s4:RPC-NETLOGON: remove useless rpc callback
[ira/wip.git] / source4 / torture / rpc / netlogon.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    test suite for netlogon rpc operations
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8    Copyright (C) Tim Potter      2003
9    Copyright (C) Matthias Dieter Wallnöfer            2009
10    
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/util/util_ldb.h"
37 #include "lib/ldb_wrap.h"
38
39 #define TEST_MACHINE_NAME "torturetest"
40 #define TEST_MACHINE_DNS_SUFFIX "torturedomain"
41
42 static bool test_LogonUasLogon(struct torture_context *tctx, 
43                                struct dcerpc_pipe *p)
44 {
45         NTSTATUS status;
46         struct netr_LogonUasLogon r;
47         struct netr_UasInfo *info = NULL;
48
49         r.in.server_name = NULL;
50         r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51         r.in.workstation = TEST_MACHINE_NAME;
52         r.out.info = &info;
53
54         status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55         torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
56
57         return true;
58 }
59
60 static bool test_LogonUasLogoff(struct torture_context *tctx,
61                                 struct dcerpc_pipe *p)
62 {
63         NTSTATUS status;
64         struct netr_LogonUasLogoff r;
65         struct netr_UasLogoffInfo info;
66
67         r.in.server_name = NULL;
68         r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69         r.in.workstation = TEST_MACHINE_NAME;
70         r.out.info = &info;
71
72         status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73         torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
74
75         return true;
76 }
77
78 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79                                   struct cli_credentials *credentials,
80                                   struct netlogon_creds_CredentialState **creds_out)
81 {
82         NTSTATUS status;
83         struct netr_ServerReqChallenge r;
84         struct netr_ServerAuthenticate a;
85         struct netr_Credential credentials1, credentials2, credentials3;
86         struct netlogon_creds_CredentialState *creds;
87         const struct samr_Password *mach_password;
88         const char *machine_name;
89
90         mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91         machine_name = cli_credentials_get_workstation(credentials);
92
93         torture_comment(tctx, "Testing ServerReqChallenge\n");
94
95         r.in.server_name = NULL;
96         r.in.computer_name = machine_name;
97         r.in.credentials = &credentials1;
98         r.out.return_credentials = &credentials2;
99
100         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
101
102         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
103         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
104
105         a.in.server_name = NULL;
106         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
107         a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
108         a.in.computer_name = machine_name;
109         a.in.credentials = &credentials3;
110         a.out.return_credentials = &credentials3;
111
112         creds = netlogon_creds_client_init(tctx, a.in.account_name,
113                                            a.in.computer_name,
114                                            &credentials1, &credentials2, 
115                                            mach_password, &credentials3, 
116                                            0);
117         torture_assert(tctx, creds != NULL, "memory allocation");
118
119
120         torture_comment(tctx, "Testing ServerAuthenticate\n");
121
122         status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123
124         /* This allows the tests to continue against the more fussy windows 2008 */
125         if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
126                 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
127                                               credentials,
128                                               cli_credentials_get_secure_channel_type(credentials),
129                                               creds_out);
130         }
131
132         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
133
134         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), 
135                        "Credential chaining failed");
136
137         *creds_out = creds;
138         return true;
139 }
140
141 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
142                             uint32_t negotiate_flags,
143                             struct cli_credentials *machine_credentials,
144                             int sec_chan_type,
145                             struct netlogon_creds_CredentialState **creds_out)
146 {
147         NTSTATUS status;
148         struct netr_ServerReqChallenge r;
149         struct netr_ServerAuthenticate2 a;
150         struct netr_Credential credentials1, credentials2, credentials3;
151         struct netlogon_creds_CredentialState *creds;
152         const struct samr_Password *mach_password;
153         const char *machine_name;
154
155         mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
156         machine_name = cli_credentials_get_workstation(machine_credentials);
157
158         torture_comment(tctx, "Testing ServerReqChallenge\n");
159
160
161         r.in.server_name = NULL;
162         r.in.computer_name = machine_name;
163         r.in.credentials = &credentials1;
164         r.out.return_credentials = &credentials2;
165
166         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
167
168         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
169         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
170
171         a.in.server_name = NULL;
172         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
173         a.in.secure_channel_type = sec_chan_type;
174         a.in.computer_name = machine_name;
175         a.in.negotiate_flags = &negotiate_flags;
176         a.out.negotiate_flags = &negotiate_flags;
177         a.in.credentials = &credentials3;
178         a.out.return_credentials = &credentials3;
179
180         creds = netlogon_creds_client_init(tctx, a.in.account_name,
181                                            a.in.computer_name, 
182                                            &credentials1, &credentials2, 
183                                            mach_password, &credentials3, 
184                                            negotiate_flags);
185
186         torture_assert(tctx, creds != NULL, "memory allocation");
187
188         torture_comment(tctx, "Testing ServerAuthenticate2\n");
189
190         status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
191         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
192
193         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), 
194                 "Credential chaining failed");
195
196         torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
197
198         *creds_out = creds;
199         return true;
200 }
201
202
203 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
204                             uint32_t negotiate_flags,
205                             struct cli_credentials *machine_credentials,
206                             struct netlogon_creds_CredentialState **creds_out)
207 {
208         NTSTATUS status;
209         struct netr_ServerReqChallenge r;
210         struct netr_ServerAuthenticate3 a;
211         struct netr_Credential credentials1, credentials2, credentials3;
212         struct netlogon_creds_CredentialState *creds;
213         struct samr_Password mach_password;
214         uint32_t rid;
215         const char *machine_name;
216         const char *plain_pass;
217
218         machine_name = cli_credentials_get_workstation(machine_credentials);
219         plain_pass = cli_credentials_get_password(machine_credentials);
220
221         torture_comment(tctx, "Testing ServerReqChallenge\n");
222
223         r.in.server_name = NULL;
224         r.in.computer_name = machine_name;
225         r.in.credentials = &credentials1;
226         r.out.return_credentials = &credentials2;
227
228         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
229
230         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
231         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
232
233         E_md4hash(plain_pass, mach_password.hash);
234
235         a.in.server_name = NULL;
236         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
237         a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
238         a.in.computer_name = machine_name;
239         a.in.negotiate_flags = &negotiate_flags;
240         a.in.credentials = &credentials3;
241         a.out.return_credentials = &credentials3;
242         a.out.negotiate_flags = &negotiate_flags;
243         a.out.rid = &rid;
244
245         creds = netlogon_creds_client_init(tctx, a.in.account_name,
246                                            a.in.computer_name,
247                                            &credentials1, &credentials2, 
248                                            &mach_password, &credentials3,
249                                            negotiate_flags);
250         
251         torture_assert(tctx, creds != NULL, "memory allocation");
252
253         torture_comment(tctx, "Testing ServerAuthenticate3\n");
254
255         status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
256         torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
257         torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
258
259         torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
260         
261         /* Prove that requesting a challenge again won't break it */
262         status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
263         torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
264
265         *creds_out = creds;
266         return true;
267 }
268
269 /*
270   try a change password for our machine account
271 */
272 static bool test_SetPassword(struct torture_context *tctx, 
273                              struct dcerpc_pipe *p,
274                              struct cli_credentials *machine_credentials)
275 {
276         NTSTATUS status;
277         struct netr_ServerPasswordSet r;
278         const char *password;
279         struct netlogon_creds_CredentialState *creds;
280         struct netr_Authenticator credential, return_authenticator;
281         struct samr_Password new_password;
282
283         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
284                 return false;
285         }
286
287         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
288         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
289         r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
290         r.in.computer_name = TEST_MACHINE_NAME;
291         r.in.credential = &credential;
292         r.in.new_password = &new_password;
293         r.out.return_authenticator = &return_authenticator;
294
295         password = generate_random_password(tctx, 8, 255);
296         E_md4hash(password, new_password.hash);
297
298         netlogon_creds_des_encrypt(creds, &new_password);
299
300         torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
301         torture_comment(tctx, "Changing machine account password to '%s'\n", 
302                         password);
303
304         netlogon_creds_client_authenticator(creds, &credential);
305
306         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
307         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
308
309         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
310                 torture_comment(tctx, "Credential chaining failed\n");
311         }
312
313         /* by changing the machine password twice we test the
314            credentials chaining fully, and we verify that the server
315            allows the password to be set to the same value twice in a
316            row (match win2k3) */
317         torture_comment(tctx, 
318                 "Testing a second ServerPasswordSet on machine account\n");
319         torture_comment(tctx, 
320                 "Changing machine account password to '%s' (same as previous run)\n", password);
321
322         netlogon_creds_client_authenticator(creds, &credential);
323
324         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
325         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
326
327         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
328                 torture_comment(tctx, "Credential chaining failed\n");
329         }
330
331         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
332
333         torture_assert(tctx, 
334                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
335                 "ServerPasswordSet failed to actually change the password");
336
337         return true;
338 }
339
340 /*
341   try a change password for our machine account
342 */
343 static bool test_SetPassword_flags(struct torture_context *tctx,
344                                    struct dcerpc_pipe *p,
345                                    struct cli_credentials *machine_credentials,
346                                    uint32_t negotiate_flags)
347 {
348         NTSTATUS status;
349         struct netr_ServerPasswordSet r;
350         const char *password;
351         struct netlogon_creds_CredentialState *creds;
352         struct netr_Authenticator credential, return_authenticator;
353         struct samr_Password new_password;
354
355         if (!test_SetupCredentials2(p, tctx, negotiate_flags,
356                                     machine_credentials,
357                                     cli_credentials_get_secure_channel_type(machine_credentials),
358                                     &creds)) {
359                 return false;
360         }
361
362         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
363         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
364         r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
365         r.in.computer_name = TEST_MACHINE_NAME;
366         r.in.credential = &credential;
367         r.in.new_password = &new_password;
368         r.out.return_authenticator = &return_authenticator;
369
370         password = generate_random_password(tctx, 8, 255);
371         E_md4hash(password, new_password.hash);
372
373         netlogon_creds_des_encrypt(creds, &new_password);
374
375         torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
376         torture_comment(tctx, "Changing machine account password to '%s'\n",
377                         password);
378
379         netlogon_creds_client_authenticator(creds, &credential);
380
381         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
382         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
383
384         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
385                 torture_comment(tctx, "Credential chaining failed\n");
386         }
387
388         /* by changing the machine password twice we test the
389            credentials chaining fully, and we verify that the server
390            allows the password to be set to the same value twice in a
391            row (match win2k3) */
392         torture_comment(tctx,
393                 "Testing a second ServerPasswordSet on machine account\n");
394         torture_comment(tctx,
395                 "Changing machine account password to '%s' (same as previous run)\n", password);
