Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
- Copyright (C) Guenther Deschner 2008,2009
+ Copyright (C) Guenther Deschner 2008-2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "libcli/security/security.h"
#include "torture/rpc/rpc.h"
#include "param/param.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_proto.h"
+#include "../libcli/auth/schannel.h"
#include <unistd.h>
enum torture_samr_choice {
TORTURE_SAMR_PASSWORDS,
TORTURE_SAMR_PASSWORDS_PWDLASTSET,
+ TORTURE_SAMR_PASSWORDS_BADPWDCOUNT,
+ TORTURE_SAMR_PASSWORDS_LOCKOUT,
TORTURE_SAMR_USER_ATTRIBUTES,
TORTURE_SAMR_USER_PRIVILEGES,
TORTURE_SAMR_OTHER,
TORTURE_SAMR_MANY_ALIASES
};
+struct torture_samr_context {
+ struct policy_handle handle;
+ struct cli_credentials *machine_credentials;
+ enum torture_samr_choice choice;
+ uint32_t num_objects_large_dc;
+};
+
static bool test_QueryUserInfo(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *handle);
uint8_t old_lm_hash[16], new_lm_hash[16];
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
torture_comment(tctx, "Testing ChangePasswordUser3\n");
&& (!null_nttime(last_password_change) || !dominfo->min_password_age)) {
if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) {
- if (reject && (reject->reason != SAMR_REJECT_OTHER)) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
}
if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) &&
(last_password_change + dominfo->min_password_age > t)) {
- if (reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
} else if ((dominfo->min_password_length > 0) &&
(strlen(newpass) < dominfo->min_password_length)) {
- if (reject->reason != SAMR_REJECT_TOO_SHORT) {
- torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n",
- SAMR_REJECT_TOO_SHORT, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
+ SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason);
return false;
}
} else if ((dominfo->password_history_length > 0) &&
strequal(oldpass, newpass)) {
- if (reject->reason != SAMR_REJECT_IN_HISTORY) {
- torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n",
- SAMR_REJECT_IN_HISTORY, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
+ SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason);
return false;
}
} else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) {
- if (reject->reason != SAMR_REJECT_COMPLEXITY) {
- torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n",
- SAMR_REJECT_COMPLEXITY, reject->reason);
+ if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
+ SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason);
return false;
}
}
- if (reject->reason == SAMR_REJECT_TOO_SHORT) {
+ if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
/* retry with adjusted size */
return test_ChangePasswordUser3(p, tctx, account_string,
dominfo->min_password_length,
}
} else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */
uint8_t old_nt_hash[16], new_nt_hash[16];
NTTIME t;
struct samr_DomInfo1 *dominfo = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
new_random_pass = samr_very_rand_pass(tctx, 128);
status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */
status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
- if (reject && reject->reason != SAMR_REJECT_OTHER) {
- torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
- SAMR_REJECT_OTHER, reject->reason);
+ if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+ torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+ SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
return false;
}
/* Perhaps the server has a 'min password age' set? */
return true;
}
+static bool test_GetAliasMembership(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle)
+{
+ struct samr_GetAliasMembership r;
+ struct lsa_SidArray sids;
+ struct samr_Ids rids;
+ NTSTATUS status;
+
+ torture_comment(tctx, "Testing GetAliasMembership\n");
+
+ if (torture_setting_bool(tctx, "samba4", false)) {
+ torture_skip(tctx, "skipping GetAliasMembership against s4");
+ }
+
+ r.in.domain_handle = domain_handle;
+ r.in.sids = &sids;
+ r.out.rids = &rids;
+
+ sids.num_sids = 0;
+ sids.sids = talloc_zero_array(tctx, struct lsa_SidPtr, sids.num_sids);
+
+ status = dcerpc_samr_GetAliasMembership(p, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "samr_GetAliasMembership failed");
+
+ torture_assert_int_equal(tctx, sids.num_sids, rids.count,
+ "protocol misbehaviour");
+
+ sids.num_sids = 1;
+ sids.sids = talloc_zero_array(tctx, struct lsa_SidPtr, sids.num_sids);
+ sids.sids[0].sid = dom_sid_parse_talloc(tctx, "S-1-5-32-1-2-3-1");
+
+ status = dcerpc_samr_GetAliasMembership(p, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status,
+ "samr_GetAliasMembership failed");
+
+#if 0
+ /* only true for w2k8 it seems
+ * win7, xp, w2k3 will return a 0 length array pointer */
+
+ if (rids.ids && (rids.count == 0)) {
+ torture_fail(tctx, "samr_GetAliasMembership returned 0 count and a rids array");
+ }
+#endif
+ if (!rids.ids && rids.count) {
+ torture_fail(tctx, "samr_GetAliasMembership returned non-0 count but no rids");
+ }
+
+ return true;
+}
+
static bool test_TestPrivateFunctionsUser(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *user_handle)
{
static bool test_SamLogon(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct cli_credentials *test_credentials,
- NTSTATUS expected_result)
+ NTSTATUS expected_result,
+ bool interactive)
{
NTSTATUS status;
struct netr_LogonSamLogonEx r;
union netr_LogonLevel logon;
union netr_Validation validation;
uint8_t authoritative;
+ struct netr_IdentityInfo identity;
struct netr_NetworkInfo ninfo;
+ struct netr_PasswordInfo pinfo;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int flags = CLI_CRED_NTLM_AUTH;
uint32_t samlogon_flags = 0;
+ struct netlogon_creds_CredentialState *creds;
+ struct netr_Authenticator a;
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
if (lp_client_lanman_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
}
cli_credentials_get_ntlm_username_domain(test_credentials, tctx,
- &ninfo.identity_info.account_name.string,
