source4/torture/rpc/samsync.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for netlogon rpc operations
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
   8    Copyright (C) Tim Potter      2003
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "librpc/gen_ndr/ndr_netlogon.h"
  27 #include "auth/auth.h"
  28 #include "dlinklist.h"
  29 #include "lib/crypto/crypto.h"
  30 #include "system/time.h"
  31
  32 #define TEST_MACHINE_NAME "samsynctest"
  33
  34 /*
  35   try a netlogon SamLogon
  36 */
  37 static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  38                               struct creds_CredentialState *creds,
  39                               const char *domain, const char *username,
  40                               struct samr_Password *lm_hash,
  41                               struct samr_Password *nt_hash,
  42                               struct netr_SamInfo3 **info3)
  43 {
  44         NTSTATUS status;
  45         struct netr_LogonSamLogon r;
  46         struct netr_Authenticator auth, auth2;
  47         struct netr_NetworkInfo ninfo;
  48
  49         ninfo.identity_info.domain_name.string = domain;
  50         ninfo.identity_info.parameter_control = 0;
  51         ninfo.identity_info.logon_id_low = 0;
  52         ninfo.identity_info.logon_id_high = 0;
  53         ninfo.identity_info.account_name.string = username;
  54         ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
  55         generate_random_buffer(ninfo.challenge,
  56                                sizeof(ninfo.challenge));
  57         if (nt_hash) {
  58                 ninfo.nt.length = 24;
  59                 ninfo.nt.data = talloc(mem_ctx, 24);
  60                 SMBOWFencrypt(nt_hash->hash, ninfo.challenge, ninfo.nt.data);
  61         } else {
  62                 ninfo.nt.length = 0;
  63                 ninfo.nt.data = NULL;
  64         }
  65
  66         if (lm_hash) {
  67                 ninfo.lm.length = 24;
  68                 ninfo.lm.data = talloc(mem_ctx, 24);
  69                 SMBOWFencrypt(lm_hash->hash, ninfo.challenge, ninfo.lm.data);
  70         } else {
  71                 ninfo.lm.length = 0;
  72                 ninfo.lm.data = NULL;
  73         }
  74
  75         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  76         r.in.workstation = TEST_MACHINE_NAME;
  77         r.in.credential = &auth;
  78         r.in.return_authenticator = &auth2;
  79         r.in.logon_level = 2;
  80         r.in.logon.network = &ninfo;
  81
  82         ZERO_STRUCT(auth2);
  83         creds_client_authenticator(creds, &auth);
  84
  85         r.in.validation_level = 3;
  86
  87         status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
  88
  89         if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
  90                 printf("Credential chaining failed\n");
  91         }
  92
  93         if (info3) {
  94                 *info3 = r.out.validation.sam3;
  95         }
  96
  97         return status;
  98 }
  99
 100 struct samsync_state {
 101 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
 102         uint64_t seq_num[3];
 103         char *domain_name[2];
 104         struct samsync_secret *secrets;
 105         struct samsync_trusted_domain *trusted_domains;
 106         struct creds_CredentialState *creds;
 107         struct policy_handle *connect_handle;
 108         struct policy_handle *domain_handle[2];
 109         struct dom_sid *sid[2];
 110         struct dcerpc_pipe *p;
 111         struct dcerpc_pipe *p_samr;
 112         struct dcerpc_pipe *p_lsa;
 113         struct policy_handle *lsa_handle;
 114 };
 115
 116 struct samsync_secret {
 117         struct samsync_secret *prev, *next;
 118         DATA_BLOB secret;
 119         char *name;
 120 };
 121
 122 struct samsync_trusted_domain {
 123         struct samsync_trusted_domain *prev, *next;
 124         struct dom_sid *sid;
 125         char *name;
 126 };
 127
 128 static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx,
 129                                                  struct samsync_state *samsync_state,
 130                                                  const char *domain,
 131                                                  struct dom_sid **sid)
 132 {
 133         struct samr_String name;
 134         struct samr_OpenDomain o;
 135         struct samr_LookupDomain l;
 136         struct policy_handle *domain_handle = talloc_p(mem_ctx, struct policy_handle);
 137         NTSTATUS nt_status;
 138
 139         name.string = domain;
 140         l.in.connect_handle = samsync_state->connect_handle;
 141         l.in.domain = &name;
 142
 143         nt_status = dcerpc_samr_LookupDomain(samsync_state->p_samr, mem_ctx, &l);
 144         if (!NT_STATUS_IS_OK(nt_status)) {
 145                 printf("LookupDomain failed - %s\n", nt_errstr(nt_status));
 146                 return NULL;
 147         }
 148
 149         o.in.connect_handle = samsync_state->connect_handle;
 150         o.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 151         o.in.sid = l.out.sid;
 152         o.out.domain_handle = domain_handle;
 153
 154         if (sid) {
 155                 *sid = l.out.sid;
 156         }
 157
 158         nt_status = dcerpc_samr_OpenDomain(samsync_state->p_samr, mem_ctx, &o);
 159         if (!NT_STATUS_IS_OK(nt_status)) {
 160                 printf("OpenDomain failed - %s\n", nt_errstr(nt_status));
 161                 return NULL;
 162         }
 163
 164         return domain_handle;
