9fca10f1b081f74915259e66ca951abfb672fb61
[gd/samba-autobuild/.git] / source4 / torture / rpc / remote_pac.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    test suite for netlogon PAC operations
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "auth/auth.h"
24 #include "auth/auth_sam_reply.h"
25 #include "auth/gensec/gensec.h"
26 #include "system/kerberos.h"
27 #include "auth/kerberos/kerberos.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/credentials/credentials_krb5.h"
30 #include "lib/cmdline/popt_common.h"
31 #include "torture/rpc/torture_rpc.h"
32 #include "libcli/auth/libcli_auth.h"
33 #include "libcli/security/security.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_krb5pac.h"
36 #include "librpc/gen_ndr/ndr_samr_c.h"
37 #include "param/param.h"
38
39 #define TEST_MACHINE_NAME_BDC "torturepacbdc"
40 #define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
41 #define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
42 #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc"
43 #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk"
44
45 struct pac_data {
46         DATA_BLOB pac_blob;
47         struct PAC_SIGNATURE_DATA *pac_srv_sig;
48         struct PAC_SIGNATURE_DATA *pac_kdc_sig;
49 };
50
51 /* A helper function which avoids touching the local databases to
52  * generate the session info, as we just want to verify the PAC
53  * details, not the full local token */
54 static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
55                                                TALLOC_CTX *mem_ctx,
56                                                struct smb_krb5_context *smb_krb5_context,
57                                                DATA_BLOB *pac_blob,
58                                                const char *principal_name,
59                                                const struct tsocket_address *remote_address,
60                                                uint32_t session_info_flags,
61                                                struct auth_session_info **session_info)
62 {
63         NTSTATUS nt_status;
64         struct auth_user_info_dc *user_info_dc;
65         TALLOC_CTX *tmp_ctx;
66         struct pac_data *pac_data;
67
68         tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
69         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
70
71         auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
72
73         pac_data->pac_blob = data_blob_dup_talloc(pac_data, *pac_blob);
74         if (pac_data->pac_blob.length != pac_blob->length) {
75                 talloc_free(tmp_ctx);
76                 return NT_STATUS_NO_MEMORY;
77         }
78
79         pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
80         if (!pac_data->pac_srv_sig) {
81                 talloc_free(tmp_ctx);
82                 return NT_STATUS_NO_MEMORY;
83         }
84         pac_data->pac_kdc_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
85         if (!pac_data->pac_kdc_sig) {
86                 talloc_free(tmp_ctx);
87                 return NT_STATUS_NO_MEMORY;
88         }
89
90         nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
91                                                       *pac_blob,
92                                                       smb_krb5_context->krb5_context,
93                                                       &user_info_dc,
94                                                       pac_data->pac_srv_sig,
95                                                       pac_data->pac_kdc_sig);
96         if (!NT_STATUS_IS_OK(nt_status)) {
97                 talloc_free(tmp_ctx);
98                 return nt_status;
99         }
100
101         talloc_steal(pac_data, pac_data->pac_srv_sig);
102         talloc_steal(pac_data, pac_data->pac_kdc_sig);
103
104         if (user_info_dc->info->authenticated) {
105                 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
106         }
107
108         session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
109         nt_status = auth_generate_session_info(mem_ctx,
110                                                NULL,
111                                                NULL,
112                                                user_info_dc, session_info_flags,
113                                                session_info);
114         if (!NT_STATUS_IS_OK(nt_status)) {
115                 talloc_free(tmp_ctx);
116                 return nt_status;
117         }
118
119         talloc_free(tmp_ctx);
120         return nt_status;
121 }
122
123 /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
124
125 static const struct PAC_BUFFER *get_pac_buffer(const struct PAC_DATA *pac_data,
126                                                enum PAC_TYPE type)
127 {
128         const struct PAC_BUFFER *pac_buf = NULL;
129         uint32_t i;
130
131         for (i = 0; i < pac_data->num_buffers; ++i) {
132                 pac_buf = &pac_data->buffers[i];
133
134                 if (pac_buf->type == type) {
135                         break;
136                 }
137         }
138
139         return pac_buf;
140 }
141
142 /* Also happens to be a really good one-step verfication of our Kerberos stack */
143
144 static bool test_PACVerify(struct torture_context *tctx,
145                            struct dcerpc_pipe *p1,
146                            struct cli_credentials *credentials,
147                            enum netr_SchannelType secure_channel_type,
148                            const char *test_machine_name,
149                            uint32_t negotiate_flags)
150 {
151         NTSTATUS status;
152         bool pkinit_in_use = torture_setting_bool(tctx, "pkinit_in_use", false);
153         bool expect_pac_upn_dns_info = torture_setting_bool(tctx, "expect_pac_upn_dns_info", true);
154         size_t num_pac_buffers;