396
397         netlogon_creds_client_authenticator(creds, &credential);
398
399         status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
400         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
401
402         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
403                 torture_comment(tctx, "Credential chaining failed\n");
404         }
405
406         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
407
408         torture_assert(tctx,
409                 test_SetupCredentials(p, tctx, machine_credentials, &creds),
410                 "ServerPasswordSet failed to actually change the password");
411
412         return true;
413 }
414
415
416 /*
417   generate a random password for password change tests
418 */
419 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
420 {
421         int i;
422         DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
423         generate_random_buffer(password.data, password.length);
424
425         for (i=0; i < len; i++) {
426                 if (((uint16_t *)password.data)[i] == 0) {
427                         ((uint16_t *)password.data)[i] = 1;
428                 }
429         }
430
431         return password;
432 }
433
434 /*
435   try a change password for our machine account
436 */
437 static bool test_SetPassword2(struct torture_context *tctx, 
438                               struct dcerpc_pipe *p, 
439                               struct cli_credentials *machine_credentials)
440 {
441         NTSTATUS status;
442         struct netr_ServerPasswordSet2 r;
443         const char *password;
444         DATA_BLOB new_random_pass;
445         struct netlogon_creds_CredentialState *creds;
446         struct samr_CryptPassword password_buf;
447         struct samr_Password nt_hash;
448         struct netr_Authenticator credential, return_authenticator;
449         struct netr_CryptPassword new_password;
450
451         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
452                 return false;
453         }
454
455         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
456         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
457         r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
458         r.in.computer_name = TEST_MACHINE_NAME;
459         r.in.credential = &credential;
460         r.in.new_password = &new_password;
461         r.out.return_authenticator = &return_authenticator;
462
463         password = generate_random_password(tctx, 8, 255);
464         encode_pw_buffer(password_buf.data, password, STR_UNICODE);
465         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
466
467         memcpy(new_password.data, password_buf.data, 512);
468         new_password.length = IVAL(password_buf.data, 512);
469
470         torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
471         torture_comment(tctx, "Changing machine account password to '%s'\n", password);
472
473         netlogon_creds_client_authenticator(creds, &credential);
474
475         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
476         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
477
478         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
479                 torture_comment(tctx, "Credential chaining failed\n");
480         }
481
482         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
483
484         if (!torture_setting_bool(tctx, "dangerous", false)) {
485                 torture_comment(tctx, 
486                         "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
487         } else {
488                 /* by changing the machine password to ""
489                  * we check if the server uses password restrictions
490                  * for ServerPasswordSet2
491                  * (win2k3 accepts "")
492                  */
493                 password = "";
494                 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
495                 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
496                 
497                 memcpy(new_password.data, password_buf.data, 512);
498                 new_password.length = IVAL(password_buf.data, 512);
499                 
500                 torture_comment(tctx, 
501                         "Testing ServerPasswordSet2 on machine account\n");
502                 torture_comment(tctx, 
503                         "Changing machine account password to '%s'\n", password);
504                 
505                 netlogon_creds_client_authenticator(creds, &credential);
506                 
507                 status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
508                 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
509                 
510                 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
511                         torture_comment(tctx, "Credential chaining failed\n");
512                 }
513                 
514                 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
515         }
516
517         torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), 
518                 "ServerPasswordSet failed to actually change the password");
519
520         /* now try a random password */
521         password = generate_random_password(tctx, 8, 255);
522         encode_pw_buffer(password_buf.data, password, STR_UNICODE);
523         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
524
525         memcpy(new_password.data, password_buf.data, 512);
526         new_password.length = IVAL(password_buf.data, 512);
527
528         torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
529         torture_comment(tctx, "Changing machine account password to '%s'\n", password);
530
531         netlogon_creds_client_authenticator(creds, &credential);
532
533         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
534         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
535
536         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
537                 torture_comment(tctx, "Credential chaining failed\n");
538         }
539
540         /* by changing the machine password twice we test the
541            credentials chaining fully, and we verify that the server
542            allows the password to be set to the same value twice in a
543            row (match win2k3) */
544         torture_comment(tctx, 
545                 "Testing a second ServerPasswordSet2 on machine account\n");
546         torture_comment(tctx, 
547                 "Changing machine account password to '%s' (same as previous run)\n", password);
548
549         netlogon_creds_client_authenticator(creds, &credential);
550
551         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
552         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
553
554         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
555                 torture_comment(tctx, "Credential chaining failed\n");
556         }
557
558         cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
559
560         torture_assert (tctx, 
561                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
562                 "ServerPasswordSet failed to actually change the password");
563
564         new_random_pass = netlogon_very_rand_pass(tctx, 128);
565
566         /* now try a random stream of bytes for a password */
567         set_pw_in_buffer(password_buf.data, &new_random_pass);
568
569         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
570
571         memcpy(new_password.data, password_buf.data, 512);
572         new_password.length = IVAL(password_buf.data, 512);
573
574         torture_comment(tctx, 
575                 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
576
577         netlogon_creds_client_authenticator(creds, &credential);
578
579         status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
580         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
581
582         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
583                 torture_comment(tctx, "Credential chaining failed\n");
584         }
585
586         mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
587
588         cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
589         cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
590
591         torture_assert (tctx, 
592                 test_SetupCredentials(p, tctx, machine_credentials, &creds), 
593                 "ServerPasswordSet failed to actually change the password");
594
595         return true;
596 }
597
598 static bool test_GetPassword(struct torture_context *tctx,
599                              struct dcerpc_pipe *p,
600                              struct cli_credentials *machine_credentials)
601 {
602         struct netr_ServerPasswordGet r;
603         struct netlogon_creds_CredentialState *creds;
604         struct netr_Authenticator credential;
605         NTSTATUS status;
606         struct netr_Authenticator return_authenticator;
607         struct samr_Password password;
608
609         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
610                 return false;
611         }
612
613         netlogon_creds_client_authenticator(creds, &credential);
614
615         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
616         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
617         r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
618         r.in.computer_name = TEST_MACHINE_NAME;
619         r.in.credential = &credential;
620         r.out.return_authenticator = &return_authenticator;
621         r.out.password = &password;
622
623         status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
624         torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
625
626         return true;
627 }
628
629 static bool test_GetTrustPasswords(struct torture_context *tctx,
630                                    struct dcerpc_pipe *p,
631                                    struct cli_credentials *machine_credentials)
632 {
633         struct netr_ServerTrustPasswordsGet r;
634         struct netlogon_creds_CredentialState *creds;
635         struct netr_Authenticator credential;
636         NTSTATUS status;
637         struct netr_Authenticator return_authenticator;
638         struct samr_Password password, password2;
639
640         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
641                 return false;
642         }
643
644         netlogon_creds_client_authenticator(creds, &credential);
645
646         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
647         r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
648         r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
649         r.in.computer_name = TEST_MACHINE_NAME;
650         r.in.credential = &credential;
651         r.out.return_authenticator = &return_authenticator;
652         r.out.password = &password;
653         r.out.password2 = &password2;
654
655         status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
656         torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
657
658         return true;
659 }
660
661 /*
662   try a netlogon SamLogon
663 */
664 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
665                               struct cli_credentials *credentials, 
666                               struct netlogon_creds_CredentialState *creds)
667 {
668         NTSTATUS status;
669         struct netr_LogonSamLogon r;
670         struct netr_Authenticator auth, auth2;
671         union netr_LogonLevel logon;
672         union netr_Validation validation;
673         uint8_t authoritative;
674         struct netr_NetworkInfo ninfo;
675         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
676         int i;
677         int flags = CLI_CRED_NTLM_AUTH;
678         if (lp_client_lanman_auth(tctx->lp_ctx)) {
679                 flags |= CLI_CRED_LANMAN_AUTH;
680         }
681
682         if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
683                 flags |= CLI_CRED_NTLMv2_AUTH;
684         }
685
686         cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, 
687                                                  &ninfo.identity_info.account_name.string,
688                                                  &ninfo.identity_info.domain_name.string);
689         
690         generate_random_buffer(ninfo.challenge, 
691                                sizeof(ninfo.challenge));
692         chal = data_blob_const(ninfo.challenge, 
693                                sizeof(ninfo.challenge));
694
695         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), 
696                                                 cli_credentials_get_domain(credentials));
697
698         status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, 
699                                                    &flags, 
700                                                    chal,
701                                                    names_blob,
702                                                    &lm_resp, &nt_resp,
703                                                    NULL, NULL);
704         torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
705
706         ninfo.lm.data = lm_resp.data;
707         ninfo.lm.length = lm_resp.length;
708
709         ninfo.nt.data = nt_resp.data;
710         ninfo.nt.length = nt_resp.length;
711
712         ninfo.identity_info.parameter_control = 0;
713         ninfo.identity_info.logon_id_low = 0;
714         ninfo.identity_info.logon_id_high = 0;
715         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
716
717         logon.network = &ninfo;
718
719         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
720         r.in.computer_name = cli_credentials_get_workstation(credentials);
721         r.in.credential = &auth;
722         r.in.return_authenticator = &auth2;
723         r.in.logon_level = 2;
724         r.in.logon = &logon;
725         r.out.validation = &validation;
726         r.out.authoritative = &authoritative;
727
728         d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
729         
730         for (i=2;i<3;i++) {
731                 ZERO_STRUCT(auth2);
732                 netlogon_creds_client_authenticator(creds, &auth);
733                 
734                 r.in.validation_level = i;
735                 
736                 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
737                 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
738                 
739                 torture_assert(tctx, netlogon_creds_client_check(creds, 
740                                                                  &r.out.return_authenticator->cred), 
741                         "Credential chaining failed");
742         }
743
744         r.in.credential = NULL;
745
746         for (i=2;i<=3;i++) {
747
748                 r.in.validation_level = i;
749
750                 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
751
752                 status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
753                 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, 
754                         "LogonSamLogon expected INVALID_PARAMETER");
755
756         }
757
758         return true;
759 }
760
761 /*
762   try a netlogon SamLogon
763 */
764 static bool test_SamLogon(struct torture_context *tctx, 
765                           struct dcerpc_pipe *p,
766                           struct cli_credentials *credentials)
767 {
768         struct netlogon_creds_CredentialState *creds;
