X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=source4%2Ftorture%2Frpc%2Fsamlogon.c;h=10cb1b45572441076da665b3cd7fcb1922fa8813;hb=0479a2f1cbae51fcd8dbdc3c148c808421fb4d25;hp=7b193040715e6c76c75a91605650e947a9bfce02;hpb=09bfb8ffb06145308aa31543faa9f5f102ac2642;p=kai%2Fsamba-autobuild%2F.git diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 7b193040715..10cb1b45572 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,15 +18,18 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" +#include "librpc/gen_ndr/ndr_netlogon_c.h" #include "auth/auth.h" #include "lib/crypto/crypto.h" #include "lib/cmdline/popt_common.h" +#include "torture/rpc/rpc.h" +#include "auth/gensec/schannel_proto.h" +#include "libcli/auth/libcli_auth.h" #define TEST_MACHINE_NAME "samlogontest" #define TEST_USER_NAME "samlogontestuser" @@ -55,6 +58,7 @@ struct samlogon_state { struct netr_Authenticator auth, auth2; struct creds_CredentialState *creds; NTSTATUS expected_error; + BOOL old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */ DATA_BLOB chall; }; @@ -147,7 +151,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); if (!r->out.return_authenticator || !creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); + d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { if (error_string) { @@ -205,7 +209,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); if (!r_flags->out.return_authenticator || !creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); + d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { if (error_string) { @@ -230,10 +234,13 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, break; } break; + default: + /* can't happen */ + return NT_STATUS_INVALID_PARAMETER; } if (!base) { - printf("No user info returned from 'successful' SamLogon*() call!\n"); + d_printf("No user info returned from 'successful' SamLogon*() call!\n"); return NT_STATUS_INVALID_PARAMETER; } @@ -298,10 +305,14 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm if (break_which == NO_NT && !lm_good) { return True; } + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); - } - - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) { + return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT)); + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -318,10 +329,10 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm if (memcmp(lm_hash, lm_key, sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); + d_printf("LM Key does not match expectations!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_hash, 8); pass = False; } @@ -335,9 +346,9 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm if (memcmp(lm_key_expected, user_session_key, 16) != 0) { *error_string = strdup("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, sizeof(user_session_key)); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_key_expected, sizeof(lm_key_expected)); pass = False; } @@ -347,9 +358,9 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm if (memcmp(session_key.data, user_session_key, sizeof(user_session_key)) != 0) { *error_string = strdup("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, session_key.data, session_key.length); pass = False; } @@ -416,7 +427,13 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_ user_session_key, error_string); - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } + return False; + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -429,10 +446,10 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_ if (lm_good) { if (memcmp(lm_hash, lm_key, sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); + d_printf("LM Key does not match expectations!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_hash, 8); pass = False; } @@ -440,10 +457,10 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_ } else { if (memcmp(session_key.data, lm_key, sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations (first 8 session key)!\n"); - printf("lm_key:\n"); + d_printf("LM Key does not match expectations (first 8 session key)!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, session_key.data, 8); pass = False; } @@ -455,10 +472,10 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_ memset(lm_key_expected+8, '\0', 8); if (memcmp(lm_key_expected, user_session_key, 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); + d_printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, sizeof(user_session_key)); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_key_expected, sizeof(lm_key_expected)); pass = False; } @@ -507,7 +524,13 @@ static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **erro user_session_key, error_string); - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } + return False; + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -523,19 +546,19 @@ static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **erro if (memcmp(lm_hash, lm_key, sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); + d_printf("LM Key does not match expectations!