OpenPolicy(p, mem_ctx)) {
622 if (!test_OpenPolicy2(p, mem_ctx, &handle)) {
626 if (!test_EnumAccounts(p, mem_ctx, &handle)) {
630 if (!test_EnumPrivs(p, mem_ctx, &handle)) {
634 if (!test_EnumTrustDom(p, mem_ctx, &handle)) {
638 if (!test_QueryInfoPolicy(p, mem_ctx, &handle)) {
643 if (!test_Delete(p, mem_ctx, &handle)) {
648 if (!test_Close(p, mem_ctx, &handle)) {
652 torture_rpc_close(p);