Finish removal of iconv_convenience in public API's.
[bbaumbach/samba-autobuild/.git] / source4 / torture / rpc / samba3rpc.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    dcerpc torture tests, designed to walk Samba3 code paths
5
6    Copyright (C) Volker Lendecke 2006
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/raw/libcliraw.h"
24 #include "libcli/raw/raw_proto.h"
25 #include "../librpc/gen_ndr/rap.h"
26 #include "torture/util.h"
27 #include "torture/rap/proto.h"
28 #include "librpc/gen_ndr/ndr_lsa_c.h"
29 #include "librpc/gen_ndr/ndr_samr_c.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "librpc/gen_ndr/ndr_srvsvc_c.h"
32 #include "librpc/gen_ndr/ndr_spoolss_c.h"
33 #include "librpc/gen_ndr/ndr_winreg_c.h"
34 #include "librpc/gen_ndr/ndr_wkssvc_c.h"
35 #include "lib/cmdline/popt_common.h"
36 #include "torture/rpc/torture_rpc.h"
37 #include "libcli/libcli.h"
38 #include "libcli/smb_composite/smb_composite.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "../lib/crypto/crypto.h"
41 #include "libcli/security/security.h"
42 #include "param/param.h"
43 #include "lib/registry/registry.h"
44 #include "libcli/resolve/resolve.h"
45
46 /*
47  * This tests a RPC call using an invalid vuid
48  */
49
50 bool torture_bind_authcontext(struct torture_context *torture)
51 {
52         TALLOC_CTX *mem_ctx;
53         NTSTATUS status;
54         bool ret = false;
55         struct lsa_ObjectAttribute objectattr;
56         struct lsa_OpenPolicy2 openpolicy;
57         struct policy_handle handle;
58         struct lsa_Close close_handle;
59         struct smbcli_session *tmp;
60         struct smbcli_session *session2;
61         struct smbcli_state *cli;
62         struct dcerpc_pipe *lsa_pipe;
63         struct dcerpc_binding_handle *lsa_handle;
64         struct cli_credentials *anon_creds;
65         struct smb_composite_sesssetup setup;
66         struct smbcli_options options;
67         struct smbcli_session_options session_options;
68
69         mem_ctx = talloc_init("torture_bind_authcontext");
70
71         if (mem_ctx == NULL) {
72                 torture_comment(torture, "talloc_init failed\n");
73                 return false;
74         }
75
76         lp_smbcli_options(torture->lp_ctx, &options);
77         lp_smbcli_session_options(torture->lp_ctx, &session_options);
78
79         status = smbcli_full_connection(mem_ctx, &cli,
80                                         torture_setting_string(torture, "host", NULL),
81                                         lp_smb_ports(torture->lp_ctx),
82                                         "IPC$", NULL,
83                                         lp_socket_options(torture->lp_ctx),
84                                         cmdline_credentials,
85                                         lp_resolve_context(torture->lp_ctx),
86                                         torture->ev, &options, &session_options,
87                                         lp_gensec_settings(torture, torture->lp_ctx));
88         if (!NT_STATUS_IS_OK(status)) {
89                 torture_comment(torture, "smbcli_full_connection failed: %s\n",
90                          nt_errstr(status));
91                 goto done;
92         }
93
94         lsa_pipe = dcerpc_pipe_init(mem_ctx, cli->transport->socket->event.ctx);
95         if (lsa_pipe == NULL) {
96                 torture_comment(torture, "dcerpc_pipe_init failed\n");
97                 goto done;
98         }
99         lsa_handle = lsa_pipe->binding_handle;
100
101         status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
102         if (!NT_STATUS_IS_OK(status)) {
103                 torture_comment(torture, "dcerpc_pipe_open_smb failed: %s\n",
104                          nt_errstr(status));
105                 goto done;
106         }
107
108         status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
109         if (!NT_STATUS_IS_OK(status)) {
110                 torture_comment(torture, "dcerpc_bind_auth_none failed: %s\n",
111                          nt_errstr(status));
112                 goto done;
113         }
114
115         openpolicy.in.system_name =talloc_asprintf(
116                 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
117         ZERO_STRUCT(objectattr);
118         openpolicy.in.attr = &objectattr;
119         openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
120         openpolicy.out.handle = &handle;
121
122         status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
123
124         if (!NT_STATUS_IS_OK(status)) {
125                 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
126                          nt_errstr(status));
127                 goto done;
128         }
129         if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
130                 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
131                          nt_errstr(openpolicy.out.result));
132                 goto done;
133         }
134
135         close_handle.in.handle = &handle;
136         close_handle.out.handle = &handle;
137
138         status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
139         if (!NT_STATUS_IS_OK(status)) {
140                 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
141                          nt_errstr(status));
142                 goto done;
143         }
144         if (!NT_STATUS_IS_OK(close_handle.out.result)) {
145                 torture_comment(torture, "dcerpc_lsa_Close failed: %s\n",
146                          nt_errstr(close_handle.out.result));
147                 goto done;
148         }
149
150         session2 = smbcli_session_init(cli->transport, mem_ctx, false, session_options);
151         if (session2 == NULL) {
152                 torture_comment(torture, "smbcli_session_init failed\n");
153                 goto done;
154         }
155
156         if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
157                 torture_comment(torture, "create_anon_creds failed\n");
158                 goto done;
159         }
160
161         setup.in.sesskey = cli->transport->negotiate.sesskey;
162         setup.in.capabilities = cli->transport->negotiate.capabilities;
163         setup.in.workgroup = "";
164         setup.in.credentials = anon_creds;
165         setup.in.gensec_settings = lp_gensec_settings(torture, torture->lp_ctx);
166
167         status = smb_composite_sesssetup(session2, &setup);
168         if (!NT_STATUS_IS_OK(status)) {
169                 torture_comment(torture, "anon session setup failed: %s\n",
170                          nt_errstr(status));
171                 goto done;
172         }
173         session2->vuid = setup.out.vuid;
174
175         tmp = cli->tree->session;
176         cli->tree->session = session2;
177
178         status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
179
180         cli->tree->session = tmp;
181         talloc_free(lsa_pipe);
182         lsa_pipe = NULL;
183
184         if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
185                 torture_comment(torture, "dcerpc_lsa_OpenPolicy2 with wrong vuid gave %s, "
186                          "expected NT_STATUS_INVALID_HANDLE\n",
187                          nt_errstr(status));
188                 goto done;
189         }
190
191         ret = true;
192  done:
193         talloc_free(mem_ctx);
194         return ret;
195 }
196
197 /*
198  * Bind to lsa using a specific auth method
199  */
200
201 static bool bindtest(struct torture_context *tctx,
202                      struct smbcli_state *cli,
203                      struct cli_credentials *credentials,
204                      uint8_t auth_type, uint8_t auth_level)
205 {
206         TALLOC_CTX *mem_ctx;
207         bool ret = false;
208         NTSTATUS status;
209
210         struct dcerpc_pipe *lsa_pipe;
211         struct dcerpc_binding_handle *lsa_handle;
212         struct lsa_ObjectAttribute objectattr;
213         struct lsa_OpenPolicy2 openpolicy;
214         struct lsa_QueryInfoPolicy query;
215         union lsa_PolicyInformation *info = NULL;
216         struct policy_handle handle;
217         struct lsa_Close close_handle;
218
219         if ((mem_ctx = talloc_init("bindtest")) == NULL) {
220                 torture_comment(tctx, "talloc_init failed\n");
221                 return false;
222         }
223
224         lsa_pipe = dcerpc_pipe_init(mem_ctx,
225                                     cli->transport->socket->event.ctx); 
226         if (lsa_pipe == NULL) {
227                 torture_comment(tctx, "dcerpc_pipe_init failed\n");
228                 goto done;
229         }
230         lsa_handle = lsa_pipe->binding_handle;
231
232         status = dcerpc_pipe_open_smb(lsa_pipe, cli->tree, "\\lsarpc");
233         if (!NT_STATUS_IS_OK(status)) {
234                 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
235                          nt_errstr(status));
236                 goto done;
237         }
238
239         status = dcerpc_bind_auth(lsa_pipe, &ndr_table_lsarpc,
240                                   credentials, lp_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), auth_type, auth_level,
241                                   NULL);
242         if (!NT_STATUS_IS_OK(status)) {
243                 torture_comment(tctx, "dcerpc_bind_auth failed: %s\n", nt_errstr(status));
244                 goto done;
245         }
246
247         openpolicy.in.system_name =talloc_asprintf(
248                 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
249         ZERO_STRUCT(objectattr);
250         openpolicy.in.attr = &objectattr;
251         openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
252         openpolicy.out.handle = &handle;
253
254         status = dcerpc_lsa_OpenPolicy2_r(lsa_handle, mem_ctx, &openpolicy);
255
256         if (!NT_STATUS_IS_OK(status)) {
257                 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
258                          nt_errstr(status));
259                 goto done;
260         }
261         if (!NT_STATUS_IS_OK(openpolicy.out.result)) {
262                 torture_comment(tctx, "dcerpc_lsa_OpenPolicy2 failed: %s\n",
263                          nt_errstr(openpolicy.out.result));
264                 goto done;
265         }
266
267         query.in.handle = &handle;
268         query.in.level = LSA_POLICY_INFO_DOMAIN;
269         query.out.info = &info;
270
271         status = dcerpc_lsa_QueryInfoPolicy_r(lsa_handle, mem_ctx, &query);
272         if (!NT_STATUS_IS_OK(status)) {
273                 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
274                          nt_errstr(status));
275                 goto done;
276         }
277         if (!NT_STATUS_IS_OK(query.out.result)) {
278                 torture_comment(tctx, "dcerpc_lsa_QueryInfoPolicy failed: %s\n",
279                          nt_errstr(query.out.result));
280                 goto done;
281         }
282
283         close_handle.in.handle = &handle;
284         close_handle.out.handle = &handle;
285
286         status = dcerpc_lsa_Close_r(lsa_handle, mem_ctx, &close_handle);
287         if (!NT_STATUS_IS_OK(status)) {
288                 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
289                          nt_errstr(status));
290                 goto done;
291         }
292         if (!NT_STATUS_IS_OK(close_handle.out.result)) {
293                 torture_comment(tctx, "dcerpc_lsa_Close failed: %s\n",
294                          nt_errstr(close_handle.out.result));
295                 goto done;
296         }
297
298
299         ret = true;
300  done:
301         talloc_free(mem_ctx);
302         return ret;
303 }
304
305 /*
306  * test authenticated RPC binds with the variants Samba3 does support
307  */
308
309 static bool torture_bind_samba3(struct torture_context *torture)
310 {
311         TALLOC_CTX *mem_ctx;
312         NTSTATUS status;
313         bool ret = false;
314         struct smbcli_state *cli;
315         struct smbcli_options options;
316         struct smbcli_session_options session_options;
317
318         mem_ctx = talloc_init("torture_bind_authcontext");
319
320         if (mem_ctx == NULL) {
321                 torture_comment(torture, "talloc_init failed\n");
322                 return false;
323         }
324
325         lp_smbcli_options(torture->lp_ctx, &options);
326         lp_smbcli_session_options(torture->lp_ctx, &session_options);
327
328         status = smbcli_full_connection(mem_ctx, &cli,
329                                         torture_setting_string(torture, "host", NULL),
330                                         lp_smb_ports(torture->lp_ctx),
331                                         "IPC$", NULL,
332                                         lp_socket_options(torture->lp_ctx),
333                                         cmdline_credentials,
334                                         lp_resolve_context(torture->lp_ctx),
335                                         torture->ev, &options, &session_options,
336                                         lp_gensec_settings(torture, torture->lp_ctx));
337         if (!NT_STATUS_IS_OK(status)) {
338                 torture_comment(torture, "smbcli_full_connection failed: %s\n",
339                          nt_errstr(status));
340                 goto done;
341         }
342
343         ret = true;
344
345         ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
346                         DCERPC_AUTH_LEVEL_INTEGRITY);
347         ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
348                         DCERPC_AUTH_LEVEL_PRIVACY);
349         ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
350                         DCERPC_AUTH_LEVEL_INTEGRITY);
351         ret &= bindtest(torture, cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
352                         DCERPC_AUTH_LEVEL_PRIVACY);
353
354  done:
355         talloc_free(mem_ctx);
356         return ret;
357 }
358
359 /*
360  * Lookup or create a user and return all necessary info
361  */
362
363 static bool get_usr_handle(struct torture_context *tctx,
364                            struct smbcli_state *cli,
365                            TALLOC_CTX *mem_ctx,
366                            struct cli_credentials *admin_creds,
367                            uint8_t auth_type,
368                            uint8_t auth_level,
369                            const char *username,
370                            char **domain,
371                            struct dcerpc_pipe **result_pipe,
372                            struct policy_handle **result_handle,
373                            struct dom_sid **sid_p)
374 {
375         struct dcerpc_pipe *samr_pipe;
376         struct dcerpc_binding_handle *samr_handle;
377         NTSTATUS status;
378         struct policy_handle conn_handle;
379         struct policy_handle domain_handle;
380         struct policy_handle *user_handle;
381         struct samr_Connect2 conn;
382         struct samr_EnumDomains enumdom;
383         uint32_t resume_handle = 0;
384         uint32_t num_entries = 0;
385         struct samr_SamArray *sam = NULL;
386         struct samr_LookupDomain l;
387         struct dom_sid2 *sid = NULL;
388         int dom_idx;
389         struct lsa_String domain_name;
390         struct lsa_String user_name;
391         struct samr_OpenDomain o;
392         struct samr_CreateUser2 c;
393         uint32_t user_rid,access_granted;
394
395         samr_pipe = dcerpc_pipe_init(mem_ctx,