- &ninfo.identity_info.domain_name.string);
+ &identity.account_name.string,
+ &identity.domain_name.string);
+
+ identity.parameter_control =
+ MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
+ MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+ identity.logon_id_low = 0;
+ identity.logon_id_high = 0;
+ identity.workstation.string = cli_credentials_get_workstation(test_credentials);
+
+ if (interactive) {
+ netlogon_creds_client_authenticator(creds, &a);
- generate_random_buffer(ninfo.challenge,
- sizeof(ninfo.challenge));
- chal = data_blob_const(ninfo.challenge,
- sizeof(ninfo.challenge));
+ if (!E_deshash(cli_credentials_get_password(test_credentials), pinfo.lmpassword.hash)) {
+ ZERO_STRUCT(pinfo.lmpassword.hash);
+ }
+ E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
- names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(test_credentials),
- cli_credentials_get_domain(test_credentials));
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
+ netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
+ } else {
+ netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
+ netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
+ }
- status = cli_credentials_get_ntlm_response(test_credentials, tctx,
- &flags,
- chal,
- names_blob,
- &lm_resp, &nt_resp,
- NULL, NULL);
- torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
+ pinfo.identity_info = identity;
+ logon.password = &pinfo;
- ninfo.lm.data = lm_resp.data;
- ninfo.lm.length = lm_resp.length;
+ r.in.logon_level = NetlogonInteractiveInformation;
+ } else {
+ generate_random_buffer(ninfo.challenge,
+ sizeof(ninfo.challenge));
+ chal = data_blob_const(ninfo.challenge,
+ sizeof(ninfo.challenge));
- ninfo.nt.data = nt_resp.data;
- ninfo.nt.length = nt_resp.length;
+ names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(test_credentials),
+ cli_credentials_get_domain(test_credentials));
- ninfo.identity_info.parameter_control =
- MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
- MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
- ninfo.identity_info.logon_id_low = 0;
- ninfo.identity_info.logon_id_high = 0;
- ninfo.identity_info.workstation.string = cli_credentials_get_workstation(test_credentials);
+ status = cli_credentials_get_ntlm_response(test_credentials, tctx,
+ &flags,
+ chal,
+ names_blob,
+ &lm_resp, &nt_resp,
+ NULL, NULL);
+ torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
- logon.network = &ninfo;
+ ninfo.lm.data = lm_resp.data;
+ ninfo.lm.length = lm_resp.length;
+
+ ninfo.nt.data = nt_resp.data;
+ ninfo.nt.length = nt_resp.length;
+
+ ninfo.identity_info = identity;
+ logon.network = &ninfo;
+
+ r.in.logon_level = NetlogonNetworkInformation;
+ }
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(test_credentials);
- r.in.logon_level = NetlogonNetworkInformation;
r.in.logon = &logon;
r.in.flags = &samlogon_flags;
r.out.flags = &samlogon_flags;
r.out.validation = &validation;
r.out.authoritative = &authoritative;
- torture_comment(tctx, "Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
+ torture_comment(tctx, "Testing LogonSamLogon with name %s\n", identity.account_name.string);
r.in.validation_level = 6;
struct cli_credentials *machine_creds,
const char *acct_name,
char *password,
- NTSTATUS expected_samlogon_result)
+ NTSTATUS expected_samlogon_result,
+ bool interactive)
{
bool ret = true;
struct cli_credentials *test_credentials;
cli_credentials_set_password(test_credentials,
password, CRED_SPECIFIED);
- torture_comment(tctx, "testing samlogon as %s password: %s\n",
- acct_name, password);
+ torture_comment(tctx, "testing samlogon (%s) as %s password: %s\n",
+ interactive ? "interactive" : "network", acct_name, password);
if (!test_SamLogon(tctx, p, test_credentials,
- expected_samlogon_result)) {
+ expected_samlogon_result, interactive)) {
torture_warning(tctx, "new password did not work\n");
ret = false;
}
machine_creds,
acct_name,
*password,
- expected_samlogon_result)) {
+ expected_samlogon_result,
+ false)) {
ret = false;
}
return ret;
}
+static bool setup_schannel_netlogon_pipe(struct torture_context *tctx,
+ struct cli_credentials *credentials,
+ struct dcerpc_pipe **p)
+{
+ struct dcerpc_binding *b;
+
+ torture_assert_ntstatus_ok(tctx, torture_rpc_binding(tctx, &b),
+ "failed to get rpc binding");
+
+ /* We have to use schannel, otherwise the SamLogonEx fails
+ * with INTERNAL_ERROR */
+
+ b->flags &= ~DCERPC_AUTH_OPTIONS;
+ b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_pipe_connect_b(tctx, p, b, &ndr_table_netlogon,
+ credentials, tctx->ev, tctx->lp_ctx),
+ "failed to bind to netlogon");
+
+ return true;
+}
+
static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
struct torture_context *tctx,
uint32_t acct_flags,
struct cli_credentials *machine_credentials)
{
int s = 0, q = 0, f = 0, l = 0, z = 0;
- struct dcerpc_binding *b;
bool ret = true;
int delay = 50000;
bool set_levels[] = { false, true };
SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_EXPIRED_FLAG,
SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE | SAMR_FIELD_EXPIRED_FLAG
};
- NTSTATUS status;
struct dcerpc_pipe *np = NULL;
if (torture_setting_bool(tctx, "samba3", false)) {
delay);
}
- status = torture_rpc_binding(tctx, &b);
- if (!NT_STATUS_IS_OK(status)) {
- ret = false;
- return ret;
- }
-
- /* We have to use schannel, otherwise the SamLogonEx fails
- * with INTERNAL_ERROR */
-
- b->flags &= ~DCERPC_AUTH_OPTIONS;
- b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
-
- status = dcerpc_pipe_connect_b(tctx, &np, b,
- &ndr_table_netlogon,
- machine_credentials, tctx->ev, tctx->lp_ctx);
-
- if (!NT_STATUS_IS_OK(status)) {
- torture_warning(tctx, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
- ret = false;
- return ret;
- }
+ torture_assert(tctx, setup_schannel_netlogon_pipe(tctx, machine_credentials, &np), "");
/* set to 1 to enable testing for all possible opcode
(SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2)
#undef TEST_SET_LEVELS
#undef TEST_QUERY_LEVELS
+ talloc_free(np);
+
+ return ret;
+}
+
