NETLOGON pipe improvements
[ira/wip.git] / source4 / torture / rpc / netlogon.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    test suite for netlogon rpc operations
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8    Copyright (C) Tim Potter      2003
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "torture/torture.h"
26 #include "lib/events/events.h"
27 #include "auth/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "torture/rpc/rpc.h"
31 #include "torture/rpc/netlogon.h"
32 #include "../lib/crypto/crypto.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_netlogon.h"
36 #include "librpc/gen_ndr/ndr_lsa_c.h"
37 #include "param/param.h"
38 #include "libcli/security/security.h"
39
40 #define TEST_MACHINE_NAME "torturetest"
41
42 static bool test_LogonUasLogon(struct torture_context *tctx, 
43                                struct dcerpc_pipe *p)
44 {
45         NTSTATUS status;
46         struct netr_LogonUasLogon r;
47         struct netr_UasInfo *info = NULL;
48
49         r.in.server_name = NULL;
50         r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51         r.in.workstation = TEST_MACHINE_NAME;
52         r.out.info = &info;
53
54         status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55         torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
56
57         return true;
58 }
59
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61                                 struct dcerpc_pipe *p)
62 {
63         NTSTATUS status;
64         struct netr_LogonUasLogoff r;
65         struct netr_UasLogoffInfo info;
66
67         r.in.server_name = NULL;
68         r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69         r.in.workstation = TEST_MACHINE_NAME;
70         r.out.info = &info;
71
72         status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73         torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
74
75         return true;
76 }
77
78 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79                                   struct cli_credentials *credentials,
80                                   struct netlogon_creds_CredentialState **creds_out)
81 {
82         NTSTATUS status;
83         struct netr_ServerReqChallenge r;
84         struct netr_ServerAuthenticate a;
85         struct netr_Credential credentials1, credentials2, credentials3;
86         struct netlogon_creds_CredentialState *creds;
87         const struct samr_Password *mach_password;
88         const char *machine_name;
89
90         mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91         machine_name = cli_credentials_get_workstation(credentials);
92
93         torture_comment(tctx, "Testing ServerReqChallenge\n");
94
95         r.in.server_name = NULL;
96         r.in.computer_name = machine_name;
97         r.in.credentials = &credentials1;
98         r.out.return_credentials = &credentials2;
99
100         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
101
102         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
103         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
104
105         a.in.server_name = NULL;
106         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
107         a.in.secure_channel_type = SEC_CHAN_BDC;
108         a.in.computer_name = machine_name;
109         a.in.credentials = &credentials3;
110         a.out.return_credentials = &credentials3;
111
112         creds = netlogon_creds_client_init(tctx, a.in.account_name,
113                                            a.in.computer_name,
114                                            &credentials1, &credentials2, 
115                                            mach_password, &credentials3, 
116                                            0);
117         torture_assert(tctx, creds != NULL, "memory allocation");
118
119
120         torture_comment(tctx, "Testing ServerAuthenticate\n");
121
122         status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123
124         /* This allows the tests to continue against the more fussy windows 2008 */
125         if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
126                 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
127                                               credentials, SEC_CHAN_BDC, creds_out);
128         }
129
130         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131
132         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), 
133                        "Credential chaining failed");
134
135         *creds_out = creds;
136         return true;
137 }
138
139 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
140                             uint32_t negotiate_flags,
141                             struct cli_credentials *machine_credentials,
142                             int sec_chan_type,
143                             struct netlogon_creds_CredentialState **creds_out)
144 {
145         NTSTATUS status;
146         struct netr_ServerReqChallenge r;
147         struct netr_ServerAuthenticate2 a;
148         struct netr_Credential credentials1, credentials2, credentials3;
149         struct netlogon_creds_CredentialState *creds;
150         const struct samr_Password *mach_password;
151         const char *machine_name;
152
153         mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
154         machine_name = cli_credentials_get_workstation(machine_credentials);
155
156         torture_comment(tctx, "Testing ServerReqChallenge\n");
157
158
159         r.in.server_name = NULL;
160         r.in.computer_name = machine_name;
161         r.in.credentials = &credentials1;
162         r.out.return_credentials = &credentials2;
163
164         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
165
166         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
167         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
168
169         a.in.server_name = NULL;
170         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
171         a.in.secure_channel_type = sec_chan_type;
172         a.in.computer_name = machine_name;
173         a.in.negotiate_flags = &negotiate_flags;
174         a.out.negotiate_flags = &negotiate_flags;
175         a.in.credentials = &credentials3;
176         a.out.return_credentials = &credentials3;
177
178         creds = netlogon_creds_client_init(tctx, a.in.account_name,
179                                            a.in.computer_name, 
180                                            &credentials1, &credentials2, 
181                                            mach_password, &credentials3, 
182                                            negotiate_flags);
183
184         torture_assert(tctx, creds != NULL, "memory allocation");
185
186         torture_comment(tctx, "Testing ServerAuthenticate2\n");
187
188         status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
189         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
190
191         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), 
192                 "Credential chaining failed");
193
194         torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
195
196         *creds_out = creds;
197         return true;
198 }
199
200
201 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
202                             uint32_t negotiate_flags,
203                             struct cli_credentials *machine_credentials,
204                             struct netlogon_creds_CredentialState **creds_out)
205 {
206         NTSTATUS status;
207         struct netr_ServerReqChallenge r;
208         struct netr_ServerAuthenticate3 a;
209         struct netr_Credential credentials1, credentials2, credentials3;
210         struct netlogon_creds_CredentialState *creds;
211         struct samr_Password mach_password;
212         uint32_t rid;
213         const char *machine_name;
214         const char *plain_pass;
215
216         machine_name = cli_credentials_get_workstation(machine_credentials);
217         plain_pass = cli_credentials_get_password(machine_credentials);
218
219         torture_comment(tctx, "Testing ServerReqChallenge\n");
220
221         r.in.server_name = NULL;
222         r.in.computer_name = machine_name;
223         r.in.credentials = &credentials1;
224         r.out.return_credentials = &credentials2;
225
226         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
227
228         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
229         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
230
231         E_md4hash(plain_pass, mach_password.hash);
232
233         a.in.server_name = NULL;
234         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
235         a.in.secure_channel_type = SEC_CHAN_BDC;
236         a.in.computer_name = machine_name;
237         a.in.negotiate_flags = &negotiate_flags;
238         a.in.credentials = &credentials3;
239         a.out.return_credentials = &credentials3;
240         a.out.negotiate_flags = &negotiate_flags;
241         a.out.rid = &rid;
242
243         creds = netlogon_creds_client_init(tctx, a.in.account_name,
244                                            a.in.computer_name,
245                                            &credentials1, &credentials2, 
246                                            &mach_password, &credentials3,
247                                            negotiate_flags);
248         
249         torture_assert(tctx, creds != NULL, "memory allocation");
250
251         torture_comment(tctx, "Testing ServerAuthenticate3\n");
252
253         status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
254         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
255         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
256
257         torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
258         
259         /* Prove that requesting a challenge again won't break it */
260         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
261         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
262
263         *creds_out = creds;
264         return true;
265 }
266
267 /*
268   try a change password for our machine account
269 */
270 static bool test_SetPassword(struct torture_context *tctx, 
271                              struct dcerpc_pipe *p,
272                              struct cli_credentials *machine_credentials)
273 {
274         NTSTATUS status;
275         struct netr_ServerPasswordSet r;
276         const char *password;
277         struct netlogon_creds_CredentialState *creds;
278         struct netr_Authenticator credential, return_authenticator;
279         struct samr_Password new_password;
280
281         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
282                 return false;
283         }
284
285         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
286         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
287         r.in.secure_channel_type = SEC_CHAN_BDC;
288         r.in.computer_name = TEST_MACHINE_NAME;
289         r.in.credential = &credential;
290         r.in.new_password = &new_password;
291         r.out.return_authenticator = &return_authenticator;
292
293         password = generate_random_str(tctx, 8);
294         E_md4hash(password, new_password.hash);
295
296         netlogon_creds_des_encrypt(creds, &new_password);
297
298         torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
299         torture_comment(tctx, "Changing machine account password to '%s'\n", 
300                         password);
301
302         netlogon_creds_client_authenticator(creds, &credential);
303
304         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
305         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
306
307         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
308                 torture_comment(tctx, "Credential chaining failed\n");
309         }
310
311         /* by changing the machine password twice we test the
312            credentials chaining fully, and we verify that the server
313            allows the password to be set to the same value twice in a
314            row (match win2k3) */
315         torture_comment(tctx, 
316                 "Testing a second ServerPasswordSet on machine account\n");
317         torture_comment(tctx, 
318                 "Changing machine account password to '%s' (same as previous run)\n", password);
319
320         netlogon_creds_client_authenticator(creds, &credential);
321
322         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
323         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
324
325         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
326                 torture_comment(tctx, "Credential chaining failed\n");
327         }
328
329         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
330
331         torture_assert(tctx, 