396                                      cli->transport->socket->event.ctx);
397         torture_assert(tctx, samr_pipe, "dcerpc_pipe_init failed");
398
399         samr_handle = samr_pipe->binding_handle;
400
401         torture_assert_ntstatus_ok(tctx,
402                 dcerpc_pipe_open_smb(samr_pipe, cli->tree, "\\samr"),
403                 "dcerpc_pipe_open_smb failed");
404
405         if (admin_creds != NULL) {
406                 torture_assert_ntstatus_ok(tctx,
407                         dcerpc_bind_auth(samr_pipe, &ndr_table_samr,
408                                           admin_creds, lp_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), auth_type, auth_level,
409                                           NULL),
410                         "dcerpc_bind_auth failed");
411         } else {
412                 /* We must have an authenticated SMB connection */
413                 torture_assert_ntstatus_ok(tctx,
414                         dcerpc_bind_auth_none(samr_pipe, &ndr_table_samr),
415                         "dcerpc_bind_auth_none failed");
416         }
417
418         conn.in.system_name = talloc_asprintf(
419                 mem_ctx, "\\\\%s", dcerpc_server_name(samr_pipe));
420         conn.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
421         conn.out.connect_handle = &conn_handle;
422
423         torture_assert_ntstatus_ok(tctx,
424                 dcerpc_samr_Connect2_r(samr_handle, mem_ctx, &conn),
425                 "samr_Connect2 failed");
426         torture_assert_ntstatus_ok(tctx, conn.out.result,
427                 "samr_Connect2 failed");
428
429         enumdom.in.connect_handle = &conn_handle;
430         enumdom.in.resume_handle = &resume_handle;
431         enumdom.in.buf_size = (uint32_t)-1;
432         enumdom.out.resume_handle = &resume_handle;
433         enumdom.out.num_entries = &num_entries;
434         enumdom.out.sam = &sam;
435
436         torture_assert_ntstatus_ok(tctx,
437                 dcerpc_samr_EnumDomains_r(samr_handle, mem_ctx, &enumdom),
438                 "samr_EnumDomains failed");
439         torture_assert_ntstatus_ok(tctx, enumdom.out.result,
440                 "samr_EnumDomains failed");
441
442         torture_assert_int_equal(tctx, *enumdom.out.num_entries, 2,
443                 "samr_EnumDomains returned unexpected num_entries");
444
445         dom_idx = strequal(sam->entries[0].name.string,
446                            "builtin") ? 1:0;
447
448         l.in.connect_handle = &conn_handle;
449         domain_name.string = sam->entries[dom_idx].name.string;
450         *domain = talloc_strdup(mem_ctx, domain_name.string);
451         l.in.domain_name = &domain_name;
452         l.out.sid = &sid;
453
454         torture_assert_ntstatus_ok(tctx,
455                 dcerpc_samr_LookupDomain_r(samr_handle, mem_ctx, &l),
456                 "samr_LookupDomain failed");
457         torture_assert_ntstatus_ok(tctx, l.out.result,
458                 "samr_LookupDomain failed");
459
460         o.in.connect_handle = &conn_handle;
461         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
462         o.in.sid = *l.out.sid;
463         o.out.domain_handle = &domain_handle;
464
465         torture_assert_ntstatus_ok(tctx,
466                 dcerpc_samr_OpenDomain_r(samr_handle, mem_ctx, &o),
467                 "samr_OpenDomain failed");
468         torture_assert_ntstatus_ok(tctx, o.out.result,
469                 "samr_OpenDomain failed");
470
471         c.in.domain_handle = &domain_handle;
472         user_name.string = username;
473         c.in.account_name = &user_name;
474         c.in.acct_flags = ACB_NORMAL;
475         c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
476         user_handle = talloc(mem_ctx, struct policy_handle);
477         c.out.user_handle = user_handle;
478         c.out.access_granted = &access_granted;
479         c.out.rid = &user_rid;
480
481         torture_assert_ntstatus_ok(tctx,
482                 dcerpc_samr_CreateUser2_r(samr_handle, mem_ctx, &c),
483                 "samr_CreateUser2 failed");
484
485         if (NT_STATUS_EQUAL(c.out.result, NT_STATUS_USER_EXISTS)) {
486                 struct samr_LookupNames ln;
487                 struct samr_OpenUser ou;
488                 struct samr_Ids rids, types;
489
490                 ln.in.domain_handle = &domain_handle;
491                 ln.in.num_names = 1;
492                 ln.in.names = &user_name;
493                 ln.out.rids = &rids;
494                 ln.out.types = &types;
495
496                 torture_assert_ntstatus_ok(tctx,
497                         dcerpc_samr_LookupNames_r(samr_handle, mem_ctx, &ln),
498                         "samr_LookupNames failed");
499                 torture_assert_ntstatus_ok(tctx, ln.out.result,
500                         "samr_LookupNames failed");
501
502                 ou.in.domain_handle = &domain_handle;
503                 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
504                 user_rid = ou.in.rid = ln.out.rids->ids[0];
505                 ou.out.user_handle = user_handle;
506
507                 torture_assert_ntstatus_ok(tctx,
508                         dcerpc_samr_OpenUser_r(samr_handle, mem_ctx, &ou),
509                         "samr_OpenUser failed");
510                 status = ou.out.result;
511         } else {
512                 status = c.out.result;
513         }
514
515         torture_assert_ntstatus_ok(tctx, status,
516                 "samr_CreateUser failed");
517
518         *result_pipe = samr_pipe;
519         *result_handle = user_handle;
520         if (sid_p != NULL) {
521                 *sid_p = dom_sid_add_rid(mem_ctx, *l.out.sid, user_rid);
522         }
523         return true;
524
525 }
526
527 /*
528  * Create a test user
529  */
530
531 static bool create_user(struct torture_context *tctx,
532                         TALLOC_CTX *mem_ctx, struct smbcli_state *cli,
533                         struct cli_credentials *admin_creds,
534                         const char *username, const char *password,
535                         char **domain_name,
536                         struct dom_sid **user_sid)
537 {
538         TALLOC_CTX *tmp_ctx;
539         NTSTATUS status;
540         struct dcerpc_pipe *samr_pipe;
541         struct dcerpc_binding_handle *samr_handle;
542         struct policy_handle *wks_handle;
543         bool ret = false;
544
545         if (!(tmp_ctx = talloc_new(mem_ctx))) {
546                 torture_comment(tctx, "talloc_init failed\n");
547                 return false;
548         }
549
550         ret = get_usr_handle(tctx, cli, tmp_ctx, admin_creds,
551                              DCERPC_AUTH_TYPE_NTLMSSP,
552                              DCERPC_AUTH_LEVEL_INTEGRITY,
553                              username, domain_name, &samr_pipe, &wks_handle,
554                              user_sid);
555         if (ret == false) {
556                 torture_comment(tctx, "get_usr_handle failed\n");
557                 goto done;
558         }
559         samr_handle = samr_pipe->binding_handle;
560
561         {
562                 struct samr_SetUserInfo2 sui2;
563                 struct samr_SetUserInfo sui;
564                 struct samr_QueryUserInfo qui;
565                 union samr_UserInfo u_info;
566                 union samr_UserInfo *info;
567                 DATA_BLOB session_key;
568
569
570                 ZERO_STRUCT(u_info);
571                 encode_pw_buffer(u_info.info23.password.data, password,
572                                  STR_UNICODE);
573
574                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
575                 if (!NT_STATUS_IS_OK(status)) {
576                         torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
577                         goto done;
578                 }
579                 arcfour_crypt_blob(u_info.info23.password.data, 516,
580                                    &session_key);
581                 u_info.info23.info.password_expired = 0;
582                 u_info.info23.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT |
583                                                     SAMR_FIELD_LM_PASSWORD_PRESENT |
584                                                     SAMR_FIELD_EXPIRED_FLAG;
585                 sui2.in.user_handle = wks_handle;
586                 sui2.in.info = &u_info;
587                 sui2.in.level = 23;
588
589                 status = dcerpc_samr_SetUserInfo2_r(samr_handle, tmp_ctx, &sui2);
590                 if (!NT_STATUS_IS_OK(status)) {
591                         torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
592                                  nt_errstr(status));
593                         goto done;
594                 }
595                 if (!NT_STATUS_IS_OK(sui2.out.result)) {
596                         torture_comment(tctx, "samr_SetUserInfo(23) failed: %s\n",
597                                  nt_errstr(sui2.out.result));
598                         goto done;
599                 }
600
601                 u_info.info16.acct_flags = ACB_NORMAL;
602                 sui.in.user_handle = wks_handle;
603                 sui.in.info = &u_info;
604                 sui.in.level = 16;
605
606                 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
607                 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
608                         torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
609                         goto done;
610                 }
611
612                 qui.in.user_handle = wks_handle;
613                 qui.in.level = 21;
614                 qui.out.info = &info;
615
616                 status = dcerpc_samr_QueryUserInfo_r(samr_handle, tmp_ctx, &qui);
617                 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(qui.out.result)) {
618                         torture_comment(tctx, "samr_QueryUserInfo(21) failed\n");
619                         goto done;
620                 }
621
622                 info->info21.allow_password_change = 0;
623                 info->info21.force_password_change = 0;
624                 info->info21.account_name.string = NULL;
625                 info->info21.rid = 0;
626                 info->info21.acct_expiry = 0;
627                 info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */
628
629                 u_info.info21 = info->info21;
630                 sui.in.user_handle = wks_handle;
631                 sui.in.info = &u_info;
632                 sui.in.level = 21;
633
634                 status = dcerpc_samr_SetUserInfo_r(samr_handle, tmp_ctx, &sui);
635                 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
636                         torture_comment(tctx, "samr_SetUserInfo(21) failed\n");
637                         goto done;
638                 }
639         }
640
641         *domain_name= talloc_steal(mem_ctx, *domain_name);
642         *user_sid = talloc_steal(mem_ctx, *user_sid);
643         ret = true;
644  done:
645         talloc_free(tmp_ctx);
646         return ret;
647 }
648
649 /*
650  * Delete a test user
651  */
652
653 static bool delete_user(struct torture_context *tctx,
654                         struct smbcli_state *cli,
655                         struct cli_credentials *admin_creds,
656                         const char *username)
657 {
658         TALLOC_CTX *mem_ctx;
659         NTSTATUS status;
660         char *dom_name;
661         struct dcerpc_pipe *samr_pipe;
662         struct dcerpc_binding_handle *samr_handle;
663         struct policy_handle *user_handle;
664         bool ret = false;
665
666         if ((mem_ctx = talloc_init("leave")) == NULL) {
667                 torture_comment(tctx, "talloc_init failed\n");
668                 return false;
669         }
670
671         ret = get_usr_handle(tctx, cli, mem_ctx, admin_creds,
672                              DCERPC_AUTH_TYPE_NTLMSSP,
673                              DCERPC_AUTH_LEVEL_INTEGRITY,
674                              username, &dom_name, &samr_pipe,
675                              &user_handle, NULL);
676         if (ret == false) {
677                 torture_comment(tctx, "get_wks_handle failed\n");
678                 goto done;
679         }
680         samr_handle = samr_pipe->binding_handle;
681
682         {
683                 struct samr_DeleteUser d;
684
685                 d.in.user_handle = user_handle;
686                 d.out.user_handle = user_handle;
687
688                 status = dcerpc_samr_DeleteUser_r(samr_handle, mem_ctx, &d);
689                 if (!NT_STATUS_IS_OK(status)) {
690                         torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(status));
691                         goto done;
692                 }
693                 if (!NT_STATUS_IS_OK(d.out.result)) {
694                         torture_comment(tctx, "samr_DeleteUser failed %s\n", nt_errstr(d.out.result));
695                         goto done;
696                 }
697
698         }
699
700         ret = true;
701
702  done:
703         talloc_free(mem_ctx);
704         return ret;
705 }
706
707 /*
708  * Do a Samba3-style join
709  */
710
711 static bool join3(struct torture_context *tctx,
712                   struct smbcli_state *cli,
713                   bool use_level25,
714                   struct cli_credentials *admin_creds,
715                   struct cli_credentials *wks_creds)
716 {
717         TALLOC_CTX *mem_ctx;
718         NTSTATUS status;
719         char *dom_name;
720         struct dcerpc_pipe *samr_pipe;
721         struct dcerpc_binding_handle *samr_handle;
722         struct policy_handle *wks_handle;
723         bool ret = false;
724         NTTIME last_password_change;
725
726         if ((mem_ctx = talloc_init("join3")) == NULL) {
727                 torture_comment(tctx, "talloc_init failed\n");
728                 return false;
729         }
730
731         ret = get_usr_handle(
732                 tctx, cli, mem_ctx, admin_creds,
733                 DCERPC_AUTH_TYPE_NTLMSSP,
734                 DCERPC_AUTH_LEVEL_PRIVACY,
735                 talloc_asprintf(mem_ctx, "%s$",
736                                 cli_credentials_get_workstation(wks_creds)),
737                 &dom_name, &samr_pipe, &wks_handle, NULL);
738         if (ret == false) {
739                 torture_comment(tctx, "get_wks_handle failed\n");
740                 goto done;
741         }
742         samr_handle = samr_pipe->binding_handle;
743
744         {
745                 struct samr_QueryUserInfo q;
746                 union samr_UserInfo *info;
747
748                 q.in.user_handle = wks_handle;
749                 q.in.level = 21;
750                 q.out.info = &info;
751
752                 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
753                 if (!NT_STATUS_IS_OK(status)) {
754                         torture_warning(tctx, "QueryUserInfo failed: %s\n",
755                                   nt_errstr(status));
756                         goto done;
757                 }
758                 if (!NT_STATUS_IS_OK(q.out.result)) {
759                         torture_warning(tctx, "QueryUserInfo failed: %s\n",
760                                   nt_errstr(q.out.result));
761                         goto done;
762                 }
763
764
765                 last_password_change = info->info21.last_password_change;
766         }
767
768         cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED);
769