+static bool test_QueryUserInfo_badpwdcount(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t *badpwdcount)
+{
+ union samr_UserInfo *info;
+ struct samr_QueryUserInfo r;
+
+ r.in.user_handle = handle;
+ r.in.level = 3;
+ r.out.info = &info;
+
+ torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo(p, tctx, &r),
+ "failed to query userinfo");
+
+ *badpwdcount = info->info3.bad_password_count;
+
+ torture_comment(tctx, " (bad password count: %d)\n", *badpwdcount);
+
+ return true;
+}
+
+static bool test_SetUserInfo_acct_flags(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *user_handle,
+ uint32_t acct_flags)
+{
+ struct samr_SetUserInfo r;
+ union samr_UserInfo user_info;
+
+ torture_comment(tctx, "Testing SetUserInfo level 16\n");
+
+ user_info.info16.acct_flags = acct_flags;
+
+ r.in.user_handle = user_handle;
+ r.in.level = 16;
+ r.in.info = &user_info;
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo(p, tctx, &r),
+ "failed to set account flags");
+
+ return true;
+}
+
+static bool test_reset_badpwdcount(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *user_handle,
+ uint32_t acct_flags,
+ char **password)
+{
+ torture_assert(tctx, test_SetUserPass(p, tctx, user_handle, password),
+ "failed to set password");
+
+ torture_comment(tctx, "Testing SetUserInfo level 16 (enable account)\n");
+
+ torture_assert(tctx,
+ test_SetUserInfo_acct_flags(p, tctx, user_handle,
+ acct_flags & ~ACB_DISABLED),
+ "failed to enable user");
+
+ torture_assert(tctx, test_SetUserPass(p, tctx, user_handle, password),
+ "failed to set password");
+
+ return true;
+}
+
+static bool test_SetDomainInfo(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ enum samr_DomainInfoClass level,
+ union samr_DomainInfo *info)
+{
+ struct samr_SetDomainInfo r;
+
+ r.in.domain_handle = domain_handle;
+ r.in.level = level;
+ r.in.info = info;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_samr_SetDomainInfo(p, tctx, &r),
+ "failed to set domain info");
+
+ return true;
+}
+
+static bool test_SetDomainInfo_ntstatus(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ enum samr_DomainInfoClass level,
+ union samr_DomainInfo *info,
+ NTSTATUS expected)
+{
+ struct samr_SetDomainInfo r;
+
+ r.in.domain_handle = domain_handle;
+ r.in.level = level;
+ r.in.info = info;
+
+ torture_assert_ntstatus_equal(tctx,
+ dcerpc_samr_SetDomainInfo(p, tctx, &r),
+ expected,
+ "");
+
+ return true;
+}
+
+static bool test_QueryDomainInfo2_level(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *domain_handle,
+ enum samr_DomainInfoClass level,
+ union samr_DomainInfo **q_info)
+{
+ struct samr_QueryDomainInfo2 r;
+
+ r.in.domain_handle = domain_handle;
+ r.in.level = level;
+ r.out.info = q_info;
+
+ torture_assert_ntstatus_ok(tctx,
+ dcerpc_samr_QueryDomainInfo2(p, tctx, &r),
+ "failed to query domain info");
+
+ return true;
+}
+
+static bool test_Password_badpwdcount(struct dcerpc_pipe *p,
+ struct dcerpc_pipe *np,
+ struct torture_context *tctx,
+ uint32_t acct_flags,
+ const char *acct_name,
+ struct policy_handle *domain_handle,
+ struct policy_handle *user_handle,
+ char **password,
+ struct cli_credentials *machine_credentials,
+ const char *comment,
+ bool disable,
+ bool interactive,
+ NTSTATUS expected_success_status,
+ struct samr_DomInfo1 *info1,
+ struct samr_DomInfo12 *info12)
+{
+ union samr_DomainInfo info;
+ char **passwords;
+ int i;
+ uint32_t badpwdcount, tmp;
+ uint32_t password_history_length = 12;
+ uint32_t lockout_threshold = 15;
+
+ torture_comment(tctx, "\nTesting bad pwd count with: %s\n", comment);
+
+ torture_assert(tctx, password_history_length < lockout_threshold,
+ "password history length needs to be smaller than account lockout threshold for this test");
+
+
+ /* set policies */
+
+ info.info1 = *info1;
+ info.info1.password_history_length = password_history_length;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainPasswordInformation, &info),
+ "failed to set password history length");
+
+ info.info12 = *info12;
+ info.info12.lockout_threshold = lockout_threshold;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainLockoutInformation, &info),
+ "failed to set lockout threshold");
+
+ /* reset bad pwd count */
+
+ torture_assert(tctx,
+ test_reset_badpwdcount(p, tctx, user_handle, acct_flags, password), "");
+
+
+ /* enable or disable account */
+ if (disable) {
+ torture_assert(tctx,
+ test_SetUserInfo_acct_flags(p, tctx, user_handle,
+ acct_flags | ACB_DISABLED),
+ "failed to disable user");
+ } else {
+ torture_assert(tctx,
+ test_SetUserInfo_acct_flags(p, tctx, user_handle,
+ acct_flags & ~ACB_DISABLED),
+ "failed to enable user");
+ }
+
+
+ /* setup password history */
+
+ passwords = talloc_array(tctx, char *, password_history_length);
+
+ for (i=0; i < password_history_length; i++) {
+
+ torture_assert(tctx, test_SetUserPass(p, tctx, user_handle, password),
+ "failed to set password");
+ passwords[i] = talloc_strdup(tctx, *password);
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, passwords[i],
+ expected_success_status, interactive)) {
+ torture_fail(tctx, "failed to auth with latest password");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+
+ torture_assert_int_equal(tctx, badpwdcount, 0, "expected badpwdcount to be 0");
+ }
+
+
+ /* test with wrong password */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, "random_crap",
+ NT_STATUS_WRONG_PASSWORD, interactive)) {
+ torture_fail(tctx, "succeeded to authenticate with wrong password");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+
+ torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+
+
+ /* test with latest good password */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
+ passwords[password_history_length-1],
+ expected_success_status, interactive)) {
+ torture_fail(tctx, "succeeded to authenticate with wrong password");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+
+ if (disable) {
+ torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+ } else {
+ /* only enabled accounts get the bad pwd count reset upon
+ * successful logon */
