#include "torture/torture.h"
#include "system/time.h"
#include "librpc/gen_ndr/lsa.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "torture/rpc/rpc.h"
+#include "param/param.h"
#include <unistd.h>
#define TEST_ACCOUNT_NAME "samrtorturetest"
+#define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
#define TEST_ALIASNAME "samrtorturetestalias"
#define TEST_GROUPNAME "samrtorturetestgroup"
#define TEST_MACHINENAME "samrtestmach$"
const char *test_account_name;
uint32_t user_extra_flags = 0;
- if (base_acct_flags == ACB_NORMAL) {
- /* When created, accounts are expired by default */
- user_extra_flags = ACB_PW_EXPIRED;
+
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ if (base_acct_flags == ACB_NORMAL) {
+ /* When created, accounts are expired by default */
+ user_extra_flags = ACB_PW_EXPIRED;
+ }
}
s.in.user_handle = handle;
q0.in.level = 12;
do { TESTCALL(QueryUserInfo, q0) } while (0);
- TEST_USERINFO_STRING(2, comment, 1, comment, "xx2-1 comment", 0);
- TEST_USERINFO_STRING(2, comment, 21, comment, "xx2-21 comment", 0);
- TEST_USERINFO_STRING(21, comment, 21, comment, "xx21-21 comment",
- SAMR_FIELD_COMMENT);
+ /* Samba 3 cannot store comment fields atm. - gd */
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ TEST_USERINFO_STRING(2, comment, 1, comment, "xx2-1 comment", 0);
+ TEST_USERINFO_STRING(2, comment, 21, comment, "xx2-21 comment", 0);
+ TEST_USERINFO_STRING(21, comment, 21, comment, "xx21-21 comment",
+ SAMR_FIELD_COMMENT);
+ }
test_account_name = talloc_asprintf(tctx, "%sxx7-1", base_account_name);
TEST_USERINFO_STRING(7, account_name, 1, account_name, base_account_name, 0);
SAMR_FIELD_PARAMETERS);
TEST_USERINFO_BINARYSTRING(21, parameters, 20, parameters, "xx21-20 parameters",
SAMR_FIELD_PARAMETERS);
+ /* also empty user parameters are allowed */
+ TEST_USERINFO_BINARYSTRING(20, parameters, 21, parameters, "", 0);
+ TEST_USERINFO_BINARYSTRING(21, parameters, 21, parameters, "",
+ SAMR_FIELD_PARAMETERS);
+ TEST_USERINFO_BINARYSTRING(21, parameters, 20, parameters, "",
+ SAMR_FIELD_PARAMETERS);
- TEST_USERINFO_INT(2, country_code, 2, country_code, __LINE__, 0);
- TEST_USERINFO_INT(2, country_code, 21, country_code, __LINE__, 0);
- TEST_USERINFO_INT(21, country_code, 21, country_code, __LINE__,
- SAMR_FIELD_COUNTRY_CODE);
- TEST_USERINFO_INT(21, country_code, 2, country_code, __LINE__,
- SAMR_FIELD_COUNTRY_CODE);
-
- TEST_USERINFO_INT(2, code_page, 21, code_page, __LINE__, 0);
- TEST_USERINFO_INT(21, code_page, 21, code_page, __LINE__,
- SAMR_FIELD_CODE_PAGE);
- TEST_USERINFO_INT(21, code_page, 2, code_page, __LINE__,
- SAMR_FIELD_CODE_PAGE);
-
- TEST_USERINFO_INT(17, acct_expiry, 21, acct_expiry, __LINE__, 0);
- TEST_USERINFO_INT(17, acct_expiry, 5, acct_expiry, __LINE__, 0);
- TEST_USERINFO_INT(21, acct_expiry, 21, acct_expiry, __LINE__,
- SAMR_FIELD_ACCT_EXPIRY);
- TEST_USERINFO_INT(21, acct_expiry, 5, acct_expiry, __LINE__,
- SAMR_FIELD_ACCT_EXPIRY);
- TEST_USERINFO_INT(21, acct_expiry, 17, acct_expiry, __LINE__,
- SAMR_FIELD_ACCT_EXPIRY);
+ /* Samba 3 cannot store country_code and copy_page atm. - gd */
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ TEST_USERINFO_INT(2, country_code, 2, country_code, __LINE__, 0);
+ TEST_USERINFO_INT(2, country_code, 21, country_code, __LINE__, 0);
+ TEST_USERINFO_INT(21, country_code, 21, country_code, __LINE__,
+ SAMR_FIELD_COUNTRY_CODE);
+ TEST_USERINFO_INT(21, country_code, 2, country_code, __LINE__,
+ SAMR_FIELD_COUNTRY_CODE);
+
+ TEST_USERINFO_INT(2, code_page, 21, code_page, __LINE__, 0);
+ TEST_USERINFO_INT(21, code_page, 21, code_page, __LINE__,
+ SAMR_FIELD_CODE_PAGE);
+ TEST_USERINFO_INT(21, code_page, 2, code_page, __LINE__,
+ SAMR_FIELD_CODE_PAGE);
+ }
+
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ TEST_USERINFO_INT(17, acct_expiry, 21, acct_expiry, __LINE__, 0);
+ TEST_USERINFO_INT(17, acct_expiry, 5, acct_expiry, __LINE__, 0);
+ TEST_USERINFO_INT(21, acct_expiry, 21, acct_expiry, __LINE__,
+ SAMR_FIELD_ACCT_EXPIRY);
+ TEST_USERINFO_INT(21, acct_expiry, 5, acct_expiry, __LINE__,
+ SAMR_FIELD_ACCT_EXPIRY);
+ TEST_USERINFO_INT(21, acct_expiry, 17, acct_expiry, __LINE__,
+ SAMR_FIELD_ACCT_EXPIRY);
+ } else {
+ /* Samba 3 can only store seconds / time_t in passdb - gd */
+ NTTIME nt;
+ unix_to_nt_time(&nt, time(NULL) + __LINE__);
+ TEST_USERINFO_INT(17, acct_expiry, 21, acct_expiry, nt, 0);
+ unix_to_nt_time(&nt, time(NULL) + __LINE__);
+ TEST_USERINFO_INT(17, acct_expiry, 5, acct_expiry, nt, 0);
+ unix_to_nt_time(&nt, time(NULL) + __LINE__);
+ TEST_USERINFO_INT(21, acct_expiry, 21, acct_expiry, nt, SAMR_FIELD_ACCT_EXPIRY);
+ unix_to_nt_time(&nt, time(NULL) + __LINE__);
+ TEST_USERINFO_INT(21, acct_expiry, 5, acct_expiry, nt, SAMR_FIELD_ACCT_EXPIRY);
+ unix_to_nt_time(&nt, time(NULL) + __LINE__);
