Add a torture test for the new 'netlogon' flags.
[kai/samba.git] / source4 / torture / ldap / cldap.c
1 /* 
2    Unix SMB/CIFS mplementation.
3
4    test CLDAP operations
5    
6    Copyright (C) Andrew Tridgell 2005
7     
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20    
21 */
22
23 #include "includes.h"
24 #include "libcli/cldap/cldap.h"
25 #include "libcli/ldap/ldap.h"
26 #include "librpc/gen_ndr/ndr_nbt.h"
27 #include "torture/torture.h"
28 #include "lib/ldb/include/ldb.h"
29 #include "param/param.h"
30
31 #define CHECK_STATUS(status, correct) torture_assert_ntstatus_equal(tctx, status, correct, "incorrect status")
32
33 #define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value");
34
35 #define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value");
36 /*
37   test netlogon operations
38 */
39 static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
40 {
41         struct cldap_socket *cldap;
42         NTSTATUS status;
43         struct cldap_netlogon search, empty_search;
44         struct netlogon_samlogon_response n1;
45         struct GUID guid;
46         int i;
47
48         cldap = cldap_socket_init(tctx, tctx->ev, lp_iconv_convenience(tctx->lp_ctx));
49
50         ZERO_STRUCT(search);
51         search.in.dest_address = dest;
52         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
53         search.in.acct_control = -1;
54         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
55         search.in.map_response = true;
56
57         empty_search = search;
58
59         printf("Trying without any attributes\n");
60         search = empty_search;
61         status = cldap_netlogon(cldap, tctx, &search);
62         CHECK_STATUS(status, NT_STATUS_OK);
63
64         n1 = search.out.netlogon;
65
66         search.in.user         = "Administrator";
67         search.in.realm        = n1.nt5_ex.dns_domain;
68         search.in.host         = "__cldap_torture__";
69
70         printf("Scanning for netlogon levels\n");
71         for (i=0;i<256;i++) {
72                 search.in.version = i;
73                 printf("Trying netlogon level %d\n", i);
74                 status = cldap_netlogon(cldap, tctx, &search);
75                 CHECK_STATUS(status, NT_STATUS_OK);
76         }
77
78         printf("Scanning for netlogon level bits\n");
79         for (i=0;i<31;i++) {
80                 search.in.version = (1<<i);
81                 printf("Trying netlogon level 0x%x\n", i);
82                 status = cldap_netlogon(cldap, tctx, &search);
83                 CHECK_STATUS(status, NT_STATUS_OK);
84         }
85
86         search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
87
88         status = cldap_netlogon(cldap, tctx, &search);
89         CHECK_STATUS(status, NT_STATUS_OK);
90
91         printf("Trying with User=NULL\n");
92
93         search.in.user = NULL;
94         status = cldap_netlogon(cldap, tctx, &search);
95         CHECK_STATUS(status, NT_STATUS_OK);
96         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
97         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
98
99         printf("Trying with User=Administrator\n");
100
101         search.in.user = "Administrator";
102         status = cldap_netlogon(cldap, tctx, &search);
103         CHECK_STATUS(status, NT_STATUS_OK);
104
105         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, search.in.user);
106         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
107
108         search.in.version = NETLOGON_NT_VERSION_5;
109         status = cldap_netlogon(cldap, tctx, &search);
110         CHECK_STATUS(status, NT_STATUS_OK);
111
112         printf("Trying with User=NULL\n");
113
114         search.in.user = NULL;
115         status = cldap_netlogon(cldap, tctx, &search);
116         CHECK_STATUS(status, NT_STATUS_OK);
117         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
118         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
119
120         printf("Trying with User=Administrator\n");
121
122         search.in.user = "Administrator";
123         status = cldap_netlogon(cldap, tctx, &search);
124         CHECK_STATUS(status, NT_STATUS_OK);
125
126         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, search.in.user);
127         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
128
129         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
130
131         printf("Trying with a GUID\n");
132         search.in.realm       = NULL;
133         search.in.domain_guid = GUID_string(tctx, &n1.nt5_ex.domain_uuid);
134         status = cldap_netlogon(cldap, tctx, &search);
135         CHECK_STATUS(status, NT_STATUS_OK);
136         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
137         CHECK_STRING(GUID_string(tctx, &search.out.netlogon.nt5_ex.domain_uuid), search.in.domain_guid);
138