769
770         if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
771                 return false;
772         }
773
774         return test_netlogon_ops(p, tctx, credentials, creds);
775 }
776
777 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
778 static uint64_t sequence_nums[3];
779
780 /*
781   try a netlogon DatabaseSync
782 */
783 static bool test_DatabaseSync(struct torture_context *tctx, 
784                               struct dcerpc_pipe *p,
785                               struct cli_credentials *machine_credentials)
786 {
787         NTSTATUS status;
788         struct netr_DatabaseSync r;
789         struct netlogon_creds_CredentialState *creds;
790         const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; 
791         int i;
792         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
793         struct netr_Authenticator credential, return_authenticator;
794
795         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
796                 return false;
797         }
798
799         ZERO_STRUCT(return_authenticator);
800
801         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
802         r.in.computername = TEST_MACHINE_NAME;
803         r.in.preferredmaximumlength = (uint32_t)-1;
804         r.in.return_authenticator = &return_authenticator;
805         r.out.delta_enum_array = &delta_enum_array;
806         r.out.return_authenticator = &return_authenticator;
807
808         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
809
810                 uint32_t sync_context = 0;
811
812                 r.in.database_id = database_ids[i];
813                 r.in.sync_context = &sync_context;
814                 r.out.sync_context = &sync_context;
815
816                 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
817
818                 do {
819                         netlogon_creds_client_authenticator(creds, &credential);
820
821                         r.in.credential = &credential;
822
823                         status = dcerpc_netr_DatabaseSync(p, tctx, &r);
824                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
825                             break;
826
827                         /* Native mode servers don't do this */
828                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
829                                 return true;
830                         }
831                         torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
832
833                         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
834                                 torture_comment(tctx, "Credential chaining failed\n");
835                         }
836
837                         if (delta_enum_array &&
838                             delta_enum_array->num_deltas > 0 &&
839                             delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
840                             delta_enum_array->delta_enum[0].delta_union.domain) {
841                                 sequence_nums[r.in.database_id] = 
842                                         delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
843                                 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
844                                        r.in.database_id, 
845                                        (unsigned long long)sequence_nums[r.in.database_id]);
846                         }
847                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
848         }
849
850         return true;
851 }
852
853
854 /*
855   try a netlogon DatabaseDeltas
856 */
857 static bool test_DatabaseDeltas(struct torture_context *tctx, 
858                                 struct dcerpc_pipe *p,
859                                 struct cli_credentials *machine_credentials)
860 {
861         NTSTATUS status;
862         struct netr_DatabaseDeltas r;
863         struct netlogon_creds_CredentialState *creds;
864         struct netr_Authenticator credential;
865         struct netr_Authenticator return_authenticator;
866         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
867         const uint32_t database_ids[] = {0, 1, 2}; 
868         int i;
869
870         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
871                 return false;
872         }
873
874         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
875         r.in.computername = TEST_MACHINE_NAME;
876         r.in.preferredmaximumlength = (uint32_t)-1;
877         ZERO_STRUCT(r.in.return_authenticator);
878         r.out.return_authenticator = &return_authenticator;
879         r.out.delta_enum_array = &delta_enum_array;
880
881         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
882                 r.in.database_id = database_ids[i];
883                 r.in.sequence_num = &sequence_nums[r.in.database_id];
884
885                 if (*r.in.sequence_num == 0) continue;
886
887                 *r.in.sequence_num -= 1;
888
889                 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", 
890                        r.in.database_id, (unsigned long long)*r.in.sequence_num);
891
892                 do {
893                         netlogon_creds_client_authenticator(creds, &credential);
894
895                         status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
896                         if (NT_STATUS_EQUAL(status, 
897                                              NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
898                                 torture_comment(tctx, "not considering %s to be an error\n",
899                                        nt_errstr(status));
900                                 return true;
901                         }
902                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) 
903                             break;
904
905                         torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
906
907                         if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
908                                 torture_comment(tctx, "Credential chaining failed\n");
909                         }
910
911                         (*r.in.sequence_num)++;
912                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
913         }
914
915         return true;
916 }
917
918 static bool test_DatabaseRedo(struct torture_context *tctx,
919                               struct dcerpc_pipe *p,
920                               struct cli_credentials *machine_credentials)
921 {
922         NTSTATUS status;
923         struct netr_DatabaseRedo r;
924         struct netlogon_creds_CredentialState *creds;
925         struct netr_Authenticator credential;
926         struct netr_Authenticator return_authenticator;
927         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
928         struct netr_ChangeLogEntry e;
929         struct dom_sid null_sid, *sid;
930         int i,d;
931
932         ZERO_STRUCT(null_sid);
933
934         sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
935
936         {
937
938         struct {
939                 uint32_t rid;
940                 uint16_t flags;
941                 uint8_t db_index;
942                 uint8_t delta_type;
943                 struct dom_sid sid;
944                 const char *name;
945                 NTSTATUS expected_error;
946                 uint32_t expected_num_results;
947                 uint8_t expected_delta_type_1;
948                 uint8_t expected_delta_type_2;
949                 const char *comment;
950         } changes[] = {
951
952                 /* SAM_DATABASE_DOMAIN */
953
954                 {
955                         .rid                    = 0,
956                         .flags                  = 0,
957                         .db_index               = SAM_DATABASE_DOMAIN,
958                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
959                         .sid                    = null_sid,
960                         .name                   = NULL,
961                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
962                         .expected_num_results   = 0,
963                         .comment                = "NETR_DELTA_MODIFY_COUNT"
964                 },
965                 {
966                         .rid                    = 0,
967                         .flags                  = 0,
968                         .db_index               = SAM_DATABASE_DOMAIN,
969                         .delta_type             = 0,
970                         .sid                    = null_sid,
971                         .name                   = NULL,
972                         .expected_error         = NT_STATUS_OK,
973                         .expected_num_results   = 1,
974                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
975                         .comment                = "NULL DELTA"
976                 },
977                 {
978                         .rid                    = 0,
979                         .flags                  = 0,
980                         .db_index               = SAM_DATABASE_DOMAIN,
981                         .delta_type             = NETR_DELTA_DOMAIN,
982                         .sid                    = null_sid,
983                         .name                   = NULL,
984                         .expected_error         = NT_STATUS_OK,
985                         .expected_num_results   = 1,
986                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
987                         .comment                = "NETR_DELTA_DOMAIN"
988                 },
989                 {
990                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
991                         .flags                  = 0,
992                         .db_index               = SAM_DATABASE_DOMAIN,
993                         .delta_type             = NETR_DELTA_USER,
994                         .sid                    = null_sid,
995                         .name                   = NULL,
996                         .expected_error         = NT_STATUS_OK,
997                         .expected_num_results   = 1,
998                         .expected_delta_type_1  = NETR_DELTA_USER,
999                         .comment                = "NETR_DELTA_USER by rid 500"
1000                 },
1001                 {
1002                         .rid                    = DOMAIN_RID_GUEST,
1003                         .flags                  = 0,
1004                         .db_index               = SAM_DATABASE_DOMAIN,
1005                         .delta_type             = NETR_DELTA_USER,
1006                         .sid                    = null_sid,
1007                         .name                   = NULL,
1008                         .expected_error         = NT_STATUS_OK,
1009                         .expected_num_results   = 1,
1010                         .expected_delta_type_1  = NETR_DELTA_USER,
1011                         .comment                = "NETR_DELTA_USER by rid 501"
1012                 },
1013                 {
1014                         .rid                    = 0,
1015                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1016                         .db_index               = SAM_DATABASE_DOMAIN,
1017                         .delta_type             = NETR_DELTA_USER,
1018                         .sid                    = *sid,
1019                         .name                   = NULL,
1020                         .expected_error         = NT_STATUS_OK,
1021                         .expected_num_results   = 1,
1022                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1023                         .comment                = "NETR_DELTA_USER by sid and flags"
1024                 },
1025                 {
1026                         .rid                    = 0,
1027                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1028                         .db_index               = SAM_DATABASE_DOMAIN,
1029                         .delta_type             = NETR_DELTA_USER,
1030                         .sid                    = null_sid,
1031                         .name                   = NULL,
1032                         .expected_error         = NT_STATUS_OK,
1033                         .expected_num_results   = 1,
1034                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1035                         .comment                = "NETR_DELTA_USER by null_sid and flags"
1036                 },
1037                 {
1038                         .rid                    = 0,
1039                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
1040                         .db_index               = SAM_DATABASE_DOMAIN,
1041                         .delta_type             = NETR_DELTA_USER,
1042                         .sid                    = null_sid,
1043                         .name                   = "administrator",
1044                         .expected_error         = NT_STATUS_OK,
1045                         .expected_num_results   = 1,
1046                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1047                         .comment                = "NETR_DELTA_USER by name 'administrator'"
1048                 },
1049                 {
1050                         .rid                    = DOMAIN_RID_ADMINS,
1051                         .flags                  = 0,
1052                         .db_index               = SAM_DATABASE_DOMAIN,
1053                         .delta_type             = NETR_DELTA_GROUP,
1054                         .sid                    = null_sid,
1055                         .name                   = NULL,
1056                         .expected_error         = NT_STATUS_OK,
1057                         .expected_num_results   = 2,
1058                         .expected_delta_type_1  = NETR_DELTA_GROUP,
1059                         .expected_delta_type_2  = NETR_DELTA_GROUP_MEMBER,
1060                         .comment                = "NETR_DELTA_GROUP by rid 512"
1061                 },
1062                 {
1063                         .rid                    = DOMAIN_RID_ADMINS,
1064                         .flags                  = 0,
1065                         .db_index               = SAM_DATABASE_DOMAIN,
1066                         .delta_type             = NETR_DELTA_GROUP_MEMBER,
1067                         .sid                    = null_sid,
1068                         .name                   = NULL,
1069                         .expected_error         = NT_STATUS_OK,
1070                         .expected_num_results   = 2,
1071                         .expected_delta_type_1  = NETR_DELTA_GROUP,
1072                         .expected_delta_type_2  = NETR_DELTA_GROUP_MEMBER,
1073                         .comment                = "NETR_DELTA_GROUP_MEMBER by rid 512"
1074                 },
1075
1076
1077                 /* SAM_DATABASE_BUILTIN */
1078
1079                 {
1080                         .rid                    = 0,
1081                         .flags                  = 0,
1082                         .db_index               = SAM_DATABASE_BUILTIN,
1083                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
1084                         .sid                    = null_sid,
1085                         .name                   = NULL,
1086                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1087                         .expected_num_results   = 0,