332                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
333                 "ServerPasswordSet failed to actually change the password");
334
335         return true;
336 }
337
338 /*
339   generate a random password for password change tests
340 */
341 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
342 {
343         int i;
344         DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
345         generate_random_buffer(password.data, password.length);
346
347         for (i=0; i < len; i++) {
348                 if (((uint16_t *)password.data)[i] == 0) {
349                         ((uint16_t *)password.data)[i] = 1;
350                 }
351         }
352
353         return password;
354 }
355
356 /*
357   try a change password for our machine account
358 */
359 static bool test_SetPassword2(struct torture_context *tctx, 
360                               struct dcerpc_pipe *p, 
361                               struct cli_credentials *machine_credentials)
362 {
363         NTSTATUS status;
364         struct netr_ServerPasswordSet2 r;
365         const char *password;
366         DATA_BLOB new_random_pass;
367         struct netlogon_creds_CredentialState *creds;
368         struct samr_CryptPassword password_buf;
369         struct samr_Password nt_hash;
370         struct netr_Authenticator credential, return_authenticator;
371         struct netr_CryptPassword new_password;
372
373         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
374                 return false;
375         }
376
377         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
378         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
379         r.in.secure_channel_type = SEC_CHAN_BDC;
380         r.in.computer_name = TEST_MACHINE_NAME;
381         r.in.credential = &credential;
382         r.in.new_password = &new_password;
383         r.out.return_authenticator = &return_authenticator;
384
385         password = generate_random_str(tctx, 8);
386         encode_pw_buffer(password_buf.data, password, STR_UNICODE);
387         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
388
389         memcpy(new_password.data, password_buf.data, 512);
390         new_password.length = IVAL(password_buf.data, 512);
391
392         torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
393         torture_comment(tctx, "Changing machine account password to '%s'\n", password);
394
395         netlogon_creds_client_authenticator(creds, &credential);
396
397         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
398         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
399
400         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
401                 torture_comment(tctx, "Credential chaining failed\n");
402         }
403
404         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
405
406         if (!torture_setting_bool(tctx, "dangerous", false)) {
407                 torture_comment(tctx, 
408                         "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
409         } else {
410                 /* by changing the machine password to ""
411                  * we check if the server uses password restrictions
412                  * for ServerPasswordSet2
413                  * (win2k3 accepts "")
414                  */
415                 password = "";
416                 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
417                 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
418                 
419                 memcpy(new_password.data, password_buf.data, 512);
420                 new_password.length = IVAL(password_buf.data, 512);
421                 
422                 torture_comment(tctx, 
423                         "Testing ServerPasswordSet2 on machine account\n");
424                 torture_comment(tctx, 
425                         "Changing machine account password to '%s'\n", password);
426                 
427                 netlogon_creds_client_authenticator(creds, &credential);
428                 
429                 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
430                 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
431                 
432                 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
433                         torture_comment(tctx, "Credential chaining failed\n");
434                 }
435                 
436                 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
437         }
438
439         torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), 
440                 "ServerPasswordSet failed to actually change the password");
441
442         /* now try a random password */
443         password = generate_random_str(tctx, 8);
444         encode_pw_buffer(password_buf.data, password, STR_UNICODE);
445         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
446
447         memcpy(new_password.data, password_buf.data, 512);
448         new_password.length = IVAL(password_buf.data, 512);
449
450         torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
451         torture_comment(tctx, "Changing machine account password to '%s'\n", password);
452
453         netlogon_creds_client_authenticator(creds, &credential);
454
455         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
456         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
457
458         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
459                 torture_comment(tctx, "Credential chaining failed\n");
460         }
461
462         /* by changing the machine password twice we test the
463            credentials chaining fully, and we verify that the server
464            allows the password to be set to the same value twice in a
465            row (match win2k3) */
466         torture_comment(tctx, 
467                 "Testing a second ServerPasswordSet2 on machine account\n");
468         torture_comment(tctx, 
469                 "Changing machine account password to '%s' (same as previous run)\n", password);
470
471         netlogon_creds_client_authenticator(creds, &credential);
472
473         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
474         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
475
476         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
477                 torture_comment(tctx, "Credential chaining failed\n");
478         }
479
480         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
481
482         torture_assert (tctx, 
483                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
484                 "ServerPasswordSet failed to actually change the password");
485
486         new_random_pass = netlogon_very_rand_pass(tctx, 128);
487
488         /* now try a random stream of bytes for a password */
489         set_pw_in_buffer(password_buf.data, &new_random_pass);
490
491         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
492
493         memcpy(new_password.data, password_buf.data, 512);
494         new_password.length = IVAL(password_buf.data, 512);
495
496         torture_comment(tctx, 
497                 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
498
499         netlogon_creds_client_authenticator(creds, &credential);
500
501         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
502         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
503
504         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
505                 torture_comment(tctx, "Credential chaining failed\n");
506         }
507
508         mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
509
510         cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
511         cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
512
513         torture_assert (tctx, 
514                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
515                 "ServerPasswordSet failed to actually change the password");
516
517         return true;
518 }
519
520 static bool test_GetPassword(struct torture_context *tctx,
521                              struct dcerpc_pipe *p,
522                              struct cli_credentials *machine_credentials)
523 {
524         struct netr_ServerPasswordGet r;
525         struct netlogon_creds_CredentialState *creds;
526         struct netr_Authenticator credential;
527         NTSTATUS status;
528         struct netr_Authenticator return_authenticator;
529         struct samr_Password password;
530
531         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
532                 return false;
533         }
534
535         netlogon_creds_client_authenticator(creds, &credential);
536
537         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
538         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
539         r.in.secure_channel_type = SEC_CHAN_BDC;
540         r.in.computer_name = TEST_MACHINE_NAME;
541         r.in.credential = &credential;
542         r.out.return_authenticator = &return_authenticator;
543         r.out.password = &password;
544
545         status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
546         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
547
548         return true;
549 }
550
551 static bool test_GetTrustPasswords(struct torture_context *tctx,
552                                    struct dcerpc_pipe *p,
553                                    struct cli_credentials *machine_credentials)
554 {
555         struct netr_ServerTrustPasswordsGet r;
556         struct netlogon_creds_CredentialState *creds;
557         struct netr_Authenticator credential;
558         NTSTATUS status;
559         struct netr_Authenticator return_authenticator;
560         struct samr_Password password, password2;
561
562         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
563                 return false;
564         }
565
566         netlogon_creds_client_authenticator(creds, &credential);
567
568         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
569         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
570         r.in.secure_channel_type = SEC_CHAN_BDC;
571         r.in.computer_name = TEST_MACHINE_NAME;
572         r.in.credential = &credential;
573         r.out.return_authenticator = &return_authenticator;
574         r.out.password = &password;
575         r.out.password2 = &password2;
576
577         status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
578         torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
579
580         return true;
581 }
582
583 /*
584   try a netlogon SamLogon
585 */
586 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
587                               struct cli_credentials *credentials, 
588                               struct netlogon_creds_CredentialState *creds)
589 {
590         NTSTATUS status;
591         struct netr_LogonSamLogon r;
592         struct netr_Authenticator auth, auth2;
593         union netr_LogonLevel logon;
594         union netr_Validation validation;
595         uint8_t authoritative;
596         struct netr_NetworkInfo ninfo;
597         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
598         int i;
599         int flags = CLI_CRED_NTLM_AUTH;
600         if (lp_client_lanman_auth(tctx->lp_ctx)) {
601                 flags |= CLI_CRED_LANMAN_AUTH;
602         }
603
604         if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
605                 flags |= CLI_CRED_NTLMv2_AUTH;
606         }
607
608         cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, 
609                                                  &ninfo.identity_info.account_name.string,
610                                                  &ninfo.identity_info.domain_name.string);
611         
612         generate_random_buffer(ninfo.challenge, 
613                                sizeof(ninfo.challenge));
614         chal = data_blob_const(ninfo.challenge, 
615                                sizeof(ninfo.challenge));
616
617         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), 
618                                                 cli_credentials_get_domain(credentials));
619
620         status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, 
621                                                    &flags, 
622                                                    chal,
623                                                    names_blob,
624                                                    &lm_resp, &nt_resp,
625                                                    NULL, NULL);
626         torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
627
628         ninfo.lm.data = lm_resp.data;
629         ninfo.lm.length = lm_resp.length;
630
631         ninfo.nt.data = nt_resp.data;
632         ninfo.nt.length = nt_resp.length;
633
634         ninfo.identity_info.parameter_control = 0;
