2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/util/util_ldb.h"
37 #include "lib/ldb_wrap.h"
38 #include "lib/replace/system/network.h"
39 #include "dsdb/samdb/samdb.h"
41 #define TEST_MACHINE_NAME "torturetest"
43 static bool test_LogonUasLogon(struct torture_context *tctx,
44 struct dcerpc_pipe *p)
47 struct netr_LogonUasLogon r;
48 struct netr_UasInfo *info = NULL;
49 struct dcerpc_binding_handle *b = p->binding_handle;
51 r.in.server_name = NULL;
52 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
53 r.in.workstation = TEST_MACHINE_NAME;
56 status = dcerpc_netr_LogonUasLogon_r(b, tctx, &r);
57 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
62 static bool test_LogonUasLogoff(struct torture_context *tctx,
63 struct dcerpc_pipe *p)
66 struct netr_LogonUasLogoff r;
67 struct netr_UasLogoffInfo info;
68 struct dcerpc_binding_handle *b = p->binding_handle;
70 r.in.server_name = NULL;
71 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
72 r.in.workstation = TEST_MACHINE_NAME;
75 status = dcerpc_netr_LogonUasLogoff_r(b, tctx, &r);
76 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
81 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
82 struct cli_credentials *credentials,
83 struct netlogon_creds_CredentialState **creds_out)
85 struct netr_ServerReqChallenge r;
86 struct netr_ServerAuthenticate a;
87 struct netr_Credential credentials1, credentials2, credentials3;
88 struct netlogon_creds_CredentialState *creds;
89 const struct samr_Password *mach_password;
90 const char *machine_name;
91 struct dcerpc_binding_handle *b = p->binding_handle;
93 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
94 machine_name = cli_credentials_get_workstation(credentials);
96 torture_comment(tctx, "Testing ServerReqChallenge\n");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
106 "ServerReqChallenge failed");
107 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
109 a.in.server_name = NULL;
110 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
111 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
112 a.in.computer_name = machine_name;
113 a.in.credentials = &credentials3;
114 a.out.return_credentials = &credentials3;
116 creds = netlogon_creds_client_init(tctx, a.in.account_name,
118 &credentials1, &credentials2,
119 mach_password, &credentials3,
121 torture_assert(tctx, creds != NULL, "memory allocation");
124 torture_comment(tctx, "Testing ServerAuthenticate\n");
126 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate_r(b, tctx, &a),
127 "ServerAuthenticate failed");
129 /* This allows the tests to continue against the more fussy windows 2008 */
130 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
131 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
133 cli_credentials_get_secure_channel_type(credentials),
137 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate");
139 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
140 "Credential chaining failed");
146 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
147 uint32_t negotiate_flags,
148 struct cli_credentials *machine_credentials,
150 struct netlogon_creds_CredentialState **creds_out)
152 struct netr_ServerReqChallenge r;
153 struct netr_ServerAuthenticate2 a;
154 struct netr_Credential credentials1, credentials2, credentials3;
155 struct netlogon_creds_CredentialState *creds;
156 const struct samr_Password *mach_password;
157 const char *machine_name;
158 struct dcerpc_binding_handle *b = p->binding_handle;
160 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
161 machine_name = cli_credentials_get_workstation(machine_credentials);
163 torture_comment(tctx, "Testing ServerReqChallenge\n");
166 r.in.server_name = NULL;
167 r.in.computer_name = machine_name;
168 r.in.credentials = &credentials1;
169 r.out.return_credentials = &credentials2;
171 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
173 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
174 "ServerReqChallenge failed");
175 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
177 a.in.server_name = NULL;
178 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
179 a.in.secure_channel_type = sec_chan_type;
180 a.in.computer_name = machine_name;
181 a.in.negotiate_flags = &negotiate_flags;
182 a.out.negotiate_flags = &negotiate_flags;
183 a.in.credentials = &credentials3;
184 a.out.return_credentials = &credentials3;
186 creds = netlogon_creds_client_init(tctx, a.in.account_name,
188 &credentials1, &credentials2,
189 mach_password, &credentials3,
192 torture_assert(tctx, creds != NULL, "memory allocation");
194 torture_comment(tctx, "Testing ServerAuthenticate2\n");
196 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
197 "ServerAuthenticate2 failed");
198 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate2 failed");
200 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