 165 }
 166
 167
 168 #define TEST_UINT64_EQUAL(i1, i2) do {\
 169         if (i1 != i2) {\
 170               printf("uint64 mismatch: " #i1 ": 0x%08x%08x (%lld) != " #i2 ": 0x%08x%08x (%lld)\n", \
 171                      (uint32_t)(i1 >> 32), (uint32_t)(i1 & 0xFFFFFFFF), i1, \
 172                      (uint32_t)(i2 >> 32), (uint32_t)(i2 & 0xFFFFFFFF), i2);\
 173               ret = False;\
 174         } \
 175 } while (0)
 176 #define TEST_INT_EQUAL(i1, i2) do {\
 177         if (i1 != i2) {\
 178               printf("integer mismatch: " #i1 ":%d != " #i2 ": %d\n", \
 179                      i1, i2);\
 180               ret = False;\
 181         } \
 182 } while (0)
 183 #define TEST_TIME_EQUAL(t1, t2) do {\
 184         if (t1 != t2) {\
 185               printf("NTTIME mismatch: " #t1 ":%s != " #t2 ": %s\n", \
 186                      nt_time_string(mem_ctx, t1),  nt_time_string(mem_ctx, t2));\
 187               ret = False;\
 188         } \
 189 } while (0)
 190 #define TEST_STRING_EQUAL(s1, s2) do {\
 191         if (!((!s1.string || s1.string[0]=='\0') && (!s2.string || s2.string[0]=='\0')) \
 192             && strcmp_safe(s1.string, s2.string) != 0) {\
 193               printf("string mismatch: " #s1 ":%s != " #s2 ": %s\n", \
 194                      s1.string, s2.string);\
 195               ret = False;\
 196         } \
 197 } while (0)
 198
 199 static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 200                            int database_id, struct netr_DELTA_ENUM *delta)
 201 {
 202         struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
 203         struct dom_sid *dom_sid;
 204         struct samr_QueryDomainInfo q[14]; /* q[0] will be unused simple for clarity */
 205         uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13};
 206         NTSTATUS nt_status;
 207         int i;
 208         BOOL ret = True;
 209
 210         samsync_state->seq_num[database_id] =
 211                 domain->sequence_num;
 212         switch (database_id) {
 213         case SAM_DATABASE_DOMAIN:
 214                 break;
 215         case SAM_DATABASE_BUILTIN:
 216                 if (StrCaseCmp("BUILTIN", domain->domain_name.string) != 0) {
 217                         printf("BUILTIN domain has different name: %s\n", domain->domain_name.string);
 218                 }
 219                 break;
 220         case SAM_DATABASE_PRIVS:
 221                 printf("DOMAIN entry on privs DB!\n");
 222                 return False;
 223                 break;
 224         }
 225
 226         if (!samsync_state->domain_name[database_id]) {
 227                 samsync_state->domain_name[database_id] =
 228                         talloc_reference(samsync_state, domain->domain_name.string);
 229         } else {
 230                 if (StrCaseCmp(samsync_state->domain_name[database_id], domain->domain_name.string) != 0) {
 231                         printf("Domain has name varies!: %s != %s\n", samsync_state->domain_name[database_id],
 232                                domain->domain_name.string);
 233                         return False;
 234                 }
 235         }
 236
 237         if (!samsync_state->domain_handle[database_id]) {
 238                 samsync_state->domain_handle[database_id]
 239                         = samsync_open_domain(mem_ctx, samsync_state, samsync_state->domain_name[database_id],
 240                                               &dom_sid);
 241         }
 242         if (samsync_state->domain_handle[database_id]) {
 243                 samsync_state->sid[database_id] = talloc_reference(samsync_state, dom_sid);
 244         }
 245
 246         printf("\tsequence_nums[%d/%s]=%llu\n",
 247                database_id, domain->domain_name.string,
 248                samsync_state->seq_num[database_id]);
 249
 250         for (i=0;i<ARRAY_SIZE(levels);i++) {
 251                 q[levels[i]].in.domain_handle = samsync_state->domain_handle[database_id];
 252                 q[levels[i]].in.level = levels[i];
 253
 254                 nt_status = dcerpc_samr_QueryDomainInfo(samsync_state->p_samr, mem_ctx, &q[levels[i]]);
 255
 256                 if (!NT_STATUS_IS_OK(nt_status)) {
 257                         printf("QueryDomainInfo level %u failed - %s\n",
 258                                q[levels[i]].in.level, nt_errstr(nt_status));
 259                         return False;
 260                 }
 261         }
 262
 263         TEST_STRING_EQUAL(q[5].out.info->info5.domain_name, domain->domain_name);
 264
 265         TEST_STRING_EQUAL(q[2].out.info->info2.comment, domain->comment);
 266         TEST_STRING_EQUAL(q[4].out.info->info4.comment, domain->comment);
 267         TEST_TIME_EQUAL(q[2].out.info->info2.force_logoff_time, domain->force_logoff_time);
 268         TEST_TIME_EQUAL(q[3].out.info->info3.force_logoff_time, domain->force_logoff_time);
 269
 270         TEST_TIME_EQUAL(q[1].out.info->info1.min_password_length, domain->min_password_length);
 271         TEST_TIME_EQUAL(q[1].out.info->info1.password_history_length, domain->password_history_length);
 272         TEST_TIME_EQUAL(q[1].out.info->info1.max_password_age, domain->max_password_age);
 273         TEST_TIME_EQUAL(q[1].out.info->info1.min_password_age, domain->min_password_age);
 274
 275         TEST_UINT64_EQUAL(q[8].out.info->info8.sequence_num,
 276                         domain->sequence_num);
 277         TEST_TIME_EQUAL(q[8].out.info->info8.domain_create_time,