770         if (use_level25) {
771                 struct samr_SetUserInfo2 sui2;
772                 union samr_UserInfo u_info;
773                 struct samr_UserInfo21 *i21 = &u_info.info25.info;
774                 DATA_BLOB session_key;
775                 DATA_BLOB confounded_session_key = data_blob_talloc(
776                         mem_ctx, NULL, 16);
777                 struct MD5Context ctx;
778                 uint8_t confounder[16];
779
780                 ZERO_STRUCT(u_info);
781
782                 i21->full_name.string = talloc_asprintf(
783                         mem_ctx, "%s$",
784                         cli_credentials_get_workstation(wks_creds));
785                 i21->acct_flags = ACB_WSTRUST;
786                 i21->fields_present = SAMR_FIELD_FULL_NAME |
787                         SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_NT_PASSWORD_PRESENT;
788                 /* this would break the test result expectations
789                 i21->fields_present |= SAMR_FIELD_EXPIRED_FLAG;
790                 i21->password_expired = 1;
791                 */
792
793                 encode_pw_buffer(u_info.info25.password.data,
794                                  cli_credentials_get_password(wks_creds),
795                                  STR_UNICODE);
796                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
797                 if (!NT_STATUS_IS_OK(status)) {
798                         torture_comment(tctx, "dcerpc_fetch_session_key failed: %s\n",
799                                  nt_errstr(status));
800                         goto done;
801                 }
802                 generate_random_buffer((uint8_t *)confounder, 16);
803
804                 MD5Init(&ctx);
805                 MD5Update(&ctx, confounder, 16);
806                 MD5Update(&ctx, session_key.data, session_key.length);
807                 MD5Final(confounded_session_key.data, &ctx);
808
809                 arcfour_crypt_blob(u_info.info25.password.data, 516,
810                                    &confounded_session_key);
811                 memcpy(&u_info.info25.password.data[516], confounder, 16);
812
813                 sui2.in.user_handle = wks_handle;
814                 sui2.in.level = 25;
815                 sui2.in.info = &u_info;
816
817                 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
818                 if (!NT_STATUS_IS_OK(status)) {
819                         torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
820                                  nt_errstr(status));
821                         goto done;
822                 }
823                 if (!NT_STATUS_IS_OK(sui2.out.result)) {
824                         torture_comment(tctx, "samr_SetUserInfo2(25) failed: %s\n",
825                                  nt_errstr(sui2.out.result));
826                         goto done;
827                 }
828         } else {
829                 struct samr_SetUserInfo2 sui2;
830                 struct samr_SetUserInfo sui;
831                 union samr_UserInfo u_info;
832                 DATA_BLOB session_key;
833
834                 encode_pw_buffer(u_info.info24.password.data,
835                                  cli_credentials_get_password(wks_creds),
836                                  STR_UNICODE);
837                 /* just to make this test pass */
838                 u_info.info24.password_expired = 1;
839
840                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
841                 if (!NT_STATUS_IS_OK(status)) {
842                         torture_comment(tctx, "dcerpc_fetch_session_key failed\n");
843                         goto done;
844                 }
845                 arcfour_crypt_blob(u_info.info24.password.data, 516,
846                                    &session_key);
847                 sui2.in.user_handle = wks_handle;
848                 sui2.in.info = &u_info;
849                 sui2.in.level = 24;
850
851                 status = dcerpc_samr_SetUserInfo2_r(samr_handle, mem_ctx, &sui2);
852                 if (!NT_STATUS_IS_OK(status)) {
853                         torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
854                                  nt_errstr(status));
855                         goto done;
856                 }
857                 if (!NT_STATUS_IS_OK(sui2.out.result)) {
858                         torture_comment(tctx, "samr_SetUserInfo(24) failed: %s\n",
859                                  nt_errstr(sui2.out.result));
860                         goto done;
861                 }
862
863                 u_info.info16.acct_flags = ACB_WSTRUST;
864                 sui.in.user_handle = wks_handle;
865                 sui.in.info = &u_info;
866                 sui.in.level = 16;
867
868                 status = dcerpc_samr_SetUserInfo_r(samr_handle, mem_ctx, &sui);
869                 if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(sui.out.result)) {
870                         torture_comment(tctx, "samr_SetUserInfo(16) failed\n");
871                         goto done;
872                 }
873         }
874
875         {
876                 struct samr_QueryUserInfo q;
877                 union samr_UserInfo *info;
878
879                 q.in.user_handle = wks_handle;
880                 q.in.level = 21;
881                 q.out.info = &info;
882
883                 status = dcerpc_samr_QueryUserInfo_r(samr_handle, mem_ctx, &q);
884                 if (!NT_STATUS_IS_OK(status)) {
885                         torture_warning(tctx, "QueryUserInfo failed: %s\n",
886                                   nt_errstr(status));
887                         goto done;
888                 }
889                 if (!NT_STATUS_IS_OK(q.out.result)) {
890                         torture_warning(tctx, "QueryUserInfo failed: %s\n",
891                                   nt_errstr(q.out.result));
892                         goto done;
893                 }
894
895                 if (use_level25) {
896                         if (last_password_change
897                             == info->info21.last_password_change) {
898                                 torture_warning(tctx, "last_password_change unchanged "
899                                          "during join, level25 must change "
900                                          "it\n");
901                                 goto done;
902                         }
903                 }
904                 else {
905                         if (last_password_change
906                             != info->info21.last_password_change) {
907                                 torture_warning(tctx, "last_password_change changed "
908                                          "during join, level24 doesn't "
909                                          "change it\n");
910                                 goto done;
911                         }
912                 }
913         }
914
915         ret = true;
916
917  done:
918         talloc_free(mem_ctx);
919         return ret;
920 }
921
922 /*
923  * Do a ReqChallenge/Auth2 and get the wks creds
924  */
925
926 static bool auth2(struct torture_context *tctx,
927                   struct smbcli_state *cli,
928                   struct cli_credentials *wks_cred)
929 {
930         TALLOC_CTX *mem_ctx;
931         struct dcerpc_pipe *net_pipe;
932         struct dcerpc_binding_handle *net_handle;
933         bool result = false;
934         NTSTATUS status;
935         struct netr_ServerReqChallenge r;
936         struct netr_Credential netr_cli_creds;
937         struct netr_Credential netr_srv_creds;
938         uint32_t negotiate_flags;
939         struct netr_ServerAuthenticate2 a;
940         struct netlogon_creds_CredentialState *creds_state;
941         struct netr_Credential netr_cred;
942         struct samr_Password mach_pw;
943
944         mem_ctx = talloc_new(NULL);
945         if (mem_ctx == NULL) {
946                 torture_comment(tctx, "talloc_new failed\n");
947                 return false;
948         }
949
950         net_pipe = dcerpc_pipe_init(mem_ctx,
951                                     cli->transport->socket->event.ctx);
952         if (net_pipe == NULL) {
953                 torture_comment(tctx, "dcerpc_pipe_init failed\n");
954                 goto done;
955         }
956         net_handle = net_pipe->binding_handle;
957
958         status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
959         if (!NT_STATUS_IS_OK(status)) {
960                 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
961                          nt_errstr(status));
962                 goto done;
963         }
964
965         status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
966         if (!NT_STATUS_IS_OK(status)) {
967                 torture_comment(tctx, "dcerpc_bind_auth_none failed: %s\n",
968                          nt_errstr(status));
969                 goto done;
970         }
971
972         r.in.computer_name = cli_credentials_get_workstation(wks_cred);
973         r.in.server_name = talloc_asprintf(
974                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
975         if (r.in.server_name == NULL) {
976                 torture_comment(tctx, "talloc_asprintf failed\n");
977                 goto done;
978         }
979         generate_random_buffer(netr_cli_creds.data,
980                                sizeof(netr_cli_creds.data));
981         r.in.credentials = &netr_cli_creds;
982         r.out.return_credentials = &netr_srv_creds;
983
984         status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
985         if (!NT_STATUS_IS_OK(status)) {
986                 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
987                          nt_errstr(status));
988                 goto done;
989         }
990         if (!NT_STATUS_IS_OK(r.out.result)) {
991                 torture_comment(tctx, "netr_ServerReqChallenge failed: %s\n",
992                          nt_errstr(r.out.result));
993                 goto done;
994         }
995
996         negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
997         E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
998
999         a.in.server_name = talloc_asprintf(
1000                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1001         a.in.account_name = talloc_asprintf(
1002                 mem_ctx, "%s$", cli_credentials_get_workstation(wks_cred));
1003         a.in.computer_name = cli_credentials_get_workstation(wks_cred);
1004         a.in.secure_channel_type = SEC_CHAN_WKSTA;
1005         a.in.negotiate_flags = &negotiate_flags;
1006         a.out.negotiate_flags = &negotiate_flags;
1007         a.in.credentials = &netr_cred;
1008         a.out.return_credentials = &netr_cred;
1009
1010         creds_state = netlogon_creds_client_init(mem_ctx,
1011                                                  a.in.account_name,
1012                                                  a.in.computer_name,
1013                                                  r.in.credentials,
1014                                                  r.out.return_credentials, &mach_pw,
1015                                                  &netr_cred, negotiate_flags);
1016
1017         status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
1018         if (!NT_STATUS_IS_OK(status)) {
1019                 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1020                          nt_errstr(status));
1021                 goto done;
1022         }
1023         if (!NT_STATUS_IS_OK(a.out.result)) {
1024                 torture_comment(tctx, "netr_ServerServerAuthenticate2 failed: %s\n",
1025                          nt_errstr(a.out.result));
1026                 goto done;
1027         }
1028
1029         if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) {
1030                 torture_comment(tctx, "creds_client_check failed\n");
1031                 goto done;
1032         }
1033
1034         cli_credentials_set_netlogon_creds(wks_cred, creds_state);
1035
1036         result = true;
1037
1038  done:
1039         talloc_free(mem_ctx);
1040         return result;
1041 }
1042
1043 /*
1044  * Do a couple of schannel protected Netlogon ops: Interactive and Network
1045  * login, and change the wks password
1046  */
1047
1048 static bool schan(struct torture_context *tctx,
1049                   struct smbcli_state *cli,
1050                   struct cli_credentials *wks_creds,
1051                   struct cli_credentials *user_creds)
1052 {
1053         TALLOC_CTX *mem_ctx;
1054         NTSTATUS status;
1055         bool ret = false;
1056         struct dcerpc_pipe *net_pipe;
1057         struct dcerpc_binding_handle *net_handle;
1058         int i;
1059
1060         mem_ctx = talloc_new(NULL);
1061         if (mem_ctx == NULL) {
1062                 torture_comment(tctx, "talloc_new failed\n");
1063                 return false;
1064         }
1065
1066         net_pipe = dcerpc_pipe_init(mem_ctx,
1067                                     cli->transport->socket->event.ctx);
1068         if (net_pipe == NULL) {
1069                 torture_comment(tctx, "dcerpc_pipe_init failed\n");
1070                 goto done;
1071         }
1072         net_handle = net_pipe->binding_handle;
1073
1074         status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
1075         if (!NT_STATUS_IS_OK(status)) {
1076                 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
1077                          nt_errstr(status));
1078                 goto done;
1079         }
1080
1081 #if 0
1082         net_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN |
1083                 DCERPC_DEBUG_PRINT_OUT;
1084 #endif
1085 #if 1
1086         net_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
1087         status = dcerpc_bind_auth(net_pipe, &ndr_table_netlogon,
1088                                   wks_creds, lp_gensec_settings(tctx->lp_ctx, tctx->lp_ctx), DCERPC_AUTH_TYPE_SCHANNEL,
1089                                   DCERPC_AUTH_LEVEL_PRIVACY,
1090                                   NULL);
1091 #else
1092         status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
1093 #endif
1094         if (!NT_STATUS_IS_OK(status)) {
1095                 torture_comment(tctx, "schannel bind failed: %s\n", nt_errstr(status));
1096                 goto done;
1097         }
1098
1099
1100         for (i=2; i<4; i++) {
1101                 int flags;
1102                 DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key;
1103                 struct netlogon_creds_CredentialState *creds_state;
1104                 struct netr_Authenticator netr_auth, netr_auth2;
1105                 struct netr_NetworkInfo ninfo;
1106                 struct netr_PasswordInfo pinfo;
1107                 struct netr_LogonSamLogon r;
1108                 union netr_LogonLevel logon;
1109                 union netr_Validation validation;
1110                 uint8_t authoritative;
1111                 struct netr_Authenticator return_authenticator;
1112
1113                 flags = CLI_CRED_LANMAN_AUTH | CLI_CRED_NTLM_AUTH |
1114                         CLI_CRED_NTLMv2_AUTH;
1115
1116                 chal = data_blob_talloc(mem_ctx, NULL, 8);
1117                 if (chal.data == NULL) {
1118                         torture_comment(tctx, "data_blob_talloc failed\n");
1119                         goto done;
1120                 }
1121
1122                 generate_random_buffer(chal.data, chal.length);