1088                         .comment                = "NETR_DELTA_MODIFY_COUNT"
1089                 },
1090                 {
1091                         .rid                    = 0,
1092                         .flags                  = 0,
1093                         .db_index               = SAM_DATABASE_BUILTIN,
1094                         .delta_type             = NETR_DELTA_DOMAIN,
1095                         .sid                    = null_sid,
1096                         .name                   = NULL,
1097                         .expected_error         = NT_STATUS_OK,
1098                         .expected_num_results   = 1,
1099                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1100                         .comment                = "NETR_DELTA_DOMAIN"
1101                 },
1102                 {
1103                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1104                         .flags                  = 0,
1105                         .db_index               = SAM_DATABASE_BUILTIN,
1106                         .delta_type             = NETR_DELTA_USER,
1107                         .sid                    = null_sid,
1108                         .name                   = NULL,
1109                         .expected_error         = NT_STATUS_OK,
1110                         .expected_num_results   = 1,
1111                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1112                         .comment                = "NETR_DELTA_USER by rid 500"
1113                 },
1114                 {
1115                         .rid                    = 0,
1116                         .flags                  = 0,
1117                         .db_index               = SAM_DATABASE_BUILTIN,
1118                         .delta_type             = NETR_DELTA_USER,
1119                         .sid                    = null_sid,
1120                         .name                   = NULL,
1121                         .expected_error         = NT_STATUS_OK,
1122                         .expected_num_results   = 1,
1123                         .expected_delta_type_1  = NETR_DELTA_DELETE_USER,
1124                         .comment                = "NETR_DELTA_USER"
1125                 },
1126                 {
1127                         .rid                    = 544,
1128                         .flags                  = 0,
1129                         .db_index               = SAM_DATABASE_BUILTIN,
1130                         .delta_type             = NETR_DELTA_ALIAS,
1131                         .sid                    = null_sid,
1132                         .name                   = NULL,
1133                         .expected_error         = NT_STATUS_OK,
1134                         .expected_num_results   = 2,
1135                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1136                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1137                         .comment                = "NETR_DELTA_ALIAS by rid 544"
1138                 },
1139                 {
1140                         .rid                    = 544,
1141                         .flags                  = 0,
1142                         .db_index               = SAM_DATABASE_BUILTIN,
1143                         .delta_type             = NETR_DELTA_ALIAS_MEMBER,
1144                         .sid                    = null_sid,
1145                         .name                   = NULL,
1146                         .expected_error         = NT_STATUS_OK,
1147                         .expected_num_results   = 2,
1148                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1149                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1150                         .comment                = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1151                 },
1152                 {
1153                         .rid                    = 544,
1154                         .flags                  = 0,
1155                         .db_index               = SAM_DATABASE_BUILTIN,
1156                         .delta_type             = 0,
1157                         .sid                    = null_sid,
1158                         .name                   = NULL,
1159                         .expected_error         = NT_STATUS_OK,
1160                         .expected_num_results   = 1,
1161                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1162                         .comment                = "NULL DELTA by rid 544"
1163                 },
1164                 {
1165                         .rid                    = 544,
1166                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1167                         .db_index               = SAM_DATABASE_BUILTIN,
1168                         .delta_type             = 0,
1169                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1170                         .name                   = NULL,
1171                         .expected_error         = NT_STATUS_OK,
1172                         .expected_num_results   = 1,
1173                         .expected_delta_type_1  = NETR_DELTA_DOMAIN,
1174                         .comment                = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1175                 },
1176                 {
1177                         .rid                    = 544,
1178                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1179                         .db_index               = SAM_DATABASE_BUILTIN,
1180                         .delta_type             = NETR_DELTA_ALIAS,
1181                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1182                         .name                   = NULL,
1183                         .expected_error         = NT_STATUS_OK,
1184                         .expected_num_results   = 2,
1185                         .expected_delta_type_1  = NETR_DELTA_ALIAS,
1186                         .expected_delta_type_2  = NETR_DELTA_ALIAS_MEMBER,
1187                         .comment                = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1188                 },
1189                 {
1190                         .rid                    = 0,
1191                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1192                         .db_index               = SAM_DATABASE_BUILTIN,
1193                         .delta_type             = NETR_DELTA_ALIAS,
1194                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1195                         .name                   = NULL,
1196                         .expected_error         = NT_STATUS_OK,
1197                         .expected_num_results   = 1,
1198                         .expected_delta_type_1  = NETR_DELTA_DELETE_ALIAS,
1199                         .comment                = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1200                 },
1201
1202                 /* SAM_DATABASE_PRIVS */
1203
1204                 {
1205                         .rid                    = 0,
1206                         .flags                  = 0,
1207                         .db_index               = SAM_DATABASE_PRIVS,
1208                         .delta_type             = 0,
1209                         .sid                    = null_sid,
1210                         .name                   = NULL,
1211                         .expected_error         = NT_STATUS_ACCESS_DENIED,
1212                         .expected_num_results   = 0,
1213                         .comment                = "NULL DELTA"
1214                 },
1215                 {
1216                         .rid                    = 0,
1217                         .flags                  = 0,
1218                         .db_index               = SAM_DATABASE_PRIVS,
1219                         .delta_type             = NETR_DELTA_MODIFY_COUNT,
1220                         .sid                    = null_sid,
1221                         .name                   = NULL,
1222                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1223                         .expected_num_results   = 0,
1224                         .comment                = "NETR_DELTA_MODIFY_COUNT"
1225                 },
1226                 {
1227                         .rid                    = 0,
1228                         .flags                  = 0,
1229                         .db_index               = SAM_DATABASE_PRIVS,
1230                         .delta_type             = NETR_DELTA_POLICY,
1231                         .sid                    = null_sid,
1232                         .name                   = NULL,
1233                         .expected_error         = NT_STATUS_OK,
1234                         .expected_num_results   = 1,
1235                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1236                         .comment                = "NETR_DELTA_POLICY"
1237                 },
1238                 {
1239                         .rid                    = 0,
1240                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1241                         .db_index               = SAM_DATABASE_PRIVS,
1242                         .delta_type             = NETR_DELTA_POLICY,
1243                         .sid                    = null_sid,
1244                         .name                   = NULL,
1245                         .expected_error         = NT_STATUS_OK,
1246                         .expected_num_results   = 1,
1247                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1248                         .comment                = "NETR_DELTA_POLICY by null sid and flags"
1249                 },
1250                 {
1251                         .rid                    = 0,
1252                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1253                         .db_index               = SAM_DATABASE_PRIVS,
1254                         .delta_type             = NETR_DELTA_POLICY,
1255                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1256                         .name                   = NULL,
1257                         .expected_error         = NT_STATUS_OK,
1258                         .expected_num_results   = 1,
1259                         .expected_delta_type_1  = NETR_DELTA_POLICY,
1260                         .comment                = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1261                 },
1262                 {
1263                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1264                         .flags                  = 0,
1265                         .db_index               = SAM_DATABASE_PRIVS,
1266                         .delta_type             = NETR_DELTA_ACCOUNT,
1267                         .sid                    = null_sid,
1268                         .name                   = NULL,
1269                         .expected_error         = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1270                         .expected_num_results   = 0,
1271                         .comment                = "NETR_DELTA_ACCOUNT by rid 500"
1272                 },
1273                 {
1274                         .rid                    = 0,
1275                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1276                         .db_index               = SAM_DATABASE_PRIVS,
1277                         .delta_type             = NETR_DELTA_ACCOUNT,
1278                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1279                         .name                   = NULL,
1280                         .expected_error         = NT_STATUS_OK,
1281                         .expected_num_results   = 1,
1282                         .expected_delta_type_1  = NETR_DELTA_ACCOUNT,
1283                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1284                 },
1285                 {
1286                         .rid                    = 0,
1287                         .flags                  = NETR_CHANGELOG_SID_INCLUDED |
1288                                                   NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1289                         .db_index               = SAM_DATABASE_PRIVS,
1290                         .delta_type             = NETR_DELTA_ACCOUNT,
1291                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1292                         .name                   = NULL,
1293                         .expected_error         = NT_STATUS_OK,
1294                         .expected_num_results   = 1,
1295                         .expected_delta_type_1  = NETR_DELTA_ACCOUNT,
1296                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1297                 },
1298                 {
1299                         .rid                    = 0,
1300                         .flags                  = NETR_CHANGELOG_SID_INCLUDED |
1301                                                   NETR_CHANGELOG_NAME_INCLUDED,
1302                         .db_index               = SAM_DATABASE_PRIVS,
1303                         .delta_type             = NETR_DELTA_ACCOUNT,
1304                         .sid                    = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1305                         .name                   = NULL,
1306                         .expected_error         = NT_STATUS_INVALID_PARAMETER,
1307                         .expected_num_results   = 0,
1308                         .comment                = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1309                 },
1310                 {
1311                         .rid                    = DOMAIN_RID_ADMINISTRATOR,
1312                         .flags                  = NETR_CHANGELOG_SID_INCLUDED,
1313                         .db_index               = SAM_DATABASE_PRIVS,
1314                         .delta_type             = NETR_DELTA_ACCOUNT,
1315                         .sid                    = *sid,
1316                         .name                   = NULL,
1317                         .expected_error         = NT_STATUS_OK,
1318                         .expected_num_results   = 1,
1319                         .expected_delta_type_1  = NETR_DELTA_DELETE_ACCOUNT,
1320                         .comment                = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1321                 },
1322                 {
1323                         .rid                    = 0,
1324                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
1325                         .db_index               = SAM_DATABASE_PRIVS,
1326                         .delta_type             = NETR_DELTA_SECRET,
1327                         .sid                    = null_sid,
1328                         .name                   = "IsurelydontexistIhope",
1329                         .expected_error         = NT_STATUS_OK,
1330                         .expected_num_results   = 1,
1331                         .expected_delta_type_1  = NETR_DELTA_DELETE_SECRET,
1332                         .comment                = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1333                 },
1334                 {
1335                         .rid                    = 0,
1336                         .flags                  = NETR_CHANGELOG_NAME_INCLUDED,
1337                         .db_index               = SAM_DATABASE_PRIVS,
1338                         .delta_type             = NETR_DELTA_SECRET,
1339                         .sid                    = null_sid,
1340                         .name                   = "G$BCKUPKEY_P",