+ torture_assert_int_equal(tctx, badpwdcount, 0, "expected badpwdcount to be 0");
+ }
+
+ tmp = badpwdcount;
+
+
+ /* test password history */
+
+ for (i=0; i < password_history_length; i++) {
+
+ torture_comment(tctx, "Testing bad password count behavior with "
+ "password #%d of #%d\n", i, password_history_length);
+
+ /* - network samlogon will succeed auth and not
+ * increase badpwdcount for 2 last entries
+ * - interactive samlogon only for the last one */
+
+ if (i == password_history_length - 1 ||
+ (i == password_history_length - 2 && !interactive)) {
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, passwords[i],
+ expected_success_status, interactive)) {
+ torture_fail(tctx, talloc_asprintf(tctx, "succeeded to authenticate with old password (#%d of #%d in history)", i, password_history_length));
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+
+ if (disable) {
+ /* torture_comment(tctx, "expecting bad pwd count to *NOT INCREASE* for pwd history entry %d\n", i); */
+ torture_assert_int_equal(tctx, badpwdcount, tmp, "unexpected badpwdcount");
+ } else {
+ /* torture_comment(tctx, "expecting bad pwd count to be 0 for pwd history entry %d\n", i); */
+ torture_assert_int_equal(tctx, badpwdcount, 0, "expected badpwdcount to be 0");
+ }
+
+ tmp = badpwdcount;
+
+ continue;
+ }
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, passwords[i],
+ NT_STATUS_WRONG_PASSWORD, interactive)) {
+ torture_fail(tctx, talloc_asprintf(tctx, "succeeded to authenticate with old password (#%d of #%d in history)", i, password_history_length));
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+
+ /* - network samlogon will fail auth but not increase
+ * badpwdcount for 3rd last entry
+ * - interactive samlogon for 3rd and 2nd last entry */
+
+ if (i == password_history_length - 3 ||
+ (i == password_history_length - 2 && interactive)) {
+ /* torture_comment(tctx, "expecting bad pwd count to *NOT INCREASE * by one for pwd history entry %d\n", i); */
+ torture_assert_int_equal(tctx, badpwdcount, tmp, "unexpected badpwdcount");
+ } else {
+ /* torture_comment(tctx, "expecting bad pwd count to increase by one for pwd history entry %d\n", i); */
+ torture_assert_int_equal(tctx, badpwdcount, tmp + 1, "unexpected badpwdcount");
+ }
+
+ tmp = badpwdcount;
+ }
+
+ return true;
+}
+
+static bool test_Password_badpwdcount_wrap(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ uint32_t acct_flags,
+ const char *acct_name,
+ struct policy_handle *domain_handle,
+ struct policy_handle *user_handle,
+ char **password,
+ struct cli_credentials *machine_credentials)
+{
+ union samr_DomainInfo *q_info, s_info;
+ struct samr_DomInfo1 info1, _info1;
+ struct samr_DomInfo12 info12, _info12;
+ bool ret = true;
+ struct dcerpc_pipe *np;
+ int i;
+
+ struct {
+ const char *comment;
+ bool disabled;
+ bool interactive;
+ NTSTATUS expected_success_status;
+ } creds[] = {
+ {
+ .comment = "network logon (disabled account)",
+ .disabled = true,
+ .interactive = false,
+ .expected_success_status= NT_STATUS_ACCOUNT_DISABLED
+ },
+ {
+ .comment = "network logon (enabled account)",
+ .disabled = false,
+ .interactive = false,
+ .expected_success_status= NT_STATUS_OK
+ },
+ {
+ .comment = "interactive logon (disabled account)",
+ .disabled = true,
+ .interactive = true,
+ .expected_success_status= NT_STATUS_ACCOUNT_DISABLED
+ },
+ {
+ .comment = "interactive logon (enabled account)",
+ .disabled = false,
+ .interactive = true,
+ .expected_success_status= NT_STATUS_OK
+ },
+ };
+
+ torture_assert(tctx, setup_schannel_netlogon_pipe(tctx, machine_credentials, &np), "");
+
+ /* backup old policies */
+
+ torture_assert(tctx,
+ test_QueryDomainInfo2_level(p, tctx, domain_handle,
+ DomainPasswordInformation, &q_info),
+ "failed to query domain info level 1");
+
+ info1 = q_info->info1;
+ _info1 = info1;
+
+ torture_assert(tctx,
+ test_QueryDomainInfo2_level(p, tctx, domain_handle,
+ DomainLockoutInformation, &q_info),
+ "failed to query domain info level 12");
+
+ info12 = q_info->info12;
+ _info12 = info12;
+
+ /* run tests */
+
+ for (i=0; i < ARRAY_SIZE(creds); i++) {
+
+ /* skip trust tests for now */
+ if (acct_flags & ACB_WSTRUST ||
+ acct_flags & ACB_SVRTRUST ||
+ acct_flags & ACB_DOMTRUST) {
+ continue;
+ }
+
+ ret &= test_Password_badpwdcount(p, np, tctx, acct_flags, acct_name,
+ domain_handle, user_handle, password,
+ machine_credentials,
+ creds[i].comment,
+ creds[i].disabled,
+ creds[i].interactive,
+ creds[i].expected_success_status,
+ &_info1, &_info12);
+ if (!ret) {
+ torture_warning(tctx, "TEST #%d (%s) failed\n", i, creds[i].comment);
+ } else {
+ torture_comment(tctx, "TEST #%d (%s) succeeded\n", i, creds[i].comment);
+ }
+ }
+
+ /* restore policies */
+
+ s_info.info1 = info1;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainPasswordInformation, &s_info),
+ "failed to set password information");
+
+ s_info.info12 = info12;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainLockoutInformation, &s_info),
+ "failed to set lockout information");
+
+ return ret;
+}
+
+static bool test_QueryUserInfo_acct_flags(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t *acct_flags)
+{
+ union samr_UserInfo *info;
+ struct samr_QueryUserInfo r;
+
+ r.in.user_handle = handle;
+ r.in.level = 16;
+ r.out.info = &info;
+
+ torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo(p, tctx, &r),
+ "failed to query userinfo");
+
+ *acct_flags = info->info16.acct_flags;
+
+ torture_comment(tctx, " (acct_flags: 0x%08x)\n", *acct_flags);
+
+ return true;
+}
+
+static bool test_Password_lockout(struct dcerpc_pipe *p,
+ struct dcerpc_pipe *np,
+ struct torture_context *tctx,
+ uint32_t acct_flags,
+ const char *acct_name,
+ struct policy_handle *domain_handle,
+ struct policy_handle *user_handle,
+ char **password,
+ struct cli_credentials *machine_credentials,
+ const char *comment,
+ bool disable,
+ bool interactive,
+ NTSTATUS expected_success_status,
+ struct samr_DomInfo1 *info1,
+ struct samr_DomInfo12 *info12)
+{
+ union samr_DomainInfo info;
+ uint32_t badpwdcount;