1123                 names_blob = NTLMv2_generate_names_blob(
1124                         mem_ctx,
1125                         cli_credentials_get_workstation(user_creds),
1126                         cli_credentials_get_domain(user_creds));
1127                 status = cli_credentials_get_ntlm_response(
1128                         user_creds, mem_ctx, &flags, chal, names_blob,
1129                         &lm_resp, &nt_resp, NULL, NULL);
1130                 if (!NT_STATUS_IS_OK(status)) {
1131                         torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"
1132                                  " %s\n", nt_errstr(status));
1133                         goto done;
1134                 }
1135
1136                 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1137                 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1138
1139                 ninfo.identity_info.account_name.string =
1140                         cli_credentials_get_username(user_creds);
1141                 ninfo.identity_info.domain_name.string =
1142                         cli_credentials_get_domain(user_creds);
1143                 ninfo.identity_info.parameter_control = 0;
1144                 ninfo.identity_info.logon_id_low = 0;
1145                 ninfo.identity_info.logon_id_high = 0;
1146                 ninfo.identity_info.workstation.string =
1147                         cli_credentials_get_workstation(user_creds);
1148                 memcpy(ninfo.challenge, chal.data, sizeof(ninfo.challenge));
1149                 ninfo.nt.length = nt_resp.length;
1150                 ninfo.nt.data = nt_resp.data;
1151                 ninfo.lm.length = lm_resp.length;
1152                 ninfo.lm.data = lm_resp.data;
1153
1154                 logon.network = &ninfo;
1155
1156                 r.in.server_name = talloc_asprintf(
1157                         mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1158                 ZERO_STRUCT(netr_auth2);
1159                 r.in.computer_name =
1160                         cli_credentials_get_workstation(wks_creds);
1161                 r.in.credential = &netr_auth;
1162                 r.in.return_authenticator = &netr_auth2;
1163                 r.in.logon_level = 2;
1164                 r.in.validation_level = i;
1165                 r.in.logon = &logon;
1166                 r.out.validation = &validation;
1167                 r.out.authoritative = &authoritative;
1168                 r.out.return_authenticator = &return_authenticator;
1169
1170                 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1171                 if (!NT_STATUS_IS_OK(status)) {
1172                         torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1173                                  nt_errstr(status));
1174                         goto done;
1175                 }
1176                 if (!NT_STATUS_IS_OK(r.out.result)) {
1177                         torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1178                                  nt_errstr(r.out.result));
1179                         goto done;
1180                 }
1181
1182                 if ((r.out.return_authenticator == NULL) ||
1183                     (!netlogon_creds_client_check(creds_state,
1184                                          &r.out.return_authenticator->cred))) {
1185                         torture_comment(tctx, "Credentials check failed!\n");
1186                         goto done;
1187                 }
1188
1189                 netlogon_creds_client_authenticator(creds_state, &netr_auth);
1190
1191                 pinfo.identity_info = ninfo.identity_info;
1192                 ZERO_STRUCT(pinfo.lmpassword.hash);
1193                 E_md4hash(cli_credentials_get_password(user_creds),
1194                           pinfo.ntpassword.hash);
1195                 session_key = data_blob_talloc(mem_ctx,
1196                                                creds_state->session_key, 16);
1197                 arcfour_crypt_blob(pinfo.ntpassword.hash,
1198                                    sizeof(pinfo.ntpassword.hash),
1199                                    &session_key);
1200
1201                 logon.password = &pinfo;
1202
1203                 r.in.logon_level = 1;
1204                 r.in.logon = &logon;
1205                 r.out.return_authenticator = &return_authenticator;
1206
1207                 status = dcerpc_netr_LogonSamLogon_r(net_handle, mem_ctx, &r);
1208                 if (!NT_STATUS_IS_OK(status)) {
1209                         torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1210                                  nt_errstr(status));
1211                         goto done;
1212                 }
1213                 if (!NT_STATUS_IS_OK(r.out.result)) {
1214                         torture_comment(tctx, "netr_LogonSamLogon failed: %s\n",
1215                                  nt_errstr(r.out.result));
1216                         goto done;
1217                 }
1218
1219                 if ((r.out.return_authenticator == NULL) ||
1220                     (!netlogon_creds_client_check(creds_state,
1221                                          &r.out.return_authenticator->cred))) {
1222                         torture_comment(tctx, "Credentials check failed!\n");
1223                         goto done;
1224                 }
1225         }
1226
1227         {
1228                 struct netr_ServerPasswordSet s;
1229                 char *password = generate_random_password(wks_creds, 8, 255);
1230                 struct netlogon_creds_CredentialState *creds_state;
1231                 struct netr_Authenticator credential, return_authenticator;
1232                 struct samr_Password new_password;
1233
1234                 s.in.server_name = talloc_asprintf(
1235                         mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1236                 s.in.computer_name = cli_credentials_get_workstation(wks_creds);
1237                 s.in.account_name = talloc_asprintf(
1238                         mem_ctx, "%s$", s.in.computer_name);
1239                 s.in.secure_channel_type = SEC_CHAN_WKSTA;
1240                 s.in.credential = &credential;
1241                 s.in.new_password = &new_password;
1242                 s.out.return_authenticator = &return_authenticator;
1243
1244                 E_md4hash(password, new_password.hash);
1245
1246                 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1247                 netlogon_creds_des_encrypt(creds_state, &new_password);
1248                 netlogon_creds_client_authenticator(creds_state, &credential);
1249
1250                 status = dcerpc_netr_ServerPasswordSet_r(net_handle, mem_ctx, &s);
1251                 if (!NT_STATUS_IS_OK(status)) {
1252                         torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(status));
1253                         goto done;
1254                 }
1255                 if (!NT_STATUS_IS_OK(s.out.result)) {
1256                         torture_comment(tctx, "ServerPasswordSet - %s\n", nt_errstr(s.out.result));
1257                         goto done;
1258                 }
1259
1260                 if (!netlogon_creds_client_check(creds_state,
1261                                                  &s.out.return_authenticator->cred)) {
1262                         torture_comment(tctx, "Credential chaining failed\n");
1263                 }
1264
1265                 cli_credentials_set_password(wks_creds, password,
1266                                              CRED_SPECIFIED);
1267         }
1268
1269         ret = true;
1270  done:
1271         talloc_free(mem_ctx);
1272         return ret;
1273 }
1274
1275 /*
1276  * Delete the wks account again
1277  */
1278
1279 static bool leave(struct torture_context *tctx,
1280                   struct smbcli_state *cli,
1281                   struct cli_credentials *admin_creds,
1282                   struct cli_credentials *wks_creds)
1283 {
1284         char *wks_name = talloc_asprintf(
1285                 NULL, "%s$", cli_credentials_get_workstation(wks_creds));
1286         bool ret;
1287
1288         ret = delete_user(tctx, cli, admin_creds, wks_name);
1289         talloc_free(wks_name);
1290         return ret;
1291 }
1292
1293 /*
1294  * Test the Samba3 DC code a bit. Join, do some schan netlogon ops, leave
1295  */
1296
1297 static bool torture_netlogon_samba3(struct torture_context *torture)
1298 {
1299         TALLOC_CTX *mem_ctx;
1300         NTSTATUS status;
1301         bool ret = false;
1302         struct smbcli_state *cli;
1303         struct cli_credentials *anon_creds;
1304         struct cli_credentials *wks_creds;
1305         const char *wks_name;
1306         int i;
1307         struct smbcli_options options;
1308         struct smbcli_session_options session_options;
1309
1310         wks_name = torture_setting_string(torture, "wksname", NULL);
1311         if (wks_name == NULL) {
1312                 wks_name = get_myname(torture);
1313         }
1314
1315         mem_ctx = talloc_init("torture_netlogon_samba3");
1316
1317         if (mem_ctx == NULL) {
1318                 torture_comment(torture, "talloc_init failed\n");
1319                 return false;
1320         }
1321
1322         if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
1323                 torture_comment(torture, "create_anon_creds failed\n");
1324                 goto done;
1325         }
1326
1327         lp_smbcli_options(torture->lp_ctx, &options);
1328         lp_smbcli_session_options(torture->lp_ctx, &session_options);
1329
1330         status = smbcli_full_connection(mem_ctx, &cli,
1331                                         torture_setting_string(torture, "host", NULL),
1332                                         lp_smb_ports(torture->lp_ctx),
1333                                         "IPC$", NULL,
1334                                         lp_socket_options(torture->lp_ctx),
1335                                         anon_creds,
1336                                         lp_resolve_context(torture->lp_ctx),
1337                                         torture->ev, &options, &session_options,
1338                                         lp_gensec_settings(torture, torture->lp_ctx));
1339         if (!NT_STATUS_IS_OK(status)) {
1340                 torture_comment(torture, "smbcli_full_connection failed: %s\n",
1341                          nt_errstr(status));
1342                 goto done;
1343         }
1344
1345         wks_creds = cli_credentials_init(mem_ctx);
1346         if (wks_creds == NULL) {
1347                 torture_comment(torture, "cli_credentials_init failed\n");
1348                 goto done;
1349         }
1350
1351         cli_credentials_set_conf(wks_creds, torture->lp_ctx);
1352         cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1353         cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1354         cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1355         cli_credentials_set_password(wks_creds,
1356                                      generate_random_password(wks_creds, 8, 255),
1357                                      CRED_SPECIFIED);
1358
1359         if (!join3(torture, cli, false, cmdline_credentials, wks_creds)) {
1360                 torture_comment(torture, "join failed\n");
1361                 goto done;
1362         }
1363
1364         cli_credentials_set_domain(
1365                 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1366                 CRED_SPECIFIED);
1367
1368         for (i=0; i<2; i++) {
1369
1370                 /* Do this more than once, the routine "schan" changes
1371                  * the workstation password using the netlogon
1372                  * password change routine */
1373
1374                 int j;
1375
1376                 if (!auth2(torture, cli, wks_creds)) {
1377                         torture_comment(torture, "auth2 failed\n");
1378                         goto done;
1379                 }
1380
1381                 for (j=0; j<2; j++) {
1382                         if (!schan(torture, cli, wks_creds, cmdline_credentials)) {
1383                                 torture_comment(torture, "schan failed\n");
1384                                 goto done;
1385                         }
1386                 }
1387         }
1388
1389         if (!leave(torture, cli, cmdline_credentials, wks_creds)) {
1390                 torture_comment(torture, "leave failed\n");
1391                 goto done;
1392         }
1393
1394         ret = true;
1395
1396  done:
1397         talloc_free(mem_ctx);
1398         return ret;
1399 }
1400
1401 /*
1402  * Do a simple join, testjoin and leave using specified smb and samr
1403  * credentials
1404  */
1405
1406 static bool test_join3(struct torture_context *tctx,
1407                        bool use_level25,
1408                        struct cli_credentials *smb_creds,
1409                        struct cli_credentials *samr_creds,
1410                        const char *wks_name)
1411 {
1412         NTSTATUS status;
1413         struct smbcli_state *cli;
1414         struct cli_credentials *wks_creds;
1415         struct smbcli_options options;
1416         struct smbcli_session_options session_options;
1417
1418         lp_smbcli_options(tctx->lp_ctx, &options);
1419         lp_smbcli_session_options(tctx->lp_ctx, &session_options);
1420
1421         status = smbcli_full_connection(tctx, &cli,
1422                                         torture_setting_string(tctx, "host", NULL),
1423                                         lp_smb_ports(tctx->lp_ctx),
1424                                         "IPC$", NULL, lp_socket_options(tctx->lp_ctx),
1425                                         smb_creds, lp_resolve_context(tctx->lp_ctx),
1426                                         tctx->ev, &options, &session_options,
1427                                         lp_gensec_settings(tctx, tctx->lp_ctx));
1428         torture_assert_ntstatus_ok(tctx, status,
1429                 "smbcli_full_connection failed");
1430
1431         wks_creds = cli_credentials_init(cli);
1432         torture_assert(tctx, wks_creds, "cli_credentials_init failed");
1433
1434         cli_credentials_set_conf(wks_creds, tctx->lp_ctx);
1435         cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1436         cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1437         cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1438         cli_credentials_set_password(wks_creds,
1439                                      generate_random_password(wks_creds, 8, 255),
1440                                      CRED_SPECIFIED);
1441
1442         torture_assert(tctx,
1443                 join3(tctx, cli, use_level25, samr_creds, wks_creds),
1444                 "join failed");
1445
1446         cli_credentials_set_domain(
1447                 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1448                 CRED_SPECIFIED);
1449
1450         torture_assert(tctx,
1451                 auth2(tctx, cli, wks_creds),
1452                 "auth2 failed");
1453
1454         torture_assert(tctx,
1455                 leave(tctx, cli, samr_creds, wks_creds),
1456                 "leave failed");
1457
1458         talloc_free(cli);
1459
1460         return true;
1461 }
1462
1463 /*
1464  * Test the different session key variants. Do it by joining, this uses the
1465  * session key in the setpassword routine. Test the join by doing the auth2.