635         ninfo.identity_info.logon_id_low = 0;
636         ninfo.identity_info.logon_id_high = 0;
637         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
638
639         logon.network = &ninfo;
640
641         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
642         r.in.computer_name = cli_credentials_get_workstation(credentials);
643         r.in.credential = &auth;
644         r.in.return_authenticator = &auth2;
645         r.in.logon_level = 2;
646         r.in.logon = &logon;
647         r.out.validation = &validation;
648         r.out.authoritative = &authoritative;
649
650         d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
651         
652         for (i=2;i<3;i++) {
653                 ZERO_STRUCT(auth2);
654                 netlogon_creds_client_authenticator(creds, &auth);
655                 
656                 r.in.validation_level = i;
657                 
658                 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
659                 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
660                 
661                 torture_assert(tctx, netlogon_creds_client_check(creds, 
662                                                                  &r.out.return_authenticator->cred), 
663                         "Credential chaining failed");
664         }
665
666         r.in.credential = NULL;
667
668         for (i=2;i<=3;i++) {
669
670                 r.in.validation_level = i;
671
672                 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
673
674                 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
675                 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, 
676                         "LogonSamLogon expected INVALID_PARAMETER");
677
678         }
679
680         return true;
681 }
682
683 /*
684   try a netlogon SamLogon
685 */
686 static bool test_SamLogon(struct torture_context *tctx, 
687                           struct dcerpc_pipe *p,
688                           struct cli_credentials *credentials)
689 {
690         struct netlogon_creds_CredentialState *creds;
691
692         if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
693                 return false;
694         }
695
696         return test_netlogon_ops(p, tctx, credentials, creds);
697 }
698
699 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
700 static uint64_t sequence_nums[3];
701
702 /*
703   try a netlogon DatabaseSync
704 */
705 static bool test_DatabaseSync(struct torture_context *tctx, 
706                               struct dcerpc_pipe *p,
707                               struct cli_credentials *machine_credentials)
708 {
709         NTSTATUS status;
710         struct netr_DatabaseSync r;
711         struct netlogon_creds_CredentialState *creds;
712         const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; 
713         int i;
714         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
715         struct netr_Authenticator credential, return_authenticator;
716
717         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
718                 return false;
719         }
720
721         ZERO_STRUCT(return_authenticator);
722
723         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
724         r.in.computername = TEST_MACHINE_NAME;
725         r.in.preferredmaximumlength = (uint32_t)-1;
726         r.in.return_authenticator = &return_authenticator;
727         r.out.delta_enum_array = &delta_enum_array;
728         r.out.return_authenticator = &return_authenticator;
729
730         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
731
732                 uint32_t sync_context = 0;
733
734                 r.in.database_id = database_ids[i];
735                 r.in.sync_context = &sync_context;
736                 r.out.sync_context = &sync_context;
737
738                 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
739
740                 do {
741                         netlogon_creds_client_authenticator(creds, &credential);
742
743                         r.in.credential = &credential;
744
745                         status = dcerpc_netr_DatabaseSync(p, tctx, &r);
746                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
747                             break;
748
749                         /* Native mode servers don't do this */
750                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
751                                 return true;
752                         }
753                         torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
754
755                         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
756                                 torture_comment(tctx, "Credential chaining failed\n");
757                         }
758
759                         if (delta_enum_array &&
760                             delta_enum_array->num_deltas > 0 &&
761                             delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
762                             delta_enum_array->delta_enum[0].delta_union.domain) {
763                                 sequence_nums[r.in.database_id] = 
764                                         delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
765                                 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
766                                        r.in.database_id, 
767                                        (unsigned long long)sequence_nums[r.in.database_id]);
768                         }
769                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
770         }
771
772         return true;
773 }
774
775
776 /*
777   try a netlogon DatabaseDeltas
778 */
779 static bool test_DatabaseDeltas(struct torture_context *tctx, 
780                                 struct dcerpc_pipe *p,
781                                 struct cli_credentials *machine_credentials)
782 {
783         NTSTATUS status;
784         struct netr_DatabaseDeltas r;
785         struct netlogon_creds_CredentialState *creds;
786         struct netr_Authenticator credential;
787         struct netr_Authenticator return_authenticator;
788         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
789         const uint32_t database_ids[] = {0, 1, 2}; 
790         int i;
791
792         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
793                 return false;
794         }
795
796         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
797         r.in.computername = TEST_MACHINE_NAME;
798         r.in.preferredmaximumlength = (uint32_t)-1;
799         ZERO_STRUCT(r.in.return_authenticator);
800         r.out.return_authenticator = &return_authenticator;
801         r.out.delta_enum_array = &delta_enum_array;
802
803         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
804                 r.in.database_id = database_ids[i];
805                 r.in.sequence_num = &sequence_nums[r.in.database_id];
806
807                 if (*r.in.sequence_num == 0) continue;
808
809                 *r.in.sequence_num -= 1;
810
811                 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", 
812                        r.in.database_id, (unsigned long long)*r.in.sequence_num);
813
814                 do {
815                         netlogon_creds_client_authenticator(creds, &credential);
816
817                         status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
818                         if (NT_STATUS_EQUAL(status, 
819                                              NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
820                                 torture_comment(tctx, "not considering %s to be an error\n",
821                                        nt_errstr(status));
822                                 return true;
823                         }
824                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) 
825                             break;
826
827                         torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
828
829                         if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
830                                 torture_comment(tctx, "Credential chaining failed\n");
831                         }
832
833                         (*r.in.sequence_num)++;
834                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
835         }
836
837         return true;
838 }
839
840 static bool test_DatabaseRedo(struct torture_context *tctx,
841                               struct dcerpc_pipe *p,
842                               struct cli_credentials *machine_credentials)
843 {
844         NTSTATUS status;
845         struct netr_DatabaseRedo r;
846         struct netlogon_creds_CredentialState *creds;
847         struct netr_Authenticator credential;
848         struct netr_Authenticator return_authenticator;
849         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
850         struct netr_ChangeLogEntry e;
851         struct dom_sid null_sid, *sid;
852         int i,d;
853
854         ZERO_STRUCT(null_sid);
855
856         sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
857
858         {
859
860         struct {
861                 uint32_t rid;
862                 uint16_t flags;
863                 uint8_t db_index;
864                 uint8_t delta_type;
865                 struct dom_sid sid;
866                 const char *name;
867                 NTSTATUS expected_error;
868                 uint32_t expected_num_results;
869                 uint8_t expected_delta_type_1;
870                 uint8_t expected_delta_type_2;
871                 const char *comment;
872         } changes[] = {
873
874                 /* SAM_DATABASE_DOMAIN */
875
876                 {
877                         .rid                    = 0,
878                         .flags                  = 0,
879                         .db_index               = SAM_DATABASE_DOMAIN,
880                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
881                         .sid                    = null_sid,
882                         .name                   = NULL,
883                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
884                         .expected_num_results   = 0,
885                         .comment                = "NETR_DELTA_MODIFY_COUNT"
886                 },
887                 {
888                         .rid                    = 0,
889                         .flags                  = 0,
890                         .db_index               = SAM_DATABASE_DOMAIN,
891                         .delta_type             = 0,
892                         .sid                    = null_sid,
893                         .name                   = NULL,
894                         .expected_error         = NT_STATUS_OK,
895                         .expected_num_results   = 1,
896                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
897                         .comment                = "NULL DELTA"
898                 },
899                 {
900                         .rid                    = 0,
901                         .flags                  = 0,
902                         .db_index               = SAM_DATABASE_DOMAIN,
903                         .delta_type             = NETR_DELTA_DOMAIN,
904                         .sid                    = null_sid,
905                         .name                   = NULL,
906                         .expected_error         = NT_STATUS_OK,
907                         .expected_num_results   = 1,
908                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
909                         .comment                = "NETR_DELTA_DOMAIN"
910                 },
911                 {
912                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
913                         .flags                  = 0,
914                         .db_index               = SAM_DATABASE_DOMAIN,
915                         .delta_type             = NETR_DELTA_USER,
916                         .sid                    = null_sid,
917                         .name                   = NULL,
918                         .expected_error         = NT_STATUS_OK,
919                         .expected_num_results   = 1,
920                         .expected_delta_type_1  = NETR_DELTA_USER,
921                         .comment                = "NETR_DELTA_USER by rid 500"
922                 },
923                 {
924                         .rid                    = DOMAIN_RID_GUEST,
925                         .flags                  = 0,
926                         .db_index               = SAM_DATABASE_DOMAIN,
927                         .delta_type             = NETR_DELTA_USER,
928                         .sid                    = null_sid,
929                         .name                   = NULL,