1341                         .expected_error         = NT_STATUS_OK,
1342                         .expected_num_results   = 1,
1343                         .expected_delta_type_1  = NETR_DELTA_SECRET,
1344                         .comment                = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1345                 }
1346         };
1347
1348         ZERO_STRUCT(return_authenticator);
1349
1350         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1351         r.in.computername = TEST_MACHINE_NAME;
1352         r.in.return_authenticator = &return_authenticator;
1353         r.out.return_authenticator = &return_authenticator;
1354         r.out.delta_enum_array = &delta_enum_array;
1355
1356         for (d=0; d<3; d++) {
1357                 const char *database = NULL;
1358
1359                 switch (d) {
1360                 case 0:
1361                         database = "SAM";
1362                         break;
1363                 case 1:
1364                         database = "BUILTIN";
1365                         break;
1366                 case 2:
1367                         database = "LSA";
1368                         break;
1369                 default:
1370                         break;
1371                 }
1372
1373                 torture_comment(tctx, "Testing DatabaseRedo\n");
1374
1375                 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1376                         return false;
1377                 }
1378
1379                 for (i=0;i<ARRAY_SIZE(changes);i++) {
1380
1381                         if (d != changes[i].db_index) {
1382                                 continue;
1383                         }
1384
1385                         netlogon_creds_client_authenticator(creds, &credential);
1386
1387                         r.in.credential = &credential;
1388
1389                         e.serial_number1        = 0;
1390                         e.serial_number2        = 0;
1391                         e.object_rid            = changes[i].rid;
1392                         e.flags                 = changes[i].flags;
1393                         e.db_index              = changes[i].db_index;
1394                         e.delta_type            = changes[i].delta_type;
1395
1396                         switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1397                         case NETR_CHANGELOG_SID_INCLUDED:
1398                                 e.object.object_sid             = changes[i].sid;
1399                                 break;
1400                         case NETR_CHANGELOG_NAME_INCLUDED:
1401                                 e.object.object_name            = changes[i].name;
1402                                 break;
1403                         default:
1404                                 break;
1405                         }
1406
1407                         r.in.change_log_entry = e;
1408
1409                         torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1410                                 database, changes[i].comment);
1411
1412                         status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1413                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1414                                 return true;
1415                         }
1416
1417                         torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1418                         if (delta_enum_array) {
1419                                 torture_assert_int_equal(tctx,
1420                                         delta_enum_array->num_deltas,
1421                                         changes[i].expected_num_results,
1422                                         changes[i].comment);
1423                                 if (delta_enum_array->num_deltas > 0) {
1424                                         torture_assert_int_equal(tctx,
1425                                                 delta_enum_array->delta_enum[0].delta_type,
1426                                                 changes[i].expected_delta_type_1,
1427                                                 changes[i].comment);
1428                                 }
1429                                 if (delta_enum_array->num_deltas > 1) {
1430                                         torture_assert_int_equal(tctx,
1431                                                 delta_enum_array->delta_enum[1].delta_type,
1432                                                 changes[i].expected_delta_type_2,
1433                                                 changes[i].comment);
1434                                 }
1435                         }
1436
1437                         if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1438                                 torture_comment(tctx, "Credential chaining failed\n");
1439                                 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1440                                         return false;
1441                                 }
1442                         }
1443                 }
1444         }
1445         }
1446
1447         return true;
1448 }
1449
1450 /*
1451   try a netlogon AccountDeltas
1452 */
1453 static bool test_AccountDeltas(struct torture_context *tctx, 
1454                                struct dcerpc_pipe *p,
1455                                struct cli_credentials *machine_credentials)
1456 {
1457         NTSTATUS status;
1458         struct netr_AccountDeltas r;
1459         struct netlogon_creds_CredentialState *creds;
1460
1461         struct netr_AccountBuffer buffer;
1462         uint32_t count_returned = 0;
1463         uint32_t total_entries = 0;
1464         struct netr_UAS_INFO_0 recordid;
1465         struct netr_Authenticator return_authenticator;
1466
1467         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1468                 return false;
1469         }
1470
1471         ZERO_STRUCT(return_authenticator);
1472
1473         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1474         r.in.computername = TEST_MACHINE_NAME;
1475         r.in.return_authenticator = &return_authenticator;
1476         netlogon_creds_client_authenticator(creds, &r.in.credential);
1477         ZERO_STRUCT(r.in.uas);
1478         r.in.count=10;
1479         r.in.level=0;
1480         r.in.buffersize=100;
1481         r.out.buffer = &buffer;
1482         r.out.count_returned = &count_returned;
1483         r.out.total_entries = &total_entries;
1484         r.out.recordid = &recordid;
1485         r.out.return_authenticator = &return_authenticator;
1486
1487         /* w2k3 returns "NOT IMPLEMENTED" for this call */
1488         status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1489         torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1490
1491         return true;
1492 }
1493
1494 /*
1495   try a netlogon AccountSync
1496 */
1497 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, 
1498                              struct cli_credentials *machine_credentials)
1499 {
1500         NTSTATUS status;
1501         struct netr_AccountSync r;
1502         struct netlogon_creds_CredentialState *creds;
1503
1504         struct netr_AccountBuffer buffer;
1505         uint32_t count_returned = 0;
1506         uint32_t total_entries = 0;
1507         uint32_t next_reference = 0;
1508         struct netr_UAS_INFO_0 recordid;
1509         struct netr_Authenticator return_authenticator;
1510
1511         ZERO_STRUCT(recordid);
1512         ZERO_STRUCT(return_authenticator);
1513
1514         if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1515                 return false;
1516         }
1517
1518         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1519         r.in.computername = TEST_MACHINE_NAME;
1520         r.in.return_authenticator = &return_authenticator;
1521         netlogon_creds_client_authenticator(creds, &r.in.credential);
1522         r.in.recordid = &recordid;
1523         r.in.reference=0;
1524         r.in.level=0;
1525         r.in.buffersize=100;
1526         r.out.buffer = &buffer;
1527         r.out.count_returned = &count_returned;
1528         r.out.total_entries = &total_entries;
1529         r.out.next_reference = &next_reference;
1530         r.out.recordid = &recordid;
1531         r.out.return_authenticator = &return_authenticator;
1532
1533         /* w2k3 returns "NOT IMPLEMENTED" for this call */
1534         status = dcerpc_netr_AccountSync(p, tctx, &r);
1535         torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1536
1537         return true;
1538 }
1539
1540 /*
1541   try a netlogon GetDcName
1542 */
1543 static bool test_GetDcName(struct torture_context *tctx, 
1544                            struct dcerpc_pipe *p)
1545 {
1546         NTSTATUS status;
1547         struct netr_GetDcName r;
1548         const char *dcname = NULL;
1549
1550         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1551         r.in.domainname = lp_workgroup(tctx->lp_ctx);
1552         r.out.dcname = &dcname;
1553
1554         status = dcerpc_netr_GetDcName(p, tctx, &r);
1555         torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1556         torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1557
1558         torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1559
1560         return true;
1561 }
1562
1563 static const char *function_code_str(TALLOC_CTX *mem_ctx,
1564                                      enum netr_LogonControlCode function_code)
1565 {
1566         switch (function_code) {
1567         case NETLOGON_CONTROL_QUERY:
1568                 return "NETLOGON_CONTROL_QUERY";
1569         case NETLOGON_CONTROL_REPLICATE:
1570                 return "NETLOGON_CONTROL_REPLICATE";
1571         case NETLOGON_CONTROL_SYNCHRONIZE:
1572                 return "NETLOGON_CONTROL_SYNCHRONIZE";
1573         case NETLOGON_CONTROL_PDC_REPLICATE:
1574                 return "NETLOGON_CONTROL_PDC_REPLICATE";
1575         case NETLOGON_CONTROL_REDISCOVER:
1576                 return "NETLOGON_CONTROL_REDISCOVER";
1577         case NETLOGON_CONTROL_TC_QUERY:
1578                 return "NETLOGON_CONTROL_TC_QUERY";
1579         case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1580                 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1581         case NETLOGON_CONTROL_FIND_USER:
1582                 return "NETLOGON_CONTROL_FIND_USER";
1583         case NETLOGON_CONTROL_CHANGE_PASSWORD:
1584                 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1585         case NETLOGON_CONTROL_TC_VERIFY:
1586                 return "NETLOGON_CONTROL_TC_VERIFY";
1587         case NETLOGON_CONTROL_FORCE_DNS_REG:
1588                 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1589         case NETLOGON_CONTROL_QUERY_DNS_REG:
1590                 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1591         case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1592                 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1593         case NETLOGON_CONTROL_TRUNCATE_LOG:
1594                 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1595         case NETLOGON_CONTROL_SET_DBFLAG:
1596                 return "NETLOGON_CONTROL_SET_DBFLAG";
1597         case NETLOGON_CONTROL_BREAKPOINT:
1598                 return "NETLOGON_CONTROL_BREAKPOINT";
1599         default:
1600                 return talloc_asprintf(mem_ctx, "unknown function code: %d",
1601                                        function_code);
1602         }
1603 }
1604
1605
1606 /*
1607   try a netlogon LogonControl 
1608 */
1609 static bool test_LogonControl(struct torture_context *tctx, 
1610                               struct dcerpc_pipe *p,
1611                               struct cli_credentials *machine_credentials)
1612
1613 {
1614         NTSTATUS status;
1615         struct netr_LogonControl r;
1616         union netr_CONTROL_QUERY_INFORMATION query;
1617         int i,f;
1618         enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
1619
1620         uint32_t function_codes[] = {
1621                 NETLOGON_CONTROL_QUERY,
1622                 NETLOGON_CONTROL_REPLICATE,
1623                 NETLOGON_CONTROL_SYNCHRONIZE,
1624                 NETLOGON_CONTROL_PDC_REPLICATE,
1625                 NETLOGON_CONTROL_REDISCOVER,
1626                 NETLOGON_CONTROL_TC_QUERY,
1627                 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
1628                 NETLOGON_CONTROL_FIND_USER,
1629                 NETLOGON_CONTROL_CHANGE_PASSWORD,
1630                 NETLOGON_CONTROL_TC_VERIFY,
1631                 NETLOGON_CONTROL_FORCE_DNS_REG,
1632                 NETLOGON_CONTROL_QUERY_DNS_REG,
1633                 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
1634                 NETLOGON_CONTROL_TRUNCATE_LOG,
1635                 NETLOGON_CONTROL_SET_DBFLAG,
1636                 NETLOGON_CONTROL_BREAKPOINT
1637         };
1638
1639         if (machine_credentials) {
1640                 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1641         }
1642
1643         torture_comment(tctx, "testing LogonControl with secure channel type: %d\n",
1644                 secure_channel_type);
1645
1646         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1647         r.in.function_code = 1;
1648         r.out.query = &query;
1649
1650         for (f=0;f<ARRAY_SIZE(function_codes); f++) {
1651         for (i=1;i<5;i++) {
1652
1653                 r.in.function_code = function_codes[f];
1654                 r.in.level = i;
1655
1656                 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1657                                 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1658
1659                 status = dcerpc_netr_LogonControl(p, tctx, &r);
1660                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1661
1662                 switch (r.in.level) {
1663                 case 1:
1664                         switch (r.in.function_code) {
1665                         case NETLOGON_CONTROL_REPLICATE:
1666                         case NETLOGON_CONTROL_SYNCHRONIZE:
1667                         case NETLOGON_CONTROL_PDC_REPLICATE:
1668                         case NETLOGON_CONTROL_BREAKPOINT:
1669                         case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1670                                 if ((secure_channel_type == SEC_CHAN_BDC) ||
1671                                     (secure_channel_type == SEC_CHAN_WKSTA)) {
1672                                         torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1673                                                 "LogonControl returned unexpected error code");
1674                                 } else {
1675                                         torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1676                                                 "LogonControl returned unexpected error code");
1677                                 }
1678                                 break;
1679
1680                         case NETLOGON_CONTROL_REDISCOVER:
1681                         case NETLOGON_CONTROL_TC_QUERY:
1682                         case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1683                         case NETLOGON_CONTROL_FIND_USER:
1684                         case NETLOGON_CONTROL_CHANGE_PASSWORD:
1685                         case NETLOGON_CONTROL_TC_VERIFY:
1686                         case NETLOGON_CONTROL_FORCE_DNS_REG:
1687                         case NETLOGON_CONTROL_QUERY_DNS_REG:
1688                         case NETLOGON_CONTROL_SET_DBFLAG:
1689                                 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1690                                         "LogonControl returned unexpected error code");
1691                                 break;
1692                         case NETLOGON_CONTROL_TRUNCATE_LOG:
1693                                 if ((secure_channel_type == SEC_CHAN_BDC) ||
1694                                     (secure_channel_type == SEC_CHAN_WKSTA)) {
1695                                         torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1696                                                 "LogonControl returned unexpected error code");
1697                                 } else {
1698                                         torture_assert_werr_ok(tctx, r.out.result,
1699                                                 "LogonControl returned unexpected result");
1700                                 }
1701                                 break;
1702                         default:
1703                                 torture_assert_werr_ok(tctx, r.out.result,
1704                                         "LogonControl returned unexpected result");
1705                                 break;
1706                         }
1707                         break;
1708                 case 2:
1709                         torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1710                                 "LogonControl returned unexpected error code");
1711                         break;
1712                 default:
1713                         torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
1714                                 "LogonControl returned unexpected error code");
1715                         break;
1716                 }
1717         }
1718         }
1719
1720         return true;
1721 }
1722
1723
1724 /*
1725   try a netlogon GetAnyDCName
1726 */
1727 static bool test_GetAnyDCName(struct torture_context *tctx, 
1728                               struct dcerpc_pipe *p)
1729 {
1730         NTSTATUS status;
1731         struct netr_GetAnyDCName r;
1732         const char *dcname = NULL;
1733
1734         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1735         r.in.domainname = lp_workgroup(tctx->lp_ctx);
1736         r.out.dcname = &dcname;
1737
1738         status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1739         torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1740         torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1741
1742         if (dcname) {
1743             torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1744         }
1745
1746         return true;
1747 }
1748
1749
1750 /*
1751   try a netlogon LogonControl2
1752 */
1753 static bool test_LogonControl2(struct torture_context *tctx, 
1754                                struct dcerpc_pipe *p,
1755                                struct cli_credentials *machine_credentials)
1756
1757 {
1758         NTSTATUS status;
1759         struct netr_LogonControl2 r;
1760         union netr_CONTROL_DATA_INFORMATION data;
1761         union netr_CONTROL_QUERY_INFORMATION query;
1762         int i;
1763
1764         data.domain = lp_workgroup(tctx->lp_ctx);
1765
1766         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1767
1768         r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1769         r.in.data = &data;
1770         r.out.query = &query;
1771
1772         for (i=1;i<4;i++) {
1773                 r.in.level = i;
1774
1775                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1776                        i, r.in.function_code);
1777
1778                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1779                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1780         }
1781
1782         data.domain = lp_workgroup(tctx->lp_ctx);
1783
1784         r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1785         r.in.data = &data;
1786
1787         for (i=1;i<4;i++) {
1788                 r.in.level = i;
1789
1790                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1791                        i, r.in.function_code);
1792
1793                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1794                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1795         }
1796
1797         data.domain = lp_workgroup(tctx->lp_ctx);
1798
1799         r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1800         r.in.data = &data;
1801
1802         for (i=1;i<4;i++) {
1803                 r.in.level = i;
1804
1805                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1806                        i, r.in.function_code);
1807
1808                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1809                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1810         }
1811
1812         data.debug_level = ~0;
1813
1814         r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1815         r.in.data = &data;
1816
1817         for (i=1;i<4;i++) {
1818                 r.in.level = i;
1819
1820                 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n", 
1821                        i, r.in.function_code);
1822
1823                 status = dcerpc_netr_LogonControl2(p, tctx, &r);
1824                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1825         }
1826
1827         return true;
1828 }
1829
1830 /*
1831   try a netlogon DatabaseSync2
1832 */
1833 static bool test_DatabaseSync2(struct torture_context *tctx, 
1834                                struct dcerpc_pipe *p,
1835                                struct cli_credentials *machine_credentials)
1836 {
1837         NTSTATUS status;
1838         struct netr_DatabaseSync2 r;
1839         struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1840         struct netr_Authenticator return_authenticator, credential;
1841
1842         struct netlogon_creds_CredentialState *creds;
1843         const uint32_t database_ids[] = {0, 1, 2}; 
1844         int i;
1845
1846         if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, 
1847                                     machine_credentials,
1848                                     cli_credentials_get_secure_channel_type(machine_credentials),
1849                                     &creds)) {
1850                 return false;
1851         }
1852
1853         ZERO_STRUCT(return_authenticator);
1854
1855         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1856         r.in.computername = TEST_MACHINE_NAME;
1857         r.in.preferredmaximumlength = (uint32_t)-1;
1858         r.in.return_authenticator = &return_authenticator;
1859         r.out.return_authenticator = &return_authenticator;
1860         r.out.delta_enum_array = &delta_enum_array;
1861
1862         for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1863
1864                 uint32_t sync_context = 0;
1865
1866                 r.in.database_id = database_ids[i];
1867                 r.in.sync_context = &sync_context;
1868                 r.out.sync_context = &sync_context;
1869                 r.in.restart_state = 0;
1870
1871                 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1872
1873                 do {
1874                         netlogon_creds_client_authenticator(creds, &credential);
1875
1876                         r.in.credential = &credential;
1877
1878                         status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1879                         if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1880                             break;
1881
1882                         /* Native mode servers don't do this */
1883                         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1884                                 return true;
1885                         }
1886
1887                         torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1888
1889                         if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1890                                 torture_comment(tctx, "Credential chaining failed\n");
1891                         }
1892
1893                 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1894         }
1895
1896         return true;
1897 }
1898
1899
1900 /*
1901   try a netlogon LogonControl2Ex
1902 */
1903 static bool test_LogonControl2Ex(struct torture_context *tctx, 
1904                                  struct dcerpc_pipe *p,
1905                                  struct cli_credentials *machine_credentials)
1906
1907 {
1908         NTSTATUS status;
1909         struct netr_LogonControl2Ex r;
1910         union netr_CONTROL_DATA_INFORMATION data;
1911         union netr_CONTROL_QUERY_INFORMATION query;
1912         int i;
1913
1914         data.domain = lp_workgroup(tctx->lp_ctx);
1915
1916         r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1917
1918         r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1919         r.in.data = &data;
1920         r.out.query = &query;
1921
1922         for (i=1;i<4;i++) {
1923                 r.in.level = i;
1924
1925                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1926                        i, r.in.function_code);
1927
1928                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1929                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1930         }
1931
1932         data.domain = lp_workgroup(tctx->lp_ctx);
1933
1934         r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1935         r.in.data = &data;
1936
1937         for (i=1;i<4;i++) {
1938                 r.in.level = i;
1939
1940                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1941                        i, r.in.function_code);
1942
1943                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1944                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1945         }
1946
1947         data.domain = lp_workgroup(tctx->lp_ctx);
1948
1949         r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1950         r.in.data = &data;
1951
1952         for (i=1;i<4;i++) {
1953                 r.in.level = i;
1954
1955                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1956                        i, r.in.function_code);
1957
1958                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1959                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1960         }
1961
1962         data.debug_level = ~0;
1963
1964         r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1965         r.in.data = &data;
1966
1967         for (i=1;i<4;i++) {
1968                 r.in.level = i;
1969
1970                 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", 
1971                        i, r.in.function_code);
1972
1973                 status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1974                 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1975         }
1976
1977         return true;
1978 }
1979
1980 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, 
1981                                                    struct dcerpc_pipe *p, const char *trusted_domain_name) 
1982 {
1983         NTSTATUS status;
1984         struct netr_DsRGetForestTrustInformation r;
1985         struct lsa_ForestTrustInformation info, *info_ptr;
1986
1987         info_ptr = &info;
1988
1989         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1990         r.in.trusted_domain_name = trusted_domain_name;
1991         r.in.flags = 0;
1992         r.out.forest_trust_info = &info_ptr;
1993
1994         torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1995
1996         status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1997         torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1998         torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1999
2000         return true;
2001 }
2002
2003 /*
2004   try a netlogon netr_DsrEnumerateDomainTrusts
2005 */
2006 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, 
2007                                           struct dcerpc_pipe *p)
2008 {
2009         NTSTATUS status;
2010         struct netr_DsrEnumerateDomainTrusts r;
2011         struct netr_DomainTrustList trusts;
2012         int i;
2013
2014         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2015         r.in.trust_flags = 0x3f;
2016         r.out.trusts = &trusts;
2017
2018         status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
2019         torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2020         torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2021
2022         /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2023          * will show non-forest trusts and all UPN suffixes of the own forest
2024          * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2025
2026         if (r.out.trusts->count) {
2027                 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2028                         return false;
2029                 }
2030         }
2031
2032         for (i=0; i<r.out.trusts->count; i++) {
2033
2034                 /* get info for transitive forest trusts */
2035
2036                 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2037                         if (!test_netr_DsRGetForestTrustInformation(tctx, p, 
2038                                                                     r.out.trusts->array[i].dns_name)) {
2039                                 return false;
2040                         }
2041                 }
2042         }
2043
2044         return true;
2045 }
2046
2047 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2048                                                   struct dcerpc_pipe *p)
2049 {
2050         NTSTATUS status;
2051         struct netr_NetrEnumerateTrustedDomains r;
2052         struct netr_Blob trusted_domains_blob;
2053
2054         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2055         r.out.trusted_domains_blob = &trusted_domains_blob;
2056
2057         status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
2058         torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2059         torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2060
2061         return true;
2062 }
2063
2064 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2065                                                     struct dcerpc_pipe *p)
2066 {
2067         NTSTATUS status;
2068         struct netr_NetrEnumerateTrustedDomainsEx r;
2069         struct netr_DomainTrustList dom_trust_list;
2070
2071         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2072         r.out.dom_trust_list = &dom_trust_list;
2073
2074         status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
2075         torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2076         torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2077
2078         return true;
2079 }
2080
2081
2082 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2083                                      const char *computer_name, 
2084                                      const char *expected_site) 
2085 {
2086         NTSTATUS status;
2087         struct netr_DsRGetSiteName r;
2088         const char *site = NULL;
2089
2090         if (torture_setting_bool(tctx, "samba4", false))
2091                 torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
2092
2093         r.in.computer_name              = computer_name;
2094         r.out.site                      = &site;