155
156         struct netr_LogonSamLogon r;
157
158         union netr_LogonLevel logon;
159         union netr_Validation validation;
160         uint8_t authoritative;
161         struct netr_Authenticator return_authenticator;
162
163         struct netr_GenericInfo generic;
164         struct netr_Authenticator auth, auth2;
165
166         struct netlogon_creds_CredentialState *creds;
167         struct gensec_security *gensec_client_context;
168         struct gensec_security *gensec_server_context;
169         struct cli_credentials *client_creds;
170         struct cli_credentials *server_creds;
171
172         DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload;
173         struct PAC_Validate pac_wrapped_struct;
174         struct PAC_DATA pac_data_struct;
175
176         enum ndr_err_code ndr_err;
177
178         struct auth4_context *auth_context;
179         struct auth_session_info *session_info;
180         struct pac_data *pac_data;
181         const struct PAC_BUFFER *pac_buf = NULL;
182
183         struct dcerpc_pipe *p = NULL;
184         struct dcerpc_binding_handle *b = NULL;
185         TALLOC_CTX *tmp_ctx = talloc_new(tctx);
186         torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
187
188         torture_comment(tctx,
189                 "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
190                 secure_channel_type, test_machine_name, negotiate_flags);
191
192         /*
193          * Copy the credentials in order to use a different MEMORY krb5 ccache
194          * for each client/server setup. The MEMORY cache identifier is a
195          * pointer to the creds container. If we copy it the pointer changes and
196          * we will get a new clean memory cache.
197          */
198         client_creds = cli_credentials_shallow_copy(tmp_ctx,
199                                                     cmdline_credentials);
200         torture_assert(tctx, client_creds, "Failed to copy of credentials");
201         if (!pkinit_in_use) {
202                 /* Invalidate the gss creds container to allocate a new MEMORY ccache */
203                 cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
204         }
205
206         server_creds = cli_credentials_shallow_copy(tmp_ctx,
207                                                     credentials);
208         torture_assert(tctx, server_creds, "Failed to copy of credentials");
209
210         if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
211                                     server_creds, secure_channel_type,
212                                     &creds)) {
213                 return false;
214         }
215         if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
216                                        DCERPC_SIGN | DCERPC_SEAL, &p)) {
217                 return false;
218         }
219         b = p->binding_handle;
220
221         auth_context = talloc_zero(tmp_ctx, struct auth4_context);
222         torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
223
224         auth_context->generate_session_info_pac = test_generate_session_info_pac;
225
226         status = gensec_client_start(tctx, &gensec_client_context,
227                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
228         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
229
230         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
231
232         status = gensec_set_credentials(gensec_client_context, client_creds);
233         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
234
235         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
236         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
237
238         status = gensec_server_start(tctx,
239                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
240                                      auth_context, &gensec_server_context);
241         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
242
243         status = gensec_set_credentials(gensec_server_context, server_creds);
244         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
245
246         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
247         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
248
249         server_to_client = data_blob(NULL, 0);
250
251         do {
252                 /* Do a client-server update dance */
253                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
254                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
255                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
256                 }
257
258                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
259                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
260                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
261                 }
262
263                 if (NT_STATUS_IS_OK(status)) {
264                         break;
265                 }
266         } while (1);
267
268         /* Extract the PAC using Samba's code */
269
270         status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
271         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
272
273         pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
274
275         torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
276         torture_assert(tctx, pac_data->pac_srv_sig != NULL, "pac_srv_sig not present");
277         torture_assert(tctx, pac_data->pac_kdc_sig != NULL, "pac_kdc_sig not present");
278
279         ndr_err = ndr_pull_struct_blob(&pac_data->pac_blob, tmp_ctx, &pac_data_struct,
280                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
281         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
282
283         num_pac_buffers = 4;
284         if (expect_pac_upn_dns_info) {