+ TEST_USERINFO_INT(21, acct_expiry, 17, acct_expiry, nt, SAMR_FIELD_ACCT_EXPIRY);
+ }
TEST_USERINFO_INT(4, logon_hours.bits[3], 3, logon_hours.bits[3], 1, 0);
TEST_USERINFO_INT(4, logon_hours.bits[3], 5, logon_hours.bits[3], 2, 0);
(base_acct_flags | ACB_DISABLED | user_extra_flags),
0);
#endif
+
+ /* Samba3 cannot store these atm */
+ if (!torture_setting_bool(tctx, "samba3", false)) {
/* The 'store plaintext' flag does stick */
TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
(base_acct_flags | ACB_DISABLED | ACB_ENC_TXT_PWD_ALLOWED),
(base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD),
(base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD | user_extra_flags),
0);
-
+ }
TEST_USERINFO_INT_EXP(21, acct_flags, 21, acct_flags,
(base_acct_flags | ACB_DISABLED),
(base_acct_flags | ACB_DISABLED | user_extra_flags),
return ret;
}
+static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *tctx,
+ struct policy_handle *handle, char **password)
+{
+ NTSTATUS status;
+ struct samr_SetUserInfo s;
+ union samr_UserInfo u;
+ bool ret = true;
+ DATA_BLOB session_key;
+ char *newpass;
+ struct samr_GetUserPwInfo pwp;
+ struct samr_PwInfo info;
+ int policy_min_pw_len = 0;
+ uint8_t lm_hash[16], nt_hash[16];
+
+ pwp.in.user_handle = handle;
+ pwp.out.info = &info;
+
+ status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp);
+ if (NT_STATUS_IS_OK(status)) {
+ policy_min_pw_len = pwp.out.info->min_password_length;
+ }
+ newpass = samr_rand_pass(tctx, policy_min_pw_len);
+
+ s.in.user_handle = handle;
+ s.in.info = &u;
+ s.in.level = 18;
+
+ ZERO_STRUCT(u);
+
+ u.info18.nt_pwd_active = true;
+ u.info18.lm_pwd_active = true;
+
+ E_md4hash(newpass, nt_hash);
+ E_deshash(newpass, lm_hash);
+
+ status = dcerpc_fetch_session_key(p, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("SetUserInfo level %u - no session key - %s\n",
+ s.in.level, nt_errstr(status));
+ return false;
+ }
+
+ {
+ DATA_BLOB in,out;
+ in = data_blob_const(nt_hash, 16);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ memcpy(u.info18.nt_pwd.hash, out.data, out.length);
+ }
+ {
+ DATA_BLOB in,out;
+ in = data_blob_const(lm_hash, 16);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ memcpy(u.info18.lm_pwd.hash, out.data, out.length);
+ }
+
+ torture_comment(tctx, "Testing SetUserInfo level 18 (set password hash)\n");
+
+ status = dcerpc_samr_SetUserInfo(p, tctx, &s);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("SetUserInfo level %u failed - %s\n",
+ s.in.level, nt_errstr(status));
+ ret = false;
+ } else {
+ *password = newpass;
+ }
+
+ return ret;
+}
+
+static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *tctx,
+ struct policy_handle *handle, uint32_t fields_present,
+ char **password)
+{
+ NTSTATUS status;
+ struct samr_SetUserInfo s;
+ union samr_UserInfo u;
+ bool ret = true;
+ DATA_BLOB session_key;
+ char *newpass;
+ struct samr_GetUserPwInfo pwp;
+ struct samr_PwInfo info;
+ int policy_min_pw_len = 0;
+ uint8_t lm_hash[16], nt_hash[16];
+
+ pwp.in.user_handle = handle;
+ pwp.out.info = &info;
+
+ status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp);
+ if (NT_STATUS_IS_OK(status)) {
+ policy_min_pw_len = pwp.out.info->min_password_length;
+ }
+ newpass = samr_rand_pass(tctx, policy_min_pw_len);
+
+ s.in.user_handle = handle;
+ s.in.info = &u;
+ s.in.level = 21;
+
+ E_md4hash(newpass, nt_hash);
+ E_deshash(newpass, lm_hash);
+
+ ZERO_STRUCT(u);
+
+ u.info21.fields_present = fields_present;
+
+ if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
+ u.info21.lm_owf_password.length = 16;
+ u.info21.lm_owf_password.size = 16;
+ u.info21.lm_owf_password.array = (uint16_t *)lm_hash;
+ u.info21.lm_password_set = true;
+ }
+
+ if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
+ u.info21.nt_owf_password.length = 16;
+ u.info21.nt_owf_password.size = 16;
+ u.info21.nt_owf_password.array = (uint16_t *)nt_hash;
+ u.info21.nt_password_set = true;
+ }
+
+ status = dcerpc_fetch_session_key(p, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("SetUserInfo level %u - no session key - %s\n",
+ s.in.level, nt_errstr(status));
+ return false;
+ }
+
+ if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info21.lm_owf_password.array,
+ u.info21.lm_owf_password.length);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ u.info21.lm_owf_password.array = (uint16_t *)out.data;
+ }
+
+ if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info21.nt_owf_password.array,
+ u.info21.nt_owf_password.length);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ u.info21.nt_owf_password.array = (uint16_t *)out.data;
+ }
+
+ torture_comment(tctx, "Testing SetUserInfo level 21 (set password hash)\n");
+