+ uint32_t password_history_length = 1;
+ uint64_t lockout_threshold = 1;
+ uint32_t lockout_seconds = 5;
+ uint64_t delta_time_factor = 10 * 1000 * 1000;
+
+ torture_comment(tctx, "\nTesting account lockout: %s\n", comment);
+
+ /* set policies */
+
+ info.info1 = *info1;
+
+ torture_comment(tctx, "setting password history lenght.\n");
+ info.info1.password_history_length = password_history_length;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainPasswordInformation, &info),
+ "failed to set password history length");
+
+ info.info12 = *info12;
+ info.info12.lockout_threshold = lockout_threshold;
+
+ /* set lockout duration < lockout window: should fail */
+ info.info12.lockout_duration = ~(lockout_seconds * delta_time_factor);
+ info.info12.lockout_window = ~((lockout_seconds + 1) * delta_time_factor);
+
+ torture_assert(tctx,
+ test_SetDomainInfo_ntstatus(p, tctx, domain_handle,
+ DomainLockoutInformation, &info,
+ NT_STATUS_INVALID_PARAMETER),
+ "setting lockout duration < lockout window gave unexpected result");
+
+ info.info12.lockout_duration = 0;
+ info.info12.lockout_window = 0;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainLockoutInformation, &info),
+ "failed to set lockout window and duration to 0");
+
+
+ /* set lockout duration of 5 seconds */
+ info.info12.lockout_duration = ~(lockout_seconds * delta_time_factor);
+ info.info12.lockout_window = ~(lockout_seconds * delta_time_factor);
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainLockoutInformation, &info),
+ "failed to set lockout window and duration to 5 seconds");
+
+ /* reset bad pwd count */
+
+ torture_assert(tctx,
+ test_reset_badpwdcount(p, tctx, user_handle, acct_flags, password), "");
+
+
+ /* enable or disable account */
+
+ if (disable) {
+ torture_assert(tctx,
+ test_SetUserInfo_acct_flags(p, tctx, user_handle,
+ acct_flags | ACB_DISABLED),
+ "failed to disable user");
+ } else {
+ torture_assert(tctx,
+ test_SetUserInfo_acct_flags(p, tctx, user_handle,
+ acct_flags & ~ACB_DISABLED),
+ "failed to enable user");
+ }
+
+
+ /* test logon with right password */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, *password,
+ expected_success_status, interactive)) {
+ torture_fail(tctx, "failed to auth with latest password");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+ torture_assert_int_equal(tctx, badpwdcount, 0, "expected badpwdcount to be 0");
+
+
+ /* test with wrong password ==> lockout */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, "random_crap",
+ NT_STATUS_WRONG_PASSWORD, interactive)) {
+ torture_fail(tctx, "succeeded to authenticate with wrong password");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+ torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+
+ torture_assert(tctx,
+ test_QueryUserInfo_acct_flags(p, tctx, user_handle, &acct_flags), "");
+ torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
+ "expected account to be locked");
+
+
+ /* test with good password */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
+ *password,
+ NT_STATUS_ACCOUNT_LOCKED_OUT, interactive))
+ {
+ torture_fail(tctx, "authenticate did not return NT_STATUS_ACCOUNT_LOCKED_OUT");
+ }
+
+ /* bad pwd count should not get updated */
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+ torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+
+ /* curiously, windows does _not_ set the autlock flag */
+ torture_assert(tctx,
+ test_QueryUserInfo_acct_flags(p, tctx, user_handle, &acct_flags), "");
+ torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
+ "expected account to be locked");
+
+
+ /* with bad password */
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
+ acct_name, "random_crap2",
+ NT_STATUS_ACCOUNT_LOCKED_OUT, interactive))
+ {
+ torture_fail(tctx, "authenticate did not return NT_STATUS_ACCOUNT_LOCKED_OUT");
+ }
+
+ /* bad pwd count should not get updated */
+ torture_assert(tctx,
+ test_QueryUserInfo_badpwdcount(p, tctx, user_handle, &badpwdcount), "");
+ torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+
+ /* curiously, windows does _not_ set the autlock flag */
+ torture_assert(tctx,
+ test_QueryUserInfo_acct_flags(p, tctx, user_handle, &acct_flags), "");
+ torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
+ "expected account to be locked");
+
+
+ /* let lockout duration expire ==> unlock */
+
+ torture_comment(tctx, "let lockout duration expire...\n");
+ sleep(lockout_seconds + 1);
+
+ if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
+ *password,
+ expected_success_status, interactive))
+ {
+ torture_fail(tctx, "failed to authenticate after lockout expired");
+ }
+
+ torture_assert(tctx,
+ test_QueryUserInfo_acct_flags(p, tctx, user_handle, &acct_flags), "");
+ torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
+ "expected account not to be locked");
+
+ return true;
+}
+
+static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ uint32_t acct_flags,
+ const char *acct_name,
+ struct policy_handle *domain_handle,
+ struct policy_handle *user_handle,
+ char **password,
+ struct cli_credentials *machine_credentials)
+{
+ union samr_DomainInfo *q_info, s_info;
+ struct samr_DomInfo1 info1, _info1;
+ struct samr_DomInfo12 info12, _info12;
+ bool ret = true;
+ struct dcerpc_pipe *np;
+ int i;
+
+ struct {
+ const char *comment;
+ bool disabled;
+ bool interactive;
+ NTSTATUS expected_success_status;
+ } creds[] = {
+ {
+ .comment = "network logon (disabled account)",
+ .disabled = true,
+ .interactive = false,
+ .expected_success_status= NT_STATUS_ACCOUNT_DISABLED
+ },
+ {
+ .comment = "network logon (enabled account)",
+ .disabled = false,
+ .interactive = false,
+ .expected_success_status= NT_STATUS_OK
+ },
+ {
+ .comment = "interactive logon (disabled account)",
+ .disabled = true,
+ .interactive = true,
+ .expected_success_status= NT_STATUS_ACCOUNT_DISABLED
+ },
+ {
+ .comment = "interactive logon (enabled account)",
+ .disabled = false,
+ .interactive = true,
+ .expected_success_status= NT_STATUS_OK
+ },
+ };
+
+ torture_assert(tctx, setup_schannel_netlogon_pipe(tctx, machine_credentials, &np), "");