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_hash, 8); pass = False; } if (memcmp(session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("NT Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, session_key.data, session_key.length); pass = False; } @@ -612,11 +635,15 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, data_blob_free(&ntlmv2_response); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { + if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } return break_which == BREAK_BOTH; - } - - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) { + return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT)); + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -631,19 +658,19 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, case NO_NT: if (memcmp(lmv2_session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("USER (LMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("USER (LMv2) Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lmv2_session_key.data, ntlmv2_session_key.length); pass = False; } if (memcmp(lmv2_session_key.data, lm_session_key, sizeof(lm_session_key)) != 0) { - printf("LM (LMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); + d_printf("LM (LMv2) Session Key does not match expectations!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lmv2_session_key.data, 8); pass = False; } @@ -653,18 +680,18 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, sizeof(user_session_key)) != 0) { if (memcmp(lmv2_session_key.data, user_session_key, sizeof(user_session_key)) == 0) { - printf("USER (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n"); - printf("user_session_key:\n"); + d_printf("USER (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlmv2_session_key.data, ntlmv2_session_key.length); pass = False; } else { - printf("USER (NTLMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("USER (NTLMv2) Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlmv2_session_key.data, ntlmv2_session_key.length); pass = False; } @@ -673,17 +700,17 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, sizeof(lm_session_key)) != 0) { if (memcmp(lmv2_session_key.data, lm_session_key, sizeof(lm_session_key)) == 0) { - printf("LM (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n"); - printf("user_session_key:\n"); + d_printf("LM (NTLMv2) Session Key expected, got LMv2 sessesion key instead:\n"); + d_printf("user_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlmv2_session_key.data, 8); pass = False; } else { - printf("LM (NTLMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); + d_printf("LM (NTLMv2) Session Key does not match expectations!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlmv2_session_key.data, 8); pass = False; } @@ -777,10 +804,14 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state, if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); - } - - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) { + return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -794,19 +825,19 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state, case NO_NT: if (memcmp(lmv2_session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("USER (LMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("USER (LMv2) Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lmv2_session_key.data, ntlmv2_session_key.length); pass = False; } if (memcmp(lmv2_session_key.data, lm_session_key, sizeof(lm_session_key)) != 0) { - printf("LM (LMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); + d_printf("LM (LMv2) Session Key does not match expectations!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lmv2_session_key.data, 8); pass = False; } @@ -814,31 +845,31 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state, case BREAK_LM: if (memcmp(ntlm_session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("USER (NTLMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("USER (NTLMv2) Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlm_session_key.data, ntlm_session_key.length); pass = False; } if (lm_good) { if (memcmp(lm_hash, lm_session_key, sizeof(lm_session_key)) != 0) { - printf("LM Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); + d_printf("LM Session Key does not match expectations!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_hash, 8); pass = False; } } else { - static const char zeros[8]; + static const uint8_t zeros[8]; if (memcmp(zeros, lm_session_key, sizeof(lm_session_key)) != 0) { - printf("LM Session Key does not match expectations (zeros)!\n"); - printf("lm_session_key:\n"); + d_printf("LM Session Key does not match expectations (zeros)!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, zeros, 8); pass = False; } @@ -847,19 +878,19 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state, default: if (memcmp(ntlm_session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("USER (NTLMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); + d_printf("USER (NTLMv2) Session Key does not match expectations!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, 16); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlm_session_key.data, ntlm_session_key.length); pass = False; } if (memcmp(ntlm_session_key.data, lm_session_key, sizeof(lm_session_key)) != 0) { - printf("LM (NTLMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); + d_printf("LM (NTLMv2) Session Key does not match expectations!\n"); + d_printf("lm_session_key:\n"); dump_data(1, lm_session_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, ntlm_session_key.data, 8); pass = False; } @@ -1055,7 +1086,13 @@ static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_strin user_session_key, error_string); - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } + return False; + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -1068,30 +1105,30 @@ static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_strin if (lm_good) { if (memcmp(lm_hash, lm_key, sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); + d_printf("LM Key does not match expectations!