+ status = dcerpc_samr_SetUserInfo(p, tctx, &s);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("SetUserInfo level %u failed - %s\n",
+ s.in.level, nt_errstr(status));
+ ret = false;
+ } else {
+ *password = newpass;
+ }
+
+ /* try invalid length */
+ if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
+
+ u.info21.nt_owf_password.length++;
+
+ status = dcerpc_samr_SetUserInfo(p, tctx, &s);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ printf("SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+ s.in.level, nt_errstr(status));
+ ret = false;
+ }
+ }
+
+ if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
+
+ u.info21.lm_owf_password.length++;
+
+ status = dcerpc_samr_SetUserInfo(p, tctx, &s);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ printf("SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+ s.in.level, nt_errstr(status));
+ ret = false;
+ }
+ }
+
+ return ret;
+}
+
static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *handle,
uint16_t level,
uint32_t fields_present,
char **password, uint8_t password_expired,
- bool use_setinfo2, NTSTATUS expected_error)
+ bool use_setinfo2,
+ bool *matched_expected_error)
{
NTSTATUS status;
+ NTSTATUS expected_error = NT_STATUS_OK;
struct samr_SetUserInfo s;
struct samr_SetUserInfo2 s2;
union samr_UserInfo u;
struct samr_PwInfo info;
int policy_min_pw_len = 0;
const char *comment = NULL;
+ uint8_t lm_hash[16], nt_hash[16];
pwp.in.user_handle = handle;
pwp.out.info = &info;
}
if (fields_present & SAMR_FIELD_COMMENT) {
- comment = talloc_asprintf(tctx, "comment: %d\n", time(NULL));
+ comment = talloc_asprintf(tctx, "comment: %ld\n", time(NULL));
}
ZERO_STRUCT(u);
switch (level) {
+ case 18:
+ E_md4hash(newpass, nt_hash);
+ E_deshash(newpass, lm_hash);
+
+ u.info18.nt_pwd_active = true;
+ u.info18.lm_pwd_active = true;
+ u.info18.password_expired = password_expired;
+
+ memcpy(u.info18.lm_pwd.hash, lm_hash, 16);
+ memcpy(u.info18.nt_pwd.hash, nt_hash, 16);
+
+ break;
case 21:
+ E_md4hash(newpass, nt_hash);
+ E_deshash(newpass, lm_hash);
+
u.info21.fields_present = fields_present;
u.info21.password_expired = password_expired;
u.info21.comment.string = comment;
+ if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
+ u.info21.lm_owf_password.length = 16;
+ u.info21.lm_owf_password.size = 16;
+ u.info21.lm_owf_password.array = (uint16_t *)lm_hash;
+ u.info21.lm_password_set = true;
+ }
+
+ if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
+ u.info21.nt_owf_password.length = 16;
+ u.info21.nt_owf_password.size = 16;
+ u.info21.nt_owf_password.array = (uint16_t *)nt_hash;
+ u.info21.nt_password_set = true;
+ }
+
break;
case 23:
u.info23.info.fields_present = fields_present;
MD5Final(confounded_session_key.data, &ctx);
switch (level) {
+ case 18:
+ {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info18.nt_pwd.hash, 16);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ memcpy(u.info18.nt_pwd.hash, out.data, out.length);
+ }
+ {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info18.lm_pwd.hash, 16);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ memcpy(u.info18.lm_pwd.hash, out.data, out.length);
+ }
+
+ break;
+ case 21:
+ if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info21.lm_owf_password.array,
+ u.info21.lm_owf_password.length);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ u.info21.lm_owf_password.array = (uint16_t *)out.data;
+ }
+ if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
+ DATA_BLOB in,out;
+ in = data_blob_const(u.info21.nt_owf_password.array,
+ u.info21.nt_owf_password.length);
+ out = data_blob_talloc_zero(tctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ u.info21.nt_owf_password.array = (uint16_t *)out.data;
+ }
+ break;
case 23:
arcfour_crypt_blob(u.info23.password.data, 516, &session_key);
break;
status = dcerpc_samr_SetUserInfo(p, tctx, &s);
}
+ if (!NT_STATUS_IS_OK(status)) {
+ if (fields_present == 0) {
+ expected_error = NT_STATUS_INVALID_PARAMETER;
+ }
+ if (fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+ expected_error = NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
if (!NT_STATUS_IS_OK(expected_error)) {
if (use_setinfo2) {
torture_assert_ntstatus_equal(tctx,
s.out.result,
expected_error, "SetUserInfo failed");
}
+ *matched_expected_error = true;
return true;
}
use_setinfo2 ? "2":"", level, nt_errstr(status));
ret = false;
} else {
- if (level != 21) {
- *password = newpass;
- }
+ *password = newpass;
}
return ret;
ZERO_STRUCT(u);
- u.info25.info.fields_present = SAMR_FIELD_PASSWORD;
+ u.info25.info.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT;
set_pw_in_buffer(u.info25.password.data, &new_random_pass);
return true;
}
+static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx,
+ struct cli_credentials *machine_credentials,