139         printf("Trying with a incorrect GUID\n");
140         guid = GUID_random();
141         search.in.user        = NULL;
142         search.in.domain_guid = GUID_string(tctx, &guid);
143         status = cldap_netlogon(cldap, tctx, &search);
144         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
145
146         printf("Trying with a AAC\n");
147         search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
148         search.in.realm = n1.nt5_ex.dns_domain;
149         status = cldap_netlogon(cldap, tctx, &search);
150         CHECK_STATUS(status, NT_STATUS_OK);
151         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
152         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
153
154         printf("Trying with a zero AAC\n");
155         search.in.acct_control = 0x0;
156         search.in.realm = n1.nt5_ex.dns_domain;
157         status = cldap_netlogon(cldap, tctx, &search);
158         CHECK_STATUS(status, NT_STATUS_OK);
159         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
160         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
161
162         printf("Trying with a zero AAC and user=Administrator\n");
163         search.in.acct_control = 0x0;
164         search.in.user = "Administrator";
165         search.in.realm = n1.nt5_ex.dns_domain;
166         status = cldap_netlogon(cldap, tctx, &search);
167         CHECK_STATUS(status, NT_STATUS_OK);
168         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
169         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "Administrator");
170
171         printf("Trying with a bad AAC\n");
172         search.in.user = NULL;
173         search.in.acct_control = 0xFF00FF00;
174         search.in.realm = n1.nt5_ex.dns_domain;
175         status = cldap_netlogon(cldap, tctx, &search);
176         CHECK_STATUS(status, NT_STATUS_OK);
177         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
178         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
179
180         printf("Trying with a user only\n");
181         search = empty_search;
182         search.in.user = "Administrator";
183         status = cldap_netlogon(cldap, tctx, &search);
184         CHECK_STATUS(status, NT_STATUS_OK);
185         CHECK_STRING(search.out.netlogon.nt5_ex.dns_domain, n1.nt5_ex.dns_domain);
186         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, search.in.user);
187
188         printf("Trying with just a bad username\n");
189         search.in.user = "___no_such_user___";
190         status = cldap_netlogon(cldap, tctx, &search);
191         CHECK_STATUS(status, NT_STATUS_OK);
192         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, search.in.user);
193         CHECK_STRING(search.out.netlogon.nt5_ex.dns_domain, n1.nt5_ex.dns_domain);
194         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
195
196         printf("Trying with just a bad domain\n");
197         search = empty_search;
198         search.in.realm = "___no_such_domain___";
199         status = cldap_netlogon(cldap, tctx, &search);
200         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
201
202         printf("Trying with a incorrect domain and correct guid\n");
203         search.in.domain_guid = GUID_string(tctx, &n1.nt5_ex.domain_uuid);
204         status = cldap_netlogon(cldap, tctx, &search);
205         CHECK_STATUS(status, NT_STATUS_OK);
206         CHECK_STRING(search.out.netlogon.nt5_ex.dns_domain, n1.nt5_ex.dns_domain);
207         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
208         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
209
210         printf("Trying with a incorrect domain and incorrect guid\n");
211         search.in.domain_guid = GUID_string(tctx, &guid);
212         status = cldap_netlogon(cldap, tctx, &search);
213         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
214         CHECK_STRING(search.out.netlogon.nt5_ex.dns_domain, n1.nt5_ex.dns_domain);
215         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
216         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
217
218         printf("Trying with a incorrect GUID and correct domain\n");
219         search.in.domain_guid = GUID_string(tctx, &guid);
220         search.in.realm = n1.nt5_ex.dns_domain;
221         status = cldap_netlogon(cldap, tctx, &search);
222         CHECK_STATUS(status, NT_STATUS_OK);
223         CHECK_STRING(search.out.netlogon.nt5_ex.dns_domain, n1.nt5_ex.dns_domain);
224         CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "");
225         CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
226
227         return true;
228 }
229
230 /*
231   test cldap netlogon server type flags
232 */
233 static bool test_cldap_netlogon_flags(struct torture_context *tctx,
234         const char *dest)
235 {
236         struct cldap_socket *cldap;
237         NTSTATUS status;