 278                         domain->domain_create_time);
 279         TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time,
 280                         domain->domain_create_time);
 281
 282         return ret;
 283 }
 284
 285 static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 286                            int database_id, struct netr_DELTA_ENUM *delta)
 287 {
 288         struct netr_DELTA_POLICY *policy = delta->delta_union.policy;
 289
 290         samsync_state->seq_num[database_id] =
 291                 policy->sequence_num;
 292
 293         if (!samsync_state->domain_name[SAM_DATABASE_DOMAIN]) {
 294                 samsync_state->domain_name[SAM_DATABASE_DOMAIN] =
 295                         talloc_reference(samsync_state, policy->primary_domain_name.string);
 296         } else {
 297                 if (StrCaseCmp(samsync_state->domain_name[SAM_DATABASE_DOMAIN], policy->primary_domain_name.string) != 0) {
 298                         printf("PRIMARY domain has name varies between DOMAIN and POLICY!: %s != %s\n", samsync_state->domain_name[SAM_DATABASE_DOMAIN],
 299                                policy->primary_domain_name.string);
 300                         return False;
 301                 }
 302         }
 303
 304         if (!sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
 305                 printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
 306                        dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
 307                 return False;
 308         }
 309
 310         printf("\tsequence_nums[%d/PRIVS]=%llu\n",
 311                database_id,
 312                samsync_state->seq_num[database_id]);
 313         return True;
 314 }
 315
 316 static BOOL samsync_handle_user(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 317                                 int database_id, struct netr_DELTA_ENUM *delta)
 318 {
 319         uint32 rid = delta->delta_id_union.rid;
 320         struct netr_DELTA_USER *user = delta->delta_union.user;
 321         struct netr_SamInfo3 *info3;
 322         struct samr_Password lm_hash;
 323         struct samr_Password nt_hash;
 324         struct samr_Password *lm_hash_p = NULL;
 325         struct samr_Password *nt_hash_p = NULL;
 326         const char *domain = samsync_state->domain_name[database_id];
 327         const char *username = user->account_name.string;
 328         NTSTATUS nt_status;
 329         BOOL ret = True;
 330
 331         struct samr_OpenUser r;
 332         struct samr_QueryUserInfo q;
 333         struct policy_handle user_handle;
 334
 335         if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) {
 336                 printf("SamSync needs domain information before the users\n");
 337                 return False;
 338         }
 339
 340         r.in.domain_handle = samsync_state->domain_handle[database_id];
 341         r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 342         r.in.rid = rid;
 343         r.out.user_handle = &user_handle;
 344
 345         nt_status = dcerpc_samr_OpenUser(samsync_state->p_samr, mem_ctx, &r);
 346         if (!NT_STATUS_IS_OK(nt_status)) {
 347                 printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(nt_status));
 348                 return False;
 349         }
 350
 351         q.in.user_handle = &user_handle;
 352         q.in.level = 21;
 353
 354         nt_status = dcerpc_samr_QueryUserInfo(samsync_state->p_samr, mem_ctx, &q);
 355         if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
 356                 return False;
 357         }
 358
 359         if (!NT_STATUS_IS_OK(nt_status)) {
 360                 printf("QueryUserInfo level %u failed - %s\n",
 361                        q.in.level, nt_errstr(nt_status));
 362                 return False;
 363         }
 364
 365         TEST_STRING_EQUAL(q.out.info->info21.account_name, user->account_name);
 366         TEST_STRING_EQUAL(q.out.info->info21.full_name, user->full_name);
 367         TEST_INT_EQUAL(q.out.info->info21.rid, user->rid);
 368         TEST_INT_EQUAL(q.out.info->info21.primary_gid, user->primary_gid);
 369         TEST_STRING_EQUAL(q.out.info->info21.home_directory, user->home_directory);
 370         TEST_STRING_EQUAL(q.out.info->info21.home_drive, user->home_drive);
 371         TEST_STRING_EQUAL(q.out.info->info21.logon_script, user->logon_script);
 372         TEST_STRING_EQUAL(q.out.info->info21.description, user->description);
 373         TEST_STRING_EQUAL(q.out.info->info21.workstations, user->workstations);
 374
 375         TEST_TIME_EQUAL(q.out.info->info21.last_logon, user->last_logon);
 376         TEST_TIME_EQUAL(q.out.info->info21.last_logoff, user->last_logoff);
 377
 378
 379         TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week,
 380                        user->logon_hours.units_per_week);
 381         if (ret) {
 382                 if (memcmp(q.out.info->info21.logon_hours.bitmap, user->logon_hours.bitmap,
 383                            q.out.info->info21.logon_hours.units_per_week/8) != 0) {
 384                         printf("Logon hours mismatch\n");
 385                         ret = False;
 386                 }
 387         }
 388
 389         TEST_INT_EQUAL(q.out.info->info21.bad_password_count,
 390                        user->bad_password_count);
 391         TEST_INT_EQUAL(q.out.info->info21.logon_count,
 392                        user->logon_count);
 393
 394         TEST_TIME_EQUAL(q.out.info->info21.last_password_change,