+
+ /* backup old policies */
+
+ torture_assert(tctx,
+ test_QueryDomainInfo2_level(p, tctx, domain_handle,
+ DomainPasswordInformation, &q_info),
+ "failed to query domain info level 1");
+
+ info1 = q_info->info1;
+ _info1 = info1;
+
+ torture_assert(tctx,
+ test_QueryDomainInfo2_level(p, tctx, domain_handle,
+ DomainLockoutInformation, &q_info),
+ "failed to query domain info level 12");
+
+ info12 = q_info->info12;
+ _info12 = info12;
+
+ /* run tests */
+
+ for (i=0; i < ARRAY_SIZE(creds); i++) {
+
+ /* skip trust tests for now */
+ if (acct_flags & ACB_WSTRUST ||
+ acct_flags & ACB_SVRTRUST ||
+ acct_flags & ACB_DOMTRUST) {
+ continue;
+ }
+
+ ret &= test_Password_lockout(p, np, tctx, acct_flags, acct_name,
+ domain_handle, user_handle, password,
+ machine_credentials,
+ creds[i].comment,
+ creds[i].disabled,
+ creds[i].interactive,
+ creds[i].expected_success_status,
+ &_info1, &_info12);
+ if (!ret) {
+ torture_warning(tctx, "TEST #%d (%s) failed\n", i, creds[i].comment);
+ } else {
+ torture_comment(tctx, "TEST #%d (%s) succeeded\n", i, creds[i].comment);
+ }
+ }
+
+ /* restore policies */
+
+ s_info.info1 = info1;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainPasswordInformation, &s_info),
+ "failed to set password information");
+
+ s_info.info12 = info12;
+
+ torture_assert(tctx,
+ test_SetDomainInfo(p, tctx, domain_handle,
+ DomainLockoutInformation, &s_info),
+ "failed to set lockout information");
+
return ret;
}
break;
+ case TORTURE_SAMR_PASSWORDS_BADPWDCOUNT:
+
+ /* test bad pwd count change behaviour */
+ if (!test_Password_badpwdcount_wrap(p, tctx, base_acct_flags,
+ base_acct_name,
+ domain_handle,
+ user_handle, &password,
+ machine_credentials)) {
+ ret = false;
+ }
+
+ if (ret == true) {
+ torture_comment(tctx, "badPwdCount test succeeded\n");
+ } else {
+ torture_warning(tctx, "badPwdCount test failed\n");
+ }
+
+ break;
+
+ case TORTURE_SAMR_PASSWORDS_LOCKOUT:
+
+ if (!test_Password_lockout_wrap(p, tctx, base_acct_flags,
+ base_acct_name,
+ domain_handle,
+ user_handle, &password,
+ machine_credentials))
+ {
+ ret = false;
+ }
+
+ if (ret == true) {
+ torture_comment(tctx, "lockout test succeeded\n");
+ } else {
+ torture_warning(tctx, "lockout test failed\n");
+ }
+
+ break;
+
+
case TORTURE_SAMR_USER_PRIVILEGES: {
struct dcerpc_pipe *lp;
struct torture_context *tctx,
struct policy_handle *domain_handle,
struct dom_sid *domain_sid,
- enum torture_samr_choice which_ops)
+ struct torture_samr_context *ctx)
{
- uint32_t num_total = 1500;
+ uint32_t num_total = ctx->num_objects_large_dc;
uint32_t num_enum = 0;
uint32_t num_disp = 0;
uint32_t num_created = 0;
torture_assert_ntstatus_ok(tctx, status,
"failed to query domain info");
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_MANY_ACCOUNTS:
num_anounced = info->general.num_users;
break;
const char *name = NULL;
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_MANY_ACCOUNTS:
name = talloc_asprintf(tctx, "%s%04d", TEST_ACCOUNT_NAME, i);
ret &= test_CreateUser(p, tctx, domain_handle, name, &handles[i], domain_sid, 0, NULL, false);
/* enum */
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_MANY_ACCOUNTS:
ret &= test_EnumDomainUsers(p, tctx, domain_handle, &num_enum);
break;
/* dispinfo */
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_MANY_ACCOUNTS:
ret &= test_QueryDisplayInfo_level(p, tctx, domain_handle, 1, &num_disp);
break;
if (torture_setting_bool(tctx, "samba3", false)) {
ret &= test_samr_handle_Close(p, tctx, &handles[i]);
} else {
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_MANY_ACCOUNTS:
ret &= test_DeleteUser(p, tctx, &handles[i]);
break;
talloc_free(handles);
- if (which_ops == TORTURE_SAMR_MANY_ACCOUNTS && num_enum != num_anounced + num_created) {
+ if (ctx->choice == TORTURE_SAMR_MANY_ACCOUNTS && num_enum != num_anounced + num_created) {
torture_comment(tctx,
"unexpected number of results (%u) returned in enum call, expected %u\n",
num_enum, num_anounced + num_created);
struct policy_handle *handle);
static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *handle, struct dom_sid *sid,
- enum torture_samr_choice which_ops,
- struct cli_credentials *machine_credentials)
+ struct torture_samr_context *ctx, struct dom_sid *sid)
{
NTSTATUS status;
struct samr_OpenDomain r;
torture_comment(tctx, "Testing OpenDomain of %s\n", dom_sid_string(tctx, sid));
- r.in.connect_handle = handle;
+ r.in.connect_handle = &ctx->handle;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.in.sid = sid;
r.out.domain_handle = &domain_handle;
/* run the domain tests with the main handle closed - this tests
the servers reference counting */
- torture_assert(tctx, test_samr_handle_Close(p, tctx, handle), "Failed to close SAMR handle");
+ torture_assert(tctx, test_samr_handle_Close(p, tctx, &ctx->handle), "Failed to close SAMR handle");
- switch (which_ops) {
+ switch (ctx->choice) {
case TORTURE_SAMR_PASSWORDS:
case TORTURE_SAMR_USER_PRIVILEGES:
if (!torture_setting_bool(tctx, "samba3", false)) {
- ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, ctx->choice, NULL);
}
- ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, NULL, true);
if (!ret) {
- torture_warning(tctx, "Testing PASSWORDS or PRIVILAGES on domain %s failed!\n", dom_sid_string(tctx, sid));
+ torture_warning(tctx, "Testing PASSWORDS or PRIVILEGES on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
case TORTURE_SAMR_USER_ATTRIBUTES:
if (!torture_setting_bool(tctx, "samba3", false)) {
- ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, ctx->choice, NULL);
}
- ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, NULL, true);
/* This test needs 'complex' users to validate */
ret &= test_QueryDisplayInfo(p, tctx, &domain_handle);
if (!ret) {
}
break;
case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
+ case TORTURE_SAMR_PASSWORDS_BADPWDCOUNT:
+ case TORTURE_SAMR_PASSWORDS_LOCKOUT:
if (!torture_setting_bool(tctx, "samba3", false)) {
- ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, machine_credentials);