1466  */
1467
1468 static bool torture_samba3_sessionkey(struct torture_context *torture)
1469 {
1470         struct cli_credentials *anon_creds;
1471         const char *wks_name;
1472
1473         wks_name = torture_setting_string(torture, "wksname", get_myname(torture));
1474
1475         if (!(anon_creds = cli_credentials_init_anon(torture))) {
1476                 torture_fail(torture, "create_anon_creds failed\n");
1477         }
1478
1479         cli_credentials_set_workstation(anon_creds, wks_name, CRED_SPECIFIED);
1480
1481
1482         if (!torture_setting_bool(torture, "samba3", false)) {
1483
1484                 /* Samba3 in the build farm right now does this happily. Need
1485                  * to fix :-) */
1486
1487                 if (test_join3(torture, false, anon_creds, NULL, wks_name)) {
1488                         torture_fail(torture, "join using anonymous bind on an anonymous smb "
1489                                  "connection succeeded -- HUH??\n");
1490                 }
1491         }
1492
1493         torture_assert(torture,
1494                 test_join3(torture, false, anon_creds, cmdline_credentials, wks_name),
1495                 "join using ntlmssp bind on an anonymous smb connection failed");
1496
1497         torture_assert(torture,
1498                 test_join3(torture, false, cmdline_credentials, NULL, wks_name),
1499                 "join using anonymous bind on an authenticated smb connection failed");
1500
1501         torture_assert(torture,
1502                 test_join3(torture, false, cmdline_credentials, cmdline_credentials, wks_name),
1503                 "join using ntlmssp bind on an authenticated smb connection failed");
1504
1505         /*
1506          * The following two are tests for setuserinfolevel 25
1507          */
1508
1509         torture_assert(torture,
1510                 test_join3(torture, true, anon_creds, cmdline_credentials, wks_name),
1511                 "join using ntlmssp bind on an anonymous smb connection failed");
1512
1513         torture_assert(torture,
1514                 test_join3(torture, true, cmdline_credentials, NULL, wks_name),
1515                 "join using anonymous bind on an authenticated smb connection failed");
1516
1517         return true;
1518 }
1519
1520 /*
1521  * open pipe and bind, given an IPC$ context
1522  */
1523
1524 static NTSTATUS pipe_bind_smb(struct torture_context *tctx,
1525                               TALLOC_CTX *mem_ctx,
1526                               struct smbcli_tree *tree,
1527                               const char *pipe_name,
1528                               const struct ndr_interface_table *iface,
1529                               struct dcerpc_pipe **p)
1530 {
1531         struct dcerpc_pipe *result;
1532         NTSTATUS status;
1533
1534         if (!(result = dcerpc_pipe_init(
1535                       mem_ctx, tree->session->transport->socket->event.ctx))) {
1536                 return NT_STATUS_NO_MEMORY;
1537         }
1538
1539         status = dcerpc_pipe_open_smb(result, tree, pipe_name);
1540         if (!NT_STATUS_IS_OK(status)) {
1541                 torture_comment(tctx, "dcerpc_pipe_open_smb failed: %s\n",
1542                          nt_errstr(status));
1543                 talloc_free(result);
1544                 return status;
1545         }
1546
1547         status = dcerpc_bind_auth_none(result, iface);
1548         if (!NT_STATUS_IS_OK(status)) {
1549                 torture_comment(tctx, "schannel bind failed: %s\n", nt_errstr(status));
1550                 talloc_free(result);
1551                 return status;
1552         }
1553
1554         *p = result;
1555         return NT_STATUS_OK;
1556 }
1557
1558 /*
1559  * Sane wrapper around lsa_LookupNames
1560  */
1561
1562 static struct dom_sid *name2sid(struct torture_context *tctx,
1563                                 TALLOC_CTX *mem_ctx,
1564                                 struct dcerpc_pipe *p,
1565                                 const char *name,
1566                                 const char *domain)
1567 {
1568         struct lsa_ObjectAttribute attr;
1569         struct lsa_QosInfo qos;
1570         struct lsa_OpenPolicy2 r;
1571         struct lsa_Close c;
1572         NTSTATUS status;
1573         struct policy_handle handle;
1574         struct lsa_LookupNames l;
1575         struct lsa_TransSidArray sids;
1576         struct lsa_RefDomainList *domains = NULL;
1577         struct lsa_String lsa_name;
1578         uint32_t count = 0;
1579         struct dom_sid *result;
1580         TALLOC_CTX *tmp_ctx;
1581         struct dcerpc_binding_handle *b = p->binding_handle;
1582
1583         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1584                 return NULL;
1585         }
1586
1587         qos.len = 0;
1588         qos.impersonation_level = 2;
1589         qos.context_mode = 1;
1590         qos.effective_only = 0;
1591
1592         attr.len = 0;
1593         attr.root_dir = NULL;
1594         attr.object_name = NULL;
1595         attr.attributes = 0;
1596         attr.sec_desc = NULL;
1597         attr.sec_qos = &qos;
1598
1599         r.in.system_name = "\\";
1600         r.in.attr = &attr;
1601         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1602         r.out.handle = &handle;
1603
1604         status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r);
1605         if (!NT_STATUS_IS_OK(status)) {
1606                 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(status));
1607                 talloc_free(tmp_ctx);
1608                 return NULL;
1609         }
1610         if (!NT_STATUS_IS_OK(r.out.result)) {
1611                 torture_comment(tctx, "OpenPolicy2 failed - %s\n", nt_errstr(r.out.result));
1612                 talloc_free(tmp_ctx);
1613                 return NULL;
1614         }
1615
1616         sids.count = 0;
1617         sids.sids = NULL;
1618
1619         lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, name);
1620
1621         l.in.handle = &handle;
1622         l.in.num_names = 1;
1623         l.in.names = &lsa_name;
1624         l.in.sids = &sids;
1625         l.in.level = 1;
1626         l.in.count = &count;
1627         l.out.count = &count;
1628         l.out.sids = &sids;
1629         l.out.domains = &domains;
1630
1631         status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l);
1632         if (!NT_STATUS_IS_OK(status)) {
1633                 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1634                        nt_errstr(status));
1635                 talloc_free(tmp_ctx);
1636                 return NULL;
1637         }
1638         if (!NT_STATUS_IS_OK(l.out.result)) {
1639                 torture_comment(tctx, "LookupNames of %s failed - %s\n", lsa_name.string,
1640                        nt_errstr(l.out.result));
1641                 talloc_free(tmp_ctx);
1642                 return NULL;
1643         }
1644
1645         result = dom_sid_add_rid(mem_ctx, domains->domains[0].sid,
1646                                  l.out.sids->sids[0].rid);
1647
1648         c.in.handle = &handle;
1649         c.out.handle = &handle;
1650
1651         status = dcerpc_lsa_Close_r(b, tmp_ctx, &c);
1652         if (!NT_STATUS_IS_OK(status)) {
1653                 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(status));
1654                 talloc_free(tmp_ctx);
1655                 return NULL;
1656         }
1657         if (!NT_STATUS_IS_OK(c.out.result)) {
1658                 torture_comment(tctx, "dcerpc_lsa_Close failed - %s\n", nt_errstr(c.out.result));
1659                 talloc_free(tmp_ctx);
1660                 return NULL;
1661         }
1662
1663         talloc_free(tmp_ctx);
1664         return result;
1665 }
1666
1667 /*
1668  * Find out the user SID on this connection
1669  */
1670
1671 static struct dom_sid *whoami(struct torture_context *tctx,
1672                               TALLOC_CTX *mem_ctx,
1673                               struct smbcli_tree *tree)
1674 {
1675         struct dcerpc_pipe *lsa;
1676         struct dcerpc_binding_handle *lsa_handle;
1677         struct lsa_GetUserName r;
1678         NTSTATUS status;
1679         struct lsa_String *authority_name_p = NULL;
1680         struct lsa_String *account_name_p = NULL;
1681         struct dom_sid *result;
1682
1683         status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\lsarpc",
1684                                &ndr_table_lsarpc, &lsa);
1685         if (!NT_STATUS_IS_OK(status)) {
1686                 torture_warning(tctx, "Could not bind to LSA: %s\n",
1687                          nt_errstr(status));
1688                 return NULL;
1689         }
1690         lsa_handle = lsa->binding_handle;
1691
1692         r.in.system_name = "\\";
1693         r.in.account_name = &account_name_p;
1694         r.in.authority_name = &authority_name_p;
1695         r.out.account_name = &account_name_p;
1696
1697         status = dcerpc_lsa_GetUserName_r(lsa_handle, mem_ctx, &r);
1698
1699         authority_name_p = *r.out.authority_name;
1700
1701         if (!NT_STATUS_IS_OK(status)) {
1702                 torture_warning(tctx, "GetUserName failed - %s\n",
1703                        nt_errstr(status));
1704                 talloc_free(lsa);
1705                 return NULL;
1706         }
1707         if (!NT_STATUS_IS_OK(r.out.result)) {
1708                 torture_warning(tctx, "GetUserName failed - %s\n",
1709                        nt_errstr(r.out.result));
1710                 talloc_free(lsa);
1711                 return NULL;
1712         }
1713
1714         result = name2sid(tctx, mem_ctx, lsa, account_name_p->string,
1715                           authority_name_p->string);
1716
1717         talloc_free(lsa);
1718         return result;
1719 }
1720
1721 static int destroy_tree(struct smbcli_tree *tree)
1722 {
1723         smb_tree_disconnect(tree);
1724         return 0;
1725 }
1726
1727 /*
1728  * Do a tcon, given a session
1729  */
1730
1731 static NTSTATUS secondary_tcon(struct torture_context *tctx,
1732                                TALLOC_CTX *mem_ctx,
1733                                struct smbcli_session *session,
1734                                const char *sharename,
1735                                struct smbcli_tree **res)
1736 {
1737         struct smbcli_tree *result;
1738         TALLOC_CTX *tmp_ctx;
1739         union smb_tcon tcon;
1740         NTSTATUS status;
1741
1742         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1743                 return NT_STATUS_NO_MEMORY;
1744         }
1745
1746         if (!(result = smbcli_tree_init(session, mem_ctx, false))) {
1747                 talloc_free(tmp_ctx);
1748                 return NT_STATUS_NO_MEMORY;
1749         }
1750
1751         tcon.generic.level = RAW_TCON_TCONX;
1752         tcon.tconx.in.flags = 0;
1753         tcon.tconx.in.password = data_blob(NULL, 0);
1754         tcon.tconx.in.path = sharename;
1755         tcon.tconx.in.device = "?????";
1756
1757         status = smb_raw_tcon(result, tmp_ctx, &tcon);
1758         if (!NT_STATUS_IS_OK(status)) {
1759                 torture_warning(tctx, "smb_raw_tcon failed: %s\n",
1760                          nt_errstr(status));
1761                 talloc_free(tmp_ctx);
1762                 return status;
1763         }
1764
1765         result->tid = tcon.tconx.out.tid;
1766         result = talloc_steal(mem_ctx, result);
1767         talloc_set_destructor(result, destroy_tree);
1768         talloc_free(tmp_ctx);
1769         *res = result;
1770         return NT_STATUS_OK;
1771 }
1772
1773 /*
1774  * Test the getusername behaviour
1775  */
1776
1777 static bool torture_samba3_rpc_getusername(struct torture_context *torture)
1778 {
1779         NTSTATUS status;
1780         struct smbcli_state *cli;
1781         TALLOC_CTX *mem_ctx;
1782         bool ret = true;
1783         struct dom_sid *user_sid;
1784         struct dom_sid *created_sid;
1785         struct cli_credentials *anon_creds;
1786         struct cli_credentials *user_creds;
1787         char *domain_name;
1788         struct smbcli_options options;
1789         struct smbcli_session_options session_options;
1790
1791         if (!(mem_ctx = talloc_new(torture))) {
1792                 return false;
1793         }
1794
1795         lp_smbcli_options(torture->lp_ctx, &options);
1796         lp_smbcli_session_options(torture->lp_ctx, &session_options);
1797
1798         status = smbcli_full_connection(
1799                 mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
1800                 lp_smb_ports(torture->lp_ctx),
1801                 "IPC$", NULL, lp_socket_options(torture->lp_ctx), cmdline_credentials,
1802                 lp_resolve_context(torture->lp_ctx), torture->ev, &options,
1803                 &session_options, lp_gensec_settings(torture, torture->lp_ctx));
1804         if (!NT_STATUS_IS_OK(status)) {
1805                 torture_warning(torture, "smbcli_full_connection failed: %s\n",
1806                          nt_errstr(status));
1807                 ret = false;
1808                 goto done;
1809         }
1810
1811         if (!(user_sid = whoami(torture, mem_ctx, cli->tree))) {
1812                 torture_warning(torture, "whoami on auth'ed connection failed\n");
1813                 ret = false;
1814         }
1815
1816         talloc_free(cli);
1817
1818         if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
1819                 torture_warning(torture, "create_anon_creds failed\n");
1820                 ret = false;
1821                 goto done;
1822         }
1823
1824         status = smbcli_full_connection(
1825                 mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
1826                 lp_smb_ports(torture->lp_ctx), "IPC$", NULL,
1827                 lp_socket_options(torture->lp_ctx), anon_creds,
1828                 lp_resolve_context(torture->lp_ctx),
1829                 torture->ev, &options, &session_options,
1830                 lp_gensec_settings(torture, torture->lp_ctx));
1831         if (!NT_STATUS_IS_OK(status)) {
1832                 torture_warning(torture, "anon smbcli_full_connection failed: %s\n",
1833                          nt_errstr(status));
1834                 ret = false;
1835                 goto done;
1836         }
1837
1838         if (!(user_sid = whoami(torture, mem_ctx, cli->tree))) {
1839                 torture_warning(torture, "whoami on anon connection failed\n");
1840                 ret = false;
1841                 goto done;
1842         }
1843
1844         if (!dom_sid_equal(user_sid,
1845                            dom_sid_parse_talloc(mem_ctx, "s-1-5-7"))) {
1846                 torture_warning(torture, "Anon lsa_GetUserName returned %s, expected "
1847                          "S-1-5-7",
1848                          dom_sid_string(mem_ctx, user_sid));
1849                 ret = false;
1850         }
1851
1852         if (!(user_creds = cli_credentials_init(mem_ctx))) {
1853                 torture_warning(torture, "cli_credentials_init failed\n");