 395                        user->last_password_change);
 396         TEST_TIME_EQUAL(q.out.info->info21.acct_expiry,
 397                        user->acct_expiry);
 398
 399         TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week,
 400                        user->logon_hours.units_per_week);
 401
 402         TEST_INT_EQUAL(q.out.info->info21.acct_flags, user->acct_flags);
 403         TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present);
 404         TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present);
 405         TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired);
 406
 407         TEST_STRING_EQUAL(q.out.info->info21.comment, user->comment);
 408         TEST_STRING_EQUAL(q.out.info->info21.parameters, user->parameters);
 409
 410         TEST_INT_EQUAL(q.out.info->info21.country_code, user->country_code);
 411         TEST_INT_EQUAL(q.out.info->info21.code_page, user->code_page);
 412
 413         TEST_STRING_EQUAL(q.out.info->info21.profile_path, user->profile_path);
 414
 415         if (user->lm_password_present) {
 416                 sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
 417                 lm_hash_p = &lm_hash;
 418         }
 419         if (user->nt_password_present) {
 420                 sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
 421                 nt_hash_p = &nt_hash;
 422         }
 423
 424         if (user->user_private_info.SensitiveData) {
 425                 DATA_BLOB data;
 426                 struct netr_USER_KEYS keys;
 427                 data.data = user->user_private_info.SensitiveData;
 428                 data.length = user->user_private_info.DataLength;
 429                 creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
 430 #if 0
 431                 printf("Sensitive Data for %s:\n", username);
 432                 dump_data(0, data.data, data.length);
 433 #endif
 434                 nt_status = ndr_pull_struct_blob(&data, mem_ctx, &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
 435                 if (NT_STATUS_IS_OK(nt_status)) {
 436                         if (keys.keys.keys2.lmpassword.length == 16) {
 437                                 sam_rid_crypt(rid, keys.keys.keys2.lmpassword.pwd.hash, lm_hash.hash, 0);
 438                                 lm_hash_p = &lm_hash;
 439                         }
 440                         if (keys.keys.keys2.ntpassword.length == 16) {
 441                                 sam_rid_crypt(rid, keys.keys.keys2.ntpassword.pwd.hash, nt_hash.hash, 0);
 442                                 nt_hash_p = &nt_hash;
 443                         }
 444                 }
 445
 446         }
 447
 448         nt_status = test_SamLogon(samsync_state->p, mem_ctx, samsync_state->creds,
 449                                   domain,
 450                                   username,
 451                                   lm_hash_p,
 452                                   nt_hash_p,
 453                                   &info3);
 454
 455         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
 456                 if (user->acct_flags & ACB_DISABLED) {
 457                         return True;
 458                 }
 459         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)) {
 460                 if (user->acct_flags & ACB_WSTRUST) {
 461                         return True;
 462                 }
 463         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)) {
 464                 if (user->acct_flags & ACB_SVRTRUST) {
 465                         return True;
 466                 }
 467         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 468                 if (user->acct_flags & ACB_DOMTRUST) {
 469                         return True;
 470                 }
 471         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 472                 if (user->acct_flags & ACB_DOMTRUST) {
 473                         return True;
 474                 }
 475         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
 476                 if (user->acct_flags & ACB_AUTOLOCK) {
 477                         return True;
 478                 }
 479         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
 480                 if (!lm_hash_p && !nt_hash_p) {
 481                         return True;
 482                 }
 483         } else if (NT_STATUS_IS_OK(nt_status)) {
 484                 TEST_INT_EQUAL(user->rid, info3->base.rid);
 485                 TEST_INT_EQUAL(user->primary_gid, info3->base.primary_gid);
 486                 TEST_INT_EQUAL(user->acct_flags, info3->base.acct_flags);
 487                 TEST_STRING_EQUAL(user->account_name, info3->base.account_name);
 488                 TEST_STRING_EQUAL(user->full_name, info3->base.full_name);
 489                 TEST_STRING_EQUAL(user->logon_script, info3->base.logon_script);
 490                 TEST_STRING_EQUAL(user->profile_path, info3->base.profile_path);
 491                 TEST_STRING_EQUAL(user->home_directory, info3->base.home_directory);
 492                 TEST_STRING_EQUAL(user->home_drive, info3->base.home_drive);
 493                 TEST_STRING_EQUAL(user->logon_script, info3->base.logon_script);
 494
 495
 496                 TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon);
 497                 TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry);
 498                 TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change);
 499
 500                 /* Does the concept of a logoff time ever really