285                 num_pac_buffers += 1;
286         }
287         if (pkinit_in_use) {
288                 num_pac_buffers += 1;
289         }
290
291         torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
292         torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
293
294         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_INFO);
295         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_INFO");
296         torture_assert(tctx,
297                        pac_buf->info != NULL,
298                        "PAC_TYPE_LOGON_INFO info");
299
300         if (pkinit_in_use) {
301                 pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CREDENTIAL_INFO);
302                 torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CREDENTIAL_INFO");
303                 torture_assert(tctx,
304                                pac_buf->info != NULL,
305                                "PAC_TYPE_CREDENTIAL_INFO info");
306         }
307
308         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_LOGON_NAME);
309         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_LOGON_NAME");
310         torture_assert(tctx,
311                        pac_buf->info != NULL,
312                        "PAC_TYPE_LOGON_NAME info");
313
314         if (expect_pac_upn_dns_info) {
315                 pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_UPN_DNS_INFO);
316                 torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_UPN_DNS_INFO");
317                 torture_assert(tctx,
318                                pac_buf->info != NULL,
319                                "PAC_TYPE_UPN_DNS_INFO info");
320         }
321
322         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_SRV_CHECKSUM);
323         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_SRV_CHECKSUM");
324         torture_assert(tctx,
325                        pac_buf->info != NULL,
326                        "PAC_TYPE_SRV_CHECKSUM info");
327
328         pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_KDC_CHECKSUM);
329         torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_KDC_CHECKSUM");
330         torture_assert(tctx,
331                        pac_buf->info != NULL,
332                        "PAC_TYPE_KDC_CHECKSUM info");
333
334         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
335         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
336         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
337         pac_wrapped_struct.ChecksumAndSignature = payload
338                 = data_blob_talloc(tmp_ctx, NULL,
339                                    pac_wrapped_struct.ChecksumLength
340                                    + pac_wrapped_struct.SignatureLength);
341         memcpy(&payload.data[0],
342                pac_data->pac_srv_sig->signature.data,
343                pac_wrapped_struct.ChecksumLength);
344         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
345                pac_data->pac_kdc_sig->signature.data,
346                pac_wrapped_struct.SignatureLength);
347
348         ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
349                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
350         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
351
352         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
353         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
354                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
355         } else {
356                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
357         }
358
359         generic.length = pac_wrapped.length;
360         generic.data = pac_wrapped.data;
361
362         /* Validate it over the netlogon pipe */
363
364         generic.identity_info.parameter_control = 0;
365         generic.identity_info.logon_id_high = 0;
366         generic.identity_info.logon_id_low = 0;
367         generic.identity_info.domain_name.string = session_info->info->domain_name;
368         generic.identity_info.account_name.string = session_info->info->account_name;
369         generic.identity_info.workstation.string = test_machine_name;
370
371         generic.package_name.string = "Kerberos";
372
373         logon.generic = &generic;
374
375         ZERO_STRUCT(auth2);
376         netlogon_creds_client_authenticator(creds, &auth);
377         r.in.credential = &auth;
378         r.in.return_authenticator = &auth2;
379         r.in.logon = &logon;
380         r.in.logon_level = NetlogonGenericInformation;
381         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
382         r.in.computer_name = cli_credentials_get_workstation(server_creds);
383         r.in.validation_level = NetlogonValidationGenericInfo2;
384         r.out.validation = &validation;
385         r.out.authoritative = &authoritative;
386         r.out.return_authenticator = &return_authenticator;
387
388         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
389                 "LogonSamLogon failed");
390
391         torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
392
393         /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */
394         generic.data[generic.length-1]++;
395
396         logon.generic = &generic;
397
398         ZERO_STRUCT(auth2);
399         netlogon_creds_client_authenticator(creds, &auth);
400         r.in.credential = &auth;
401         r.in.return_authenticator = &auth2;
402         r.in.logon_level = NetlogonGenericInformation;
403         r.in.logon = &logon;
404         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
405         r.in.computer_name = cli_credentials_get_workstation(server_creds);
406         r.in.validation_level = NetlogonValidationGenericInfo2;
407
408         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
409                 "LogonSamLogon failed");
