Extend the 'netlogon' CLDAP and NBT implementation.

author Andrew Bartlett <abartlet@samba.org>

Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)

committer Andrew Bartlett <abartlet@samba.org>

Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)
author Andrew Bartlett <abartlet@samba.org>
Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)
committer Andrew Bartlett <abartlet@samba.org>
Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)
diff --git a/source/cldap_server/netlogon.c b/source/cldap_server/netlogon.c

index b2a034d5a4b80d99c40b8d26e3d38350b0dfd70a..bca965781ac659d873a64fd3e31aa1ffb46ee7aa 100644 (file)
--- a/source/cldap_server/netlogon.c
+++ b/source/cldap_server/netlogon.c
@@ -46,6 +46,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
                                          struct dom_sid *domain_sid,
                                          const char *domain_guid,
                                          const char *user,
+                                        uint32_t acct_control,
                                          const char *src_address,
                                          uint32_t version,
                                          struct loadparm_context *lp_ctx,
@@ -53,7 +54,8 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
  {
         const char *ref_attrs[] = {"nETBIOSName", "dnsRoot", "ncName", NULL};
         const char *dom_attrs[] = {"objectGUID", NULL};
-       struct ldb_result *ref_res = NULL, *dom_res = NULL;
+       const char *none_attrs[] = {NULL};
+       struct ldb_result *ref_res = NULL, *dom_res = NULL, *user_res = NULL;
         int ret;
         const char **services = lp_server_services(lp_ctx);
         uint32_t server_type;
@@ -68,6 +70,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
         const char *pdc_ip;
         struct ldb_dn *partitions_basedn;
         struct interface *ifaces;
+       bool user_known;
  
         partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
  
@@ -201,6 +204,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
                 }
         }
  
+
         if ((ref_res == NULL || ref_res->count == 0)) {
                 DEBUG(2,("Unable to find domain reference with name %s or GUID {%s}\n", domain, domain_guid));
                 return NT_STATUS_NO_SUCH_DOMAIN;
@@ -211,6 +215,44 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
                 return NT_STATUS_NO_SUCH_DOMAIN;
         }
  
+       /* work around different inputs for not-specified users */
+       if (!user) {
+               user = "";
+       }
+
+       /* Enquire about any valid username with just a CLDAP packet -
+        * if kerberos didn't also do this, the security folks would
+        * scream... */
+       if (user[0]) {                                                  \
+               /* Only allow some bits to be enquired:  [MS-ATDS] 7.3.3.2 */
+               if (acct_control == (uint32_t)-1) {
+                       acct_control = 0;
+               }
+               acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST);
+
+               /* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
+               ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &user_res,
+                                        dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE, 
+                                        none_attrs, 
+                                        "(&(objectClass=user)(samAccountName=%s)"
+                                        "(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))"
+                                        "(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))", 
+                                        user, UF_ACCOUNTDISABLE, samdb_acb2uf(acct_control));
+               if (ret != LDB_SUCCESS) {
+                       DEBUG(2,("Unable to find referece to user '%s' with ACB 0x%8x under %s: %s\n",
+                                user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn),
+                                ldb_errstring(sam_ctx)));
+                       return NT_STATUS_NO_SUCH_USER;
+               } else if (user_res->count == 1) {
+                       user_known = true;
+               } else {
+                       user_known = false;
+               }
+
+       } else {
+               user_known = true;
+       }
+               
         server_type      = 
                 NBT_SERVER_DS | NBT_SERVER_TIMESERV |
                 NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE | 
@@ -250,13 +292,13 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
  
         ZERO_STRUCTP(netlogon);
  
-       if (version & NETLOGON_NT_VERSION_5EX) {
+       /* check if either of these bits is present */
+       if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
                 uint32_t extra_flags = 0;
                 netlogon->ntver = NETLOGON_NT_VERSION_5EX;
  
                 /* could check if the user exists */
-               if (!user) {
-                       user = "";
+               if (user_known) {
                         netlogon->nt5_ex.command      = LOGON_SAM_LOGON_RESPONSE_EX;
                 } else {
                         netlogon->nt5_ex.command      = LOGON_SAM_LOGON_USER_UNKNOWN_EX;
@@ -277,7 +319,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
                         extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP;
                         netlogon->nt5_ex.sockaddr.sa_family    = 2;
                         netlogon->nt5_ex.sockaddr.pdc_ip       = pdc_ip;
-                       netlogon->nt5_ex.sockaddr.remaining = data_blob(NULL, 4);
+                       netlogon->nt5_ex.sockaddr.remaining = data_blob_talloc(mem_ctx, NULL, 4);
                 }
                 netlogon->nt5_ex.nt_version   = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags;
                 netlogon->nt5_ex.lmnt_token   = 0xFFFF;
@@ -287,8 +329,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
                 netlogon->ntver = NETLOGON_NT_VERSION_5;
  