1854                 ret = false;
1855                 goto done;
1856         }
1857
1858         cli_credentials_set_conf(user_creds, torture->lp_ctx);
1859         cli_credentials_set_username(user_creds, "torture_username",
1860                                      CRED_SPECIFIED);
1861         cli_credentials_set_password(user_creds,
1862                                      generate_random_password(user_creds, 8, 255),
1863                                      CRED_SPECIFIED);
1864
1865         if (!create_user(torture, mem_ctx, cli, cmdline_credentials,
1866                          cli_credentials_get_username(user_creds),
1867                          cli_credentials_get_password(user_creds),
1868                          &domain_name, &created_sid)) {
1869                 torture_warning(torture, "create_user failed\n");
1870                 ret = false;
1871                 goto done;
1872         }
1873
1874         cli_credentials_set_domain(user_creds, domain_name,
1875                                    CRED_SPECIFIED);
1876
1877         {
1878                 struct smbcli_session *session2;
1879                 struct smb_composite_sesssetup setup;
1880                 struct smbcli_tree *tree;
1881
1882                 session2 = smbcli_session_init(cli->transport, mem_ctx, false, session_options);
1883                 if (session2 == NULL) {
1884                         torture_warning(torture, "smbcli_session_init failed\n");
1885                         goto done;
1886                 }
1887
1888                 setup.in.sesskey = cli->transport->negotiate.sesskey;
1889                 setup.in.capabilities = cli->transport->negotiate.capabilities;
1890                 setup.in.workgroup = "";
1891                 setup.in.credentials = user_creds;
1892                 setup.in.gensec_settings = lp_gensec_settings(torture, torture->lp_ctx);
1893
1894                 status = smb_composite_sesssetup(session2, &setup);
1895                 if (!NT_STATUS_IS_OK(status)) {
1896                         torture_warning(torture, "session setup with new user failed: "
1897                                  "%s\n", nt_errstr(status));
1898                         ret = false;
1899                         goto done;
1900                 }
1901                 session2->vuid = setup.out.vuid;
1902
1903                 if (!NT_STATUS_IS_OK(secondary_tcon(torture, mem_ctx, session2,
1904                                                     "IPC$", &tree))) {
1905                         torture_warning(torture, "secondary_tcon failed\n");
1906                         ret = false;
1907                         goto done;
1908                 }
1909
1910                 if (!(user_sid = whoami(torture, mem_ctx, tree))) {
1911                         torture_warning(torture, "whoami on user connection failed\n");
1912                         ret = false;
1913                         goto del;
1914                 }
1915
1916                 talloc_free(tree);
1917         }
1918
1919         torture_comment(torture, "Created %s, found %s\n",
1920                  dom_sid_string(mem_ctx, created_sid),
1921                  dom_sid_string(mem_ctx, user_sid));
1922
1923         if (!dom_sid_equal(created_sid, user_sid)) {
1924                 ret = false;
1925         }
1926
1927  del:
1928         if (!delete_user(torture, cli,
1929                          cmdline_credentials,
1930                          cli_credentials_get_username(user_creds))) {
1931                 torture_warning(torture, "delete_user failed\n");
1932                 ret = false;
1933         }
1934
1935  done:
1936         talloc_free(mem_ctx);
1937         return ret;
1938 }
1939
1940 static bool test_NetShareGetInfo(struct torture_context *tctx,
1941                                  struct dcerpc_pipe *p,
1942                                  const char *sharename)
1943 {
1944         NTSTATUS status;
1945         struct srvsvc_NetShareGetInfo r;
1946         union srvsvc_NetShareInfo info;
1947         uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007, 1501 };
1948         int i;
1949         bool ret = true;
1950         struct dcerpc_binding_handle *b = p->binding_handle;
1951
1952         r.in.server_unc = talloc_asprintf(tctx, "\\\\%s",
1953                                           dcerpc_server_name(p));
1954         r.in.share_name = sharename;
1955         r.out.info = &info;
1956
1957         for (i=0;i<ARRAY_SIZE(levels);i++) {
1958                 r.in.level = levels[i];
1959
1960                 torture_comment(tctx, "Testing NetShareGetInfo level %u on share '%s'\n",
1961                        r.in.level, r.in.share_name);
1962
1963                 status = dcerpc_srvsvc_NetShareGetInfo_r(b, tctx, &r);
1964                 if (!NT_STATUS_IS_OK(status)) {
1965                         torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed"
1966                                " - %s\n", r.in.level, r.in.share_name,
1967                                nt_errstr(status));
1968                         ret = false;
1969                         continue;
1970                 }
1971                 if (!W_ERROR_IS_OK(r.out.result)) {
1972                         torture_warning(tctx, "NetShareGetInfo level %u on share '%s' failed "
1973                                "- %s\n", r.in.level, r.in.share_name,
1974                                win_errstr(r.out.result));
1975                         ret = false;
1976                         continue;
1977                 }
1978         }
1979
1980         return ret;
1981 }
1982
1983 static bool test_NetShareEnum(struct torture_context *tctx,
1984                               struct dcerpc_pipe *p,
1985                               const char **one_sharename)
1986 {
1987         NTSTATUS status;
1988         struct srvsvc_NetShareEnum r;
1989         struct srvsvc_NetShareInfoCtr info_ctr;
1990         struct srvsvc_NetShareCtr0 c0;
1991         struct srvsvc_NetShareCtr1 c1;
1992         struct srvsvc_NetShareCtr2 c2;
1993         struct srvsvc_NetShareCtr501 c501;
1994         struct srvsvc_NetShareCtr502 c502;
1995         struct srvsvc_NetShareCtr1004 c1004;
1996         struct srvsvc_NetShareCtr1005 c1005;
1997         struct srvsvc_NetShareCtr1006 c1006;
1998         struct srvsvc_NetShareCtr1007 c1007;
1999         uint32_t totalentries = 0;
2000         uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007 };
2001         int i;
2002         bool ret = true;
2003         struct dcerpc_binding_handle *b = p->binding_handle;
2004
2005         ZERO_STRUCT(info_ctr);
2006
2007         r.in.server_unc = talloc_asprintf(tctx,"\\\\%s",dcerpc_server_name(p));
2008         r.in.info_ctr = &info_ctr;
2009         r.in.max_buffer = (uint32_t)-1;
2010         r.in.resume_handle = NULL;
2011         r.out.totalentries = &totalentries;
2012         r.out.info_ctr = &info_ctr;
2013
2014         for (i=0;i<ARRAY_SIZE(levels);i++) {
2015                 info_ctr.level = levels[i];
2016
2017                 switch (info_ctr.level) {
2018                 case 0:
2019                         ZERO_STRUCT(c0);
2020                         info_ctr.ctr.ctr0 = &c0;
2021                         break;
2022                 case 1:
2023                         ZERO_STRUCT(c1);
2024                         info_ctr.ctr.ctr1 = &c1;
2025                         break;
2026                 case 2:
2027                         ZERO_STRUCT(c2);
2028                         info_ctr.ctr.ctr2 = &c2;
2029                         break;
2030                 case 501:
2031                         ZERO_STRUCT(c501);
2032                         info_ctr.ctr.ctr501 = &c501;
2033                         break;
2034                 case 502:
2035                         ZERO_STRUCT(c502);
2036                         info_ctr.ctr.ctr502 = &c502;
2037                         break;
2038                 case 1004:
2039                         ZERO_STRUCT(c1004);
2040                         info_ctr.ctr.ctr1004 = &c1004;
2041                         break;
2042                 case 1005:
2043                         ZERO_STRUCT(c1005);
2044                         info_ctr.ctr.ctr1005 = &c1005;
2045                         break;
2046                 case 1006:
2047                         ZERO_STRUCT(c1006);
2048                         info_ctr.ctr.ctr1006 = &c1006;
2049                         break;
2050                 case 1007:
2051                         ZERO_STRUCT(c1007);
2052                         info_ctr.ctr.ctr1007 = &c1007;
2053                         break;
2054                 }
2055
2056                 torture_comment(tctx, "Testing NetShareEnum level %u\n", info_ctr.level);
2057
2058                 status = dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r);
2059                 if (!NT_STATUS_IS_OK(status)) {
2060                         torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2061                                info_ctr.level, nt_errstr(status));
2062                         ret = false;
2063                         continue;
2064                 }
2065                 if (!W_ERROR_IS_OK(r.out.result)) {
2066                         torture_warning(tctx, "NetShareEnum level %u failed - %s\n",
2067                                info_ctr.level, win_errstr(r.out.result));
2068                         continue;
2069                 }
2070                 if (info_ctr.level == 0) {
2071                         struct srvsvc_NetShareCtr0 *ctr = r.out.info_ctr->ctr.ctr0;
2072                         if (ctr->count > 0) {
2073                                 *one_sharename = ctr->array[0].name;
2074                         }
2075                 }
2076         }
2077
2078         return ret;
2079 }
2080
2081 static bool torture_samba3_rpc_srvsvc(struct torture_context *torture)
2082 {
2083         struct dcerpc_pipe *p;
2084         const char *sharename = NULL;
2085         bool ret = true;
2086
2087         torture_assert_ntstatus_ok(torture,
2088                 torture_rpc_connection(torture, &p, &ndr_table_srvsvc),
2089                 "failed to open srvsvc");
2090
2091         ret &= test_NetShareEnum(torture, p, &sharename);
2092         if (sharename == NULL) {
2093                 torture_comment(torture, "did not get sharename\n");
2094         } else {
2095                 ret &= test_NetShareGetInfo(torture, p, sharename);
2096         }
2097
2098         return ret;
2099 }
2100
2101 /*
2102  * Do a ReqChallenge/Auth2 with a random wks name, make sure it returns
2103  * NT_STATUS_NO_SAM_ACCOUNT
2104  */
2105
2106 static bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
2107 {
2108         TALLOC_CTX *mem_ctx;
2109         struct dcerpc_pipe *net_pipe;
2110         struct dcerpc_binding_handle *net_handle;
2111         char *wksname;
2112         bool result = false;
2113         NTSTATUS status;
2114         struct netr_ServerReqChallenge r;
2115         struct netr_Credential netr_cli_creds;
2116         struct netr_Credential netr_srv_creds;
2117         uint32_t negotiate_flags;
2118         struct netr_ServerAuthenticate2 a;
2119         struct netlogon_creds_CredentialState *creds_state;
2120         struct netr_Credential netr_cred;
2121         struct samr_Password mach_pw;
2122         struct smbcli_state *cli;
2123
2124         if (!(mem_ctx = talloc_new(torture))) {
2125                 torture_comment(torture, "talloc_new failed\n");
2126                 return false;
2127         }
2128
2129         if (!(wksname = generate_random_str_list(
2130                       mem_ctx, 14, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"))) {
2131                 torture_comment(torture, "generate_random_str_list failed\n");
2132                 goto done;
2133         }
2134
2135         if (!(torture_open_connection_share(
2136                       mem_ctx, &cli,
2137                       torture, torture_setting_string(torture, "host", NULL),
2138                       "IPC$", torture->ev))) {
2139                 torture_comment(torture, "IPC$ connection failed\n");
2140                 goto done;
2141         }
2142
2143         if (!(net_pipe = dcerpc_pipe_init(
2144                       mem_ctx, cli->transport->socket->event.ctx))) {
2145                 torture_comment(torture, "dcerpc_pipe_init failed\n");
2146                 goto done;
2147         }
2148         net_handle = net_pipe->binding_handle;
2149
2150         status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
2151         if (!NT_STATUS_IS_OK(status)) {
2152                 torture_comment(torture, "dcerpc_pipe_open_smb failed: %s\n",
2153                          nt_errstr(status));
2154                 goto done;
2155         }
2156
2157         status = dcerpc_bind_auth_none(net_pipe, &ndr_table_netlogon);
2158         if (!NT_STATUS_IS_OK(status)) {
2159                 torture_comment(torture, "dcerpc_bind_auth_none failed: %s\n",
2160                          nt_errstr(status));
2161                 goto done;
2162         }
2163
2164         r.in.computer_name = wksname;
2165         r.in.server_name = talloc_asprintf(
2166                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2167         if (r.in.server_name == NULL) {
2168                 torture_comment(torture, "talloc_asprintf failed\n");
2169                 goto done;
2170         }
2171         generate_random_buffer(netr_cli_creds.data,
2172                                sizeof(netr_cli_creds.data));
2173         r.in.credentials = &netr_cli_creds;
2174         r.out.return_credentials = &netr_srv_creds;
2175
2176         status = dcerpc_netr_ServerReqChallenge_r(net_handle, mem_ctx, &r);
2177         if (!NT_STATUS_IS_OK(status)) {
2178                 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2179                          nt_errstr(status));
2180                 goto done;
2181         }
2182         if (!NT_STATUS_IS_OK(r.out.result)) {
2183                 torture_comment(torture, "netr_ServerReqChallenge failed: %s\n",
2184                          nt_errstr(r.out.result));
2185                 goto done;
2186         }
2187
2188         negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
2189         E_md4hash("foobar", mach_pw.hash);
2190
2191         a.in.server_name = talloc_asprintf(
2192                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
2193         a.in.account_name = talloc_asprintf(
2194                 mem_ctx, "%s$", wksname);
2195         a.in.computer_name = wksname;
2196         a.in.secure_channel_type = SEC_CHAN_WKSTA;
2197         a.in.negotiate_flags = &negotiate_flags;
2198         a.out.negotiate_flags = &negotiate_flags;
2199         a.in.credentials = &netr_cred;
2200         a.out.return_credentials = &netr_cred;
2201
2202         creds_state = netlogon_creds_client_init(mem_ctx,
2203                                                  a.in.account_name,
2204                                                  a.in.computer_name,
2205                                                  r.in.credentials,