 501                  * exist? (not in any sensible way, according to the
 502                  * doco I read -- abartlet) */
 503
 504                 /* This copes with the two different versions of 0 I see */
 505                 if (!((user->last_logoff == 0)
 506                       && (info3->base.last_logoff == 0x7fffffffffffffffLL))) {
 507                         TEST_TIME_EQUAL(user->last_logoff, info3->base.last_logoff);
 508                 }
 509                 return ret;
 510         } else {
 511                 printf("Could not validate password for user %s\\%s: %s\n",
 512                        domain, username, nt_errstr(nt_status));
 513                 return False;
 514         }
 515         return False;
 516 }
 517
 518 static BOOL samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 519                                   int database_id, struct netr_DELTA_ENUM *delta)
 520 {
 521         struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
 522         const char *name = delta->delta_id_union.name;
 523         struct samsync_secret *new = talloc_p(samsync_state, struct samsync_secret);
 524         struct lsa_QuerySecret q;
 525         struct lsa_OpenSecret o;
 526         struct policy_handle sec_handle;
 527         struct lsa_DATA_BUF_PTR bufp1;
 528         NTTIME new_mtime;
 529         BOOL ret = True;
 530         DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
 531         NTSTATUS status;
 532
 533         creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data,
 534                             secret->current_cipher.maxlen);
 535
 536         creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data,
 537                             secret->old_cipher.maxlen);
 538
 539         new->name = talloc_reference(new, name);
 540         new->secret = data_blob_talloc(new, secret->current_cipher.cipher_data, secret->current_cipher.maxlen);
 541
 542         DLIST_ADD(samsync_state->secrets, new);
 543
 544         o.in.handle = samsync_state->lsa_handle;
 545         o.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 546         o.in.name.name = name;
 547         o.out.sec_handle = &sec_handle;
 548
 549         status = dcerpc_lsa_OpenSecret(samsync_state->p_lsa, mem_ctx, &o);
 550         if (!NT_STATUS_IS_OK(status)) {
 551                 printf("OpenSecret failed - %s\n", nt_errstr(status));
 552                 ret = False;
 553         }
 554
 555         status = dcerpc_fetch_session_key(samsync_state->p_lsa, &session_key);
 556         if (!NT_STATUS_IS_OK(status)) {
 557                 printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
 558                 ret = False;
 559         }
 560
 561
 562         ZERO_STRUCT(new_mtime);
 563
 564         /* fetch the secret back again */
 565         q.in.handle = &sec_handle;
 566         q.in.new_val = &bufp1;
 567         q.in.new_mtime = &new_mtime;
 568         q.in.old_val = NULL;
 569         q.in.old_mtime = NULL;
 570
 571         bufp1.buf = NULL;
 572
 573         status = dcerpc_lsa_QuerySecret(samsync_state->p_lsa, mem_ctx, &q);
 574         if (!NT_STATUS_IS_OK(status)) {
 575                 printf("QuerySecret failed - %s\n", nt_errstr(status));
 576                 ret = False;
 577         }
 578
 579         if (q.out.new_val->buf == NULL) {
 580                 printf("No secret buffer returned\n");
 581                 ret = False;
 582         } else {
 583                 lsa_blob1.data = q.out.new_val->buf->data;
 584                 lsa_blob1.length = q.out.new_val->buf->length;
 585
 586                 lsa_blob_out = data_blob(NULL, lsa_blob1.length);
 587
 588                 sess_crypt_blob(&lsa_blob_out, &lsa_blob1, &session_key, 0);
 589
 590                 if (new->secret.length != lsa_blob_out.length) {
 591                         printf("Returned secret %s doesn't match: %d != %d\n",
 592                                new->name, new->secret.length, lsa_blob_out.length);
 593                         ret = False;
 594                 }
 595
 596                 if (memcmp(lsa_blob_out.data,
 597                            new->secret.data, new->secret.length) != 0) {
 598                         printf("Returned secret %s doesn't match: \n",
 599                                new->name);
 600                         DEBUG(1, ("SamSync Secret:\n"));
 601                         dump_data(1, new->secret.data, new->secret.length);
 602                         DEBUG(1, ("LSA Secret:\n"));
 603                         dump_data(1, lsa_blob_out.data, lsa_blob_out.length);
 604                         ret = False;
 605                 }
 606         }
 607
 608         return ret;
 609 }
 610
 611 static BOOL samsync_handle_trusted_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 612                                           int database_id, struct netr_DELTA_ENUM *delta)
 613 {
 614         struct netr_DELTA_TRUSTED_DOMAIN *trusted_domain = delta->delta_union.trusted_domain;
 615         struct dom_sid *dom_sid = delta->delta_id_union.sid;
 616
 617         struct samsync_trusted_domain *new = talloc_p(samsync_state, struct samsync_trusted_domain);
 618         new->name = talloc_reference(new, trusted_domain->domain_name.string);
 619         new->sid = talloc_reference(new, dom_sid);
 620
 621         DLIST_ADD(samsync_state->trusted_domains, new);
 622
 623         return True;
 624 }
 625
 626 /*
 627   try a netlogon DatabaseSync
 628 */
 629 static BOOL test_DatabaseSync(struct samsync_state *samsync_state,