+ struct cli_credentials *test_credentials,
+ struct netlogon_creds_CredentialState *creds,
+ NTSTATUS expected_result)
+{
+ NTSTATUS status;
+ struct netr_LogonSamLogon r;
+ struct netr_Authenticator auth, auth2;
+ union netr_LogonLevel logon;
+ union netr_Validation validation;
+ uint8_t authoritative;
+ struct netr_NetworkInfo ninfo;
+ DATA_BLOB names_blob, chal, lm_resp, nt_resp;
+ int flags = CLI_CRED_NTLM_AUTH;
+
+ if (lp_client_lanman_auth(tctx->lp_ctx)) {
+ flags |= CLI_CRED_LANMAN_AUTH;
+ }
+
+ if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
+ flags |= CLI_CRED_NTLMv2_AUTH;
+ }
+
+ cli_credentials_get_ntlm_username_domain(test_credentials, tctx,
+ &ninfo.identity_info.account_name.string,
+ &ninfo.identity_info.domain_name.string);
+
+ generate_random_buffer(ninfo.challenge,
+ sizeof(ninfo.challenge));
+ chal = data_blob_const(ninfo.challenge,
+ sizeof(ninfo.challenge));
+
+ names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(machine_credentials),
+ cli_credentials_get_domain(machine_credentials));
+
+ status = cli_credentials_get_ntlm_response(test_credentials, tctx,
+ &flags,
+ chal,
+ names_blob,
+ &lm_resp, &nt_resp,
+ NULL, NULL);
+ torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
+
+ ninfo.lm.data = lm_resp.data;
+ ninfo.lm.length = lm_resp.length;
+
+ ninfo.nt.data = nt_resp.data;
+ ninfo.nt.length = nt_resp.length;
+
+ ninfo.identity_info.parameter_control =
+ MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
+ MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+ ninfo.identity_info.logon_id_low = 0;
+ ninfo.identity_info.logon_id_high = 0;
+ ninfo.identity_info.workstation.string = cli_credentials_get_workstation(machine_credentials);
+
+ logon.network = &ninfo;
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.computer_name = cli_credentials_get_workstation(machine_credentials);
+ r.in.credential = &auth;
+ r.in.return_authenticator = &auth2;
+ r.in.logon_level = 2;
+ r.in.logon = &logon;
+ r.out.validation = &validation;
+ r.out.authoritative = &authoritative;
+
+ d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
+
+ ZERO_STRUCT(auth2);
+ netlogon_creds_client_authenticator(creds, &auth);
+
+ r.in.validation_level = 2;
+
+ status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_assert_ntstatus_equal(tctx, status, expected_result, "LogonSamLogon failed");
+ return true;
+ } else {
+ torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
+ }
+
+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
+ "Credential chaining failed");
+
+ return true;
+}
+
+static bool test_SamLogon(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *machine_credentials,
+ struct cli_credentials *test_credentials,
+ NTSTATUS expected_result)
+{
+ struct netlogon_creds_CredentialState *creds;
+
+ if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
+ return false;
+ }
+
+ return test_SamLogon_Creds(p, tctx, machine_credentials, test_credentials,
+ creds, expected_result);
+}
+
+static bool test_SamLogon_with_creds(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *machine_creds,
+ const char *acct_name,
+ char *password,
+ NTSTATUS expected_samlogon_result)
+{
+ bool ret = true;
+ struct cli_credentials *test_credentials;
+
+ test_credentials = cli_credentials_init(tctx);
+
+ cli_credentials_set_workstation(test_credentials,
+ TEST_ACCOUNT_NAME_PWD, CRED_SPECIFIED);
+ cli_credentials_set_domain(test_credentials,
+ lp_workgroup(tctx->lp_ctx), CRED_SPECIFIED);
+ cli_credentials_set_username(test_credentials,
+ acct_name, CRED_SPECIFIED);
+ cli_credentials_set_password(test_credentials,
+ password, CRED_SPECIFIED);
+ cli_credentials_set_secure_channel_type(test_credentials, SEC_CHAN_BDC);
+
+ printf("testing samlogon as %s@%s password: %s\n",
+ acct_name, TEST_ACCOUNT_NAME_PWD, password);
+
+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
+ expected_samlogon_result)) {
+ torture_warning(tctx, "new password did not work\n");
+ ret = false;
+ }
+
+ return ret;
+}
+
static bool test_SetPassword_level(struct dcerpc_pipe *p,
+ struct dcerpc_pipe *np,
struct torture_context *tctx,
struct policy_handle *handle,
uint16_t level,
uint32_t fields_present,
uint8_t password_expired,
- NTSTATUS expected_error,
+ bool *matched_expected_error,
bool use_setinfo2,
+ const char *acct_name,
char **password,
+ struct cli_credentials *machine_creds,
bool use_queryinfo2,
- NTTIME *pwdlastset)
+ NTTIME *pwdlastset,
+ NTSTATUS expected_samlogon_result)
{
const char *fields = NULL;
bool ret = true;
use_setinfo2 ? "2":"", level, password_expired,
fields ? fields : "");
- switch (level) {
- case 21:
- case 23:
- case 24:
- case 25:
- case 26:
- if (!test_SetUserPass_level_ex(p, tctx, handle, level,
- fields_present,
- password,
- password_expired,