                 /* could check if the user exists */
-               if (!user) {
-                       user = "";
+               if (user_known) {
                         netlogon->nt5.command      = LOGON_SAM_LOGON_RESPONSE;
                 } else {
                         netlogon->nt5.command      = LOGON_SAM_LOGON_USER_UNKNOWN;
@@ -309,8 +350,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
         } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
                 netlogon->ntver = NETLOGON_NT_VERSION_1;
                 /* could check if the user exists */
-               if (!user) {
-                       user = "";
+               if (user_known) {
                         netlogon->nt4.command      = LOGON_SAM_LOGON_RESPONSE;
                 } else {
                         netlogon->nt4.command      = LOGON_SAM_LOGON_USER_UNKNOWN;
@@ -406,7 +446,7 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
                  domain, host, user, version, domain_guid));
  
         status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, NULL, domain_guid,
-                                                user, src->addr, 
+                                                user, acct_control, src->addr, 
                                                  version, cldapd->task->lp_ctx, &netlogon);
         if (!NT_STATUS_IS_OK(status)) {
                 goto failed;
diff --git a/source/nbt_server/dgram/netlogon.c b/source/nbt_server/dgram/netlogon.c

index 664cd56636df76e5dc0277ad9e5fd5ea6934b73f..5e263a585471314759336effe26a2caedc519d47 100644 (file)
--- a/source/nbt_server/dgram/netlogon.c
+++ b/source/nbt_server/dgram/netlogon.c
@@ -139,7 +139,7 @@ static void nbtd_netlogon_samlogon(struct dgram_mailslot_handler *dgmslot,
         }
  
         status = fill_netlogon_samlogon_response(samctx, packet, NULL, name->name, sid, NULL, 
-                                                netlogon->req.logon.user_name, src->addr, 
+                                                netlogon->req.logon.user_name, netlogon->req.logon.acct_control, src->addr, 
                                                  netlogon->req.logon.nt_version, iface->nbtsrv->task->lp_ctx, &netlogon_response.samlogon);
         if (!NT_STATUS_IS_OK(status)) {
                 DEBUG(2,("NBT netlogon query failed domain=%s sid=%s version=%d - %s\n",
diff --git a/source/torture/ldap/cldap.c b/source/torture/ldap/cldap.c

index a77920d4e61cb30e410a4d83f838c88fb13e8385..5d4acd581b34c6175eb5306440b1821fc325305f 100644 (file)
--- a/source/torture/ldap/cldap.c
+++ b/source/torture/ldap/cldap.c
@@ -144,18 +144,38 @@ static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
  
         printf("Trying with a AAC\n");
-       search.in.acct_control = 0x180;
+       search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
         search.in.realm = n1.nt5_ex.dns_domain;
         status = cldap_netlogon(cldap, tctx, &search);
         CHECK_STATUS(status, NT_STATUS_OK);
         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
  
+       printf("Trying with a zero AAC\n");
+       search.in.acct_control = 0x0;
+       search.in.realm = n1.nt5_ex.dns_domain;
+       status = cldap_netlogon(cldap, tctx, &search);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+       CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
+
+       printf("Trying with a zero AAC and user=Administrator\n");
+       search.in.acct_control = 0x0;
+       search.in.user = "Administrator";
+       search.in.realm = n1.nt5_ex.dns_domain;
+       status = cldap_netlogon(cldap, tctx, &search);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
+       CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "Administrator");
+
         printf("Trying with a bad AAC\n");
+       search.in.user = NULL;
         search.in.acct_control = 0xFF00FF00;
         search.in.realm = n1.nt5_ex.dns_domain;
         status = cldap_netlogon(cldap, tctx, &search);
         CHECK_STATUS(status, NT_STATUS_OK);
+       CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+       CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
  
         printf("Trying with a user only\n");
         search = empty_search;
diff --git a/source/torture/nbt/dgram.c b/source/torture/nbt/dgram.c

index 2bc3d3d75e2f8b27f29513140373d986bf7215ab..66a3d142db59c115fe7e8d267fa37e241d2bba68 100644 (file)
--- a/source/torture/nbt/dgram.c
+++ b/source/torture/nbt/dgram.c
@@ -42,19 +42,24 @@ static void netlogon_handler(struct dgram_mailslot_handler *dgmslot,
                              struct socket_address *src)
  {
         NTSTATUS status;
-       struct nbt_netlogon_response netlogon;
-       int *replies = (int *)dgmslot->private;
+       struct nbt_netlogon_response *netlogon = dgmslot->private;
  