930                         .expected_error         = NT_STATUS_OK,
931                         .expected_num_results   = 1,
932                         .expected_delta_type_1  = NETR_DELTA_USER,
933                         .comment                = "NETR_DELTA_USER by rid 501"
934                 },
935                 {
936                         .rid                    = 0,
937                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
938                         .db_index               = SAM_DATABASE_DOMAIN,
939                         .delta_type             = NETR_DELTA_USER,
940                         .sid                    = *sid,
941                         .name                   = NULL,
942                         .expected_error         = NT_STATUS_OK,
943                         .expected_num_results   = 1,
944                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
945                         .comment                = "NETR_DELTA_USER by sid and flags"
946                 },
947                 {
948                         .rid                    = 0,
949                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
950                         .db_index               = SAM_DATABASE_DOMAIN,
951                         .delta_type             = NETR_DELTA_USER,
952                         .sid                    = null_sid,
953                         .name                   = NULL,
954                         .expected_error         = NT_STATUS_OK,
955                         .expected_num_results   = 1,
956                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
957                         .comment                = "NETR_DELTA_USER by null_sid and flags"
958                 },
959                 {
960                         .rid                    = 0,
961                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
962                         .db_index               = SAM_DATABASE_DOMAIN,
963                         .delta_type             = NETR_DELTA_USER,
964                         .sid                    = null_sid,
965                         .name                   = "administrator",
966                         .expected_error         = NT_STATUS_OK,
967                         .expected_num_results   = 1,
968                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
969                         .comment                = "NETR_DELTA_USER by name 'administrator'"
970                 },
971                 {
972                         .rid                    = DOMAIN_RID_ADMINS,
973                         .flags                  = 0,
974                         .db_index               = SAM_DATABASE_DOMAIN,
975                         .delta_type             = NETR_DELTA_GROUP,
976                         .sid                    = null_sid,
977                         .name                   = NULL,
978                         .expected_error         = NT_STATUS_OK,
979                         .expected_num_results   = 2,
980                         .expected_delta_type_1  = NETR_DELTA_GROUP,
981                         .expected_delta_type_2  = NETR_DELTA_GROUP_MEMBER,
982                         .comment                = "NETR_DELTA_GROUP by rid 512"
983                 },
984                 {
985                         .rid                    = DOMAIN_RID_ADMINS,
986                         .flags                  = 0,
987                         .db_index               = SAM_DATABASE_DOMAIN,
988                         .delta_type             = NETR_DELTA_GROUP_MEMBER,
989                         .sid                    = null_sid,
990                         .name                   = NULL,
991                         .expected_error         = NT_STATUS_OK,
992                         .expected_num_results   = 2,
993                         .expected_delta_type_1  = NETR_DELTA_GROUP,
994                         .expected_delta_type_2  = NETR_DELTA_GROUP_MEMBER,
995                         .comment                = "NETR_DELTA_GROUP_MEMBER by rid 512"
996                 },
997
998
999                 /* SAM_DATABASE_BUILTIN */
1000
1001                 {
1002                         .rid                    = 0,
1003                         .flags                  = 0,
1004                         .db_index               = SAM_DATABASE_BUILTIN,
1005                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
1006                         .sid                    = null_sid,
1007                         .name                   = NULL,
1008                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1009                         .expected_num_results   = 0,
1010                         .comment                = "NETR_DELTA_MODIFY_COUNT"
1011                 },
1012                 {
1013                         .rid                    = 0,
1014                         .flags                  = 0,
1015                         .db_index               = SAM_DATABASE_BUILTIN,
1016                         .delta_type             = NETR_DELTA_DOMAIN,
1017                         .sid                    = null_sid,
1018                         .name                   = NULL,
1019                         .expected_error         = NT_STATUS_OK,
1020                         .expected_num_results   = 1,
1021                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1022                         .comment                = "NETR_DELTA_DOMAIN"
1023                 },
1024                 {
1025                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1026                         .flags                  = 0,
1027                         .db_index               = SAM_DATABASE_BUILTIN,
1028                         .delta_type             = NETR_DELTA_USER,
1029                         .sid                    = null_sid,
1030                         .name                   = NULL,
1031                         .expected_error         = NT_STATUS_OK,
1032                         .expected_num_results   = 1,
1033                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1034                         .comment                = "NETR_DELTA_USER by rid 500"
1035                 },
1036                 {
1037                         .rid                    = 0,
1038                         .flags                  = 0,
1039                         .db_index               = SAM_DATABASE_BUILTIN,
1040                         .delta_type             = NETR_DELTA_USER,
1041                         .sid                    = null_sid,
1042                         .name                   = NULL,
1043                         .expected_error         = NT_STATUS_OK,
1044                         .expected_num_results   = 1,
1045                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1046                         .comment                = "NETR_DELTA_USER"
1047                 },
1048                 {
1049                         .rid                    = 544,
1050                         .flags                  = 0,
1051                         .db_index               = SAM_DATABASE_BUILTIN,
1052                         .delta_type             = NETR_DELTA_ALIAS,
1053                         .sid                    = null_sid,
1054                         .name                   = NULL,
1055                         .expected_error         = NT_STATUS_OK,
1056                         .expected_num_results   = 2,
1057                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1058                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1059                         .comment                = "NETR_DELTA_ALIAS by rid 544"
1060                 },
1061                 {
1062                         .rid                    = 544,
1063                         .flags                  = 0,
1064                         .db_index               = SAM_DATABASE_BUILTIN,
1065                         .delta_type             = NETR_DELTA_ALIAS_MEMBER,
1066                         .sid                    = null_sid,
1067                         .name                   = NULL,
1068                         .expected_error         = NT_STATUS_OK,
1069                         .expected_num_results   = 2,
1070                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1071                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1072                         .comment                = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1073                 },
1074                 {
1075                         .rid                    = 544,
1076                         .flags                  = 0,
1077                         .db_index               = SAM_DATABASE_BUILTIN,
1078                         .delta_type             = 0,
1079                         .sid                    = null_sid,
1080                         .name                   = NULL,
1081                         .expected_error         = NT_STATUS_OK,
1082                         .expected_num_results   = 1,
1083                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1084                         .comment                = "NULL DELTA by rid 544"
1085                 },
1086                 {
1087                         .rid                    = 544,
1088                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1089                         .db_index               = SAM_DATABASE_BUILTIN,
1090                         .delta_type             = 0,
1091                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1092                         .name                   = NULL,
1093                         .expected_error         = NT_STATUS_OK,
1094                         .expected_num_results   = 1,
1095                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1096                         .comment                = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1097                 },
1098                 {
1099                         .rid                    = 544,
1100                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1101                         .db_index               = SAM_DATABASE_BUILTIN,
1102                         .delta_type             = NETR_DELTA_ALIAS,
1103                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1104                         .name                   = NULL,
1105                         .expected_error         = NT_STATUS_OK,
1106                         .expected_num_results   = 2,
1107                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1108                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1109                         .comment                = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1110                 },
1111                 {
1112                         .rid                    = 0,
1113                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1114                         .db_index               = SAM_DATABASE_BUILTIN,
1115                         .delta_type             = NETR_DELTA_ALIAS,
1116                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1117                         .name                   = NULL,
1118                         .expected_error         = NT_STATUS_OK,
1119                         .expected_num_results   = 1,
1120                         .expected_delta_type_1  = NETR_DELTA_DELETE_ALIAS,
1121                         .comment                = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1122                 },
1123
1124                 /* SAM_DATABASE_PRIVS */
1125
1126                 {
1127                         .rid                    = 0,
1128                         .flags                  = 0,
1129                         .db_index               = SAM_DATABASE_PRIVS,
1130                         .delta_type             = 0,
1131                         .sid                    = null_sid,
1132                         .name                   = NULL,
1133                         .expected_error         = NT_STATUS_ACCESS_DENIED,
1134                         .expected_num_results   = 0,
1135                         .comment                = "NULL DELTA"
1136                 },
1137                 {
1138                         .rid                    = 0,
1139                         .flags                  = 0,
1140                         .db_index               = SAM_DATABASE_PRIVS,
1141                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
1142                         .sid                    = null_sid,
1143                         .name                   = NULL,
1144                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1145                         .expected_num_results   = 0,