- use_setinfo2,
- expected_error)) {
- ret = false;
- }
- break;
- default:
- return false;
+ if (!test_SetUserPass_level_ex(p, tctx, handle, level,
+ fields_present,
+ password,
+ password_expired,
+ use_setinfo2,
+ matched_expected_error)) {
+ ret = false;
}
if (!test_QueryUserInfo_pwdlastset(p, tctx, handle,
ret = false;
}
+ if (*matched_expected_error == true) {
+ return ret;
+ }
+
+ if (!test_SamLogon_with_creds(tctx, np,
+ machine_creds,
+ acct_name,
+ *password,
+ expected_samlogon_result)) {
+ ret = false;
+ }
+
return ret;
}
static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
struct torture_context *tctx,
uint32_t acct_flags,
+ const char *acct_name,
struct policy_handle *handle,
- char **password)
+ char **password,
+ struct cli_credentials *machine_credentials)
{
- int i, s = 0, q = 0;
+ int s = 0, q = 0, f = 0, l = 0, z = 0;
bool ret = true;
int delay = 500000;
bool set_levels[] = { false, true };
bool query_levels[] = { false, true };
-
- struct {
- uint16_t level;
- uint8_t password_expired_nonzero;
- uint32_t fields_present;
- bool query_info2;
- bool set_info2;
- NTSTATUS set_error;
- } pwd_tests[] = {
-
- /* level 21 */
- {
- .level = 21,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_EXPIRED_FLAG
- },{
- .level = 21,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_LAST_PWD_CHANGE,
- .set_error = NT_STATUS_ACCESS_DENIED
- },{
- .level = 21,
- .password_expired_nonzero = 1,
- .fields_present = 0,
- .set_error = NT_STATUS_INVALID_PARAMETER
- },{
- .level = 21,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_COMMENT,
-
-#if 0
- /* FIXME */
- },{
- .level = 21,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2 |
- SAMR_FIELD_LAST_PWD_CHANGE,
- .query_info2 = false,
- .set_error = NT_STATUS_ACCESS_DENIED
-#endif
-
- /* level 23 */
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_EXPIRED_FLAG
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_LAST_PWD_CHANGE,
- .set_error = NT_STATUS_ACCESS_DENIED
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_LAST_PWD_CHANGE |
- SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2,
- .set_error = NT_STATUS_ACCESS_DENIED
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_LAST_PWD_CHANGE |
- SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2 |
- SAMR_FIELD_EXPIRED_FLAG,
- .set_error = NT_STATUS_ACCESS_DENIED
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2 |
- SAMR_FIELD_EXPIRED_FLAG
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2,
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_COMMENT,
- },{
- .level = 23,
- .password_expired_nonzero = 1,
- .fields_present = 0,
- .set_error = NT_STATUS_INVALID_PARAMETER
- },{
-
- /* level 24 */
-
- .level = 24,
- .password_expired_nonzero = 1
- },{
- .level = 24,
- .password_expired_nonzero = 24
- },{
-
- /* level 25 */
-
- .level = 25,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_LAST_PWD_CHANGE,
- .set_error = NT_STATUS_ACCESS_DENIED
- },{
- .level = 25,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_EXPIRED_FLAG,
- },{
- .level = 25,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2 |
- SAMR_FIELD_EXPIRED_FLAG
- },{
- .level = 25,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_PASSWORD |
- SAMR_FIELD_PASSWORD2,
- },{
- .level = 25,
- .password_expired_nonzero = 1,
- .fields_present = SAMR_FIELD_COMMENT,
- },{
-
- /* level 26 */
-
- .level = 26,
- .password_expired_nonzero = 1
- },{
- .level = 26,
- .password_expired_nonzero = 24
- }
+ uint32_t levels[] = { 18, 21, 23, 24, 25, 26 };
+ uint32_t nonzeros[] = { 1, 24 };
+ uint32_t fields_present[] = {
+ 0,
+ SAMR_FIELD_EXPIRED_FLAG,
+ SAMR_FIELD_LAST_PWD_CHANGE,
+ SAMR_FIELD_EXPIRED_FLAG | SAMR_FIELD_LAST_PWD_CHANGE,
+ SAMR_FIELD_COMMENT,
+ SAMR_FIELD_NT_PASSWORD_PRESENT,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_EXPIRED_FLAG,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_EXPIRED_FLAG,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE | SAMR_FIELD_EXPIRED_FLAG
};
+ NTSTATUS status;
+ struct dcerpc_pipe *np = NULL;
if (torture_setting_bool(tctx, "samba3", false)) {
delay = 1000000;
delay);
}
+ status = torture_rpc_connection(tctx, &np, &ndr_table_netlogon);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
/* set to 1 to enable testing for all possible opcode
(SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2)
combinations */
#define TEST_SET_LEVELS 1
#define TEST_QUERY_LEVELS 1
#endif
- for (i=0; i<ARRAY_SIZE(pwd_tests); i++) {
+ for (l=0; l<ARRAY_SIZE(levels); l++) {
+ for (z=0; z<ARRAY_SIZE(nonzeros); z++) {
+ for (f=0; f<ARRAY_SIZE(fields_present); f++) {
#ifdef TEST_SET_LEVELS
for (s=0; s<ARRAY_SIZE(set_levels); s++) {
#endif
#endif
NTTIME pwdlastset_old = 0;
NTTIME pwdlastset_new = 0;