410
411         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
412
413         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
414                        "Credential chaining failed");
415
416         /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */
417         generic.length--;
418
419         logon.generic = &generic;
420
421         ZERO_STRUCT(auth2);
422         netlogon_creds_client_authenticator(creds, &auth);
423         r.in.credential = &auth;
424         r.in.return_authenticator = &auth2;
425         r.in.logon_level = NetlogonGenericInformation;
426         r.in.logon = &logon;
427         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
428         r.in.computer_name = cli_credentials_get_workstation(server_creds);
429         r.in.validation_level = NetlogonValidationGenericInfo2;
430
431         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
432                 "LogonSamLogon failed");
433
434         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
435
436         torture_assert(tctx, netlogon_creds_client_check(creds,
437                                                          &r.out.return_authenticator->cred),
438                        "Credential chaining failed");
439
440         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
441         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
442
443         /* Break the SignatureType */
444         pac_wrapped_struct.SignatureType++;
445
446         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
447         pac_wrapped_struct.ChecksumAndSignature = payload
448                 = data_blob_talloc(tmp_ctx, NULL,
449                                    pac_wrapped_struct.ChecksumLength
450                                    + pac_wrapped_struct.SignatureLength);
451         memcpy(&payload.data[0],
452                pac_data->pac_srv_sig->signature.data,
453                pac_wrapped_struct.ChecksumLength);
454         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
455                pac_data->pac_kdc_sig->signature.data,
456                pac_wrapped_struct.SignatureLength);
457
458         ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
459                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
460         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
461
462         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
463         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
464                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
465         } else {
466                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
467         }
468
469         generic.length = pac_wrapped.length;
470         generic.data = pac_wrapped.data;
471
472         logon.generic = &generic;
473
474         ZERO_STRUCT(auth2);
475         netlogon_creds_client_authenticator(creds, &auth);
476         r.in.credential = &auth;
477         r.in.return_authenticator = &auth2;
478         r.in.logon_level = NetlogonGenericInformation;
479         r.in.logon = &logon;
480         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
481         r.in.computer_name = cli_credentials_get_workstation(server_creds);
482         r.in.validation_level = NetlogonValidationGenericInfo2;
483
484         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
485                 "LogonSamLogon failed");
486
487         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
488
489         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
490                        "Credential chaining failed");
491
492         pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length;
493         pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type;
494         pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length;
495
496         pac_wrapped_struct.ChecksumAndSignature = payload
497                 = data_blob_talloc(tmp_ctx, NULL,
498                                    pac_wrapped_struct.ChecksumLength
499                                    + pac_wrapped_struct.SignatureLength);
500         memcpy(&payload.data[0],
501                pac_data->pac_srv_sig->signature.data,
502                pac_wrapped_struct.ChecksumLength);
503         memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
504                pac_data->pac_kdc_sig->signature.data,
505                pac_wrapped_struct.SignatureLength);
506
507         /* Break the signature length */
508         pac_wrapped_struct.SignatureLength++;
509
510         ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
511                                        (ndr_push_flags_fn_t)ndr_push_PAC_Validate);
512         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
513
514         torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
515         if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
516                 netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
517         } else {
518                 netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
519         }
520
521         generic.length = pac_wrapped.length;
522         generic.data = pac_wrapped.data;
523
524         logon.generic = &generic;
525
526         ZERO_STRUCT(auth2);
527         netlogon_creds_client_authenticator(creds, &auth);
528         r.in.credential = &auth;
529         r.in.return_authenticator = &auth2;
530         r.in.logon_level = NetlogonGenericInformation;
531         r.in.logon = &logon;
532         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
533         r.in.computer_name = cli_credentials_get_workstation(server_creds);
534         r.in.validation_level = NetlogonValidationGenericInfo2;
535
536         torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
537                 "LogonSamLogon failed");
538
539         torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