1146                         .comment                = "NETR_DELTA_MODIFY_COUNT"
1147                 },
1148                 {
1149                         .rid                    = 0,
1150                         .flags                  = 0,
1151                         .db_index               = SAM_DATABASE_PRIVS,
1152                         .delta_type             = NETR_DELTA_POLICY,
1153                         .sid                    = null_sid,
1154                         .name                   = NULL,
1155                         .expected_error         = NT_STATUS_OK,
1156                         .expected_num_results   = 1,
1157                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1158                         .comment                = "NETR_DELTA_POLICY"
1159                 },
1160                 {
1161                         .rid                    = 0,
1162                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1163                         .db_index               = SAM_DATABASE_PRIVS,
1164                         .delta_type             = NETR_DELTA_POLICY,
1165                         .sid                    = null_sid,
1166                         .name                   = NULL,
1167                         .expected_error         = NT_STATUS_OK,
1168                         .expected_num_results   = 1,
1169                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1170                         .comment                = "NETR_DELTA_POLICY by null sid and flags"
1171                 },
1172                 {
1173                         .rid                    = 0,
1174                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1175                         .db_index               = SAM_DATABASE_PRIVS,
1176                         .delta_type             = NETR_DELTA_POLICY,
1177                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1178                         .name                   = NULL,
1179                         .expected_error         = NT_STATUS_OK,
1180                         .expected_num_results   = 1,
1181                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1182                         .comment                = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1183                 },
1184                 {
1185                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1186                         .flags                  = 0,
1187                         .db_index               = SAM_DATABASE_PRIVS,
1188                         .delta_type             = NETR_DELTA_ACCOUNT,
1189                         .sid                    = null_sid,
1190                         .name                   = NULL,
1191                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1192                         .expected_num_results   = 0,
1193                         .comment                = "NETR_DELTA_ACCOUNT by rid 500"
1194                 },
1195                 {
1196                         .rid                    = 0,
1197                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1198                         .db_index               = SAM_DATABASE_PRIVS,
1199                         .delta_type             = NETR_DELTA_ACCOUNT,
1200                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1201                         .name                   = NULL,
1202                         .expected_error         = NT_STATUS_OK,
1203                         .expected_num_results   = 1,
1204                         .expected_delta_type_1  = NETR_DELTA_ACCOUNT,
1205                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1206                 },
1207                 {
1208                         .rid                    = 0,
1209                         .flags                  = NETR_CHANGELOG_SID_INCLUDED |
1210                                                   NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1211                         .db_index               = SAM_DATABASE_PRIVS,
1212                         .delta_type             = NETR_DELTA_ACCOUNT,
1213                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1214                         .name                   = NULL,
1215                         .expected_error         = NT_STATUS_OK,
1216                         .expected_num_results   = 1,
1217                         .expected_delta_type_1  = NETR_DELTA_ACCOUNT,
1218                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1219                 },
1220                 {
1221                         .rid                    = 0,
1222                         .flags                  = NETR_CHANGELOG_SID_INCLUDED |
1223                                                   NETR_CHANGELOG_NAME_INCLUDED,
1224                         .db_index               = SAM_DATABASE_PRIVS,
1225                         .delta_type             = NETR_DELTA_ACCOUNT,
1226                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1227                         .name                   = NULL,
1228                         .expected_error         = NT_STATUS_INVALID_PARAMETER,
1229                         .expected_num_results   = 0,
1230                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1231                 },
1232                 {
1233                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1234                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1235                         .db_index               = SAM_DATABASE_PRIVS,
1236                         .delta_type             = NETR_DELTA_ACCOUNT,
1237                         .sid                    = *sid,
1238                         .name                   = NULL,
1239                         .expected_error         = NT_STATUS_OK,
1240                         .expected_num_results   = 1,
1241                         .expected_delta_type_1  = NETR_DELTA_DELETE_ACCOUNT,
1242                         .comment                = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1243                 },
1244                 {
1245                         .rid                    = 0,
1246                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
1247                         .db_index               = SAM_DATABASE_PRIVS,
1248                         .delta_type             = NETR_DELTA_SECRET,
1249                         .sid                    = null_sid,
1250                         .name                   = "IsurelydontexistIhope",
1251                         .expected_error         = NT_STATUS_OK,
1252                         .expected_num_results   = 1,
1253                         .expected_delta_type_1  = NETR_DELTA_DELETE_SECRET,
1254                         .comment                = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1255                 },
1256                 {
1257                         .rid                    = 0,
1258                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
1259                         .db_index               = SAM_DATABASE_PRIVS,
1260                         .delta_type             = NETR_DELTA_SECRET,
1261                         .sid                    = null_sid,
1262                         .name                   = "G$BCKUPKEY_P",
1263                         .expected_error         = NT_STATUS_OK,
1264                         .expected_num_results   = 1,
1265                         .expected_delta_type_1  = NETR_DELTA_SECRET,
1266                         .comment                = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1267                 }
1268         };
1269
1270         ZERO_STRUCT(return_authenticator);
1271
1272         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1273         r.in.computername = TEST_MACHINE_NAME;
1274         r.in.return_authenticator = &return_authenticator;
1275         r.out.return_authenticator = &return_authenticator;
1276         r.out.delta_enum_array = &delta_enum_array;
1277
1278         for (d=0; d<3; d++) {
1279
1280                 const char *database;
1281
1282                 switch (d) {
1283                 case 0:
1284                         database = "SAM";
1285                         break;
1286                 case 1:
1287                         database = "BUILTIN";
1288                         break;
1289                 case 2:
1290                         database = "LSA";
1291                         break;
1292                 default:
1293                         break;
1294                 }
1295
1296                 torture_comment(tctx, "Testing DatabaseRedo\n");
1297
1298                 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1299                         return false;
1300                 }
1301
1302                 for (i=0;i<ARRAY_SIZE(changes);i++) {
1303
1304                         if (d != changes[i].db_index) {
1305                                 continue;
1306                         }
1307
1308                         netlogon_creds_client_authenticator(creds, &credential);
1309
1310                         r.in.credential = &credential;
1311
1312                         e.serial_number1        = 0;
1313                         e.serial_number2        = 0;
1314                         e.object_rid            = changes[i].rid;
1315                         e.flags                 = changes[i].flags;
1316                         e.db_index              = changes[i].db_index;
1317                         e.delta_type            = changes[i].delta_type;
1318
1319                         switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1320                         case NETR_CHANGELOG_SID_INCLUDED:
1321                                 e.object.object_sid             = changes[i].sid;
1322                                 break;
1323                         case NETR_CHANGELOG_NAME_INCLUDED:
1324                                 e.object.object_name            = changes[i].name;
1325                                 break;
1326                         default:
1327                                 break;
1328                         }
1329
1330                         r.in.change_log_entry = e;
1331
1332                         torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1333                                 database, changes[i].comment);
1334
1335                         status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1336                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1337                                 return true;
1338                         }
1339
1340                         torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1341                         if (delta_enum_array) {
1342                                 torture_assert_int_equal(tctx,
1343                                         delta_enum_array->num_deltas,
1344                                         changes[i].expected_num_results,
1345                                         changes[i].comment);
1346                                 if (delta_enum_array->num_deltas > 0) {
1347                                         torture_assert_int_equal(tctx,
1348                                                 delta_enum_array->delta_enum[0].delta_type,
1349                                                 changes[i].expected_delta_type_1,
1350                                                 changes[i].comment);
1351                                 }
1352                                 if (delta_enum_array->num_deltas > 1) {
1353                                         torture_assert_int_equal(tctx,
1354                                                 delta_enum_array->delta_enum[1].delta_type,
1355                                                 changes[i].expected_delta_type_2,
1356                                                 changes[i].comment);
1357                                 }
1358                         }
1359
1360                         if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1361                                 torture_comment(tctx, "Credential chaining failed\n");
1362                                 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1363                                         return false;
1364                                 }
1365                         }
1366                 }
1367         }
1368         }
1369
1370         return true;
1371 }
1372
1373 /*
1374   try a netlogon AccountDeltas
1375 */
1376 static bool test_AccountDeltas(struct torture_context *tctx, 
1377                                struct dcerpc_pipe *p,
1378                                struct cli_credentials *machine_credentials)
1379 {
1380         NTSTATUS status;
1381         struct netr_AccountDeltas r;
1382         struct netlogon_creds_CredentialState *creds;