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, ctx->choice, ctx->machine_credentials);
}
- ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, machine_credentials, true);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, ctx->machine_credentials, true);
if (!ret) {
- torture_warning(tctx, "Testing PASSWORDS PWDLASTSET on domain %s failed!\n", dom_sid_string(tctx, sid));
+ torture_warning(tctx, "Testing PASSWORDS PWDLASTSET or BADPWDCOUNT on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
case TORTURE_SAMR_MANY_ACCOUNTS:
case TORTURE_SAMR_MANY_GROUPS:
case TORTURE_SAMR_MANY_ALIASES:
- ret &= test_ManyObjects(p, tctx, &domain_handle, sid, which_ops);
+ ret &= test_ManyObjects(p, tctx, &domain_handle, sid, ctx);
if (!ret) {
torture_warning(tctx, "Testing MANY-{ACCOUNTS,GROUPS,ALIASES} on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
case TORTURE_SAMR_OTHER:
- ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
+ ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, NULL, true);
if (!ret) {
torture_warning(tctx, "Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
}
ret &= test_RemoveMemberFromForeignDomain(p, tctx, &domain_handle);
ret &= test_CreateAlias(p, tctx, &domain_handle, TEST_ALIASNAME, &alias_handle, sid, true);
ret &= test_CreateDomainGroup(p, tctx, &domain_handle, TEST_GROUPNAME, &group_handle, sid, true);
+ ret &= test_GetAliasMembership(p, tctx, &domain_handle);
ret &= test_QueryDomainInfo(p, tctx, &domain_handle);
ret &= test_QueryDomainInfo2(p, tctx, &domain_handle);
ret &= test_EnumDomainUsers_all(p, tctx, &domain_handle);
torture_assert(tctx, test_samr_handle_Close(p, tctx, &domain_handle), "Failed to close SAMR domain handle");
- torture_assert(tctx, test_Connect(p, tctx, handle), "Faile to re-connect SAMR handle");
+ torture_assert(tctx, test_Connect(p, tctx, &ctx->handle), "Faile to re-connect SAMR handle");
/* reconnect the main handle */
if (!ret) {
}
static bool test_LookupDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *handle, const char *domain,
- enum torture_samr_choice which_ops,
- struct cli_credentials *machine_credentials)
+ struct torture_samr_context *ctx, const char *domain)
{
NTSTATUS status;
struct samr_LookupDomain r;
torture_comment(tctx, "Testing LookupDomain(%s)\n", domain);
/* check for correct error codes */
- r.in.connect_handle = handle;
+ r.in.connect_handle = &ctx->handle;
r.in.domain_name = &n2;
r.out.sid = &sid;
n2.string = NULL;
status = dcerpc_samr_LookupDomain(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, NT_STATUS_NO_SUCH_DOMAIN, status, "LookupDomain expected NT_STATUS_NO_SUCH_DOMAIN");
- r.in.connect_handle = handle;
+ r.in.connect_handle = &ctx->handle;
init_lsa_String(&n1, domain);
r.in.domain_name = &n1;
ret = false;
}
- if (!test_OpenDomain(p, tctx, handle, *r.out.sid, which_ops,
- machine_credentials)) {
+ if (!test_OpenDomain(p, tctx, ctx, *r.out.sid)) {
ret = false;
}
static bool test_EnumDomains(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *handle, enum torture_samr_choice which_ops,
- struct cli_credentials *machine_credentials)
+ struct torture_samr_context *ctx)
{
NTSTATUS status;
struct samr_EnumDomains r;
int i;
bool ret = true;
- r.in.connect_handle = handle;
+ r.in.connect_handle = &ctx->handle;
r.in.resume_handle = &resume_handle;
r.in.buf_size = (uint32_t)-1;
r.out.resume_handle = &resume_handle;
}
for (i=0;i<sam->count;i++) {
- if (!test_LookupDomain(p, tctx, handle,
- sam->entries[i].name.string, which_ops,
- machine_credentials)) {
+ if (!test_LookupDomain(p, tctx, ctx,
+ sam->entries[i].name.string)) {
ret = false;
}
}
}
+static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_context *tctx)
+{
+ struct samr_ValidatePassword r;
+ union samr_ValidatePasswordReq req;
+ union samr_ValidatePasswordRep *repp = NULL;
+ NTSTATUS status;
+ const char *passwords[] = { "penguin", "p@ssw0rd", "p@ssw0rd123$", NULL };
+ int i;
+
+ torture_comment(tctx, "testing samr_ValidatePassword\n");
+
+ ZERO_STRUCT(r);
+ r.in.level = NetValidatePasswordReset;
+ r.in.req = &req;
+ r.out.rep = &repp;
+
+ ZERO_STRUCT(req);
+ req.req3.account.string = "non-existant-account-aklsdji";
+
+ for (i=0; passwords[i]; i++) {
+ req.req3.password.string = passwords[i];
+ status = dcerpc_samr_ValidatePassword(p, tctx, &r);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT) &&
+ p->last_fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
+ torture_skip(tctx, "ValidatePassword not supported by server\n");
+ }
+ torture_assert_ntstatus_ok(tctx, status, "samr_ValidatePassword");
+ torture_comment(tctx, "Server %s password '%s' with code %i\n",
+ repp->ctr3.status==SAMR_VALIDATION_STATUS_SUCCESS?"allowed":"refused",
+ req.req3.password.string, repp->ctr3.status);
+ }
+
+ return true;
+}
+
bool torture_rpc_samr(struct torture_context *torture)
{
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx;
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_OTHER;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
if (!torture_setting_bool(torture, "samba3", false)) {
- ret &= test_QuerySecurity(p, torture, &handle);
+ ret &= test_QuerySecurity(p, torture, &ctx->handle);
}
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_OTHER, NULL);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_SetDsrmPassword(p, torture, &handle);
+ ret &= test_SetDsrmPassword(p, torture, &ctx->handle);
- ret &= test_Shutdown(p, torture, &handle);
+ ret &= test_Shutdown(p, torture, &ctx->handle);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx;
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_USER_ATTRIBUTES;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
if (!torture_setting_bool(torture, "samba3", false)) {
- ret &= test_QuerySecurity(p, torture, &handle);
+ ret &= test_QuerySecurity(p, torture, &ctx->handle);
}
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_USER_ATTRIBUTES, NULL);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_SetDsrmPassword(p, torture, &handle);
+ ret &= test_SetDsrmPassword(p, torture, &ctx->handle);
- ret &= test_Shutdown(p, torture, &handle);