540
541         torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
542                        "Credential chaining failed");
543
544         talloc_free(tmp_ctx);
545
546         return true;
547 }
548
549 static bool test_PACVerify_bdc_arcfour(struct torture_context *tctx,
550                                        struct dcerpc_pipe *p,
551                                        struct cli_credentials *credentials)
552 {
553         return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
554                               TEST_MACHINE_NAME_BDC,
555                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
556 }
557
558 static bool test_PACVerify_bdc_aes(struct torture_context *tctx,
559                                    struct dcerpc_pipe *p,
560                                    struct cli_credentials *credentials)
561 {
562         return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
563                               TEST_MACHINE_NAME_BDC,
564                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
565 }
566
567 static bool test_PACVerify_workstation_arcfour(struct torture_context *tctx,
568                                                struct dcerpc_pipe *p,
569                                                struct cli_credentials *credentials)
570 {
571         return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
572                               TEST_MACHINE_NAME_WKSTA,
573                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
574 }
575
576 static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
577                                            struct dcerpc_pipe *p,
578                                            struct cli_credentials *credentials)
579 {
580         return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
581                               TEST_MACHINE_NAME_WKSTA,
582                               NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
583 }
584
585 static bool test_PACVerify_workstation_des(struct torture_context *tctx,
586                                            struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
587 {
588         struct samr_SetUserInfo r;
589         union samr_UserInfo user_info;
590         struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
591         struct smb_krb5_context *smb_krb5_context;
592         krb5_error_code ret;
593
594         ret = cli_credentials_get_krb5_context(cmdline_credentials, tctx->lp_ctx, &smb_krb5_context);
595         torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
596
597         if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
598                 torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
599         }
600
601         /* Mark this workstation with DES-only */
602         user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
603         r.in.user_handle = torture_join_samr_user_policy(join_ctx);
604         r.in.level = 16;
605         r.in.info = &user_info;
606
607         torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
608                 "failed to set DES info account flags");
609         torture_assert_ntstatus_ok(tctx, r.out.result,
610                 "failed to set DES into account flags");
611
612         return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
613                               TEST_MACHINE_NAME_WKSTA_DES,
614                               NETLOGON_NEG_AUTH2_ADS_FLAGS);
615 }
616
617
618 /* Check various ways to get the PAC, in particular check the group membership and other details between the PAC from a normal kinit, S2U4Self and a SamLogon */
619 #ifdef SAMBA4_USES_HEIMDAL
620 static bool test_S2U4Self(struct torture_context *tctx,
621                           struct dcerpc_pipe *p1,
622                           struct cli_credentials *credentials,
623                           enum netr_SchannelType secure_channel_type,
624                           const char *test_machine_name,
625                           uint32_t negotiate_flags)
626 {
627         NTSTATUS status;
628         struct dcerpc_pipe *p = NULL;
629         struct dcerpc_binding_handle *b = NULL;
630
631         struct netr_LogonSamLogon r;
632
633         union netr_LogonLevel logon;
634         union netr_Validation validation;
635         uint8_t authoritative;
636
637         struct netr_Authenticator auth, auth2;
638
639         DATA_BLOB client_to_server, server_to_client;
640
641         struct netlogon_creds_CredentialState *creds;
642         struct gensec_security *gensec_client_context;
643         struct gensec_security *gensec_server_context;
644         struct cli_credentials *client_creds;
645         struct cli_credentials *server_creds;
646
647         struct auth4_context *auth_context;
648         struct auth_session_info *kinit_session_info;
649         struct auth_session_info *s2u4self_session_info;
650         struct auth_user_info_dc *netlogon_user_info_dc;
651
652         struct netr_NetworkInfo ninfo;
653         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
654         size_t i;
655         int flags = CLI_CRED_NTLMv2_AUTH;
656
657         struct dom_sid *builtin_domain;
658
659         TALLOC_CTX *tmp_ctx = talloc_new(tctx);
660
661         torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
662
663         torture_comment(tctx,
664                 "Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
665                 secure_channel_type, test_machine_name, negotiate_flags);
666
667         /*
668          * Copy the credentials in order to use a different MEMORY krb5 ccache
669          * for each client/server setup. The MEMORY cache identifier is a
670          * pointer to the creds container. If we copy it the pointer changes and
671          * we will get a new clean memory cache.