 630                               TALLOC_CTX *mem_ctx)
 631 {
 632         NTSTATUS status;
 633         struct netr_DatabaseSync r;
 634         const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
 635         int i, d;
 636         BOOL ret = True;
 637         struct samsync_trusted_domain *t;
 638         struct samsync_secret *s;
 639
 640         const char *domain, *username;
 641
 642         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
 643         r.in.computername = TEST_MACHINE_NAME;
 644         r.in.preferredmaximumlength = (uint32_t)-1;
 645         ZERO_STRUCT(r.in.return_authenticator);
 646
 647         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
 648                 r.in.sync_context = 0;
 649                 r.in.database_id = database_ids[i];
 650
 651                 printf("Testing DatabaseSync of id %d\n", r.in.database_id);
 652
 653                 do {
 654                         creds_client_authenticator(samsync_state->creds, &r.in.credential);
 655
 656                         status = dcerpc_netr_DatabaseSync(samsync_state->p, mem_ctx, &r);
 657                         if (!NT_STATUS_IS_OK(status) &&
 658                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
 659                                 printf("DatabaseSync - %s\n", nt_errstr(status));
 660                                 ret = False;
 661                                 break;
 662                         }
 663
 664                         if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
 665                                 printf("Credential chaining failed\n");
 666                         }
 667
 668                         r.in.sync_context = r.out.sync_context;
 669
 670                         for (d=0; d < r.out.delta_enum_array->num_deltas; d++) {
 671                                 switch (r.out.delta_enum_array->delta_enum[d].delta_type) {
 672                                 case NETR_DELTA_DOMAIN:
 673                                         ret &= samsync_handle_domain(mem_ctx, samsync_state,
 674                                                                      r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 675                                         break;
 676                                 case NETR_DELTA_USER:
 677                                         ret &= samsync_handle_user(mem_ctx, samsync_state,
 678                                                                    r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 679                                         break;
 680                                 case NETR_DELTA_TRUSTED_DOMAIN:
 681                                         ret &= samsync_handle_trusted_domain(mem_ctx, samsync_state,
 682                                                                              r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 683                                         break;
 684                                 case NETR_DELTA_SECRET:
 685                                         ret &= samsync_handle_secret(mem_ctx, samsync_state,
 686                                                                      r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 687                                         break;
 688                                 case NETR_DELTA_POLICY:
 689                                         ret &= samsync_handle_policy(mem_ctx, samsync_state,
 690                                                                      r.in.database_id, &r.out.delta_enum_array->delta_enum[d]);
 691                                         break;
 692                                 }
 693                         }
 694                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
 695
 696         }
 697
 698         domain = samsync_state->domain_name[SAM_DATABASE_DOMAIN];
 699         if (!domain) {
 700                 printf("Never got a DOMAIN object in samsync!\n");
 701                 return False;
 702         }
 703
 704         username = talloc_asprintf(mem_ctx, "%s$", domain);
 705         for (t=samsync_state->trusted_domains; t; t=t->next) {
 706                 char *secret_name = talloc_asprintf(mem_ctx, "G$$%s", t->name);
 707                 for (s=samsync_state->secrets; s; s=s->next) {
 708                         printf("Checking secret %s against %s\n",
 709                                s->name, secret_name);
 710                         if (StrCaseCmp(s->name, secret_name) == 0) {
 711                                 NTSTATUS nt_status;
 712                                 struct samr_Password nt_hash;
 713                                 mdfour(nt_hash.hash, s->secret.data, s->secret.length);
 714
 715                                 printf("Checking password for %s\\%s\n", t->name, username);
 716                                 nt_status = test_SamLogon(samsync_state->p, mem_ctx, samsync_state->creds,
 717                                                           t->name,
 718                                                           username,
 719                                                           NULL,
 720                                                           &nt_hash,
 721                                                           NULL);
 722                                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 723                                         printf("Could not verify trust password to %s: %s\n",