+ bool matched_expected_error = false;
+ NTSTATUS expected_samlogon_result = NT_STATUS_ACCOUNT_DISABLED;
torture_comment(tctx, "------------------------------\n"
"Testing pwdLastSet attribute for flags: 0x%08x "
"(s: %d (l: %d), q: %d)\n",
- acct_flags, s, pwd_tests[i].level, q);
+ acct_flags, s, levels[l], q);
+
+ switch (levels[l]) {
+ case 21:
+ case 23:
+ case 25:
+ if (!((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT))) {
+ expected_samlogon_result = NT_STATUS_WRONG_PASSWORD;
+ }
+ break;
+ }
+
/* set #1 */
/* set a password and force password change (pwdlastset 0) by
* setting the password expired flag to a non-0 value */
- if (!test_SetPassword_level(p, tctx, handle,
- pwd_tests[i].level,
- pwd_tests[i].fields_present,
- pwd_tests[i].password_expired_nonzero,
- pwd_tests[i].set_error,
+ if (!test_SetPassword_level(p, np, tctx, handle,
+ levels[l],
+ fields_present[f],
+ nonzeros[z],
+ &matched_expected_error,
set_levels[s],
+ acct_name,
password,
+ machine_credentials,
query_levels[q],
- &pwdlastset_old)) {
+ &pwdlastset_old,
+ expected_samlogon_result)) {
ret = false;
}
- if (!NT_STATUS_IS_OK(pwd_tests[i].set_error)) {
+ if (matched_expected_error == true) {
/* skipping on expected failure */
continue;
}
/* pwdlastset must be 0 afterwards, except for a level 21, 23 and 25
* set without the SAMR_FIELD_EXPIRED_FLAG */
- switch (pwd_tests[i].level) {
+ switch (levels[l]) {
case 21:
case 23:
case 25:
if ((pwdlastset_new != 0) &&
- !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) {
+ !(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG)) {
torture_comment(tctx, "not considering a non-0 "
"pwdLastSet as a an error as the "
"SAMR_FIELD_EXPIRED_FLAG has not "
break;
}
+ switch (levels[l]) {
+ case 21:
+ case 23:
+ case 25:
+ if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
+ (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ default:
+ if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ }
+
usleep(delay);
/* set #2 */
/* set a password, pwdlastset needs to get updated (increased
* value), password_expired value used here is 0 */
- if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level,
- pwd_tests[i].fields_present,
+ if (!test_SetPassword_level(p, np, tctx, handle,
+ levels[l],
+ fields_present[f],
0,
- pwd_tests[i].set_error,
+ &matched_expected_error,
set_levels[s],
+ acct_name,
password,
+ machine_credentials,
query_levels[q],
- &pwdlastset_new)) {
-
+ &pwdlastset_new,
+ expected_samlogon_result)) {
ret = false;
}
/* when a password has been changed, pwdlastset must not be 0 afterwards
* and must be larger then the old value */
- switch (pwd_tests[i].level) {
+ switch (levels[l]) {
case 21:
case 23:
case 25:
* password has been changed, old and new pwdlastset
* need to be the same value */
- if (!(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG) &&
- !((pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD) ||
- (pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD2)))
+ if (!(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG) &&
+ !((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)))
{
torture_assert_int_equal(tctx, pwdlastset_old,
pwdlastset_new, "pwdlastset must be equal");
}
}
+ switch (levels[l]) {
+ case 21:
+ case 23:
+ case 25:
+ if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
+ (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ default:
+ if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ }
+
pwdlastset_old = pwdlastset_new;
usleep(delay);
+ /* set #2b */
+
+ /* set a password, pwdlastset needs to get updated (increased
+ * value), password_expired value used here is 0 */
+
+ if (!test_SetPassword_level(p, np, tctx, handle,
+ levels[l],
+ fields_present[f],
+ 0,
+ &matched_expected_error,
+ set_levels[s],
+ acct_name,
+ password,
+ machine_credentials,
+ query_levels[q],
+ &pwdlastset_new,
+ expected_samlogon_result)) {
+ ret = false;
+ }
+
+ /* when a password has been changed, pwdlastset must not be 0 afterwards
+ * and must be larger then the old value */
+
+ switch (levels[l]) {
+ case 21:
+ case 23:
+ case 25:
+
+ /* if no password has been changed, old and new pwdlastset
+ * need to be the same value */
+
+ if (!((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)))
+ {
+ torture_assert_int_equal(tctx, pwdlastset_old,
+ pwdlastset_new, "pwdlastset must be equal");
+ break;
+ }
+ default:
+ if (pwdlastset_old >= pwdlastset_new) {
+ torture_warning(tctx, "pwdLastSet test failed: "
+ "expected last pwdlastset (%lld) < new pwdlastset (%lld)\n",
+ pwdlastset_old, pwdlastset_new);
+ ret = false;
+ }
+ if (pwdlastset_new == 0) {
+ torture_warning(tctx, "pwdLastSet test failed: "
+ "expected non-0 pwdlastset, got: %lld\n",
+ pwdlastset_new);
+ ret = false;
+ }
+ }
+
/* set #3 */