2095         torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2096
2097         status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
2098         torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2099         torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2100         torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2101
2102         r.in.computer_name              = talloc_asprintf(tctx, "\\\\%s", computer_name);
2103         torture_comment(tctx, 
2104                         "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
2105
2106         status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
2107         torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2108         torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
2109
2110         return true;
2111 }
2112
2113 /*
2114   try a netlogon netr_DsRGetDCName
2115 */
2116 static bool test_netr_DsRGetDCName(struct torture_context *tctx, 
2117                                    struct dcerpc_pipe *p)
2118 {
2119         NTSTATUS status;
2120         struct netr_DsRGetDCName r;
2121         struct netr_DsRGetDCNameInfo *info = NULL;
2122
2123         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2124         r.in.domain_name        = lp_dnsdomain(tctx->lp_ctx);
2125         r.in.domain_guid        = NULL;
2126         r.in.site_guid          = NULL;
2127         r.in.flags              = DS_RETURN_DNS_NAME;
2128         r.out.info              = &info;
2129
2130         status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
2131         torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2132         torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2133         return test_netr_DsRGetSiteName(p, tctx, 
2134                                        info->dc_unc,
2135                                        info->dc_site_name);
2136 }
2137
2138 /*
2139   try a netlogon netr_DsRGetDCNameEx
2140 */
2141 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, 
2142                                      struct dcerpc_pipe *p)
2143 {
2144         NTSTATUS status;
2145         struct netr_DsRGetDCNameEx r;
2146         struct netr_DsRGetDCNameInfo *info = NULL;
2147
2148         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2149         r.in.domain_name        = lp_dnsdomain(tctx->lp_ctx);
2150         r.in.domain_guid        = NULL;
2151         r.in.site_name          = NULL;
2152         r.in.flags              = DS_RETURN_DNS_NAME;
2153         r.out.info              = &info;
2154
2155         status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
2156         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2157         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2158
2159         return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2160                                         info->dc_site_name);
2161 }
2162
2163 /*
2164   try a netlogon netr_DsRGetDCNameEx2
2165 */
2166 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, 
2167                                       struct dcerpc_pipe *p)
2168 {
2169         NTSTATUS status;
2170         struct netr_DsRGetDCNameEx2 r;
2171         struct netr_DsRGetDCNameInfo *info = NULL;
2172
2173         r.in.server_unc         = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2174         r.in.client_account     = NULL;
2175         r.in.mask               = 0x00000000;
2176         r.in.domain_name        = lp_dnsdomain(tctx->lp_ctx);
2177         r.in.domain_guid        = NULL;
2178         r.in.site_name          = NULL;
2179         r.in.flags              = DS_RETURN_DNS_NAME;
2180         r.out.info              = &info;
2181
2182         torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2183
2184         status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
2185         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2186         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2187
2188         torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
2189         r.in.client_account     = TEST_MACHINE_NAME"$";
2190         r.in.mask               = ACB_SVRTRUST;
2191         r.in.flags              = DS_RETURN_FLAT_NAME;
2192         r.out.info              = &info;
2193
2194         status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
2195         torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2196         torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2197         return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2198                                         info->dc_site_name);
2199 }
2200
2201 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, 
2202                                             struct dcerpc_pipe *p)
2203 {
2204         NTSTATUS status;
2205         struct netr_DsrGetDcSiteCoverageW r;
2206         struct DcSitesCtr *ctr = NULL;
2207
2208         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2209         r.out.ctr = &ctr;
2210
2211         status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
2212         torture_assert_ntstatus_ok(tctx, status, "failed");
2213         torture_assert_werr_ok(tctx, r.out.result, "failed");
2214
2215         return true;
2216 }
2217
2218 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2219                                              struct dcerpc_pipe *p)
2220 {
2221         NTSTATUS status;
2222         struct netr_DsRAddressToSitenamesW r;
2223         struct netr_DsRAddress addr;
2224         struct netr_DsRAddressToSitenamesWCtr *ctr;
2225
2226         ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2227
2228         addr.size = 16;
2229         addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2230
2231         addr.buffer[0] = 2; /* AF_INET */
2232         addr.buffer[4] = 127;
2233         addr.buffer[5] = 0;
2234         addr.buffer[6] = 0;
2235         addr.buffer[7] = 1;
2236
2237         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2238         r.in.count = 1;
2239         r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2240         r.in.addresses[0] = addr;
2241         r.out.ctr = &ctr;
2242
2243         status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2244         torture_assert_ntstatus_ok(tctx, status, "failed");
2245         torture_assert_werr_ok(tctx, r.out.result, "failed");
2246
2247         return true;
2248 }
2249
2250 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2251                                                struct dcerpc_pipe *p)
2252 {
2253         NTSTATUS status;
2254         struct netr_DsRAddressToSitenamesExW r;
2255         struct netr_DsRAddress addr;
2256         struct netr_DsRAddressToSitenamesExWCtr *ctr;
2257
2258         ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2259
2260         addr.size = 16;
2261         addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2262
2263         addr.buffer[0] = 2; /* AF_INET */
2264         addr.buffer[4] = 127;
2265         addr.buffer[5] = 0;
2266         addr.buffer[6] = 0;
2267         addr.buffer[7] = 1;
2268
2269         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2270         r.in.count = 1;
2271         r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2272         r.in.addresses[0] = addr;
2273         r.out.ctr = &ctr;
2274
2275         status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2276         torture_assert_ntstatus_ok(tctx, status, "failed");
2277         torture_assert_werr_ok(tctx, r.out.result, "failed");
2278
2279         return true;
2280 }
2281
2282 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2283                                          struct dcerpc_pipe *p,
2284                                          struct cli_credentials *machine_credentials)
2285 {
2286         NTSTATUS status;
2287         struct netr_ServerGetTrustInfo r;
2288
2289         struct netr_Authenticator a;
2290         struct netr_Authenticator return_authenticator;
2291         struct samr_Password new_owf_password;
2292         struct samr_Password old_owf_password;
2293         struct netr_TrustInfo *trust_info;
2294
2295         struct netlogon_creds_CredentialState *creds;
2296
2297         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2298                                     machine_credentials, &creds)) {
2299                 return false;
2300         }
2301
2302         netlogon_creds_client_authenticator(creds, &a);
2303
2304         r.in.server_name                = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2305         r.in.account_name               = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2306         r.in.secure_channel_type        = cli_credentials_get_secure_channel_type(machine_credentials);
2307         r.in.computer_name              = TEST_MACHINE_NAME;
2308         r.in.credential                 = &a;
2309
2310         r.out.return_authenticator      = &return_authenticator;
2311         r.out.new_owf_password          = &new_owf_password;
2312         r.out.old_owf_password          = &old_owf_password;
2313         r.out.trust_info                = &trust_info;
2314
2315         status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2316         torture_assert_ntstatus_ok(tctx, status, "failed");
2317         torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2318
2319         return true;
2320 }
2321
2322
2323 static bool test_GetDomainInfo(struct torture_context *tctx, 
2324                                struct dcerpc_pipe *p,
2325                                struct cli_credentials *machine_credentials)
2326 {
2327         NTSTATUS status;
2328         struct netr_LogonGetDomainInfo r;
2329         struct netr_WorkstationInformation q1;
2330         struct netr_Authenticator a;
2331         struct netlogon_creds_CredentialState *creds;
2332         struct netr_OsVersion os;
2333         union netr_WorkstationInfo query;
2334         union netr_DomainInfo info;
2335         const char* const attrs[] = { "dNSHostName", "operatingSystem",
2336                 "operatingSystemServicePack", "operatingSystemVersion",
2337                 "servicePrincipalName", NULL };
2338         char *url;
2339         struct ldb_context *sam_ctx = NULL;
2340         struct ldb_message **res;
2341         struct ldb_message_element *spn_el;
2342         int ret, i;
2343         char *version_str;
2344         const char *old_dnsname = NULL;
2345         char **spns = NULL;
2346         int num_spns = 0;
2347         char *temp_str;
2348
2349         torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2350
2351         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
2352                                     machine_credentials, &creds)) {
2353                 return false;
2354         }
2355
2356         /* We won't double-check this when we are over 'local' transports */
2357         if (dcerpc_server_name(p)) {
2358                 /* Set up connection to SAMDB on DC */
2359                 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2360                 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2361                                            NULL,
2362                                            cmdline_credentials,
2363                                            0);
2364                 
2365                 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2366         }
2367
2368         torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
2369         netlogon_creds_client_authenticator(creds, &a);
2370
2371         ZERO_STRUCT(r);
2372         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2373         r.in.computer_name = TEST_MACHINE_NAME;
2374         r.in.credential = &a;
2375         r.in.level = 1;
2376         r.in.return_authenticator = &a;
2377         r.in.query = &query;
2378         r.out.return_authenticator = &a;
2379         r.out.info = &info;
2380
2381         ZERO_STRUCT(os);
2382         os.os.MajorVersion = 123;
2383         os.os.MinorVersion = 456;
2384         os.os.BuildNumber = 789;
2385         os.os.CSDVersion = "Service Pack 10";
2386         os.os.ServicePackMajor = 10;
2387         os.os.ServicePackMinor = 1;
2388         os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
2389         os.os.ProductType = NETR_VER_NT_SERVER;
2390         os.os.Reserved = 0;
2391
2392         version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
2393                 os.os.MinorVersion, os.os.BuildNumber);
2394
2395         ZERO_STRUCT(q1);
2396         q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2397                 TEST_MACHINE_DNS_SUFFIX);
2398         q1.sitename = "Default-First-Site-Name";
2399         q1.os_version.os = &os;
2400         q1.os_name.string = talloc_asprintf(tctx,
2401                                             "Tortured by Samba4 RPC-NETLOGON: %s",
2402                                             timestring(tctx, time(NULL)));
2403
2404         /* The workstation handles the "servicePrincipalName" and DNS hostname
2405            updates */
2406         q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2407
2408         query.workstation_info = &q1;
2409
2410         if (sam_ctx) {
2411                 /* Gets back the old DNS hostname in AD */
2412                 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2413                                    "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2414                 old_dnsname =
2415                         ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
2416                 
2417                 /* Gets back the "servicePrincipalName"s in AD */
2418                 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2419                 if (spn_el != NULL) {
2420                         for (i=0; i < spn_el->num_values; i++) {
2421                                 spns = talloc_realloc(tctx, spns, char *, i + 1);
2422                                 spns[i] = (char *) spn_el->values[i].data;
2423                         }
2424                         num_spns = i;
2425                 }
2426         }
2427
2428         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2429         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2430         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2431
2432         msleep(250);
2433
2434         if (sam_ctx) {
2435                 /* AD workstation infos entry check */
2436                 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2437                                    "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2438                 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2439                 torture_assert_str_equal(tctx,
2440                                          ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2441                                          q1.os_name.string, "'operatingSystem' wrong!");
2442                 torture_assert_str_equal(tctx,
2443                                          ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
2444                                          os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
2445                 torture_assert_str_equal(tctx,
2446                                          ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
2447                                          version_str, "'operatingSystemVersion' wrong!");
2448
2449                 if (old_dnsname != NULL) {
2450                         /* If before a DNS hostname was set then it should remain
2451                            the same in combination with the "servicePrincipalName"s.