 724                                                t->name, nt_errstr(nt_status));
 725                                         ret = False;
 726                                 }
 727
 728                                 /* break it */
 729                                 nt_hash.hash[0]++;
 730                                 nt_status = test_SamLogon(samsync_state->p, mem_ctx, samsync_state->creds,
 731                                                           t->name,
 732                                                           username,
 733                                                           NULL,
 734                                                           &nt_hash,
 735                                                           NULL);
 736
 737                                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
 738                                         printf("Verifiction of trust password to %s: should have failed (nologon interdomain trust account), instead: %s\n",
 739                                                t->name, nt_errstr(nt_status));
 740                                         ret = False;
 741                                         ret = False;
 742                                 }
 743
 744                                 break;
 745                         }
 746                 }
 747         }
 748         return ret;
 749 }
 750
 751
 752 /*
 753   try a netlogon DatabaseDeltas
 754 */
 755 static BOOL test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX *mem_ctx)
 756 {
 757         NTSTATUS status;
 758         struct netr_DatabaseDeltas r;
 759         const uint32_t database_ids[] = {0, 1, 2};
 760         int i;
 761         BOOL ret = True;
 762
 763         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(samsync_state->p));
 764         r.in.computername = TEST_MACHINE_NAME;
 765         r.in.preferredmaximumlength = (uint32_t)-1;
 766         ZERO_STRUCT(r.in.return_authenticator);
 767
 768         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
 769                 r.in.database_id = database_ids[i];
 770                 r.in.sequence_num = samsync_state->seq_num[i];
 771
 772                 if (r.in.sequence_num == 0) continue;
 773
 774                 r.in.sequence_num -= 1;
 775
 776
 777                 printf("Testing DatabaseDeltas of id %d at %llu\n",
 778                        r.in.database_id, r.in.sequence_num);
 779
 780                 do {
 781                         creds_client_authenticator(samsync_state->creds, &r.in.credential);
 782
 783                         status = dcerpc_netr_DatabaseDeltas(samsync_state->p, mem_ctx, &r);
 784                         if (!NT_STATUS_IS_OK(status) &&
 785                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
 786                                 printf("DatabaseDeltas - %s\n", nt_errstr(status));
 787                                 ret = False;
 788                                 break;
 789                         }
 790
 791                         if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator.cred)) {
 792                                 printf("Credential chaining failed\n");
 793                         }
 794
 795                         r.in.sequence_num++;
 796                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
 797         }
 798
 799         return ret;
 800 }
 801
 802
 803 /*
 804   try a netlogon DatabaseSync2
 805 */
 806 static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 807                                struct creds_CredentialState *creds)
 808 {
 809         NTSTATUS status;
 810         struct netr_DatabaseSync2 r;
 811         const uint32_t database_ids[] = {0, 1, 2};
 812         int i;
 813         BOOL ret = True;
 814
 815         r.in.logon_server = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
 816         r.in.computername = TEST_MACHINE_NAME;
 817         r.in.preferredmaximumlength = (uint32_t)-1;
 818         ZERO_STRUCT(r.in.return_authenticator);
 819
 820         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
 821                 r.in.sync_context = 0;
 822                 r.in.database_id = database_ids[i];
 823                 r.in.restart_state = 0;
 824
 825                 printf("Testing DatabaseSync2 of id %d\n", r.in.database_id);
 826
 827                 do {
 828                         creds_client_authenticator(creds, &r.in.credential);
 829
 830                         status = dcerpc_netr_DatabaseSync2(p, mem_ctx, &r);
 831                         if (!NT_STATUS_IS_OK(status) &&
 832                             !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
 833                                 printf("DatabaseSync2 - %s\n", nt_errstr(status));
 834                                 ret = False;
 835                                 break;
 836                         }
 837
 838                         if (!creds_client_check(creds, &r.out.return_authenticator.cred)) {
 839                                 printf("Credential chaining failed\n");
 840                         }
 841
 842                         r.in.sync_context = r.out.sync_context;
 843                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
 844         }
 845
 846         return ret;
 847 }
 848
 849
 850
 851 BOOL torture_rpc_samsync(void)
 852 {
 853         NTSTATUS status;
 854         TALLOC_CTX *mem_ctx;
 855         BOOL ret = True;
 856         struct test_join *join_ctx;
 857         const char *machine_password;
