* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_username(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+const char *cli_credentials_get_username(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred);
}
- /* If we have a principal set on this, we want to login with "" domain and user@realm */
- if (cred->username_obtained < cred->principal_obtained) {
- return cli_credentials_get_principal(cred, mem_ctx);
- }
-
if (cred->username_obtained == CRED_CALLBACK) {
cred->username = cred->username_cb(cred);
cred->username_obtained = CRED_SPECIFIED;
}
- return talloc_reference(mem_ctx, cred->username);
+ return cred->username;
}
BOOL cli_credentials_set_username(struct cli_credentials *cred,
if (cred->principal_obtained < cred->username_obtained) {
if (cred->domain_obtained > cred->realm_obtained) {
- return NULL;
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred),
+ cli_credentials_get_domain(cred));
} else {
return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ);
- cli_credentials_set_realm(cred, *realm, obtained);
cli_credentials_set_principal(cred, name, obtained);
free(name);
cli_credentials_set_machine_account(cred);
}
- /* If we have a principal set on this, we want to login with "" domain and user@realm */
- if (cred->domain_obtained < cred->principal_obtained) {
- return "";
- }
-
if (cred->domain_obtained == CRED_CALLBACK) {
cred->domain = cred->domain_cb(cred);
cred->domain_obtained = CRED_SPECIFIED;
return False;
}
+void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
+ const char **username,
+ const char **domain)
+{
+ if (cred->principal_obtained > cred->username_obtained) {
+ *domain = talloc_strdup(mem_ctx, "");
+ *username = cli_credentials_get_principal(cred, mem_ctx);
+ } else {
+ *domain = cli_credentials_get_domain(cred);
+ *username = cli_credentials_get_username(cred);
+ }
+}
+
/**
* Obtain the Kerberos realm for this credentials context.
* @param cred credentials context
BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
{
TALLOC_CTX *tmp_ctx = talloc_new(cred);
- const char *username = cli_credentials_get_username(cred, tmp_ctx);
+ const char *username = cli_credentials_get_username(cred);
/* Yes, it is deliberate that we die if we have a NULL pointer
* here - anonymous is "", not NULL, which is 'never specified,
struct netr_LogonSamLogonWithFlags r_flags;
struct netr_Authenticator auth, auth2;
struct creds_CredentialState *creds;
-
+ NTSTATUS expected_error;
DATA_BLOB chall;
};
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
if (break_which == NO_NT && !lm_good) {
- printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!");
+ *error_string = strdup("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!");
return False;
}
memset(lm_key_expected+8, '\0', 8);
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
- printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
+ *error_string = strdup("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
printf("user_session_key:\n");
dump_data(1, user_session_key, sizeof(user_session_key));
printf("expected:\n");
default:
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("NT Session Key does not match expectations!\n");
+ *error_string = strdup("NT Session Key does not match expectations!\n");
printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
printf("expected:\n");
user_session_key,
error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
user_session_key,
error_string);
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
+ return False;
+ }
+
if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
return break_which == BREAK_BOTH;
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
+
switch (break_which) {
case NO_NT:
if (memcmp(lmv2_session_key.data, user_session_key,
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
user_session_key,
error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *account_domain, const char *account_name,
- const char *plain_pass,
+ const char *plain_pass, NTSTATUS expected_error,
int n_subtests)
{
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_SamLogon function-level context");
samlogon_state.password = plain_pass;
samlogon_state.p = p;
samlogon_state.creds = creds;
-
+ samlogon_state.expected_error = expected_error;
samlogon_state.chall = data_blob_talloc(fn_ctx, NULL, 8);
generate_random_buffer(samlogon_state.chall.data, 8);
struct creds_CredentialState *creds,
const char *workstation_name,
const char *account_domain, const char *account_name,
- const char *plain_pass)
+ const char *plain_pass, NTSTATUS expected_error)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
talloc_free(fn_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - %s\n",
- account_name, account_domain, nt_errstr(status));
+ if (!NT_STATUS_EQUAL(expected_error, status)) {
+ printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n",
+ account_domain, account_name, nt_errstr(expected_error), nt_errstr(status));
return False;
}
NTSTATUS status;
struct dcerpc_pipe *p;
struct dcerpc_binding *b;
- struct cli_credentials *credentials;
+ struct cli_credentials *machine_credentials;
TALLOC_CTX *mem_ctx = talloc_init("torture_rpc_netlogon");
BOOL ret = True;
struct test_join *join_ctx;
struct creds_CredentialState *creds;
- struct {
- const char *domain;
- const char *username;
- const char *password;
- BOOL network_login;
- } usercreds[] = {
- {
- cli_credentials_get_domain(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
- {
- cli_credentials_get_realm(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_domain(cmdline_credentials)
- ),
- cli_credentials_get_password(cmdline_credentials),
- False