1383
1384         struct netr_AccountBuffer buffer;
1385         uint32_t count_returned = 0;
1386         uint32_t total_entries = 0;
1387         struct netr_UAS_INFO_0 recordid;
1388         struct netr_Authenticator return_authenticator;
1389
1390         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1391                 return false;
1392         }
1393
1394         ZERO_STRUCT(return_authenticator);
1395
1396         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1397         r.in.computername = TEST_MACHINE_NAME;
1398         r.in.return_authenticator = &return_authenticator;
1399         netlogon_creds_client_authenticator(creds, &r.in.credential);
1400         ZERO_STRUCT(r.in.uas);
1401         r.in.count=10;
1402         r.in.level=0;
1403         r.in.buffersize=100;
1404         r.out.buffer = &buffer;
1405         r.out.count_returned = &count_returned;
1406         r.out.total_entries = &total_entries;
1407         r.out.recordid = &recordid;
1408         r.out.return_authenticator = &return_authenticator;
1409
1410         /* w2k3 returns "NOT IMPLEMENTED" for this call */
1411         status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1412         torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1413
1414         return true;
1415 }
1416
1417 /*
1418   try a netlogon AccountSync
1419 */
1420 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, 
1421                              struct cli_credentials *machine_credentials)
1422 {
1423         NTSTATUS status;
1424         struct netr_AccountSync r;
1425         struct netlogon_creds_CredentialState *creds;
1426
1427         struct netr_AccountBuffer buffer;
1428         uint32_t count_returned = 0;
1429         uint32_t total_entries = 0;
1430         uint32_t next_reference = 0;
1431         struct netr_UAS_INFO_0 recordid;
1432         struct netr_Authenticator return_authenticator;
1433
1434         ZERO_STRUCT(recordid);
1435         ZERO_STRUCT(return_authenticator);
1436
1437         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1438                 return false;
1439         }
1440
1441         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1442         r.in.computername = TEST_MACHINE_NAME;
1443         r.in.return_authenticator = &return_authenticator;
1444         netlogon_creds_client_authenticator(creds, &r.in.credential);
1445         r.in.recordid = &recordid;
1446         r.in.reference=0;
1447         r.in.level=0;
1448         r.in.buffersize=100;
1449         r.out.buffer = &buffer;
1450         r.out.count_returned = &count_returned;
1451         r.out.total_entries = &total_entries;
1452         r.out.next_reference = &next_reference;
1453         r.out.recordid = &recordid;
1454         r.out.return_authenticator = &return_authenticator;
1455
1456         /* w2k3 returns "NOT IMPLEMENTED" for this call */
1457         status = dcerpc_netr_AccountSync(p, tctx, &r);
1458         torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1459
1460         return true;
1461 }
1462
1463 /*
1464   try a netlogon GetDcName
1465 */
1466 static bool test_GetDcName(struct torture_context *tctx, 
1467                            struct dcerpc_pipe *p)
1468 {
1469         NTSTATUS status;
1470         struct netr_GetDcName r;
1471         const char *dcname = NULL;
1472
1473         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1474         r.in.domainname = lp_workgroup(tctx->lp_ctx);
1475         r.out.dcname = &dcname;
1476
1477         status = dcerpc_netr_GetDcName(p, tctx, &r);
1478         torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1479         torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1480
1481         torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1482
1483         return true;
1484 }
1485
1486 /*
1487   try a netlogon LogonControl 
1488 */
1489 static bool test_LogonControl(struct torture_context *tctx, 
1490                               struct dcerpc_pipe *p)
1491 {
1492         NTSTATUS status;
1493         struct netr_LogonControl r;
1494         union netr_CONTROL_QUERY_INFORMATION query;
1495         int i;
1496
1497         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1498         r.in.function_code = 1;
1499         r.out.query = &query;
1500
1501         for (i=1;i<4;i++) {
1502                 r.in.level = i;
1503
1504                 torture_comment(tctx, "Testing LogonControl level %d\n", i);
1505
1506                 status = dcerpc_netr_LogonControl(p, tctx, &r);
1507                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1508         }
1509
1510         return true;
1511 }
1512
1513
1514 /*
1515   try a netlogon GetAnyDCName
1516 */
1517 static bool test_GetAnyDCName(struct torture_context *tctx, 
1518                               struct dcerpc_pipe *p)
1519 {
1520         NTSTATUS status;
1521         struct netr_GetAnyDCName r;
1522         const char *dcname = NULL;
1523
1524         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1525         r.in.domainname = lp_workgroup(tctx->lp_ctx);
1526         r.out.dcname = &dcname;
1527
1528         status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1529         torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1530         torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1531
1532         if (dcname) {
1533             torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1534         }
1535
1536         return true;
1537 }
1538
1539
1540 /*
1541   try a netlogon LogonControl2
1542 */
1543 static bool test_LogonControl2(struct torture_context *tctx, 
1544                                struct dcerpc_pipe *p)
1545 {
1546         NTSTATUS status;
1547         struct netr_LogonControl2 r;
1548         union netr_CONTROL_DATA_INFORMATION data;
1549         union netr_CONTROL_QUERY_INFORMATION query;
1550         int i;
1551
1552         data.domain = lp_workgroup(tctx->lp_ctx);
1553
1554         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1555
1556         r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1557         r.in.data = &data;
1558         r.out.query = &query;
1559
1560         for (i=1;i<4;i++) {
1561                 r.in.level = i;
1562
1563                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1564                        i, r.in.function_code);
1565
1566                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1567                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1568         }
1569
1570         data.domain = lp_workgroup(tctx->lp_ctx);
1571
1572         r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1573         r.in.data = &data;
1574
1575         for (i=1;i<4;i++) {
1576                 r.in.level = i;
1577
1578                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1579                        i, r.in.function_code);
1580
1581                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1582                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1583         }
1584
1585         data.domain = lp_workgroup(tctx->lp_ctx);
1586
1587         r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1588         r.in.data = &data;
1589
1590         for (i=1;i<4;i++) {
1591                 r.in.level = i;
1592
1593                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1594                        i, r.in.function_code);
1595
1596                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1597                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1598         }
1599
1600         data.debug_level = ~0;
1601
1602         r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1603         r.in.data = &data;
1604
1605         for (i=1;i<4;i++) {
1606                 r.in.level = i;
1607
1608                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1609                        i, r.in.function_code);
1610
1611                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1612                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1613         }
1614
1615         return true;
1616 }
1617
1618 /*
1619   try a netlogon DatabaseSync2
1620 */
1621 static bool test_DatabaseSync2(struct torture_context *tctx, 
1622                                struct dcerpc_pipe *p,
1623                                struct cli_credentials *machine_credentials)
1624 {
1625         NTSTATUS status;
1626         struct netr_DatabaseSync2 r;
1627         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1628         struct netr_Authenticator return_authenticator, credential;
1629
1630         struct netlogon_creds_CredentialState *creds;
1631         const uint32_t database_ids[] = {0, 1, 2}; 
1632         int i;
1633
1634         if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, 
1635                                     machine_credentials,
1636                                     SEC_CHAN_BDC, &creds)) {
1637                 return false;
1638         }
1639
1640         ZERO_STRUCT(return_authenticator);
1641
1642         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1643         r.in.computername = TEST_MACHINE_NAME;
1644         r.in.preferredmaximumlength = (uint32_t)-1;
1645         r.in.return_authenticator = &return_authenticator;
1646         r.out.return_authenticator = &return_authenticator;
1647         r.out.delta_enum_array = &delta_enum_array;
1648
1649         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1650
1651                 uint32_t sync_context = 0;
1652
1653                 r.in.database_id = database_ids[i];
1654                 r.in.sync_context = &sync_context;
1655                 r.out.sync_context = &sync_context;
1656                 r.in.restart_state = 0;
1657
1658                 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1659
1660                 do {
1661                         netlogon_creds_client_authenticator(creds, &credential);
1662
1663                         r.in.credential = &credential;
1664
1665                         status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1666                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1667                             break;
1668
1669                         /* Native mode servers don't do this */
1670                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1671                                 return true;
1672                         }
1673
1674                         torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1675
1676                         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1677                                 torture_comment(tctx, "Credential chaining failed\n");
1678                         }
1679
1680                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1681         }
1682
1683         return true;
1684 }
1685
1686
1687 /*
1688   try a netlogon LogonControl2Ex
1689 */
1690 static bool test_LogonControl2Ex(struct torture_context *tctx, 
1691                                  struct dcerpc_pipe *p)
1692 {
1693         NTSTATUS status;
1694         struct netr_LogonControl2Ex r;
1695         union netr_CONTROL_DATA_INFORMATION data;
1696         union netr_CONTROL_QUERY_INFORMATION query;
1697         int i;
1698
1699         data.domain = lp_workgroup(tctx->lp_ctx);
1700
1701         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1702
1703         r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1704         r.in.data = &data;
1705         r.out.query = &query;
1706
1707         for (i=1;i<4;i++) {
1708                 r.in.level = i;
1709
1710                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1711                        i, r.in.function_code);
1712
1713                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1714                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1715         }
1716
1717         data.domain = lp_workgroup(tctx->lp_ctx);
1718
1719         r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1720         r.in.data = &data;
1721
1722         for (i=1;i<4;i++) {
1723                 r.in.level = i;
1724
1725                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1726                        i, r.in.function_code);
1727
1728                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1729                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1730         }
1731
1732         data.domain = lp_workgroup(tctx->lp_ctx);
1733
1734         r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1735         r.in.data = &data;
1736
1737         for (i=1;i<4;i++) {
1738                 r.in.level = i;
1739
1740                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1741                        i, r.in.function_code);
1742