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, lm_hash, 8); pass = False; } } else { - static const char zeros[8]; + static const uint8_t zeros[8]; if (memcmp(zeros, lm_key, sizeof(lm_key)) != 0) { - printf("LM Session Key does not match expectations (zeros)!\n"); - printf("lm_key:\n"); + d_printf("LM Session Key does not match expectations (zeros)!\n"); + d_printf("lm_key:\n"); dump_data(1, lm_key, 8); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, zeros, 8); pass = False; } } if (memcmp(nt_key, user_session_key, 16) != 0) { - printf("NT Session Key does not match expectations (should be NT Key)!\n"); - printf("user_session_key:\n"); + d_printf("NT Session Key does not match expectations (should be NT Key)!\n"); + d_printf("user_session_key:\n"); dump_data(1, user_session_key, sizeof(user_session_key)); - printf("expected:\n"); + d_printf("expected:\n"); dump_data(1, nt_key, sizeof(nt_key)); pass = False; } @@ -1147,14 +1184,18 @@ static BOOL test_plaintext(struct samlogon_state *samlogon_state, enum ntlm_brea error_string); if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'old' passwords, we allow the server to be OK or wrong password */ + if (samlogon_state->old_password) { + return True; + } /* for 'long' passwords, the LM password is invalid */ if (break_which == NO_NT && !lm_good) { return True; } return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); - } - - if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) { + return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT)); + } else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { SAFE_FREE(*error_string); asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); return False; @@ -1267,7 +1308,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, const char *comment, const char *account_domain, const char *account_name, const char *plain_pass, uint32_t parameter_control, - NTSTATUS expected_error, + NTSTATUS expected_error, BOOL old_password, int n_subtests) { TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_SamLogon function-level context"); @@ -1281,7 +1322,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, DCERPC_NETR_LOGONSAMLOGONWITHFLAGS }; struct samlogon_state samlogon_state; - printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); + d_printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); samlogon_state.comment = comment; samlogon_state.account_name = account_name; @@ -1292,20 +1333,21 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, samlogon_state.expected_error = expected_error; samlogon_state.chall = data_blob_talloc(fn_ctx, NULL, 8); samlogon_state.parameter_control = parameter_control; + samlogon_state.old_password = old_password; generate_random_buffer(samlogon_state.chall.data, 8); samlogon_state.r_flags.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r_flags.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r_flags.in.credential = &samlogon_state.auth; samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2; samlogon_state.r_flags.in.flags = 0; samlogon_state.r_ex.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_ex.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r_ex.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r_ex.in.flags = 0; samlogon_state.r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r.in.credential = &samlogon_state.auth; samlogon_state.r.in.return_authenticator = &samlogon_state.auth2; @@ -1327,7 +1369,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, samlogon_state.r_flags.in.validation_level = validation_levels[v]; samlogon_state.r_flags.in.logon_level = logon_levels[l]; if (!test_table[i].fn(&samlogon_state, &error_string)) { - printf("Testing '%s' [%s]\\[%s] '%s' at validation level %d, logon level %d, function %d: \n", + d_printf("Testing '%s' [%s]\\[%s] '%s' at validation level %d, logon level %d, function %d: \n", samlogon_state.comment, samlogon_state.account_domain, samlogon_state.account_name, @@ -1335,9 +1377,9 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, logon_levels[l], function_levels[f]); if (test_table[i].expect_fail) { - printf(" failed (expected, test incomplete): %s\n", error_string); + d_printf(" failed (expected, test incomplete): %s\n", error_string); } else { - printf(" failed: %s\n", error_string); + d_printf(" failed: %s\n", error_string); ret = False; } SAFE_FREE(error_string); @@ -1359,7 +1401,8 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, const char *comment, const char *workstation_name, const char *account_domain, const char *account_name, - const char *plain_pass, NTSTATUS expected_error) + const char *plain_pass, uint32_t parameter_control, + NTSTATUS expected_error) { NTSTATUS status; TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context"); @@ -1374,7 +1417,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = TEST_MACHINE_NAME; + r.in.computer_name = TEST_MACHINE_NAME; r.in.credential = &a; r.in.return_authenticator = &ra; r.in.logon_level = 5; @@ -1383,7 +1426,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.flags = 0; pinfo.identity_info.domain_name.string = account_domain; - pinfo.identity_info.parameter_control = 0; + pinfo.identity_info.parameter_control = parameter_control; pinfo.identity_info.logon_id_low = 0; pinfo.identity_info.logon_id_high = 0; pinfo.identity_info.account_name.string = account_name; @@ -1402,12 +1445,12 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, creds_des_encrypt(creds, &pinfo.ntpassword); } - printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment); + d_printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment); status = dcerpc_netr_LogonSamLogonWithFlags(p, fn_ctx, &r); if (!r.out.return_authenticator || !creds_client_check(creds, &r.out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); + d_printf("Credential chaining failed\n"); talloc_free(fn_ctx); return False; } @@ -1415,7 +1458,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, talloc_free(fn_ctx); if (!NT_STATUS_EQUAL(expected_error, status)) { - printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n", + d_printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n", account_domain, account_name, nt_errstr(expected_error), nt_errstr(status)); return False; } @@ -1425,7 +1468,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, -BOOL torture_rpc_samlogon(void) +BOOL torture_rpc_samlogon(struct torture_context *torture) { NTSTATUS status; struct dcerpc_pipe *p; @@ -1435,10 +1478,10 @@ BOOL torture_rpc_samlogon(void) BOOL ret = True; struct test_join *join_ctx; struct test_join *user_ctx; - const char *user_password; + char *user_password; const char *old_user_password; char *test_machine_account; - const char *binding = lp_parm_string(-1, "torture", "binding"); + const char *binding = torture_setting_string(torture, "binding", NULL); const char *userdomain; int i; int ci; @@ -1460,32 +1503,30 @@ BOOL torture_rpc_samlogon(void) join_ctx = torture_join_domain(TEST_MACHINE_NAME, ACB_WSTRUST, &machine_credentials); if (!join_ctx) { - printf("Failed to join as Workstation\n"); + d_printf("Failed to join as Workstation\n"); return False; } - userdomain = lp_parm_string(-1, "torture", "userdomain"); - if (!userdomain) { - userdomain = lp_workgroup(); - } + userdomain = torture_setting_string(torture, "userdomain", lp_workgroup()); user_ctx = torture_create_testuser(TEST_USER_NAME, userdomain, ACB_NORMAL, - &user_password); + (const char **)&user_password); if (!user_ctx) { - printf("Failed to join as Workstation\n"); + d_printf("Failed to join as Workstation\n"); return False; } old_user_password = user_password; test_ChangePasswordUser3(torture_join_samr_pipe(user_ctx), mem_ctx, - TEST_USER_NAME, 16 /* > 14 */, &user_password); + TEST_USER_NAME, 16 /* > 14 */, &user_password, + NULL, 0, False); status = dcerpc_parse_binding(mem_ctx, binding, &b); if (!NT_STATUS_IS_OK(status)) { - printf("Bad binding string %s\n", binding); + d_printf("Bad binding string %s\n", binding); ret = False; goto failed; } @@ -1497,12 +1538,11 @@ BOOL torture_rpc_samlogon(void) b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128; status = dcerpc_pipe_connect_b(mem_ctx, &p, b, - DCERPC_NETLOGON_UUID, - DCERPC_NETLOGON_VERSION, + &dcerpc_table_netlogon, machine_credentials, NULL); if (!NT_STATUS_IS_OK(status)) { - printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status)); + d_printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status)); ret = False; goto failed; } @@ -1524,6 +1564,7 @@ BOOL torture_rpc_samlogon(void) NTSTATUS expected_interactive_error; NTSTATUS expected_network_error; uint32_t parameter_control; + BOOL old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */ } usercreds[] = { { .comment = "domain\\user", @@ -1552,7 +1593,7 @@ BOOL torture_rpc_samlogon(void) cli_credentials_get_domain(cmdline_credentials) ), .password = cli_credentials_get_password(cmdline_credentials), - .network_login = False, + .network_login = False, /* works for some things, but not NTLMv2. Odd */ .expected_interactive_error = NT_STATUS_OK, .expected_network_error = NT_STATUS_OK }, @@ -1605,7 +1646,7 @@ BOOL torture_rpc_samlogon(void) cli_credentials_get_domain(machine_credentials) ), .password = cli_credentials_get_password(machine_credentials), - .network_login = False, + .network_login = False, /* works for some things, but not NTLMv2. Odd */ .expected_interactive_error = NT_STATUS_NO_SUCH_USER, .parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT }, @@ -1651,7 +1692,7 @@ BOOL torture_rpc_samlogon(void) TEST_USER_NAME, userdomain), .password = user_password, - .network_login = False, + .network_login = False, /* works for some things, but not NTLMv2. Odd */ .expected_interactive_error = NT_STATUS_OK, .expected_network_error = NT_STATUS_OK }, @@ -1663,7 +1704,8 @@ BOOL torture_rpc_samlogon(void) .password = old_user_password, .network_login = True, .expected_interactive_error = NT_STATUS_WRONG_PASSWORD, - .expected_network_error = NT_STATUS_OK + .expected_network_error = NT_STATUS_OK, + .old_password = True } }; @@ -1676,6 +1718,7 @@ BOOL torture_rpc_samlogon(void) usercreds[ci].domain, usercreds[ci].username, usercreds[ci].password, + usercreds[ci].parameter_control, usercreds[ci].expected_interactive_error)) { ret = False; } @@ -1688,6 +1731,7 @@ BOOL torture_rpc_samlogon(void) usercreds[ci].password, usercreds[ci].parameter_control, usercreds[ci].expected_network_error, + usercreds[ci].old_password, 0)) { ret = False; } @@ -1699,17 +1743,20 @@ BOOL torture_rpc_samlogon(void) * session key encryption) */ for (i=0; i < ARRAY_SIZE(credential_flags); i++) { + /* TODO: Somehow we lost setting up the different credential flags here! */ + if (!test_InteractiveLogon(p, mem_ctx, creds, usercreds[0].comment, TEST_MACHINE_NAME, usercreds[0].domain, usercreds[0].username, usercreds[0].password, + usercreds[0].parameter_control, usercreds[0].expected_interactive_error)) { ret = False; } - if (usercreds[ci].network_login) { + if (usercreds[0].network_login) { if (!test_SamLogon(p, mem_ctx, creds, usercreds[0].comment, usercreds[0].domain, @@ -1717,6 +1764,7 @@ BOOL torture_rpc_samlogon(void) usercreds[0].password, usercreds[0].parameter_control, usercreds[0].expected_network_error, + usercreds[0].old_password, 1)) { ret = False; }