672          */
673         client_creds = cli_credentials_shallow_copy(tmp_ctx,
674                                                     cmdline_credentials);
675         torture_assert(tctx, client_creds, "Failed to copy of credentials");
676
677         server_creds = cli_credentials_shallow_copy(tmp_ctx,
678                                                     credentials);
679         torture_assert(tctx, server_creds, "Failed to copy of credentials");
680
681         if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
682                                     server_creds, secure_channel_type,
683                                     &creds)) {
684                 return false;
685         }
686         if (!test_SetupCredentialsPipe(p1, tctx, server_creds, creds,
687                                        DCERPC_SIGN | DCERPC_SEAL, &p)) {
688                 return false;
689         }
690         b = p->binding_handle;
691
692         auth_context = talloc_zero(tmp_ctx, struct auth4_context);
693         torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
694
695         auth_context->generate_session_info_pac = test_generate_session_info_pac;
696
697         /* First, do a normal Kerberos connection */
698
699         status = gensec_client_start(tctx, &gensec_client_context,
700                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
701         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
702
703         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
704
705         status = gensec_set_credentials(gensec_client_context, client_creds);
706         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
707
708         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
709         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
710
711         status = gensec_server_start(tctx,
712                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
713                                      auth_context, &gensec_server_context);
714         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
715
716         status = gensec_set_credentials(gensec_server_context, server_creds);
717         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
718
719         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
720         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
721
722         server_to_client = data_blob(NULL, 0);
723
724         do {
725                 /* Do a client-server update dance */
726                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
727                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
728                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
729                 }
730
731                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
732                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
733                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
734                 }
735
736                 if (NT_STATUS_IS_OK(status)) {
737                         break;
738                 }
739         } while (1);
740
741         /* Extract the PAC using Samba's code */
742
743         status = gensec_session_info(gensec_server_context, gensec_server_context, &kinit_session_info);
744         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
745
746
747         /* Now do the dance with S2U4Self */
748
749         /* Wipe out any existing ccache */
750         cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
751         cli_credentials_invalidate_ccache(server_creds, CRED_SPECIFIED);
752         cli_credentials_set_impersonate_principal(server_creds,
753                         cli_credentials_get_principal(client_creds, tmp_ctx),
754                         talloc_asprintf(tmp_ctx, "host/%s", test_machine_name));
755
756         status = gensec_client_start(tctx, &gensec_client_context,
757                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
758         torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
759
760         status = gensec_set_target_hostname(gensec_client_context, test_machine_name);
761
762         /* We now set the same credentials on both client and server contexts */
763         status = gensec_set_credentials(gensec_client_context, server_creds);
764         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
765
766         status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
767         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
768
769         status = gensec_server_start(tctx,
770                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
771                                      auth_context, &gensec_server_context);
772         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
773
774         status = gensec_set_credentials(gensec_server_context, server_creds);
775         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
776
777         status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
778         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
779
780         server_to_client = data_blob(NULL, 0);
781
782         do {
783                 /* Do a client-server update dance */
784                 status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
785                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
786                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
787                 }
788
789                 status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
790                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
791                         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
792                 }
793
794                 if (NT_STATUS_IS_OK(status)) {
795                         break;
796                 }
797         } while (1);
798
799         /* Don't pollute the remaining tests with the changed credentials */
800         cli_credentials_invalidate_ccache(server_creds, CRED_SPECIFIED);
801         cli_credentials_set_target_service(server_creds, NULL);
802         cli_credentials_set_impersonate_principal(server_creds, NULL, NULL);
803
804         /* Extract the PAC using Samba's code */
805
806         status = gensec_session_info(gensec_server_context, gensec_server_context, &s2u4self_session_info);
807         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
808
809         cli_credentials_get_ntlm_username_domain(client_creds, tctx,
810                                                  &ninfo.identity_info.account_name.string,
811                                                  &ninfo.identity_info.domain_name.string);
812
813         /* Now try with SamLogon */
814         generate_random_buffer(ninfo.challenge,
815                                sizeof(ninfo.challenge));
816         chal = data_blob_const(ninfo.challenge,
817                                sizeof(ninfo.challenge));
818
819         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(server_creds),
820                                                 cli_credentials_get_domain(server_creds));
821
822         status = cli_credentials_get_ntlm_response(client_creds, tctx,
823                                                    &flags,
824                                                    chal,
825                                                    NULL, /* server_timestamp */
826                                                    names_blob,
827                                                    &lm_resp, &nt_resp,
828                                                    NULL, NULL);
829         torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