1743                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1744                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1745         }
1746
1747         data.debug_level = ~0;
1748
1749         r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1750         r.in.data = &data;
1751
1752         for (i=1;i<4;i++) {
1753                 r.in.level = i;
1754
1755                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1756                        i, r.in.function_code);
1757
1758                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1759                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1760         }
1761
1762         return true;
1763 }
1764
1765 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, 
1766                                                    struct dcerpc_pipe *p, const char *trusted_domain_name) 
1767 {
1768         NTSTATUS status;
1769         struct netr_DsRGetForestTrustInformation r;
1770         struct lsa_ForestTrustInformation info, *info_ptr;
1771
1772         info_ptr = &info;
1773
1774         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1775         r.in.trusted_domain_name = trusted_domain_name;
1776         r.in.flags = 0;
1777         r.out.forest_trust_info = &info_ptr;
1778
1779         torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1780
1781         status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1782         torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1783         torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1784
1785         return true;
1786 }
1787
1788 /*
1789   try a netlogon netr_DsrEnumerateDomainTrusts
1790 */
1791 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, 
1792                                           struct dcerpc_pipe *p)
1793 {
1794         NTSTATUS status;
1795         struct netr_DsrEnumerateDomainTrusts r;
1796         struct netr_DomainTrustList trusts;
1797         int i;
1798
1799         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1800         r.in.trust_flags = 0x3f;
1801         r.out.trusts = &trusts;
1802
1803         status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1804         torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1805         torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1806
1807         /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1808          * will show non-forest trusts and all UPN suffixes of the own forest
1809          * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1810
1811         if (r.out.trusts->count) {
1812                 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1813                         return false;
1814                 }
1815         }
1816
1817         for (i=0; i<r.out.trusts->count; i++) {
1818
1819                 /* get info for transitive forest trusts */
1820
1821                 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1822                         if (!test_netr_DsRGetForestTrustInformation(tctx, p, 
1823                                                                     r.out.trusts->array[i].dns_name)) {
1824                                 return false;
1825                         }
1826                 }
1827         }
1828
1829         return true;
1830 }
1831
1832 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1833                                                   struct dcerpc_pipe *p)
1834 {
1835         NTSTATUS status;
1836         struct netr_NetrEnumerateTrustedDomains r;
1837         struct netr_Blob trusted_domains_blob;
1838
1839         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1840         r.out.trusted_domains_blob = &trusted_domains_blob;
1841
1842         status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1843         torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1844         torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1845
1846         return true;
1847 }
1848
1849 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1850                                                     struct dcerpc_pipe *p)
1851 {
1852         NTSTATUS status;
1853         struct netr_NetrEnumerateTrustedDomainsEx r;
1854         struct netr_DomainTrustList dom_trust_list;
1855
1856         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1857         r.out.dom_trust_list = &dom_trust_list;
1858
1859         status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1860         torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1861         torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1862
1863         return true;
1864 }
1865
1866
1867 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1868                                      const char *computer_name, 
1869                                      const char *expected_site) 
1870 {
1871         NTSTATUS status;
1872         struct netr_DsRGetSiteName r;
1873         const char *site = NULL;
1874
1875         if (torture_setting_bool(tctx, "samba4", false))
1876                 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1877
1878         r.in.computer_name              = computer_name;
1879         r.out.site                      = &site;
1880         torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1881
1882         status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1883         torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1884         torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1885         torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1886
1887         r.in.computer_name              = talloc_asprintf(tctx, "\\\\%s", computer_name);
1888         torture_comment(tctx, 
1889                         "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1890
1891         status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1892         torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1893         torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1894
1895         return true;
1896 }
1897
1898 /*
1899   try a netlogon netr_DsRGetDCName
1900 */
1901 static bool test_netr_DsRGetDCName(struct torture_context *tctx, 
1902                                    struct dcerpc_pipe *p)
1903 {
1904         NTSTATUS status;
1905         struct netr_DsRGetDCName r;
1906         struct netr_DsRGetDCNameInfo *info = NULL;
1907
1908         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1909         r.in.domain_name        = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1910         r.in.domain_guid        = NULL;
1911         r.in.site_guid          = NULL;
1912         r.in.flags              = DS_RETURN_DNS_NAME;
1913         r.out.info              = &info;
1914
1915         status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1916         torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1917         torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1918         return test_netr_DsRGetSiteName(p, tctx, 
1919                                        info->dc_unc,
1920                                        info->dc_site_name);
1921 }
1922
1923 /*
1924   try a netlogon netr_DsRGetDCNameEx
1925 */
1926 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, 
1927                                      struct dcerpc_pipe *p)
1928 {
1929         NTSTATUS status;
1930         struct netr_DsRGetDCNameEx r;
1931         struct netr_DsRGetDCNameInfo *info = NULL;
1932
1933         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1934         r.in.domain_name        = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1935         r.in.domain_guid        = NULL;
1936         r.in.site_name          = NULL;
1937         r.in.flags              = DS_RETURN_DNS_NAME;
1938         r.out.info              = &info;
1939
1940         status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1941         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1942         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1943
1944         return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1945                                         info->dc_site_name);
1946 }
1947
1948 /*
1949   try a netlogon netr_DsRGetDCNameEx2
1950 */
1951 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, 
1952                                       struct dcerpc_pipe *p)
1953 {
1954         NTSTATUS status;
1955         struct netr_DsRGetDCNameEx2 r;
1956         struct netr_DsRGetDCNameInfo *info = NULL;
1957
1958         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1959         r.in.client_account     = NULL;
1960         r.in.mask               = 0x00000000;
1961         r.in.domain_name        = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1962         r.in.domain_guid        = NULL;
1963         r.in.site_name          = NULL;
1964         r.in.flags              = DS_RETURN_DNS_NAME;
1965         r.out.info              = &info;
1966
1967         torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1968
1969         status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1970         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1971         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1972
1973         torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1974         r.in.client_account     = TEST_MACHINE_NAME"$";
1975         r.in.mask               = ACB_SVRTRUST;
1976         r.in.flags              = DS_RETURN_FLAT_NAME;
1977         r.out.info              = &info;
1978
1979         status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1980         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1981         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1982         return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1983                                         info->dc_site_name);
1984 }
1985
1986 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, 
1987                                             struct dcerpc_pipe *p)
1988 {
1989         NTSTATUS status;
1990         struct netr_DsrGetDcSiteCoverageW r;
1991         struct DcSitesCtr *ctr = NULL;
1992
1993         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1994         r.out.ctr = &ctr;
1995
1996         status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1997         torture_assert_ntstatus_ok(tctx, status, "failed");
1998         torture_assert_werr_ok(tctx, r.out.result, "failed");
1999
2000         return true;
2001 }
2002
2003 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2004                                              struct dcerpc_pipe *p)
2005 {
2006         NTSTATUS status;
2007         struct netr_DsRAddressToSitenamesW r;
2008         struct netr_DsRAddress addr;
2009         struct netr_DsRAddressToSitenamesWCtr *ctr;
2010
2011         ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2012
2013         addr.size = 16;
2014         addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2015
2016         addr.buffer[0] = 2; /* AF_INET */
2017         addr.buffer[4] = 127;
2018         addr.buffer[5] = 0;
2019         addr.buffer[6] = 0;
2020         addr.buffer[7] = 1;
2021
2022         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2023         r.in.count = 1;
2024         r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2025         r.in.addresses[0] = addr;
2026         r.out.ctr = &ctr;
2027
2028         status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2029         torture_assert_ntstatus_ok(tctx, status, "failed");
2030         torture_assert_werr_ok(tctx, r.out.result, "failed");
2031
2032         return true;
2033 }
2034
2035 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2036                                                struct dcerpc_pipe *p)
2037 {
2038         NTSTATUS status;
2039         struct netr_DsRAddressToSitenamesExW r;
2040         struct netr_DsRAddress addr;
2041         struct netr_DsRAddressToSitenamesExWCtr *ctr;
2042
2043         ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2044
2045         addr.size = 16;
2046         addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2047
2048         addr.buffer[0] = 2; /* AF_INET */
2049         addr.buffer[4] = 127;
2050         addr.buffer[5] = 0;
2051         addr.buffer[6] = 0;
2052         addr.buffer[7] = 1;
2053
2054         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2055         r.in.count = 1;
2056         r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2057         r.in.addresses[0] = addr;
2058         r.out.ctr = &ctr;
2059
2060         status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2061         torture_assert_ntstatus_ok(tctx, status, "failed");
2062         torture_assert_werr_ok(tctx, r.out.result, "failed");
2063
2064         return true;
2065 }
2066
2067 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2068                                          struct dcerpc_pipe *p,