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_realm(cmdline_credentials)
- ),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
-#if 0
- {
- lp_parm_string(-1, "torture", "userdomain"),
- TEST_USER_NAME,
- NULL,
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- TEST_USER_NAME,
- lp_realm()),
- NULL,
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- TEST_USER_NAME,
- lp_parm_string(-1, "torture", "userdomain")),
- NULL,
- False
- }
-#endif
- };
-
- credentials = cli_credentials_init(mem_ctx);
+ machine_credentials = cli_credentials_init(mem_ctx);
test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME);
/* We only need to join as a workstation here, and in future,
return False;
}
- usercreds[3].password = user_password;
- usercreds[4].password = user_password;
- usercreds[5].password = user_password;
#endif
status = dcerpc_parse_binding(mem_ctx, binding, &b);
b->flags &= ~DCERPC_AUTH_OPTIONS;
b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
- cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
- cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
- cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
- cli_credentials_set_secure_channel_type(credentials,
+ cli_credentials_set_workstation(machine_credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
+ cli_credentials_set_domain(machine_credentials, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_realm(machine_credentials, lp_realm(), CRED_SPECIFIED);
+ cli_credentials_set_username(machine_credentials, test_machine_account, CRED_SPECIFIED);
+ cli_credentials_set_password(machine_credentials, machine_password, CRED_SPECIFIED);
+ cli_credentials_set_secure_channel_type(machine_credentials,
SEC_CHAN_WKSTA);
status = dcerpc_pipe_connect_b(mem_ctx, &p, b,
DCERPC_NETLOGON_UUID,
DCERPC_NETLOGON_VERSION,
- credentials, NULL);
+ machine_credentials, NULL);
if (!NT_STATUS_IS_OK(status)) {
printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
goto failed;
}
- /* Try all the tests for different username forms */
- for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
+ {
- if (!test_InteractiveLogon(p, mem_ctx, creds,
- TEST_MACHINE_NAME,
- usercreds[ci].domain,
- usercreds[ci].username,
- usercreds[ci].password)) {
- ret = False;
- }
+ struct {
+ const char *domain;
+ const char *username;
+ const char *password;
+ BOOL network_login;
+ NTSTATUS expected_interactive_error;
+ NTSTATUS expected_network_error;
+ } usercreds[] = {
+ {
+ cli_credentials_get_domain(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ cli_credentials_get_realm(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_domain(cmdline_credentials)
+ ),
+ cli_credentials_get_password(cmdline_credentials),
+ False,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_realm(cmdline_credentials)
+ ),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ cli_credentials_get_domain(machine_credentials),
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ cli_credentials_get_realm(machine_credentials),
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_domain(machine_credentials)
+ ),
+ cli_credentials_get_password(machine_credentials),
+ False,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_realm(machine_credentials)
+ ),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+#if 0
+ {
+ lp_parm_string(-1, "torture", "userdomain"),
+ TEST_USER_NAME,
+ user_password,
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ TEST_USER_NAME,
+ lp_realm()),
+ user_password,
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ TEST_USER_NAME,
+ lp_parm_string(-1, "torture", "userdomain")),
+ user_password,
+ False,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ }
+#endif
+ };
- if (usercreds[ci].network_login) {
- if (!test_SamLogon(p, mem_ctx, creds,
- usercreds[ci].domain,
- usercreds[ci].username,
- usercreds[ci].password,
- 0)) {
+ /* Try all the tests for different username forms */
+ for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
+
+ if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
+ usercreds[ci].domain,
+ usercreds[ci].username,
+ usercreds[ci].password,
+ usercreds[ci].expected_interactive_error)) {
ret = False;
}
+
+ if (usercreds[ci].network_login) {
+ if (!test_SamLogon(p, mem_ctx, creds,
+ usercreds[ci].domain,
+ usercreds[ci].username,
+ usercreds[ci].password,
+ usercreds[ci].expected_network_error,
+ 0)) {
+ ret = False;
+ }
+ }
}
- }
- /* Using the first username form, try the different
- * credentials flag setups, on only one of the tests (checks
- * session key encryption) */
-
- for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
- if (!test_InteractiveLogon(p, mem_ctx, creds,
- TEST_MACHINE_NAME,
- usercreds[0].domain,
- usercreds[0].username,
- usercreds[0].password)) {
- ret = False;
- }
-
- if (usercreds[ci].network_login) {
- if (!test_SamLogon(p, mem_ctx, creds,
- usercreds[0].domain,
- usercreds[0].username,
- usercreds[0].password,
- 1)) {
+ /* Using the first username form, try the different
+ * credentials flag setups, on only one of the tests (checks
+ * session key encryption) */
+
+ for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
+ if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
+ usercreds[0].domain,
+ usercreds[0].username,
+ usercreds[0].password,
+ usercreds[0].expected_interactive_error)) {
ret = False;
}
+
+ if (usercreds[ci].network_login) {
+ if (!test_SamLogon(p, mem_ctx, creds,
+ usercreds[0].domain,
+ usercreds[0].username,
+ usercreds[0].password,
+ usercreds[0].expected_network_error,
+ 1)) {
+ ret = False;
+ }
+ }
}
- }
+ }
failed:
talloc_free(mem_ctx);
git.samba.org / bbaumbach / samba-autobuild / .git / commitdiff