/* set a password and force password change (pwdlastset 0) by
* setting the password expired flag to a non-0 value */
- if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level,
- pwd_tests[i].fields_present,
- pwd_tests[i].password_expired_nonzero,
- pwd_tests[i].set_error,
+ if (!test_SetPassword_level(p, np, tctx, handle,
+ levels[l],
+ fields_present[f],
+ nonzeros[z],
+ &matched_expected_error,
set_levels[s],
+ acct_name,
password,
+ machine_credentials,
query_levels[q],
- &pwdlastset_new)) {
+ &pwdlastset_new,
+ expected_samlogon_result)) {
ret = false;
}
/* pwdlastset must be 0 afterwards, except for a level 21, 23 and 25
* set without the SAMR_FIELD_EXPIRED_FLAG */
- switch (pwd_tests[i].level) {
+ switch (levels[l]) {
case 21:
case 23:
case 25:
if ((pwdlastset_new != 0) &&
- !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) {
+ !(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG)) {
torture_comment(tctx, "not considering a non-0 "
"pwdLastSet as a an error as the "
"SAMR_FIELD_EXPIRED_FLAG has not "
* password has been changed, old and new pwdlastset
* need to be the same value */
- if (!(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG) &&
- !((pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD) ||
- (pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD2)))
+ if (!(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG) &&
+ !((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)))
{
torture_assert_int_equal(tctx, pwdlastset_old,
pwdlastset_new, "pwdlastset must be equal");
}
break;
}
+
+ switch (levels[l]) {
+ case 21:
+ case 23:
+ case 25:
+ if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+ (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
+ (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ default:
+ if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+ (pwdlastset_old >= pwdlastset_new)) {
+ torture_warning(tctx, "pwdlastset not increasing\n");
+ ret = false;
+ }
+ break;
+ }
+
+ /* if the level we are testing does not have a fields_present
+ * field, skip all fields present tests by setting f to to
+ * arraysize */
+ switch (levels[l]) {
+ case 18:
+ case 24:
+ case 26:
+ f = ARRAY_SIZE(fields_present);
+ break;
+ }
+
#ifdef TEST_QUERY_LEVELS
}
#endif
#ifdef TEST_SET_LEVELS
}
#endif
- }
+ } /* fields present */
+ } /* nonzeros */
+ } /* levels */
#undef TEST_SET_LEVELS
#undef TEST_QUERY_LEVELS
struct policy_handle *user_handle,
struct policy_handle *domain_handle,
uint32_t base_acct_flags,
- const char *base_acct_name, enum torture_samr_choice which_ops)
+ const char *base_acct_name, enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
char *password = NULL;
struct samr_QueryUserInfo q;
int i;
uint32_t rid;
const uint32_t password_fields[] = {
- SAMR_FIELD_PASSWORD,
- SAMR_FIELD_PASSWORD2,
- SAMR_FIELD_PASSWORD | SAMR_FIELD_PASSWORD2,
+ SAMR_FIELD_NT_PASSWORD_PRESENT,
+ SAMR_FIELD_LM_PASSWORD_PRESENT,
+ SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT,
0
};
ret = false;
}
+ if (torture_setting_bool(tctx, "samba4", false)) {
+ printf("skipping Set Password level 18 and 21 against Samba4\n");
+ } else {
+
+ if (!test_SetUserPass_18(p, tctx, user_handle, &password)) {
+ ret = false;
+ }
+
+ if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
+ ret = false;
+ }
+
+ for (i = 0; password_fields[i]; i++) {
+
+ if (password_fields[i] == SAMR_FIELD_LM_PASSWORD_PRESENT) {
+ /* we need to skip as that would break
+ * the ChangePasswordUser3 verify */
+ continue;
+ }
+
+ if (!test_SetUserPass_21(p, tctx, user_handle, password_fields[i], &password)) {
+ ret = false;
+ }
+
+ /* check it was set right */
+ if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
+ ret = false;
+ }
+ }
+ }
+
q.in.user_handle = user_handle;
q.in.level = 5;
q.out.info = &info;
printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
info->info5.acct_flags,
expected_flags);
- ret = false;
+ /* FIXME: GD */
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret = false;
+ }
}
if (info->info5.rid != rid) {
printf("QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
/* test last password change timestamp behaviour */
if (!test_SetPassword_pwdlastset(p, tctx, base_acct_flags,
- user_handle, &password)) {
+ base_acct_name,
+ user_handle, &password,
+ machine_credentials)) {
ret = false;
}
struct policy_handle *domain_handle,
struct policy_handle *user_handle_out,
struct dom_sid *domain_sid,
- enum torture_samr_choice which_ops)
+ enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
TALLOC_CTX *user_ctx;
}
if (!test_user_ops(p, tctx, &user_handle, domain_handle,
- acct_flags, name.string, which_ops)) {
+ acct_flags, name.string, which_ops,
+ machine_credentials)) {
ret = false;
}
static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *domain_handle,