238         struct cldap_netlogon search;
239         struct netlogon_samlogon_response n1;
240         uint32_t server_type;
241
242         cldap = cldap_socket_init(tctx, tctx->ev, lp_iconv_convenience(tctx->lp_ctx));
243
244         printf("Printing out netlogon server type flags:\n");
245
246         ZERO_STRUCT(search);
247         search.in.dest_address = dest;
248         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
249         search.in.acct_control = -1;
250         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
251         search.in.map_response = true;
252
253         status = cldap_netlogon(cldap, tctx, &search);
254         CHECK_STATUS(status, NT_STATUS_OK);
255
256         n1 = search.out.netlogon;
257         if (n1.ntver == NETLOGON_NT_VERSION_5)
258                 server_type = n1.nt5.server_type;
259         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
260                 server_type = n1.nt5_ex.server_type;    
261
262         printf("The word is: %i\n", server_type);
263         if (server_type & NBT_SERVER_PDC)
264                 printf("NBT_SERVER_PDC ");
265         if (server_type & NBT_SERVER_GC)
266                 printf("NBT_SERVER_GC ");
267         if (server_type & NBT_SERVER_LDAP)
268                 printf("NBT_SERVER_LDAP ");
269         if (server_type & NBT_SERVER_DS)
270                 printf("NBT_SERVER_DS ");
271         if (server_type & NBT_SERVER_KDC)
272                 printf("NBT_SERVER_KDC ");
273         if (server_type & NBT_SERVER_TIMESERV)
274                 printf("NBT_SERVER_TIMESERV ");
275         if (server_type & NBT_SERVER_CLOSEST)
276                 printf("NBT_SERVER_CLOSEST ");
277         if (server_type & NBT_SERVER_WRITABLE)
278                 printf("NBT_SERVER_WRITABLE ");
279         if (server_type & NBT_SERVER_GOOD_TIMESERV)
280                 printf("NBT_SERVER_GOOD_TIMESERV ");
281         if (server_type & NBT_SERVER_NDNC)
282                 printf("NBT_SERVER_NDNC ");
283         if (server_type & NBT_SERVER_SEL_SEC_DOM_6)
284                 printf("NBT_SERVER_SEL_SEC_DOM_6 ");
285         if (server_type & NBT_SERVER_FUL_SEC_DOM_6)
286                 printf("NBT_SERVER_FUL_SEC_DOM_6 ");
287         if (server_type & NBT_SERVER_DS_DNS_CONTR)
288                 printf("NBT_SERVER_DS_DNS_CONTR ");
289         if (server_type & NBT_SERVER_DS_DNS_DOMAIN)
290                 printf("NBT_SERVER_DS_DNS_DOMAIN ");
291         if (server_type & NBT_SERVER_DS_DNS_FOREST)
292                 printf("NBT_SERVER_DS_DNS_FOREST ");
293
294         printf("\n");
295
296         return true;
297 }
298
299 /*
300   convert a ldap result message to a ldb message. This allows us to
301   use the convenient ldif dump routines in ldb to print out cldap
302   search results
303 */
304 static struct ldb_message *ldap_msg_to_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldap_SearchResEntry *res)
305 {
306         struct ldb_message *msg;
307
308         msg = ldb_msg_new(mem_ctx);
309         msg->dn = ldb_dn_new(msg, ldb, res->dn);
310         msg->num_elements = res->num_attributes;
311         msg->elements = talloc_steal(msg, res->attributes);
312         return msg;
313 }
314
315 /*
316   dump a set of cldap results
317 */
318 static void cldap_dump_results(struct cldap_search *search)
319 {
320         struct ldb_ldif ldif;
321         struct ldb_context *ldb;
322
323         if (!search || !(search->out.response)) {
324                 return;
325         }
326
327         /* we need a ldb context to use ldb_ldif_write_file() */
328         ldb = ldb_init(NULL, NULL);
329
330         ZERO_STRUCT(ldif);
331         ldif.msg = ldap_msg_to_ldb(ldb, ldb, search->out.response);
332
333         ldb_ldif_write_file(ldb, stdout, &ldif);
334
335         talloc_free(ldb);
336 }
337
338
339 /*
340   test cldap netlogon server type flag "NBT_SERVER_DS_DNS_FOREST"
341 */
342 static bool test_cldap_netlogon_flag_ds_dns_forest(struct torture_context *tctx,
343         const char *dest)
344 {
345         struct cldap_socket *cldap;
346         NTSTATUS status;
347         struct cldap_netlogon search;
348         uint32_t server_type;
349         struct netlogon_samlogon_response n1;
350
351         bool result = true;
352
353         cldap = cldap_socket_init(tctx, tctx->ev, lp_iconv_convenience(tctx->lp_ctx));
354
355         printf("Testing netlogon server type flag NBT_SERVER_DS_DNS_FOREST: ");
356
357         ZERO_STRUCT(search);
358         search.in.dest_address = dest;
359         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
360         search.in.acct_control = -1;
361         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
362         search.in.map_response = true;
363
364         status = cldap_netlogon(cldap, tctx, &search);
365         CHECK_STATUS(status, NT_STATUS_OK);
366