2206                                                  r.out.return_credentials, &mach_pw,
2207                                                  &netr_cred, negotiate_flags);
2208
2209
2210         status = dcerpc_netr_ServerAuthenticate2_r(net_handle, mem_ctx, &a);
2211         if (!NT_STATUS_IS_OK(status)) {
2212                 goto done;
2213         }
2214         if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) {
2215                 torture_comment(torture, "dcerpc_netr_ServerAuthenticate2 returned %s, "
2216                          "expected NT_STATUS_NO_TRUST_SAM_ACCOUNT\n",
2217                          nt_errstr(a.out.result));
2218                 goto done;
2219         }
2220
2221         result = true;
2222  done:
2223         talloc_free(mem_ctx);
2224         return result;
2225 }
2226
2227 static struct security_descriptor *get_sharesec(struct torture_context *tctx,
2228                                                 TALLOC_CTX *mem_ctx,
2229                                                 struct smbcli_session *sess,
2230                                                 const char *sharename)
2231 {
2232         struct smbcli_tree *tree;
2233         TALLOC_CTX *tmp_ctx;
2234         struct dcerpc_pipe *p;
2235         struct dcerpc_binding_handle *b;
2236         NTSTATUS status;
2237         struct srvsvc_NetShareGetInfo r;
2238         union srvsvc_NetShareInfo info;
2239         struct security_descriptor *result;
2240
2241         if (!(tmp_ctx = talloc_new(mem_ctx))) {
2242                 torture_comment(tctx, "talloc_new failed\n");
2243                 return NULL;
2244         }
2245
2246         if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2247                 torture_comment(tctx, "secondary_tcon failed\n");
2248                 talloc_free(tmp_ctx);
2249                 return NULL;
2250         }
2251
2252         status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2253                                &ndr_table_srvsvc, &p);
2254         if (!NT_STATUS_IS_OK(status)) {
2255                 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2256                          nt_errstr(status));
2257                 talloc_free(tmp_ctx);
2258                 return NULL;
2259         }
2260         b = p->binding_handle;
2261
2262 #if 0
2263         p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2264 #endif
2265
2266         r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2267                                           dcerpc_server_name(p));
2268         r.in.share_name = sharename;
2269         r.in.level = 502;
2270         r.out.info = &info;
2271
2272         status = dcerpc_srvsvc_NetShareGetInfo_r(b, tmp_ctx, &r);
2273         if (!NT_STATUS_IS_OK(status)) {
2274                 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2275                          nt_errstr(status));
2276                 talloc_free(tmp_ctx);
2277                 return NULL;
2278         }
2279         if (!W_ERROR_IS_OK(r.out.result)) {
2280                 torture_comment(tctx, "srvsvc_NetShareGetInfo failed: %s\n",
2281                          win_errstr(r.out.result));
2282                 talloc_free(tmp_ctx);
2283                 return NULL;
2284         }
2285
2286         result = talloc_steal(mem_ctx, info.info502->sd_buf.sd);
2287         talloc_free(tmp_ctx);
2288         return result;
2289 }
2290
2291 static NTSTATUS set_sharesec(struct torture_context *tctx,
2292                              TALLOC_CTX *mem_ctx,
2293                              struct smbcli_session *sess,
2294                              const char *sharename,
2295                              struct security_descriptor *sd)
2296 {
2297         struct smbcli_tree *tree;
2298         TALLOC_CTX *tmp_ctx;
2299         struct dcerpc_pipe *p;
2300         struct dcerpc_binding_handle *b;
2301         NTSTATUS status;
2302         struct sec_desc_buf i;
2303         struct srvsvc_NetShareSetInfo r;
2304         union srvsvc_NetShareInfo info;
2305         uint32_t error = 0;
2306
2307         if (!(tmp_ctx = talloc_new(mem_ctx))) {
2308                 torture_comment(tctx, "talloc_new failed\n");
2309                 return NT_STATUS_NO_MEMORY;
2310         }
2311
2312         if (!NT_STATUS_IS_OK(secondary_tcon(tctx, tmp_ctx, sess, "IPC$", &tree))) {
2313                 torture_comment(tctx, "secondary_tcon failed\n");
2314                 talloc_free(tmp_ctx);
2315                 return NT_STATUS_UNSUCCESSFUL;
2316         }
2317
2318         status = pipe_bind_smb(tctx, mem_ctx, tree, "\\pipe\\srvsvc",
2319                                &ndr_table_srvsvc, &p);
2320         if (!NT_STATUS_IS_OK(status)) {
2321                 torture_warning(tctx, "could not bind to srvsvc pipe: %s\n",
2322                          nt_errstr(status));
2323                 talloc_free(tmp_ctx);
2324                 return NT_STATUS_UNSUCCESSFUL;
2325         }
2326         b = p->binding_handle;
2327
2328 #if 0
2329         p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2330 #endif
2331
2332         r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
2333                                           dcerpc_server_name(p));
2334         r.in.share_name = sharename;
2335         r.in.level = 1501;
2336         i.sd = sd;
2337         info.info1501 = &i;
2338         r.in.info = &info;
2339         r.in.parm_error = &error;
2340
2341         status = dcerpc_srvsvc_NetShareSetInfo_r(b, tmp_ctx, &r);
2342         if (!NT_STATUS_IS_OK(status)) {
2343                 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2344                          nt_errstr(status));
2345         }
2346         if (!W_ERROR_IS_OK(r.out.result)) {
2347                 torture_comment(tctx, "srvsvc_NetShareSetInfo failed: %s\n",
2348                         win_errstr(r.out.result));
2349                 status = werror_to_ntstatus(r.out.result);
2350         }
2351         talloc_free(tmp_ctx);
2352         return status;
2353 }
2354
2355 bool try_tcon(struct torture_context *tctx,
2356               TALLOC_CTX *mem_ctx,
2357               struct security_descriptor *orig_sd,
2358               struct smbcli_session *session,
2359               const char *sharename, const struct dom_sid *user_sid,
2360               unsigned int access_mask, NTSTATUS expected_tcon,
2361               NTSTATUS expected_mkdir)
2362 {
2363         TALLOC_CTX *tmp_ctx;
2364         struct smbcli_tree *rmdir_tree, *tree;
2365         struct dom_sid *domain_sid;
2366         uint32_t rid;
2367         struct security_descriptor *sd;
2368         NTSTATUS status;
2369         bool ret = true;
2370
2371         if (!(tmp_ctx = talloc_new(mem_ctx))) {
2372                 torture_comment(tctx, "talloc_new failed\n");
2373                 return false;
2374         }
2375
2376         status = secondary_tcon(tctx, tmp_ctx, session, sharename, &rmdir_tree);
2377         if (!NT_STATUS_IS_OK(status)) {
2378                 torture_comment(tctx, "first tcon to delete dir failed\n");
2379                 talloc_free(tmp_ctx);
2380                 return false;
2381         }
2382
2383         smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2384
2385         if (!NT_STATUS_IS_OK(dom_sid_split_rid(tmp_ctx, user_sid,
2386                                                &domain_sid, &rid))) {
2387                 torture_comment(tctx, "dom_sid_split_rid failed\n");
2388                 talloc_free(tmp_ctx);
2389                 return false;
2390         }
2391
2392         sd = security_descriptor_dacl_create(
2393                 tmp_ctx, 0, "S-1-5-32-544",
2394                 dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
2395                                                         DOMAIN_RID_USERS)),
2396                 dom_sid_string(mem_ctx, user_sid),
2397                 SEC_ACE_TYPE_ACCESS_ALLOWED, access_mask, 0, NULL);
2398         if (sd == NULL) {
2399                 torture_comment(tctx, "security_descriptor_dacl_create failed\n");
2400                 talloc_free(tmp_ctx);
2401                 return false;
2402         }
2403
2404         status = set_sharesec(tctx, mem_ctx, session, sharename, sd);
2405         if (!NT_STATUS_IS_OK(status)) {
2406                 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2407                          nt_errstr(status));
2408                 talloc_free(tmp_ctx);
2409                 return false;
2410         }
2411
2412         status = secondary_tcon(tctx, tmp_ctx, session, sharename, &tree);
2413         if (!NT_STATUS_EQUAL(status, expected_tcon)) {
2414                 torture_comment(tctx, "Expected %s, got %s\n", nt_errstr(expected_tcon),
2415                          nt_errstr(status));
2416                 ret = false;
2417                 goto done;
2418         }
2419
2420         if (!NT_STATUS_IS_OK(status)) {
2421                 /* An expected non-access, no point in trying to write */
2422                 goto done;
2423         }
2424
2425         status = smbcli_mkdir(tree, "sharesec_testdir");
2426         if (!NT_STATUS_EQUAL(status, expected_mkdir)) {
2427                 torture_warning(tctx, "Expected %s, got %s\n",
2428                          nt_errstr(expected_mkdir), nt_errstr(status));
2429                 ret = false;
2430         }
2431
2432  done:
2433         smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2434
2435         status = set_sharesec(tctx, mem_ctx, session, sharename, orig_sd);
2436         if (!NT_STATUS_IS_OK(status)) {
2437                 torture_comment(tctx, "custom set_sharesec failed: %s\n",
2438                          nt_errstr(status));
2439                 talloc_free(tmp_ctx);
2440                 return false;
2441         }
2442
2443         talloc_free(tmp_ctx);
2444         return ret;
2445 }
2446
2447 static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
2448 {
2449         TALLOC_CTX *mem_ctx;
2450         bool ret = true;
2451         struct smbcli_state *cli;
2452         struct security_descriptor *sd;
2453         struct dom_sid *user_sid;
2454
2455         if (!(mem_ctx = talloc_new(torture))) {
2456                 return false;
2457         }
2458
2459         if (!(torture_open_connection_share(
2460                       mem_ctx, &cli, torture, torture_setting_string(torture, "host", NULL),
2461                       "IPC$", torture->ev))) {
2462                 torture_comment(torture, "IPC$ connection failed\n");
2463                 talloc_free(mem_ctx);
2464                 return false;
2465         }
2466
2467         if (!(user_sid = whoami(torture, mem_ctx, cli->tree))) {
2468                 torture_comment(torture, "whoami failed\n");
2469                 talloc_free(mem_ctx);
2470                 return false;
2471         }
2472
2473         sd = get_sharesec(torture, mem_ctx, cli->session,
2474                           torture_setting_string(torture, "share", NULL));
2475
2476         ret &= try_tcon(torture, mem_ctx, sd, cli->session,
2477                         torture_setting_string(torture, "share", NULL),
2478                         user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK);
2479
2480         ret &= try_tcon(torture, mem_ctx, sd, cli->session,
2481                         torture_setting_string(torture, "share", NULL),
2482                         user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
2483                         NT_STATUS_MEDIA_WRITE_PROTECTED);
2484
2485         ret &= try_tcon(torture, mem_ctx, sd, cli->session,
2486                         torture_setting_string(torture, "share", NULL),
2487                         user_sid, SEC_FILE_ALL, NT_STATUS_OK, NT_STATUS_OK);
2488
2489         talloc_free(mem_ctx);
2490         return ret;
2491 }
2492
2493 static bool torture_samba3_rpc_lsa(struct torture_context *torture)
2494 {
2495         struct dcerpc_pipe *p;
2496         struct dcerpc_binding_handle *b;
2497         struct policy_handle lsa_handle;
2498
2499         torture_assert_ntstatus_ok(torture,
2500                 torture_rpc_connection(torture, &p, &ndr_table_lsarpc),
2501                 "failed to setup lsarpc");
2502
2503         b = p->binding_handle;
2504
2505         {
2506                 struct lsa_ObjectAttribute attr;
2507                 struct lsa_OpenPolicy2 o;
2508                 o.in.system_name = talloc_asprintf(
2509                         torture, "\\\\%s", dcerpc_server_name(p));
2510                 ZERO_STRUCT(attr);
2511                 o.in.attr = &attr;
2512                 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2513                 o.out.handle = &lsa_handle;
2514
2515                 torture_assert_ntstatus_ok(torture,
2516                         dcerpc_lsa_OpenPolicy2_r(b, torture, &o),
2517                         "dcerpc_lsa_OpenPolicy2 failed");
2518                 torture_assert_ntstatus_ok(torture, o.out.result,
2519                         "dcerpc_lsa_OpenPolicy2 failed");
2520         }
2521
2522         {
2523                 int i;
2524                 int levels[] = { 2,3,5,6 };
2525
2526                 for (i=0; i<ARRAY_SIZE(levels); i++) {
2527                         struct lsa_QueryInfoPolicy r;
2528                         union lsa_PolicyInformation *info = NULL;
2529                         r.in.handle = &lsa_handle;
2530                         r.in.level = levels[i];
2531                         r.out.info = &info;
2532
2533                         torture_assert_ntstatus_ok(torture,
2534                                 dcerpc_lsa_QueryInfoPolicy_r(b, torture, &r),
2535                                 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2536                         torture_assert_ntstatus_ok(torture, r.out.result,
2537                                 talloc_asprintf(torture, "dcerpc_lsa_QueryInfoPolicy level %d failed", levels[i]));
2538                 }
2539         }
2540
2541         return true;
2542 }
2543
2544 static NTSTATUS get_servername(TALLOC_CTX *mem_ctx, struct smbcli_tree *tree,
2545                                char **name)
2546 {
2547         struct rap_WserverGetInfo r;
2548         NTSTATUS status;
2549         char servername[17];
2550
2551         r.in.level = 0;
2552         r.in.bufsize = 0xffff;
2553
2554         status = smbcli_rap_netservergetinfo(tree, mem_ctx, &r);
2555         if (!NT_STATUS_IS_OK(status)) {
2556                 return status;
2557         }
2558
2559         memcpy(servername, r.out.info.info0.name, 16);
2560         servername[16] = '\0';
2561
2562         if (!pull_ascii_talloc(mem_ctx, name, servername, NULL)) {
2563                 return NT_STATUS_NO_MEMORY;
2564         }
2565
2566         return NT_STATUS_OK;
2567 }
2568
2569 static bool rap_get_servername(struct torture_context *tctx,
2570                                char **servername)
2571 {
2572         struct smbcli_state *cli;
2573
2574         torture_assert(tctx,
2575                 torture_open_connection_share(tctx, &cli, tctx, torture_setting_string(tctx, "host", NULL),