 858         const char *binding = lp_parm_string(-1, "torture", "binding");
 859         struct dcerpc_binding b;
 860         struct samr_Connect c;
 861         struct samr_SetDomainInfo s;
 862         struct policy_handle *domain_policy;
 863
 864         struct lsa_ObjectAttribute attr;
 865         struct lsa_QosInfo qos;
 866         struct lsa_OpenPolicy2 r;
 867
 868         struct samsync_state *samsync_state;
 869
 870         mem_ctx = talloc_init("torture_rpc_netlogon");
 871
 872         join_ctx = torture_join_domain(TEST_MACHINE_NAME, lp_workgroup(), ACB_SVRTRUST,
 873                                        &machine_password);
 874         if (!join_ctx) {
 875                 printf("Failed to join as BDC\n");
 876                 return False;
 877         }
 878
 879         samsync_state = talloc_zero_p(mem_ctx, struct samsync_state);
 880
 881         samsync_state->p_samr = torture_join_samr_pipe(join_ctx);
 882         samsync_state->connect_handle = talloc_zero_p(samsync_state, struct policy_handle);
 883         samsync_state->lsa_handle = talloc_zero_p(samsync_state, struct policy_handle);
 884         c.in.system_name = NULL;
 885         c.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 886         c.out.connect_handle = samsync_state->connect_handle;
 887
 888         status = dcerpc_samr_Connect(samsync_state->p_samr, mem_ctx, &c);
 889         if (!NT_STATUS_IS_OK(status)) {
 890                 printf("samr_Connect failed\n");
 891                 ret = False;
 892                 goto failed;
 893         }
 894
 895         domain_policy = samsync_open_domain(mem_ctx, samsync_state, lp_workgroup(), NULL);
 896         if (!domain_policy) {
 897                 printf("samrsync_open_domain failed\n");
 898                 ret = False;
 899                 goto failed;
 900         }
 901
 902         s.in.domain_handle = domain_policy;
 903         s.in.level = 4;
 904         s.in.info = talloc_p(mem_ctx, union samr_DomainInfo);
 905
 906         s.in.info->info4.comment.string
 907                 = talloc_asprintf(mem_ctx,
 908                                   "Tortured by Samba4: %s",
 909                                   timestring(mem_ctx, time(NULL)));
 910         status = dcerpc_samr_SetDomainInfo(samsync_state->p_samr, mem_ctx, &s);
 911
 912         if (!NT_STATUS_IS_OK(status)) {
 913                 printf("SetDomainInfo level %u failed - %s\n",
 914                        s.in.level, nt_errstr(status));
 915                 ret = False;
 916                 goto failed;
 917         }
 918
 919
 920         status = dcerpc_parse_binding(mem_ctx, binding, &b);
 921         if (!NT_STATUS_IS_OK(status)) {
 922                 printf("Bad binding string %s\n", binding);
 923                 ret = False;
 924                 goto failed;
 925         }
 926
 927         status = torture_rpc_connection(&samsync_state->p_lsa,
 928                                         DCERPC_LSARPC_NAME,
 929                                         DCERPC_LSARPC_UUID,
 930                                         DCERPC_LSARPC_VERSION);
 931
 932         if (!NT_STATUS_IS_OK(status)) {
 933                 ret = False;
 934                 goto failed;
 935         }
 936
 937         qos.len = 0;
 938         qos.impersonation_level = 2;
 939         qos.context_mode = 1;
 940         qos.effective_only = 0;
 941
 942         attr.len = 0;
 943         attr.root_dir = NULL;
 944         attr.object_name = NULL;
 945         attr.attributes = 0;
 946         attr.sec_desc = NULL;
 947         attr.sec_qos = &qos;
 948
 949         r.in.system_name = "\\";
 950         r.in.attr = &attr;
 951         r.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
 952         r.out.handle = samsync_state->lsa_handle;
 953
 954         status = dcerpc_lsa_OpenPolicy2(samsync_state->p_lsa, mem_ctx, &r);
 955         if (!NT_STATUS_IS_OK(status)) {
 956                 printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
 957                 ret = False;
 958                 goto failed;
 959         }
 960
 961         b.flags &= ~DCERPC_AUTH_OPTIONS;
 962         b.flags |= DCERPC_SCHANNEL_BDC | DCERPC_SIGN | DCERPC_SCHANNEL_128;
 963
 964         status = dcerpc_pipe_connect_b(&samsync_state->p, &b,
 965                                        DCERPC_NETLOGON_UUID,
 966                                        DCERPC_NETLOGON_VERSION,
 967                                        lp_workgroup(),
 968                                        TEST_MACHINE_NAME,
 969                                        machine_password);
 970
 971         if (!NT_STATUS_IS_OK(status)) {
 972                 ret = False;
 973                 goto failed;
 974         }
 975
 976         status = dcerpc_schannel_creds(samsync_state->p->security_state.generic_state, mem_ctx, &samsync_state->creds);
 977         if (!NT_STATUS_IS_OK(status)) {
 978                 ret = False;
 979         }
 980
 981         if (!test_DatabaseSync(samsync_state, mem_ctx)) {
 982                 ret = False;
 983         }
 984
 985         if (!test_DatabaseDeltas(samsync_state, mem_ctx)) {
 986                 ret = False;
 987         }
 988
 989         if (!test_DatabaseSync2(samsync_state->p, mem_ctx, samsync_state->creds)) {
 990                 ret = False;
 991         }
 992 failed:
 993         torture_rpc_close(samsync_state->p);
 994
 995         torture_leave_domain(join_ctx);
 996
 997         talloc_destroy(mem_ctx);
 998
 999         return ret;
1000 }