r9166: This checks more of the auth subsystem in the PAC test.
authorAndrew Bartlett <abartlet@samba.org>
Sat, 6 Aug 2005 23:07:21 +0000 (23:07 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:31:26 +0000 (13:31 -0500)
Andrew Bartlett

source/torture/auth/pac.c
source/torture/rpc/samlogon.c
source/torture/rpc/xplogin.c

index 74a31af890ab36b0b02577069c3af8ae0a9b0d7b..43a9fd44b59270575dd3da74dee5f2d0fee8a45a 100644 (file)
@@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
        TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
        DATA_BLOB tmp_blob;
        struct PAC_DATA *pac_data;
+       struct PAC_LOGON_INFO *logon_info;
+       union netr_Validation validation;
 
        /* Generate a nice, arbitary keyblock */
        uint8_t server_bytes[16];
@@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
        struct smb_krb5_context *smb_krb5_context;
 
        struct auth_serversupplied_info *server_info;
+       struct auth_serversupplied_info *server_info_out;
 
        ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
 
@@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
                                 server_bytes, sizeof(server_bytes),
                                 &server_keyblock);
        if (ret) {
-               DEBUG(1, ("Server Keyblock encoding failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                    ret, mem_ctx)));
-
+               printf("Server Keyblock encoding failed: %s\n", 
+                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                 ret, mem_ctx));
+               
                talloc_free(mem_ctx);
                return False;
        }
@@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
                                 krbtgt_bytes, sizeof(krbtgt_bytes),
                                 &krbtgt_keyblock);
        if (ret) {
-               DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                    ret, mem_ctx)));
-
+               printf("KRBTGT Keyblock encoding failed: %s\n", 
+                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                 ret, mem_ctx));
+       
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
                talloc_free(mem_ctx);
@@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
                                  &tmp_blob);
        
        if (ret) {
-               DEBUG(1, ("PAC encoding failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                    ret, mem_ctx)));
+               printf("PAC encoding failed: %s\n", 
+                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                 ret, mem_ctx));
 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
@@ -126,18 +129,64 @@ static BOOL torture_pac_self_check(void)
                                        &krbtgt_keyblock,
                                        &server_keyblock);
 
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+               DEBUG(1, ("PAC decoding failed: %s\n", 
+                         nt_errstr(nt_status)));
+
+               talloc_free(mem_ctx);
+               return False;
+       }
+
+       /* Now check that we can read it back */
+       nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+                                           tmp_blob,
+                                           smb_krb5_context,
+                                           &krbtgt_keyblock,
+                                           &server_keyblock);
+       
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+               printf("PAC decoding (for logon info) failed: %s\n", 
+                      nt_errstr(nt_status));
+               
+               talloc_free(mem_ctx);
+               return False;
+       }
+       
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                    &krbtgt_keyblock);
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                    &server_keyblock);
-       if (ret) {
-               DEBUG(1, ("PAC decoding failed: %s\n", 
-                         nt_errstr(nt_status)));
 
+       validation.sam3 = &logon_info->info3;
+       nt_status = make_server_info_netlogon_validation(mem_ctx,
+                                                        "",
+                                                        3, &validation,
+                                                        &server_info_out); 
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               printf("PAC decoding (make server info) failed: %s\n", 
+                      nt_errstr(nt_status));
+               
                talloc_free(mem_ctx);
                return False;
        }
-
+       
+       if (!dom_sid_equal(server_info->account_sid, 
+                          server_info_out->account_sid)) {
+               printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+                      dom_sid_string(mem_ctx, server_info->account_sid), 
+                      dom_sid_string(mem_ctx, server_info_out->account_sid));
+               talloc_free(mem_ctx);
+               return False;
+       }
+       
        talloc_free(mem_ctx);
        return True;
 }
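Review bot: The final check in this hunk compares `account_sid` on the two `auth_serversupplied_info` structures, but the failure text says "*different* domain SID"; `"PAC Decode resulted in *different* account SID: %s != %s\n"` would describe what is actually tested. The round-trip is also positive-path only: after `kerberos_pac_logon_info` succeeds nothing confirms that a modified `tmp_blob`, or a decode under a keyblock other than the one it was signed with, is rejected, and that rejection is the property a PAC self-check most needs to pin down, so one negative case here would be worth more than the SID comparison. Both `dom_sid_string` results are handed to `%s` unchecked; if that helper can return NULL on allocation failure the printf is undefined, which I cannot confirm from here. torture_pac_self_check starts before this hunk.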
@@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
        TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
        DATA_BLOB tmp_blob, validate_blob;
        struct PAC_DATA *pac_data;
+       struct PAC_LOGON_INFO *logon_info;
+       union netr_Validation validation;
+
+       struct auth_serversupplied_info *server_info_out;
+
        krb5_keyblock server_keyblock;
        krb5_keyblock krbtgt_keyblock;
        uint8_t server_bytes[16];
@@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
        }
 
        tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
-
+       
        /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
-
+       
        dump_data(10,tmp_blob.data,tmp_blob.length);
 
        /* Decode and verify the signaure on the PAC */
@@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
                return False;
        }
 
+       /* Parse the PAC again, for the logon info this time */
+       nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+                                           tmp_blob,
+                                           smb_krb5_context,
+                                           &krbtgt_keyblock,
+                                           &server_keyblock);
+
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+               printf("PAC decoding (for logon info) failed: %s\n", 
+                         nt_errstr(nt_status));
+
+               talloc_free(mem_ctx);
+               return False;
+       }
+
+       validation.sam3 = &logon_info->info3;
+       nt_status = make_server_info_netlogon_validation(mem_ctx,
+                                                        "",
+                                                        3, &validation,
+                                                        &server_info_out); 
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                   &server_keyblock);
+
+               printf("PAC decoding (make server info) failed: %s\n", 
+                      nt_errstr(nt_status));
+               
+               talloc_free(mem_ctx);
+               return False;
+       }
+
+       if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
+                          server_info_out->account_sid)) {
+               printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+                      "S-1-5-21-3048156945-3961193616-3706469200-1005", 
+                      dom_sid_string(mem_ctx, server_info_out->account_sid));
+               talloc_free(mem_ctx);
+               return False;
+       }
+
        ret = kerberos_encode_pac(mem_ctx, 
                                  pac_data,
                                  smb_krb5_context->krb5_context,
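Review bot: The SID-mismatch branch added at the end of this hunk returns without calling `krb5_free_keyblock_contents` on either keyblock, unlike the two failure branches immediately above it, so a mismatch leaks the keyblock contents; it also passes the `dom_sid_parse_talloc` result straight into `dom_sid_equal` without a NULL check (assuming that helper returns NULL on a malformed string or allocation failure), and repeats the literal SID twice where one constant would do. The message should also say "account SID", since `account_sid` is what is compared. torture_pac_saved_check begins before this hunk and continues after it.

```c
	/* … unchanged: make_server_info_netlogon_validation and its error path … */

	{
		const char *expected_sid_str = "S-1-5-21-3048156945-3961193616-3706469200-1005";
		struct dom_sid *expected_sid = dom_sid_parse_talloc(mem_ctx, expected_sid_str);

		if (!expected_sid
		    || !dom_sid_equal(expected_sid, server_info_out->account_sid)) {
			krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
						    &krbtgt_keyblock);
			krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
						    &server_keyblock);
			printf("PAC Decode resulted in *different* account SID: %s != %s\n",
			       expected_sid_str,
			       dom_sid_string(mem_ctx, server_info_out->account_sid));
			talloc_free(mem_ctx);
			return False;
		}
	}

	/* … unchanged: kerberos_encode_pac re-encode … */
```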
index e219e9c1401e7ea26aa4b0ce94b1588c924110d7..607dbaec8a32e53a7711792a6383596a841c88f8 100644 (file)
@@ -1259,10 +1259,11 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 /*
   test an ADS style interactive domain logon
 */
-static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
-                                 struct creds_CredentialState *creds, 
-                                 const char *account_domain, const char *account_name,
-                                 const char *plain_pass)
+BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+                          struct creds_CredentialState *creds, 
+                          const char *workstation_name,
+                          const char *account_domain, const char *account_name,
+                          const char *plain_pass)
 {
        NTSTATUS status;
        TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
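Review bot: `test_InteractiveLogon` drops its `static` and gains a `workstation_name` parameter here, but no header or prototype appears anywhere in this diff, so a caller in another translation unit (xplogin.c in this same commit) would compile against an implicit declaration, which C99 rejects and C89 silently treats as returning `int`. Unless a prototype already exists in a header outside this diff, one matching the new signature should be added where xplogin.c can see it, e.g. `BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct creds_CredentialState *creds, const char *workstation_name, const char *account_domain, const char *account_name, const char *plain_pass);`. The function body continues past the end of this hunk.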
@@ -1290,7 +1291,7 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
        pinfo.identity_info.logon_id_low = 0;
        pinfo.identity_info.logon_id_high = 0;
        pinfo.identity_info.account_name.string = account_name;
-       pinfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+       pinfo.identity_info.workstation.string = workstation_name;
 
        if (!E_deshash(plain_pass, pinfo.lmpassword.hash)) {
                ZERO_STRUCT(pinfo.lmpassword.hash);
@@ -1491,6 +1492,7 @@ BOOL torture_rpc_samlogon(void)
        for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
                
                if (!test_InteractiveLogon(p, mem_ctx, creds,
+                                          TEST_MACHINE_NAME,
                                           usercreds[ci].domain,
                                           usercreds[ci].username,
                                           usercreds[ci].password)) {
@@ -1514,6 +1516,7 @@ BOOL torture_rpc_samlogon(void)
 
        for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
                if (!test_InteractiveLogon(p, mem_ctx, creds,
+                                          TEST_MACHINE_NAME,
                                           usercreds[0].domain,
                                           usercreds[0].username,
                                           usercreds[0].password)) {
index c841267d9739886df12b61a1786044344b11d35f..acf7a416577cf6c25bb549007db2ab637663b08f 100644 (file)
@@ -29,6 +29,7 @@
 #include "libcli/composite/composite.h"
 
 #if 0
+
 static NTSTATUS after_negprot(struct smbcli_transport **dst_transport,
                              const char *dest_host, uint16_t port,
                              const char *my_name)
@@ -501,79 +502,6 @@ static NTSTATUS setup_netlogon_creds(struct smbcli_transport *transport,
        return NT_STATUS_OK;
 }
 
-static NTSTATUS torture_samlogon(struct dcerpc_pipe *p,
-                                struct creds_CredentialState *netlogon_creds,
-                                const char *workstation,
-                                const char *domain,
-                                const char *username,
-                                const char *password)
-{
-       TALLOC_CTX *mem_ctx;
-       struct netr_LogonSamLogon log;
-       struct netr_NetworkInfo ninfo;
-       struct netr_Authenticator auth, auth2;
-       uint8_t user_session_key[16];
-       DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
-       DATA_BLOB lmv2_response = data_blob(NULL, 0);
-       DATA_BLOB names_blob;
-       DATA_BLOB chall;
-       NTSTATUS status;
-
-       mem_ctx = talloc_init("torture_samlogon");
-
-       ZERO_STRUCT(user_session_key);
-
-       printf("testing netr_LogonSamLogon\n");
-
-       log.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s",
-                                            dcerpc_server_name(p));
-       log.in.workstation = workstation;
-       log.in.credential = &auth;
-       log.in.return_authenticator = &auth2;
-       log.in.validation_level = 3;
-       log.in.logon_level = 2;
-       log.in.logon.network = &ninfo;
-
-       chall = data_blob_talloc(mem_ctx, NULL, 8);
-       generate_random_buffer(chall.data, 8);  
-
-       names_blob = NTLMv2_generate_names_blob(mem_ctx, workstation,
-                                               lp_workgroup());
-       ZERO_STRUCT(user_session_key);
-
-       if (!SMBNTLMv2encrypt(username, domain, password,
-                             &chall, &names_blob,
-                             &lmv2_response, &ntlmv2_response, 
-                             NULL, NULL)) {
-               data_blob_free(&names_blob);
-               talloc_free(mem_ctx);
-               return NT_STATUS_UNSUCCESSFUL;
-       }
-       data_blob_free(&names_blob);
-
-       ninfo.identity_info.domain_name.string = domain;
-       ninfo.identity_info.parameter_control = 0;
-       ninfo.identity_info.logon_id_low = 0;
-       ninfo.identity_info.logon_id_high = 0;
-       ninfo.identity_info.account_name.string = username;
-       ninfo.identity_info.workstation.string = workstation;
-       memcpy(ninfo.challenge, chall.data, 8);
-       ninfo.nt.data = ntlmv2_response.data;
-       ninfo.nt.length = ntlmv2_response.length;
-       ninfo.lm.data = NULL;
-       ninfo.lm.length = 0;
-
-       ZERO_STRUCT(auth2);
-       creds_client_authenticator(netlogon_creds, &auth);
-
-       log.out.return_authenticator = NULL;
-       status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &log);
-       talloc_free(mem_ctx);
-       data_blob_free(&lmv2_response);
-       data_blob_free(&ntlmv2_response);
-       return status;
-}
-
 static NTSTATUS test_getgroups(struct smbcli_transport *transport,
                               const char *name)
 {
@@ -659,7 +587,7 @@ static NTSTATUS test_getgroups(struct smbcli_transport *transport,
 
        {
                struct samr_LookupNames l;
-               struct samr_String samr_name;
+               struct lsa_String samr_name;
                struct samr_OpenUser o;
 
                samr_name.string = name;
@@ -832,7 +760,7 @@ static NTSTATUS test_getallsids(struct smbcli_transport *transport,
 
        {
                struct samr_LookupNames l;
-               struct samr_String samr_name;
+               struct lsa_String samr_name;
                struct samr_OpenUser o;
 
                samr_name.string = name;
@@ -1038,22 +966,20 @@ static BOOL xp_login(const char *dcname, const char *wksname,
        if (!NT_STATUS_IS_OK(status))
                 return False;
 
-       status = torture_samlogon(netlogon_schannel_pipe,
-                                 netlogon_creds, wksname, domain,
-                                 user1name, user1pw);
-
-       if (!NT_STATUS_IS_OK(status))
-                return False;
-
+       if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx, 
+                                  netlogon_creds, wksname, domain,
+                                  user1name, user1pw)) {
+               return False;
+       }
+               
        talloc_free(netlogon_pipe);
 
-       status = torture_samlogon(netlogon_schannel_pipe,
-                                 netlogon_creds, wksname, domain,
-                                 user2name, user2pw);
-
-       if (!NT_STATUS_IS_OK(status))
-                return False;
-
+       if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx, 
+                                  netlogon_creds, wksname, domain,
+                                  user1name, user1pw)) {
+               return False;
+       }
+               
        status = test_getgroups(transport, user2name);
        
        if (!NT_STATUS_IS_OK(status))
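Review bot: The second `test_InteractiveLogon` call in this hunk passes `user1name, user1pw` again, whereas the `torture_samlogon` call it replaces used `user2name, user2pw`, and the `test_getgroups(transport, user2name)` that follows still refers to the second user; this looks like a copy-paste slip, and the second call should read `user2name, user2pw`. As written the test never exercises a logon for the second account at all. xp_login starts before this hunk and ends after it, and the whole function is still inside the file's top-level `#if 0`, so the compiler will not flag anything here.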
@@ -1093,8 +1019,6 @@ static BOOL xp_login(const char *dcname, const char *wksname,
        return True;
 }
 
-#endif
-
 struct user_pw {
        const char *username;
        const char *password;
@@ -1112,10 +1036,8 @@ static const struct user_pw machines[] = {
 
 BOOL torture_rpc_login(void)
 {
-#if 0
        const char *pdcname = "pdcname";
        const char *domainname = "domain";
-#endif
 
        int useridx1 = rand() % ARRAY_SIZE(users);
        int useridx2 = rand() % ARRAY_SIZE(users);
@@ -1125,13 +1047,18 @@ BOOL torture_rpc_login(void)
               users[useridx1].username,
               users[useridx2].username);
 
-#if 0
        return xp_login(pdcname, machines[machidx].username,
                        domainname, machines[machidx].password,
                        users[useridx1].username,
                        users[useridx1].password,
                        users[useridx2].username,
                        users[useridx2].password);
-#endif
        return False;
 }
+#else 
+
+BOOL torture_rpc_login(void)
+{
+       return False;
+}
+#endif
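Review bot: With the `#if 0`/`#endif` removed around the `return xp_login(...)`, the `return False;` that follows it in `torture_rpc_login` is now unreachable and should be dropped. More importantly, the top-of-file `#if 0` is still in place, so the `#else` stub is what actually builds, and a disabled test that reports `False` is indistinguishable from a failing one; a comment on the stub such as `/* xplogin is compiled out (#if 0 above); placeholder until it builds against test_InteractiveLogon */`, or reporting the test as skipped rather than failed, would make that explicit. The hard-coded `"pdcname"` and `"domain"` placeholders also mean the live path cannot succeed against a real DC, which is presumably why it stays disabled.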