2576                                               "IPC$", tctx->ev),
2577                 "IPC$ connection failed");
2578
2579         torture_assert_ntstatus_ok(tctx,
2580                 get_servername(tctx, cli->tree, servername),
2581                 "get_servername failed");
2582
2583         talloc_free(cli);
2584
2585         return true;
2586 }
2587
2588 static bool find_printers(struct torture_context *tctx,
2589                           struct dcerpc_pipe *p,
2590                           const char ***printers,
2591                           int *num_printers)
2592 {
2593         struct srvsvc_NetShareEnum r;
2594         struct srvsvc_NetShareInfoCtr info_ctr;
2595         struct srvsvc_NetShareCtr1 c1_in;
2596         struct srvsvc_NetShareCtr1 *c1;
2597         uint32_t totalentries = 0;
2598         int i;
2599         struct dcerpc_binding_handle *b = p->binding_handle;
2600
2601         ZERO_STRUCT(c1_in);
2602         info_ctr.level = 1;
2603         info_ctr.ctr.ctr1 = &c1_in;
2604
2605         r.in.server_unc = talloc_asprintf(
2606                 tctx, "\\\\%s", dcerpc_server_name(p));
2607         r.in.info_ctr = &info_ctr;
2608         r.in.max_buffer = (uint32_t)-1;
2609         r.in.resume_handle = NULL;
2610         r.out.totalentries = &totalentries;
2611         r.out.info_ctr = &info_ctr;
2612
2613         torture_assert_ntstatus_ok(tctx,
2614                 dcerpc_srvsvc_NetShareEnum_r(b, tctx, &r),
2615                 "NetShareEnum level 1 failed");
2616         torture_assert_werr_ok(tctx, r.out.result,
2617                 "NetShareEnum level 1 failed");
2618
2619         *printers = NULL;
2620         *num_printers = 0;
2621         c1 = r.out.info_ctr->ctr.ctr1;
2622         for (i=0; i<c1->count; i++) {
2623                 if (c1->array[i].type != STYPE_PRINTQ) {
2624                         continue;
2625                 }
2626                 if (!add_string_to_array(tctx, c1->array[i].name,
2627                                          printers, num_printers)) {
2628                         return false;
2629                 }
2630         }
2631
2632         return true;
2633 }
2634
2635 static bool enumprinters(struct torture_context *tctx,
2636                          struct dcerpc_binding_handle *b,
2637                          const char *servername, int level, int *num_printers)
2638 {
2639         struct spoolss_EnumPrinters r;
2640         DATA_BLOB blob;
2641         uint32_t needed;
2642         uint32_t count;
2643         union spoolss_PrinterInfo *info;
2644
2645         r.in.flags = PRINTER_ENUM_LOCAL;
2646         r.in.server = talloc_asprintf(tctx, "\\\\%s", servername);
2647         r.in.level = level;
2648         r.in.buffer = NULL;
2649         r.in.offered = 0;
2650         r.out.needed = &needed;
2651         r.out.count = &count;
2652         r.out.info = &info;
2653
2654         torture_assert_ntstatus_ok(tctx,
2655                 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2656                 "dcerpc_spoolss_EnumPrinters failed");
2657         torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2658                 "EnumPrinters unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2659
2660         blob = data_blob_talloc_zero(tctx, needed);
2661         if (blob.data == NULL) {
2662                 return false;
2663         }
2664
2665         r.in.buffer = &blob;
2666         r.in.offered = needed;
2667
2668         torture_assert_ntstatus_ok(tctx,
2669                 dcerpc_spoolss_EnumPrinters_r(b, tctx, &r),
2670                 "dcerpc_spoolss_EnumPrinters failed");
2671         torture_assert_werr_ok(tctx, r.out.result,
2672                 "dcerpc_spoolss_EnumPrinters failed");
2673
2674         *num_printers = count;
2675
2676         return true;
2677 }
2678
2679 static bool getprinterinfo(struct torture_context *tctx,
2680                            struct dcerpc_binding_handle *b,
2681                            struct policy_handle *handle, int level,
2682                            union spoolss_PrinterInfo **res)
2683 {
2684         struct spoolss_GetPrinter r;
2685         DATA_BLOB blob;
2686         uint32_t needed;
2687
2688         r.in.handle = handle;
2689         r.in.level = level;
2690         r.in.buffer = NULL;
2691         r.in.offered = 0;
2692         r.out.needed = &needed;
2693
2694         torture_assert_ntstatus_ok(tctx,
2695                 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2696                 "dcerpc_spoolss_GetPrinter failed");
2697         torture_assert_werr_equal(tctx, r.out.result, WERR_INSUFFICIENT_BUFFER,
2698                 "GetPrinter unexpected return code should be WERR_INSUFFICIENT_BUFFER");
2699
2700         r.in.handle = handle;
2701         r.in.level = level;
2702         blob = data_blob_talloc_zero(tctx, needed);
2703         if (blob.data == NULL) {
2704                 return false;
2705         }
2706         r.in.buffer = &blob;
2707         r.in.offered = needed;
2708
2709         torture_assert_ntstatus_ok(tctx,
2710                 dcerpc_spoolss_GetPrinter_r(b, tctx, &r),
2711                 "dcerpc_spoolss_GetPrinter failed");
2712         torture_assert_werr_ok(tctx, r.out.result,
2713                 "dcerpc_spoolss_GetPrinter failed");
2714
2715         if (res != NULL) {
2716                 *res = talloc_steal(tctx, r.out.info);
2717         }
2718
2719         return true;
2720 }
2721
2722 static bool torture_samba3_rpc_spoolss(struct torture_context *torture)
2723 {
2724         struct dcerpc_pipe *p, *p2;
2725         struct dcerpc_binding_handle *b;
2726         struct policy_handle server_handle, printer_handle;
2727         const char **printers;
2728         int num_printers;
2729         struct spoolss_UserLevel1 userlevel1;
2730         char *servername;
2731
2732         torture_assert(torture,
2733                 rap_get_servername(torture, &servername),
2734                 "failed to rap servername");
2735
2736         torture_assert_ntstatus_ok(torture,
2737                 torture_rpc_connection(torture, &p2, &ndr_table_srvsvc),
2738                 "failed to setup srvsvc");
2739
2740         torture_assert(torture,
2741                 find_printers(torture, p2, &printers, &num_printers),
2742                 "failed to find printers via srvsvc");
2743
2744         talloc_free(p2);
2745
2746         if (num_printers == 0) {
2747                 torture_skip(torture, "Did not find printers\n");
2748                 return true;
2749         }
2750
2751         torture_assert_ntstatus_ok(torture,
2752                 torture_rpc_connection(torture, &p, &ndr_table_spoolss),
2753                 "failed to setup spoolss");
2754
2755         b = p->binding_handle;
2756
2757         ZERO_STRUCT(userlevel1);
2758         userlevel1.client = talloc_asprintf(
2759                 torture, "\\\\%s", lp_netbios_name(torture->lp_ctx));
2760         userlevel1.user = cli_credentials_get_username(cmdline_credentials);
2761         userlevel1.build = 2600;
2762         userlevel1.major = 3;
2763         userlevel1.minor = 0;
2764         userlevel1.processor = 0;
2765
2766         {
2767                 struct spoolss_OpenPrinterEx r;
2768
2769                 ZERO_STRUCT(r);
2770                 r.in.printername = talloc_asprintf(torture, "\\\\%s",
2771                                                    servername);
2772                 r.in.datatype = NULL;
2773                 r.in.access_mask = 0;
2774                 r.in.level = 1;
2775                 r.in.userlevel.level1 = &userlevel1;
2776                 r.out.handle = &server_handle;
2777
2778                 torture_assert_ntstatus_ok(torture,
2779                         dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2780                         "dcerpc_spoolss_OpenPrinterEx failed");
2781                 torture_assert_werr_ok(torture, r.out.result,
2782                         "dcerpc_spoolss_OpenPrinterEx failed");
2783         }
2784
2785         {
2786                 struct spoolss_ClosePrinter r;
2787
2788                 r.in.handle = &server_handle;
2789                 r.out.handle = &server_handle;
2790
2791                 torture_assert_ntstatus_ok(torture,
2792                         dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2793                         "dcerpc_spoolss_ClosePrinter failed");
2794                 torture_assert_werr_ok(torture, r.out.result,
2795                         "dcerpc_spoolss_ClosePrinter failed");
2796         }
2797
2798         {
2799                 struct spoolss_OpenPrinterEx r;
2800
2801                 ZERO_STRUCT(r);
2802                 r.in.printername = talloc_asprintf(
2803                         torture, "\\\\%s\\%s", servername, printers[0]);
2804                 r.in.datatype = NULL;
2805                 r.in.access_mask = 0;
2806                 r.in.level = 1;
2807                 r.in.userlevel.level1 = &userlevel1;
2808                 r.out.handle = &printer_handle;
2809
2810                 torture_assert_ntstatus_ok(torture,
2811                         dcerpc_spoolss_OpenPrinterEx_r(b, torture, &r),
2812                         "dcerpc_spoolss_OpenPrinterEx failed");
2813                 torture_assert_werr_ok(torture, r.out.result,
2814                         "dcerpc_spoolss_OpenPrinterEx failed");
2815         }
2816
2817         {
2818                 int i;
2819
2820                 for (i=0; i<8; i++) {
2821                         torture_assert(torture,
2822                                 getprinterinfo(torture, b, &printer_handle, i, NULL),
2823                                 talloc_asprintf(torture, "getprinterinfo %d failed", i));
2824                 }
2825         }
2826
2827         {
2828                 struct spoolss_ClosePrinter r;
2829
2830                 r.in.handle = &printer_handle;
2831                 r.out.handle = &printer_handle;
2832
2833                 torture_assert_ntstatus_ok(torture,
2834                         dcerpc_spoolss_ClosePrinter_r(b, torture, &r),
2835                         "dcerpc_spoolss_ClosePrinter failed");
2836                 torture_assert_werr_ok(torture, r.out.result,
2837                         "dcerpc_spoolss_ClosePrinter failed");
2838         }
2839
2840         {
2841                 int num_enumerated;
2842
2843                 torture_assert(torture,
2844                         enumprinters(torture, b, servername, 1, &num_enumerated),
2845                         "enumprinters failed");
2846
2847                 torture_assert_int_equal(torture, num_printers, num_enumerated,
2848                         "netshareenum / enumprinters lvl 1 numprinter mismatch");
2849         }
2850
2851         {
2852                 int num_enumerated;
2853
2854                 torture_assert(torture,
2855                         enumprinters(torture, b, servername, 2, &num_enumerated),
2856                         "enumprinters failed");
2857
2858                 torture_assert_int_equal(torture, num_printers, num_enumerated,
2859                         "netshareenum / enumprinters lvl 2 numprinter mismatch");
2860         }
2861
2862         return true;
2863 }
2864
2865 static bool torture_samba3_rpc_wkssvc(struct torture_context *torture)
2866 {
2867         struct dcerpc_pipe *p;
2868         struct dcerpc_binding_handle *b;
2869         char *servername;
2870
2871         torture_assert(torture,
2872                 rap_get_servername(torture, &servername),
2873                 "failed to rap servername");
2874
2875         torture_assert_ntstatus_ok(torture,
2876                 torture_rpc_connection(torture, &p, &ndr_table_wkssvc),
2877                 "failed to setup wkssvc");
2878
2879         b = p->binding_handle;
2880
2881         {
2882                 struct wkssvc_NetWkstaInfo100 wks100;
2883                 union wkssvc_NetWkstaInfo info;
2884                 struct wkssvc_NetWkstaGetInfo r;
2885
2886                 r.in.server_name = "\\foo";
2887                 r.in.level = 100;
2888                 info.info100 = &wks100;
2889                 r.out.info = &info;
2890
2891                 torture_assert_ntstatus_ok(torture,
2892                         dcerpc_wkssvc_NetWkstaGetInfo_r(b, torture, &r),
2893                         "dcerpc_wkssvc_NetWksGetInfo failed");
2894                 torture_assert_werr_ok(torture, r.out.result,
2895                         "dcerpc_wkssvc_NetWksGetInfo failed");
2896
2897                 torture_assert_str_equal(torture, servername, r.out.info->info100->server_name,
2898                         "servername RAP / DCERPC inconsistency");
2899         }
2900
2901         return true;
2902 }
2903
2904 static bool winreg_close(struct torture_context *tctx,
2905                          struct dcerpc_binding_handle *b,
2906                          struct policy_handle *handle)
2907 {
2908         struct winreg_CloseKey c;
2909
2910         c.in.handle = c.out.handle = handle;
2911
2912         torture_assert_ntstatus_ok(tctx,
2913                 dcerpc_winreg_CloseKey_r(b, tctx, &c),
2914                 "winreg_CloseKey failed");
2915         torture_assert_werr_ok(tctx, c.out.result,
2916                 "winreg_CloseKey failed");
2917
2918         return true;
2919 }
2920
2921 static bool enumvalues(struct torture_context *tctx,
2922                        struct dcerpc_binding_handle *b,
2923                        struct policy_handle *handle)
2924 {
2925         uint32_t enum_index = 0;
2926
2927         while (1) {
2928                 struct winreg_EnumValue r;
2929                 struct winreg_ValNameBuf name;
2930                 enum winreg_Type type = 0;
2931                 uint8_t buf8[1024];
2932                 NTSTATUS status;
2933                 uint32_t size, length;
2934
2935                 r.in.handle = handle;
2936                 r.in.enum_index = enum_index;
2937                 name.name = "";
2938                 name.size = 1024;
2939                 r.in.name = r.out.name = &name;
2940                 size = 1024;
2941                 length = 5;
2942                 r.in.type = &type;
2943                 r.in.value = buf8;
2944                 r.in.size = &size;
2945                 r.in.length = &length;
2946
2947                 status = dcerpc_winreg_EnumValue_r(b, tctx, &r);
2948                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2949                         return true;
2950                 }
2951                 enum_index += 1;
2952         }
2953 }
2954
2955 static bool enumkeys(struct torture_context *tctx,
2956                      struct dcerpc_binding_handle *b,
2957                      struct policy_handle *handle,
2958                      int depth)
2959 {
2960         struct winreg_EnumKey r;
2961         struct winreg_StringBuf kclass, name;
2962         NTSTATUS status;
2963         NTTIME t = 0;
2964
2965         if (depth <= 0) {
2966                 return true;
2967         }
2968
2969         kclass.name   = "";
2970         kclass.size   = 1024;
2971
2972         r.in.handle = handle;
2973         r.in.enum_index = 0;