+       dgmslot->private = netlogon = talloc(dgmslot, struct nbt_netlogon_response);
+
+       if (!dgmslot->private) {
+               return;
+       }
+       
         printf("netlogon reply from %s:%d\n", src->addr, src->port);
  
-       status = dgram_mailslot_netlogon_parse_response(dgmslot, dgmslot, packet, &netlogon);
+       /* Fills in the netlogon pointer */
+       status = dgram_mailslot_netlogon_parse_response(dgmslot, netlogon, packet, netlogon);
         if (!NT_STATUS_IS_OK(status)) {
                 printf("Failed to parse netlogon packet from %s:%d\n",
                        src->addr, src->port);
                 return;
         }
-       
-       (*replies)++;
+
  }
  
  
@@ -67,10 +72,10 @@ static bool nbt_test_netlogon(struct torture_context *tctx)
         struct socket_address *dest;
         const char *myaddress;
         struct nbt_netlogon_packet logon;
+       struct nbt_netlogon_response *response;
         struct nbt_name myname;
         NTSTATUS status;
         struct timeval tv = timeval_current();
-       int replies = 0;
  
         struct socket_address *socket_address;
  
@@ -78,7 +83,7 @@ static bool nbt_test_netlogon(struct torture_context *tctx)
         struct nbt_name name;
  
         struct interface *ifaces;
-       
+
         name.name = lp_workgroup(tctx->lp_ctx);
         name.type = NBT_NAME_LOGON;
         name.scope = NULL;
@@ -112,7 +117,7 @@ static bool nbt_test_netlogon(struct torture_context *tctx)
  
         /* setup a temporary mailslot listener for replies */
         dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
-                                     netlogon_handler, &replies);
+                                     netlogon_handler, NULL);
  
         ZERO_STRUCT(logon);
         logon.command = LOGON_PRIMARY_QUERY;
@@ -134,10 +139,17 @@ static bool nbt_test_netlogon(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+       while (timeval_elapsed(&tv) < 5 && !dgmslot->private) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert(tctx, response->response_type == NETLOGON_GET_PDC, "Got incorrect type of netlogon response");
+       torture_assert(tctx, response->get_pdc.command == NETLOGON_RESPONSE_FROM_PDC, "Got incorrect netlogon response command");
+
         return true;
  }
  
@@ -151,10 +163,10 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
         struct socket_address *dest;
         const char *myaddress;
         struct nbt_netlogon_packet logon;
+       struct nbt_netlogon_response *response;
         struct nbt_name myname;
         NTSTATUS status;
         struct timeval tv = timeval_current();
-       int replies = 0;
  
         struct socket_address *socket_address;
  
@@ -198,7 +210,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
  
         /* setup a temporary mailslot listener for replies */
         dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
-                                     netlogon_handler, &replies);
+                                     netlogon_handler, NULL);
         
  
         ZERO_STRUCT(logon);
@@ -207,7 +219,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
         logon.req.logon.computer_name = TEST_NAME;
         logon.req.logon.user_name     = "";
         logon.req.logon.mailslot_name = dgmslot->mailslot_name;
-       logon.req.logon.nt_version    = 11;
+       logon.req.logon.nt_version    = NETLOGON_NT_VERSION_5EX_WITH_IP|NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_1;
         logon.req.logon.lmnt_token    = 0xFFFF;
         logon.req.logon.lm20_token    = 0xFFFF;
  
@@ -222,10 +234,23 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX, "Got incorrect netlogon response command");
+
+       /* setup (another) temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
+       
         ZERO_STRUCT(logon);
         logon.command = LOGON_SAM_LOGON_REQUEST;
         logon.req.logon.request_count = 0;
@@ -247,15 +272,109 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command");
+
+       torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response");
+
         join_ctx = torture_join_domain(tctx, TEST_NAME, 
                                        ACB_WSTRUST, &machine_credentials);
  
         dom_sid = torture_join_sid(join_ctx);
  