2069                                          struct cli_credentials *machine_credentials)
2070 {
2071         NTSTATUS status;
2072         struct netr_ServerGetTrustInfo r;
2073
2074         struct netr_Authenticator a;
2075         struct netr_Authenticator return_authenticator;
2076         struct samr_Password new_owf_password;
2077         struct samr_Password old_owf_password;
2078         struct netr_TrustInfo *trust_info;
2079
2080         struct netlogon_creds_CredentialState *creds;
2081
2082         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2083                                     machine_credentials, &creds)) {
2084                 return false;
2085         }
2086
2087         netlogon_creds_client_authenticator(creds, &a);
2088
2089         r.in.server_name                = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2090         r.in.account_name               = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2091         r.in.secure_channel_type        = SEC_CHAN_BDC;
2092         r.in.computer_name              = TEST_MACHINE_NAME;
2093         r.in.credential                 = &a;
2094
2095         r.out.return_authenticator      = &return_authenticator;
2096         r.out.new_owf_password          = &new_owf_password;
2097         r.out.old_owf_password          = &old_owf_password;
2098         r.out.trust_info                = &trust_info;
2099
2100         status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2101         torture_assert_ntstatus_ok(tctx, status, "failed");
2102         torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2103
2104         return true;
2105 }
2106
2107
2108 static bool test_GetDomainInfo(struct torture_context *tctx, 
2109                                struct dcerpc_pipe *p,
2110                                struct cli_credentials *machine_credentials)
2111 {
2112         NTSTATUS status;
2113         struct netr_LogonGetDomainInfo r;
2114         struct netr_DomainQuery1 q1;
2115         struct netr_Authenticator a;
2116         struct netlogon_creds_CredentialState *creds;
2117         union netr_DomainInfo info;
2118
2119         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
2120                                     machine_credentials, &creds)) {
2121                 return false;
2122         }
2123
2124         ZERO_STRUCT(r);
2125
2126         netlogon_creds_client_authenticator(creds, &a);
2127
2128         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2129         r.in.computer_name = TEST_MACHINE_NAME;
2130         r.in.level = 1;
2131         r.in.credential = &a;
2132         r.in.return_authenticator = &a;
2133         r.out.return_authenticator = &a;
2134         r.out.info = &info;
2135
2136         r.in.query.query1 = &q1;
2137         ZERO_STRUCT(q1);
2138         
2139         /* this should really be the fully qualified name */
2140         q1.workstation_domain = TEST_MACHINE_NAME;
2141         q1.workstation_site = "Default-First-Site-Name";
2142         q1.blob2.length = 0;
2143         q1.blob2.size = 0;
2144         q1.blob2.array = NULL;
2145         q1.product.string = "product string";
2146
2147         torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2148
2149         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2150         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2151         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2152
2153         torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2154         netlogon_creds_client_authenticator(creds, &a);
2155
2156         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2157         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2158         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2159
2160         return true;
2161 }
2162
2163
2164 static void async_callback(struct rpc_request *req)
2165 {
2166         int *counter = (int *)req->async.private_data;
2167         if (NT_STATUS_IS_OK(req->status)) {
2168                 (*counter)++;
2169         }
2170 }
2171
2172 static bool test_GetDomainInfo_async(struct torture_context *tctx, 
2173                                      struct dcerpc_pipe *p,
2174                                      struct cli_credentials *machine_credentials)
2175 {
2176         NTSTATUS status;
2177         struct netr_LogonGetDomainInfo r;
2178         struct netr_DomainQuery1 q1;
2179         struct netr_Authenticator a;
2180 #define ASYNC_COUNT 100
2181         struct netlogon_creds_CredentialState *creds;
2182         struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
2183         struct rpc_request *req[ASYNC_COUNT];
2184         int i;
2185         int *async_counter = talloc(tctx, int);
2186         union netr_DomainInfo info;
2187
2188         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
2189                                     machine_credentials, &creds)) {
2190                 return false;
2191         }
2192
2193         ZERO_STRUCT(r);
2194         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2195         r.in.computer_name = TEST_MACHINE_NAME;
2196         r.in.level = 1;
2197         r.in.credential = &a;
2198         r.in.return_authenticator = &a;
2199         r.out.return_authenticator = &a;
2200         r.out.info = &info;
2201
2202         r.in.query.query1 = &q1;
2203         ZERO_STRUCT(q1);
2204         
2205         /* this should really be the fully qualified name */
2206         q1.workstation_domain = TEST_MACHINE_NAME;
2207         q1.workstation_site = "Default-First-Site-Name";
2208         q1.blob2.length = 0;
2209         q1.blob2.size = 0;
2210         q1.blob2.array = NULL;
2211         q1.product.string = "product string";
2212
2213         torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2214
2215         *async_counter = 0;
2216
2217         for (i=0;i<ASYNC_COUNT;i++) {
2218                 netlogon_creds_client_authenticator(creds, &a);
2219
2220                 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2221                 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2222
2223                 req[i]->async.callback = async_callback;
2224                 req[i]->async.private_data = async_counter;
2225
2226                 /* even with this flush per request a w2k3 server seems to 
2227                    clag with multiple outstanding requests. bleergh. */
2228                 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0, 
2229                                          "event_loop_once failed");
2230         }
2231
2232         for (i=0;i<ASYNC_COUNT;i++) {
2233                 status = dcerpc_ndr_request_recv(req[i]);
2234
2235                 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2236                 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); 
2237
2238                 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), 
2239                         "Credential chaining failed at async");
2240         }
2241
2242         torture_comment(tctx, 
2243                         "Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2244
2245         torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2246
2247         return true;
2248 }
2249
2250 static bool test_ManyGetDCName(struct torture_context *tctx, 
2251                                struct dcerpc_pipe *p)
2252 {
2253         NTSTATUS status;
2254         struct dcerpc_pipe *p2;
2255         struct lsa_ObjectAttribute attr;
2256         struct lsa_QosInfo qos;
2257         struct lsa_OpenPolicy2 o;
2258         struct policy_handle lsa_handle;
2259         struct lsa_DomainList domains;
2260
2261         struct lsa_EnumTrustDom t;
2262         uint32_t resume_handle = 0;
2263         struct netr_GetAnyDCName d;
2264         const char *dcname = NULL;
2265
2266         int i;
2267
2268         if (p->conn->transport.transport != NCACN_NP) {
2269                 return true;
2270         }
2271
2272         torture_comment(tctx, "Torturing GetDCName\n");
2273
2274         status = dcerpc_secondary_connection(p, &p2, p->binding);
2275         torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2276
2277         status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2278         torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2279
2280         qos.len = 0;
2281         qos.impersonation_level = 2;
2282         qos.context_mode = 1;
2283         qos.effective_only = 0;
2284
2285         attr.len = 0;
2286         attr.root_dir = NULL;
2287         attr.object_name = NULL;
2288         attr.attributes = 0;
2289         attr.sec_desc = NULL;
2290         attr.sec_qos = &qos;
2291
2292         o.in.system_name = "\\";
2293         o.in.attr = &attr;
2294         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2295         o.out.handle = &lsa_handle;
2296
2297         status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2298         torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2299
2300         t.in.handle = &lsa_handle;
2301         t.in.resume_handle = &resume_handle;
2302         t.in.max_size = 1000;
2303         t.out.domains = &domains;
2304         t.out.resume_handle = &resume_handle;
2305
2306         status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2307
2308         if ((!NT_STATUS_IS_OK(status) &&
2309              (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2310                 torture_fail(tctx, "Could not list domains");
2311
2312         talloc_free(p2);
2313
2314         d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2315                                             dcerpc_server_name(p));
2316         d.out.dcname = &dcname;
2317
2318         for (i=0; i<domains.count * 4; i++) {
2319                 struct lsa_DomainInfo *info =
2320                         &domains.domains[rand()%domains.count];
2321
2322                 d.in.domainname = info->name.string;
2323
2324                 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2325                 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2326
2327                 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2328                        dcname ? dcname : "unknown");
2329         }
2330
2331         return true;
2332 }
2333
2334 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2335 {
2336         struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2337         struct torture_rpc_tcase *tcase;
2338         struct torture_test *test;
2339
2340         tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon", 
2341                                                   &ndr_table_netlogon, TEST_MACHINE_NAME);
2342
2343         torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2344         torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2345         torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2346         torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2347         torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2348         torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2349         torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2350         torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2351         torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2352         torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2353         torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2354         torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2355         torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2356         torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2357         torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2358         torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2359         torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2360         torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2361         torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2362         torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2363         torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2364         torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2365         torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2366         test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2367         test->dangerous = true;
2368         torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2369         torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2370         torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2371         torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2372         torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2373         torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2374         torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
2375
2376         return suite;
2377 }