+ ret &= test_Shutdown(p, torture, &ctx->handle);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx;
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_PASSWORDS;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_PASSWORDS, NULL);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
+
+ ret &= test_samr_ValidatePassword(p, torture);
return ret;
}
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx;
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_PASSWORDS_PWDLASTSET;
+ ctx->machine_credentials = machine_credentials;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_PASSWORDS_PWDLASTSET,
- machine_credentials);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx;
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_USER_PRIVILEGES;
+ ctx->machine_credentials = machine_credentials;
- ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_USER_PRIVILEGES,
- machine_credentials);
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_EnumDomains(p, torture, ctx);
+
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
static bool torture_rpc_samr_many_accounts(struct torture_context *torture,
struct dcerpc_pipe *p2,
- struct cli_credentials *machine_credentials)
+ void *data)
{
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx =
+ talloc_get_type_abort(data, struct torture_samr_context);
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx->choice = TORTURE_SAMR_MANY_ACCOUNTS;
+ ctx->num_objects_large_dc = torture_setting_int(torture, "large_dc",
+ ctx->num_objects_large_dc);
+
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_MANY_ACCOUNTS,
- machine_credentials);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
static bool torture_rpc_samr_many_groups(struct torture_context *torture,
struct dcerpc_pipe *p2,
- struct cli_credentials *machine_credentials)
+ void *data)
{
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx =
+ talloc_get_type_abort(data, struct torture_samr_context);
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx->choice = TORTURE_SAMR_MANY_GROUPS;
+ ctx->num_objects_large_dc = torture_setting_int(torture, "large_dc",
+ ctx->num_objects_large_dc);
- ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_MANY_GROUPS,
- machine_credentials);
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_EnumDomains(p, torture, ctx);
+
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
static bool torture_rpc_samr_many_aliases(struct torture_context *torture,
struct dcerpc_pipe *p2,
- struct cli_credentials *machine_credentials)
+ void *data)
{
NTSTATUS status;
struct dcerpc_pipe *p;
bool ret = true;
- struct policy_handle handle;
+ struct torture_samr_context *ctx =
+ talloc_get_type_abort(data, struct torture_samr_context);
status = torture_rpc_connection(torture, &p, &ndr_table_samr);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- ret &= test_Connect(p, torture, &handle);
+ ctx->choice = TORTURE_SAMR_MANY_ALIASES;
+ ctx->num_objects_large_dc = torture_setting_int(torture, "large_dc",
+ ctx->num_objects_large_dc);
+
+ ret &= test_Connect(p, torture, &ctx->handle);
- ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_MANY_ALIASES,
- machine_credentials);
+ ret &= test_EnumDomains(p, torture, ctx);
- ret &= test_samr_handle_Close(p, torture, &handle);
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
return ret;
}
{
struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-LARGE-DC");
struct torture_rpc_tcase *tcase;
+ struct torture_samr_context *ctx;
+
+ tcase = torture_suite_add_rpc_iface_tcase(suite, "samr", &ndr_table_samr);
+
+ ctx = talloc_zero(suite, struct torture_samr_context);
+ ctx->num_objects_large_dc = 150;
+
+ torture_rpc_tcase_add_test_ex(tcase, "many_aliases",
+ torture_rpc_samr_many_aliases, ctx);
+ torture_rpc_tcase_add_test_ex(tcase, "many_groups",
+ torture_rpc_samr_many_groups, ctx);
+ torture_rpc_tcase_add_test_ex(tcase, "many_accounts",
+ torture_rpc_samr_many_accounts, ctx);
+
+ return suite;
+}
+
+static bool torture_rpc_samr_badpwdcount(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct torture_samr_context *ctx;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_PASSWORDS_BADPWDCOUNT;
+ ctx->machine_credentials = machine_credentials;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
+
+ ret &= test_EnumDomains(p, torture, ctx);
+
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
+
+ return ret;
+}
+
+struct torture_suite *torture_rpc_samr_passwords_badpwdcount(TALLOC_CTX *mem_ctx)
+{
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-BADPWDCOUNT");
+ struct torture_rpc_tcase *tcase;
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
&ndr_table_samr,
- TEST_ACCOUNT_NAME);
+ TEST_ACCOUNT_NAME_PWD);
- torture_rpc_tcase_add_test_creds(tcase, "many_aliases",
- torture_rpc_samr_many_aliases);
- torture_rpc_tcase_add_test_creds(tcase, "many_groups",
- torture_rpc_samr_many_groups);
- torture_rpc_tcase_add_test_creds(tcase, "many_accounts",
- torture_rpc_samr_many_accounts);
+ torture_rpc_tcase_add_test_creds(tcase, "badPwdCount",
+ torture_rpc_samr_badpwdcount);
return suite;
}
+
+static bool torture_rpc_samr_lockout(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
+{
+ NTSTATUS status;
+ struct dcerpc_pipe *p;
+ bool ret = true;
+ struct torture_samr_context *ctx;
+
+ status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ctx = talloc_zero(torture, struct torture_samr_context);
+
+ ctx->choice = TORTURE_SAMR_PASSWORDS_LOCKOUT;
+ ctx->machine_credentials = machine_credentials;
+
+ ret &= test_Connect(p, torture, &ctx->handle);
+
+ ret &= test_EnumDomains(p, torture, ctx);
+
+ ret &= test_samr_handle_Close(p, torture, &ctx->handle);
+
+ return ret;
+}
+
+struct torture_suite *torture_rpc_samr_passwords_lockout(TALLOC_CTX *mem_ctx)
+{
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-LOCKOUT");
+ struct torture_rpc_tcase *tcase;
+
+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
+ &ndr_table_samr,
+ TEST_ACCOUNT_NAME_PWD);
+
+ torture_rpc_tcase_add_test_creds(tcase, "lockout",
+ torture_rpc_samr_lockout);
+
+ return suite;
+}
+
+