2452                            The DNS hostname should also be returned by our
2453                            "LogonGetDomainInfo" call (in the domain info structure). */
2454                         
2455                         torture_assert_str_equal(tctx,
2456                                                  ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2457                                                  old_dnsname, "'DNS hostname' was not set!");
2458                         
2459                         spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2460                         torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
2461                                        "'servicePrincipalName's not set!");
2462                         torture_assert(tctx, spn_el->num_values == num_spns,
2463                                        "'servicePrincipalName's incorrect!");
2464                         for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
2465                                 torture_assert_str_equal(tctx,
2466                                                          (char *) spn_el->values[i].data,
2467                                 spns[i], "'servicePrincipalName's incorrect!");
2468
2469                         torture_assert_str_equal(tctx,
2470                                                  info.domain_info->dns_hostname.string,
2471                                                  old_dnsname,
2472                                                  "Out 'DNS hostname' doesn't match the old one!");
2473                 } else {
2474                         /* If no DNS hostname was set then also now none should be set,
2475                            the "servicePrincipalName"s should remain empty and no DNS
2476                            hostname should be returned by our "LogonGetDomainInfo"
2477                            call (in the domain info structure). */
2478                         
2479                         torture_assert(tctx,
2480                                        ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
2481                                        "'DNS hostname' was set!");
2482                         
2483                         spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2484                         torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
2485                                        "'servicePrincipalName's were set!");
2486                         
2487                         torture_assert(tctx,
2488                                        info.domain_info->dns_hostname.string == NULL,
2489                                        "Out 'DNS host name' was set!");
2490                 }
2491         }
2492
2493         /* Checks "workstation flags" */
2494         torture_assert(tctx,
2495                 info.domain_info->workstation_flags
2496                 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2497                 "Out 'workstation flags' don't match!");
2498
2499
2500         torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname)\n");
2501         netlogon_creds_client_authenticator(creds, &a);
2502
2503         /* Wipe out the osVersion, and prove which values still 'stick' */
2504         q1.os_version.os = NULL;
2505
2506         /* Change also the DNS hostname to test differences in behaviour */
2507         q1.dns_hostname = talloc_asprintf(tctx, "%s.newdomain",
2508                 TEST_MACHINE_NAME);
2509
2510         /* Let the DC handle the "servicePrincipalName" and DNS hostname
2511            updates */
2512         q1.workstation_flags = 0;
2513
2514         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2515         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2516         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2517
2518         msleep(250);
2519
2520         if (sam_ctx) {
2521                 /* AD workstation infos entry check */
2522                 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2523                                    "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2524                 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2525                 torture_assert_str_equal(tctx,
2526                                          ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2527                                          q1.os_name.string, "'operatingSystem' should stick!");
2528                 torture_assert(tctx,
2529                                ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2530                                "'operatingSystemServicePack' shouldn't stick!");
2531                 torture_assert(tctx,
2532                                ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2533                                "'operatingSystemVersion' shouldn't stick!");
2534                 
2535                 /* The DNS host name should have been updated now by the server */
2536                 torture_assert_str_equal(tctx,
2537                                          ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2538                                          q1.dns_hostname, "'DNS host name' didn't change!");
2539                 
2540                 /* Find the two "servicePrincipalName"s which the DC should have been
2541                    updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2542                    3.5.4.3.9 */
2543                 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2544                 torture_assert(tctx, spn_el != NULL,
2545                                "There should exist 'servicePrincipalName's in AD!");
2546                 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
2547                 for (i=0; i < spn_el->num_values; i++)
2548                         if (strcmp((char *) spn_el->values[i].data, temp_str) == 0)
2549                                 break;
2550                 torture_assert(tctx, i != spn_el->num_values,
2551                                "'servicePrincipalName' HOST/<Netbios name> not found!");
2552                 temp_str = talloc_asprintf(tctx, "HOST/%s", q1.dns_hostname);
2553                 for (i=0; i < spn_el->num_values; i++)
2554                         if (strcmp((char *) spn_el->values[i].data, temp_str) == 0)
2555                                 break;
2556                 torture_assert(tctx, i != spn_el->num_values,
2557                                "'servicePrincipalName' HOST/<FQDN name> not found!");
2558                 
2559                 /* Check that the out DNS hostname was set properly */
2560                 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
2561                                          old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
2562         }
2563
2564         /* Checks "workstation flags" */
2565         torture_assert(tctx,
2566                 info.domain_info->workstation_flags == 0,
2567                 "Out 'workstation flags' don't match!");
2568
2569
2570         torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (verification of DNS hostname and check for trusted domains)\n");
2571         netlogon_creds_client_authenticator(creds, &a);
2572
2573         /* The workstation handles the "servicePrincipalName" and DNS hostname
2574            updates */
2575         q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2576
2577         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2578         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2579         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2580
2581         msleep(250);
2582
2583         /* Now the in/out DNS hostnames should be the same */
2584         torture_assert_str_equal(tctx,
2585                 info.domain_info->dns_hostname.string,
2586                 query.workstation_info->dns_hostname,
2587                 "In/Out 'DNS hostnames' don't match!");
2588
2589         /* Checks "workstation flags" */
2590         torture_assert(tctx,
2591                 info.domain_info->workstation_flags
2592                 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2593                 "Out 'workstation flags' don't match!");
2594
2595         /* Checks for trusted domains */
2596         torture_assert(tctx,
2597                 (info.domain_info->trusted_domain_count != 0)
2598                 && (info.domain_info->trusted_domains != NULL),
2599                 "Trusted domains have been requested!");
2600
2601
2602         torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (check for trusted domains)\n");
2603         netlogon_creds_client_authenticator(creds, &a);
2604
2605         /* The workstation handles the "servicePrincipalName" and DNS hostname
2606            updates and requests inbound trusts */
2607         q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
2608                 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
2609
2610         status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2611         torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2612         torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2613
2614         msleep(250);
2615
2616         /* Checks "workstation flags" */
2617         torture_assert(tctx,
2618                 info.domain_info->workstation_flags
2619                 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
2620                         | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
2621                 "Out 'workstation flags' don't match!");
2622
2623         /* Checks for trusted domains */
2624         torture_assert(tctx,
2625                 (info.domain_info->trusted_domain_count != 0)
2626                 && (info.domain_info->trusted_domains != NULL),
2627                 "Trusted domains have been requested!");
2628
2629         return true;
2630 }
2631
2632 static bool test_GetDomainInfo_async(struct torture_context *tctx, 
2633                                      struct dcerpc_pipe *p,
2634                                      struct cli_credentials *machine_credentials)
2635 {
2636         NTSTATUS status;
2637         struct netr_LogonGetDomainInfo r;
2638         struct netr_WorkstationInformation q1;
2639         struct netr_Authenticator a;
2640 #define ASYNC_COUNT 100
2641         struct netlogon_creds_CredentialState *creds;
2642         struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
2643         struct rpc_request *req[ASYNC_COUNT];
2644         int i;
2645         union netr_WorkstationInfo query;
2646         union netr_DomainInfo info;
2647
2648         torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2649
2650         if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, 
2651                                     machine_credentials, &creds)) {
2652                 return false;
2653         }
2654
2655         ZERO_STRUCT(r);
2656         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2657         r.in.computer_name = TEST_MACHINE_NAME;
2658         r.in.credential = &a;
2659         r.in.level = 1;
2660         r.in.return_authenticator = &a;
2661         r.in.query = &query;
2662         r.out.return_authenticator = &a;
2663         r.out.info = &info;
2664
2665         ZERO_STRUCT(q1);
2666         q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2667                 TEST_MACHINE_DNS_SUFFIX);
2668         q1.sitename = "Default-First-Site-Name";
2669         q1.os_name.string = "UNIX/Linux or similar";
2670
2671         query.workstation_info = &q1;
2672
2673         for (i=0;i<ASYNC_COUNT;i++) {
2674                 netlogon_creds_client_authenticator(creds, &a);
2675
2676                 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2677                 req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2678
2679                 /* even with this flush per request a w2k3 server seems to 
2680                    clag with multiple outstanding requests. bleergh. */
2681                 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0, 
2682                                          "event_loop_once failed");
2683         }
2684
2685         for (i=0;i<ASYNC_COUNT;i++) {
2686                 status = dcerpc_netr_LogonGetDomainInfo_recv(req[i]);
2687
2688                 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2689                 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); 
2690
2691                 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), 
2692                         "Credential chaining failed at async");
2693         }
2694
2695         torture_comment(tctx, 
2696                         "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
2697
2698         return true;
2699 }
2700
2701 static bool test_ManyGetDCName(struct torture_context *tctx, 
2702                                struct dcerpc_pipe *p)
2703 {
2704         NTSTATUS status;
2705         struct dcerpc_pipe *p2;
2706         struct lsa_ObjectAttribute attr;
2707         struct lsa_QosInfo qos;
2708         struct lsa_OpenPolicy2 o;
2709         struct policy_handle lsa_handle;
2710         struct lsa_DomainList domains;
2711
2712         struct lsa_EnumTrustDom t;
2713         uint32_t resume_handle = 0;
2714         struct netr_GetAnyDCName d;
2715         const char *dcname = NULL;
2716
2717         int i;
2718
2719         if (p->conn->transport.transport != NCACN_NP) {
2720                 return true;
2721         }
2722
2723         torture_comment(tctx, "Torturing GetDCName\n");
2724
2725         status = dcerpc_secondary_connection(p, &p2, p->binding);
2726         torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2727
2728         status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2729         torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2730
2731         qos.len = 0;
2732         qos.impersonation_level = 2;
2733         qos.context_mode = 1;
2734         qos.effective_only = 0;
2735
2736         attr.len = 0;
2737         attr.root_dir = NULL;
2738         attr.object_name = NULL;
2739         attr.attributes = 0;
2740         attr.sec_desc = NULL;
2741         attr.sec_qos = &qos;
2742
2743         o.in.system_name = "\\";
2744         o.in.attr = &attr;
2745         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2746         o.out.handle = &lsa_handle;
2747
2748         status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2749         torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2750
2751         t.in.handle = &lsa_handle;
2752         t.in.resume_handle = &resume_handle;
2753         t.in.max_size = 1000;
2754         t.out.domains = &domains;
2755         t.out.resume_handle = &resume_handle;
2756
2757         status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2758
2759         if ((!NT_STATUS_IS_OK(status) &&
2760              (!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2761                 torture_fail(tctx, "Could not list domains");
2762
2763         talloc_free(p2);
2764
2765         d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2766                                             dcerpc_server_name(p));
2767         d.out.dcname = &dcname;
2768
2769         for (i=0; i<domains.count * 4; i++) {
2770                 struct lsa_DomainInfo *info =
2771                         &domains.domains[rand()%domains.count];
2772
2773                 d.in.domainname = info->name.string;
2774
2775                 status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2776                 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2777
2778                 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2779                        dcname ? dcname : "unknown");
2780         }
2781
2782         return true;
2783 }
2784
2785 static bool test_SetPassword_with_flags(struct torture_context *tctx,
2786                                         struct dcerpc_pipe *p,
2787                                         struct cli_credentials *machine_credentials)
2788 {
2789         uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
2790         struct netlogon_creds_CredentialState *creds;
2791         int i;
2792
2793         if (!test_SetupCredentials2(p, tctx, 0,
2794                                     machine_credentials,
2795                                     cli_credentials_get_secure_channel_type(machine_credentials),
2796                                     &creds)) {
2797                 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
2798         }
2799
2800         for (i=0; i < ARRAY_SIZE(flags); i++) {
2801                 torture_assert(tctx,
2802                         test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
2803                         talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
2804         }
2805
2806         return true;
2807 }
2808
2809 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2810 {
2811         struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2812         struct torture_rpc_tcase *tcase;
2813         struct torture_test *test;
2814
2815         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2816                                                   &ndr_table_netlogon, TEST_MACHINE_NAME);
2817
2818         torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2819         torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2820         torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2821         torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2822         torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2823         torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2824         torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2825         torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2826         torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2827         torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2828         torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2829         torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2830         torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2831         torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2832         torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2833         torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2834         torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2835         torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2836         torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2837         torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2838         test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2839         test->dangerous = true;
2840         torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2841         torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2842         torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2843         torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2844         torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2845         torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2846         torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
2847
2848         return suite;
2849 }
2850
2851 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
2852 {
2853         struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-S3");
2854         struct torture_rpc_tcase *tcase;
2855
2856         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2857                                                   &ndr_table_netlogon, TEST_MACHINE_NAME);
2858
2859         torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2860         torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2861         torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
2862         torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2863         torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2864
2865         return suite;
2866 }
2867
2868 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
2869 {
2870         struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
2871         struct torture_rpc_tcase *tcase;
2872
2873         tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
2874                                                   &ndr_table_netlogon, TEST_MACHINE_NAME);
2875         torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2876         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2877         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2878
2879         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
2880                                                   &ndr_table_netlogon, TEST_MACHINE_NAME);
2881         torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2882         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2883         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2884
2885         tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
2886                                                   &ndr_table_netlogon);
2887         torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
2888         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
2889         torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2890
2891         return suite;
2892 }