struct dom_sid *domain_sid,
- enum torture_samr_choice which_ops)
+ enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
NTSTATUS status;
struct samr_CreateUser2 r;
}
if (!test_user_ops(p, tctx, &user_handle, domain_handle,
- acct_flags, name.string, which_ops)) {
+ acct_flags, name.string, which_ops,
+ machine_credentials)) {
ret = false;
}
status = dcerpc_samr_SetDomainInfo(p, tctx, &s);
if (!NT_STATUS_IS_OK(status)) {
printf("SetDomainInfo level %u (set comment) failed - %s\n",
- r.in.level, nt_errstr(status));
+ s.in.level, nt_errstr(status));
return false;
}
static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *handle, struct dom_sid *sid,
- enum torture_samr_choice which_ops)
+ enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
NTSTATUS status;
struct samr_OpenDomain r;
switch (which_ops) {
case TORTURE_SAMR_USER_ATTRIBUTES:
case TORTURE_SAMR_PASSWORDS:
- case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
- ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops);
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops);
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
+ }
+ ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
/* This test needs 'complex' users to validate */
ret &= test_QueryDisplayInfo(p, tctx, &domain_handle);
if (!ret) {
printf("Testing PASSWORDS or ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
}
break;
+ case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
+ if (!torture_setting_bool(tctx, "samba3", false)) {
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, machine_credentials);
+ }
+ ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, machine_credentials);
+ if (!ret) {
+ printf("Testing PASSWORDS PWDLASTSET on domain %s failed!\n", dom_sid_string(tctx, sid));
+ }
+ break;
case TORTURE_SAMR_OTHER:
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops);
+ ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
if (!ret) {
printf("Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
}
static bool test_LookupDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *handle, const char *domain,
- enum torture_samr_choice which_ops)
+ enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
NTSTATUS status;
struct samr_LookupDomain r;
ret = false;
}
- if (!test_OpenDomain(p, tctx, handle, *r.out.sid, which_ops)) {
+ if (!test_OpenDomain(p, tctx, handle, *r.out.sid, which_ops,
+ machine_credentials)) {
ret = false;
}
static bool test_EnumDomains(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *handle, enum torture_samr_choice which_ops)
+ struct policy_handle *handle, enum torture_samr_choice which_ops,
+ struct cli_credentials *machine_credentials)
{
NTSTATUS status;
struct samr_EnumDomains r;
for (i=0;i<sam->count;i++) {
if (!test_LookupDomain(p, tctx, handle,
- sam->entries[i].name.string, which_ops)) {
+ sam->entries[i].name.string, which_ops,
+ machine_credentials)) {
ret = false;
}
}
ret &= test_QuerySecurity(p, torture, &handle);
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_OTHER);
+ ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_OTHER, NULL);
ret &= test_SetDsrmPassword(p, torture, &handle);
ret &= test_Connect(p, torture, &handle);
- ret &= test_QuerySecurity(p, torture, &handle);
+ if (!torture_setting_bool(torture, "samba3", false)) {
+ ret &= test_QuerySecurity(p, torture, &handle);
+ }
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_USER_ATTRIBUTES);
+ ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_USER_ATTRIBUTES, NULL);
ret &= test_SetDsrmPassword(p, torture, &handle);
ret &= test_Connect(p, torture, &handle);
- ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_PASSWORDS);
+ ret &= test_EnumDomains(p, torture, &handle, TORTURE_SAMR_PASSWORDS, NULL);
ret &= test_samr_handle_Close(p, torture, &handle);
return ret;
}
-bool torture_rpc_samr_passwords_pwdlastset(struct torture_context *torture)
+static bool torture_rpc_samr_pwdlastset(struct torture_context *torture,
+ struct dcerpc_pipe *p2,
+ struct cli_credentials *machine_credentials)
{
NTSTATUS status;
struct dcerpc_pipe *p;
ret &= test_Connect(p, torture, &handle);
ret &= test_EnumDomains(p, torture, &handle,
- TORTURE_SAMR_PASSWORDS_PWDLASTSET);
+ TORTURE_SAMR_PASSWORDS_PWDLASTSET,
+ machine_credentials);
ret &= test_samr_handle_Close(p, torture, &handle);
return ret;
}
+struct torture_suite *torture_rpc_samr_passwords_pwdlastset(TALLOC_CTX *mem_ctx)
+{
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-PWDLASTSET");
+ struct torture_rpc_tcase *tcase;
+
+ tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "samr",
+ &ndr_table_samr,
+ TEST_ACCOUNT_NAME_PWD);
+
+ torture_rpc_tcase_add_test_creds(tcase, "pwdLastSet",
+ torture_rpc_samr_pwdlastset);
+
+ return suite;
+}