830
831         ninfo.lm.data = lm_resp.data;
832         ninfo.lm.length = lm_resp.length;
833
834         ninfo.nt.data = nt_resp.data;
835         ninfo.nt.length = nt_resp.length;
836
837         ninfo.identity_info.parameter_control = 0;
838         ninfo.identity_info.logon_id_low = 0;
839         ninfo.identity_info.logon_id_high = 0;
840         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(server_creds);
841
842         logon.network = &ninfo;
843
844         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
845         r.in.computer_name = cli_credentials_get_workstation(server_creds);
846         r.in.credential = &auth;
847         r.in.return_authenticator = &auth2;
848         r.in.logon_level = NetlogonNetworkInformation;
849         r.in.logon = &logon;
850         r.out.validation = &validation;
851         r.out.authoritative = &authoritative;
852
853         ZERO_STRUCT(auth2);
854         netlogon_creds_client_authenticator(creds, &auth);
855
856         r.in.validation_level = 3;
857
858         status = dcerpc_netr_LogonSamLogon_r(b, tctx, &r);
859         torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
860
861         torture_assert(tctx, netlogon_creds_client_check(creds,
862                                                          &r.out.return_authenticator->cred),
863                        "Credential chaining failed");
864
865         torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
866
867         status = make_user_info_dc_netlogon_validation(tmp_ctx,
868                                                       ninfo.identity_info.account_name.string,
869                                                       r.in.validation_level,
870                                                       r.out.validation,
871                                                           true, /* This user was authenticated */
872                                                       &netlogon_user_info_dc);
873
874         torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
875
876         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
877                                  kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
878         torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
879                                  s2u4self_session_info->info->account_name, "Account name differs for S2U4Self");
880         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
881         torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s2u4self_session_info->info->full_name, "Full name differs for S2U4Self");
882         torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
883         torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s2u4self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S2U4Self");
884
885         builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
886
887         for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
888                 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
889                 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s2u4self_session_info->torture->dc_sids[i]), "Different domain groups for S2U4Self");
890                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
891                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
892                 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
893         }
894
895         return true;
896 }
897
898 static bool test_S2U4Self_bdc_arcfour(struct torture_context *tctx,
899                                       struct dcerpc_pipe *p,
900                                       struct cli_credentials *credentials)
901 {
902         return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC,
903                              TEST_MACHINE_NAME_S2U4SELF_BDC,
904                              NETLOGON_NEG_AUTH2_ADS_FLAGS);
905 }
906
907 static bool test_S2U4Self_bdc_aes(struct torture_context *tctx,
908                                   struct dcerpc_pipe *p,
909                                   struct cli_credentials *credentials)
910 {
911         return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC,
912                              TEST_MACHINE_NAME_S2U4SELF_BDC,
913                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
914 }
915
916 static bool test_S2U4Self_workstation_arcfour(struct torture_context *tctx,
917                                               struct dcerpc_pipe *p,
918                                               struct cli_credentials *credentials)
919 {
920         return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA,
921                              TEST_MACHINE_NAME_S2U4SELF_WKSTA,
922                              NETLOGON_NEG_AUTH2_ADS_FLAGS);
923 }
924
925 static bool test_S2U4Self_workstation_aes(struct torture_context *tctx,
926                                           struct dcerpc_pipe *p,
927                                           struct cli_credentials *credentials)
928 {
929         return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA,
930                              TEST_MACHINE_NAME_S2U4SELF_WKSTA,
931                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
932 }
933 #endif
934
935 struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
936 {
937         struct torture_suite *suite = torture_suite_create(mem_ctx, "pac");
938         struct torture_rpc_tcase *tcase;
939
940         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
941                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
942         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_bdc_arcfour);
943
944         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-aes",
945                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
946         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_bdc_aes);
947
948         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
949                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
950         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_workstation_arcfour);
951
952         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
953                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
954         torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
955
956         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
957                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
958         torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
959 #ifdef SAMBA4_USES_HEIMDAL
960         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
961                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC);
962         torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_bdc_arcfour);
963
964         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bcd-aes",
965                                                               &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC);
966         torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_bdc_aes);
967
968         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
969                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA);
970         torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_workstation_arcfour);
971
972         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
973                                                                       &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA);
974         torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_workstation_aes);
975 #endif
976         return suite;
977 }