+       /* setup (another) temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
+       
+       ZERO_STRUCT(logon);
+       logon.command = LOGON_SAM_LOGON_REQUEST;
+       logon.req.logon.request_count = 0;
+       logon.req.logon.computer_name = TEST_NAME;
+       logon.req.logon.user_name     = TEST_NAME"$";
+       logon.req.logon.mailslot_name = dgmslot->mailslot_name;
+       logon.req.logon.sid           = *dom_sid;
+       logon.req.logon.nt_version    = 1;
+       logon.req.logon.lmnt_token    = 0xFFFF;
+       logon.req.logon.lm20_token    = 0xFFFF;
+
+       make_nbt_name_client(&myname, TEST_NAME);
+
+       dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, 
+                                          address, lp_dgram_port(tctx->lp_ctx));
+
+       torture_assert(tctx, dest != NULL, "Error getting address");
+       status = dgram_mailslot_netlogon_send(dgmsock, &name, dest,
+                                             NBT_MAILSLOT_NETLOGON, 
+                                             &myname, &logon);
+       torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
+
+
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
+               event_loop_once(dgmsock->event_ctx);
+       }
+
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command");
+
+       /* setup (another) temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
+       
+       ZERO_STRUCT(logon);
+       logon.command = LOGON_SAM_LOGON_REQUEST;
+       logon.req.logon.request_count = 0;
+       logon.req.logon.computer_name = TEST_NAME;
+       logon.req.logon.user_name     = TEST_NAME"$";
+       logon.req.logon.mailslot_name = dgmslot->mailslot_name;
+       logon.req.logon.sid           = *dom_sid;
+       logon.req.logon.acct_control  = ACB_WSTRUST;
+       logon.req.logon.nt_version    = 1;
+       logon.req.logon.lmnt_token    = 0xFFFF;
+       logon.req.logon.lm20_token    = 0xFFFF;
+
+       make_nbt_name_client(&myname, TEST_NAME);
+
+       dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, 
+                                          address, lp_dgram_port(tctx->lp_ctx));
+
+       torture_assert(tctx, dest != NULL, "Error getting address");
+       status = dgram_mailslot_netlogon_send(dgmsock, &name, dest,
+                                             NBT_MAILSLOT_NETLOGON, 
+                                             &myname, &logon);
+       torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
+
+
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
+               event_loop_once(dgmsock->event_ctx);
+       }
+
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command");
+
+       dgmslot->private = NULL;
+
         ZERO_STRUCT(logon);
         logon.command = LOGON_SAM_LOGON_REQUEST;
         logon.req.logon.request_count = 0;
@@ -263,6 +382,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
         logon.req.logon.user_name     = TEST_NAME"$";
         logon.req.logon.mailslot_name = dgmslot->mailslot_name;
         logon.req.logon.sid           = *dom_sid;
+       logon.req.logon.acct_control  = ACB_NORMAL;
         logon.req.logon.nt_version    = 1;
         logon.req.logon.lmnt_token    = 0xFFFF;
         logon.req.logon.lm20_token    = 0xFFFF;
@@ -278,10 +398,20 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command");
+
         torture_leave_domain(join_ctx);
         return true;
  }
@@ -295,14 +425,15 @@ static bool nbt_test_ntlogon(struct torture_context *tctx)
                                                                  lp_iconv_convenience(tctx->lp_ctx));
         struct socket_address *dest;
         struct test_join *join_ctx;
+       const struct dom_sid *dom_sid;
         struct cli_credentials *machine_credentials;
  
         const char *myaddress;
         struct nbt_netlogon_packet logon;
+       struct nbt_netlogon_response *response;
         struct nbt_name myname;
         NTSTATUS status;
         struct timeval tv = timeval_current();
-       int replies = 0;
  
         struct socket_address *socket_address;
         const char *address;
@@ -342,13 +473,60 @@ static bool nbt_test_ntlogon(struct torture_context *tctx)
  
         join_ctx = torture_join_domain(tctx, TEST_NAME, 
                                        ACB_WSTRUST, &machine_credentials);
+       dom_sid = torture_join_sid(join_ctx);
+
         torture_assert(tctx, join_ctx != NULL,
                        talloc_asprintf(tctx, "Failed to join domain %s as %s\n",
                                        lp_workgroup(tctx->lp_ctx), TEST_NAME));
  