367         n1 = search.out.netlogon;
368         if (n1.ntver == NETLOGON_NT_VERSION_5)
369                 server_type = n1.nt5.server_type;
370         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
371                 server_type = n1.nt5_ex.server_type;
372
373         if (server_type & NBT_SERVER_DS_DNS_FOREST) {
374                 struct cldap_search search2;
375                 const char *attrs[] = { "defaultNamingContext", "rootDomainNamingContext", 
376                         NULL };
377                 struct ldb_context *ldb;
378                 struct ldb_message *msg;
379
380                 /* Trying to fetch the attributes "defaultNamingContext" and
381                    "rootDomainNamingContext" */
382                 ZERO_STRUCT(search2);
383                 search2.in.dest_address = dest;
384                 search2.in.dest_port = lp_cldap_port(tctx->lp_ctx);
385                 search2.in.timeout = 10;
386                 search2.in.retries = 3;
387                 search2.in.filter = "(objectclass=*)";
388                 search2.in.attributes = attrs;
389
390                 status = cldap_search(cldap, tctx, &search2);
391                 CHECK_STATUS(status, NT_STATUS_OK);
392
393                 ldb = ldb_init(NULL, NULL);
394
395                 msg = ldap_msg_to_ldb(ldb, ldb, search2.out.response);
396
397                 /* Try to compare the two attributes */
398                 if (ldb_msg_element_compare(ldb_msg_find_element(msg, attrs[0]),
399                         ldb_msg_find_element(msg, attrs[1])))
400                         result = false;
401
402                 talloc_free(ldb);
403         }
404
405         if (result)
406                 printf("passed\n");
407         else
408                 printf("failed\n");
409
410         return result;
411 }
412
413 /*
414   test generic cldap operations
415 */
416 static bool test_cldap_generic(struct torture_context *tctx, const char *dest)
417 {
418         struct cldap_socket *cldap;
419         NTSTATUS status;
420         struct cldap_search search;
421         const char *attrs1[] = { "currentTime", "highestCommittedUSN", NULL };
422         const char *attrs2[] = { "currentTime", "highestCommittedUSN", "netlogon", NULL };
423         const char *attrs3[] = { "netlogon", NULL };
424
425         cldap = cldap_socket_init(tctx, tctx->ev, lp_iconv_convenience(tctx->lp_ctx));
426
427         ZERO_STRUCT(search);
428         search.in.dest_address = dest;
429         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
430         search.in.timeout = 10;
431         search.in.retries = 3;
432
433         status = cldap_search(cldap, tctx, &search);
434         CHECK_STATUS(status, NT_STATUS_OK);
435
436         printf("fetching whole rootDSE\n");
437         search.in.filter = "(objectclass=*)";
438         search.in.attributes = NULL;
439
440         status = cldap_search(cldap, tctx, &search);
441         CHECK_STATUS(status, NT_STATUS_OK);
442
443         if (DEBUGLVL(3)) cldap_dump_results(&search);
444
445         printf("fetching currentTime and USN\n");
446         search.in.filter = "(objectclass=*)";
447         search.in.attributes = attrs1;
448
449         status = cldap_search(cldap, tctx, &search);
450         CHECK_STATUS(status, NT_STATUS_OK);
451         
452         if (DEBUGLVL(3)) cldap_dump_results(&search);
453
454         printf("Testing currentTime, USN and netlogon\n");
455         search.in.filter = "(objectclass=*)";
456         search.in.attributes = attrs2;
457
458         status = cldap_search(cldap, tctx, &search);
459         CHECK_STATUS(status, NT_STATUS_OK);
460
461         if (DEBUGLVL(3)) cldap_dump_results(&search);
462
463         printf("Testing objectClass=* and netlogon\n");
464         search.in.filter = "(objectclass2=*)";
465         search.in.attributes = attrs3;
466
467         status = cldap_search(cldap, tctx, &search);
468         CHECK_STATUS(status, NT_STATUS_OK);
469
470         if (DEBUGLVL(3)) cldap_dump_results(&search);
471
472         printf("Testing a false expression\n");
473         search.in.filter = "(&(objectclass=*)(highestCommittedUSN=2))";
474         search.in.attributes = attrs1;
475
476         status = cldap_search(cldap, tctx, &search);
477         CHECK_STATUS(status, NT_STATUS_OK);
478
479         if (DEBUGLVL(3)) cldap_dump_results(&search);   
480
481         return true;    
482 }
483
484 bool torture_cldap(struct torture_context *torture)
485 {
486         bool ret = true;
487         const char *host = torture_setting_string(torture, "host", NULL);
488
489         ret &= test_cldap_netlogon(torture, host);
490         ret &= test_cldap_netlogon_flags(torture, host);
491         ret &= test_cldap_netlogon_flag_ds_dns_forest(torture, host);
492         ret &= test_cldap_generic(torture, host);
493
494         return ret;
495 }
496