         /* setup a temporary mailslot listener for replies */
         dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
-                                     netlogon_handler, &replies);
+                                     netlogon_handler, NULL);
+       
+
+       ZERO_STRUCT(logon);
+       logon.command = LOGON_SAM_LOGON_REQUEST;
+       logon.req.logon.request_count = 0;
+       logon.req.logon.computer_name = TEST_NAME;
+       logon.req.logon.user_name     = TEST_NAME"$";
+       logon.req.logon.mailslot_name = dgmslot->mailslot_name;
+       logon.req.logon.acct_control  = ACB_WSTRUST;
+       /* Try with a SID this time */
+       logon.req.logon.sid           = *dom_sid;
+       logon.req.logon.nt_version    = 1;
+       logon.req.logon.lmnt_token    = 0xFFFF;
+       logon.req.logon.lm20_token    = 0xFFFF;
+
+       make_nbt_name_client(&myname, TEST_NAME);
+
+       dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, 
+                                          address, lp_dgram_port(tctx->lp_ctx));
+       torture_assert(tctx, dest != NULL, "Error getting address");
+       status = dgram_mailslot_netlogon_send(dgmsock, 
+                                             &name, dest, 
+                                             NBT_MAILSLOT_NTLOGON, 
+                                             &myname, &logon);
+       torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request");
+
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
+               event_loop_once(dgmsock->event_ctx);
+       }
+
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command");
+
+       torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response");
+
+
+       /* setup a temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
         
  
         ZERO_STRUCT(logon);
@@ -374,10 +552,26 @@ static bool nbt_test_ntlogon(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+       while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response");
+       map_netlogon_samlogon_response(&response->samlogon);
+
+       torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command");
+
+       torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response");
+
+
+       /* setup (another) temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
+       
         ZERO_STRUCT(logon);
         logon.command = LOGON_PRIMARY_QUERY;
         logon.req.pdc.computer_name = TEST_NAME;
@@ -398,11 +592,55 @@ static bool nbt_test_ntlogon(struct torture_context *tctx)
                                               &myname, &logon);
         torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request");
  
-       while (timeval_elapsed(&tv) < 5 && replies == 0) {
+       while (timeval_elapsed(&tv) < 5 && !dgmslot->private) {
                 event_loop_once(dgmsock->event_ctx);
         }
  
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_GET_PDC, "Got incorrect type of ntlogon response");
+       torture_assert_int_equal(tctx, response->get_pdc.command, NETLOGON_RESPONSE_FROM_PDC, "Got incorrect ntlogon response command");
+
         torture_leave_domain(join_ctx);
+
+       /* setup (another) temporary mailslot listener for replies */
+       dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC,
+                                     netlogon_handler, NULL);
+       
+       ZERO_STRUCT(logon);
+       logon.command = LOGON_PRIMARY_QUERY;
+       logon.req.pdc.computer_name = TEST_NAME;
+       logon.req.pdc.mailslot_name = dgmslot->mailslot_name;
+       logon.req.pdc.unicode_name  = TEST_NAME;
+       logon.req.pdc.nt_version    = 1;
+       logon.req.pdc.lmnt_token    = 0xFFFF;
+       logon.req.pdc.lm20_token    = 0xFFFF;
+
+       make_nbt_name_client(&myname, TEST_NAME);
+
+       dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, 
+                                          address, lp_dgram_port(tctx->lp_ctx));
+       torture_assert(tctx, dest != NULL, "Error getting address");
+       status = dgram_mailslot_netlogon_send(dgmsock, 
+                                             &name, dest, 
+                                             NBT_MAILSLOT_NTLOGON, 
+                                             &myname, &logon);
+       torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request");
+
+       while (timeval_elapsed(&tv) < 5 && !dgmslot->private) {
+               event_loop_once(dgmsock->event_ctx);
+       }
+
+       response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response);
+
+       torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet");
+
+       torture_assert_int_equal(tctx, response->response_type, NETLOGON_GET_PDC, "Got incorrect type of ntlogon response");
+       torture_assert_int_equal(tctx, response->get_pdc.command, NETLOGON_RESPONSE_FROM_PDC, "Got incorrect ntlogon response command");
+
+
         return true;
  }
author	Andrew Bartlett <abartlet@samba.org>
	Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)
committer	Andrew Bartlett <abartlet@samba.org>
	Wed, 21 May 2008 02:37:36 +0000 (12:37 +1000)
source/cldap_server/netlogon.c		patch \| blob \| history
source/nbt_server/dgram/netlogon.c		patch \| blob \| history
source/torture/ldap/cldap.c		patch \| blob \| history
source/torture/nbt/dgram.c		patch \| blob \| history