201 "Credential chaining failed");
203 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
210 static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
211 uint32_t negotiate_flags,
212 struct cli_credentials *machine_credentials,
213 struct netlogon_creds_CredentialState **creds_out)
215 struct netr_ServerReqChallenge r;
216 struct netr_ServerAuthenticate3 a;
217 struct netr_Credential credentials1, credentials2, credentials3;
218 struct netlogon_creds_CredentialState *creds;
219 struct samr_Password mach_password;
221 const char *machine_name;
222 const char *plain_pass;
223 struct dcerpc_binding_handle *b = p->binding_handle;
225 machine_name = cli_credentials_get_workstation(machine_credentials);
226 plain_pass = cli_credentials_get_password(machine_credentials);
228 torture_comment(tctx, "Testing ServerReqChallenge\n");
230 r.in.server_name = NULL;
231 r.in.computer_name = machine_name;
232 r.in.credentials = &credentials1;
233 r.out.return_credentials = &credentials2;
235 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
237 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
238 "ServerReqChallenge failed");
239 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
241 E_md4hash(plain_pass, mach_password.hash);
243 a.in.server_name = NULL;
244 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
245 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
246 a.in.computer_name = machine_name;
247 a.in.negotiate_flags = &negotiate_flags;
248 a.in.credentials = &credentials3;
249 a.out.return_credentials = &credentials3;
250 a.out.negotiate_flags = &negotiate_flags;
253 creds = netlogon_creds_client_init(tctx, a.in.account_name,
255 &credentials1, &credentials2,
256 &mach_password, &credentials3,
259 torture_assert(tctx, creds != NULL, "memory allocation");
261 torture_comment(tctx, "Testing ServerAuthenticate3\n");
263 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
264 "ServerAuthenticate3 failed");
265 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
266 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
268 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
270 /* Prove that requesting a challenge again won't break it */
271 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
272 "ServerReqChallenge failed");
273 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
280 try a change password for our machine account
282 static bool test_SetPassword(struct torture_context *tctx,
283 struct dcerpc_pipe *p,
284 struct cli_credentials *machine_credentials)
286 struct netr_ServerPasswordSet r;
287 const char *password;
288 struct netlogon_creds_CredentialState *creds;
289 struct netr_Authenticator credential, return_authenticator;
290 struct samr_Password new_password;
291 struct dcerpc_binding_handle *b = p->binding_handle;
293 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
297 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
298 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
299 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
300 r.in.computer_name = TEST_MACHINE_NAME;
301 r.in.credential = &credential;
302 r.in.new_password = &new_password;
303 r.out.return_authenticator = &return_authenticator;
305 password = generate_random_password(tctx, 8, 255);
306 E_md4hash(password, new_password.hash);
308 netlogon_creds_des_encrypt(creds, &new_password);
310 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
311 torture_comment(tctx, "Changing machine account password to '%s'\n",
314 netlogon_creds_client_authenticator(creds, &credential);
316 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
317 "ServerPasswordSet failed");
318 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
320 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
321 torture_comment(tctx, "Credential chaining failed\n");
324 /* by changing the machine password twice we test the
325 credentials chaining fully, and we verify that the server
326 allows the password to be set to the same value twice in a
327 row (match win2k3) */
328 torture_comment(tctx,
329 "Testing a second ServerPasswordSet on machine account\n");
330 torture_comment(tctx,
331 "Changing machine account password to '%s' (same as previous run)\n", password);
333 netlogon_creds_client_authenticator(creds, &credential);
335 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
336 "ServerPasswordSet (2) failed");
337 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
339 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
340 torture_comment(tctx, "Credential chaining failed\n");
343 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
346 test_SetupCredentials(p, tctx, machine_credentials, &creds),
347 "ServerPasswordSet failed to actually change the password");
353 try a change password for our machine account
355 static bool test_SetPassword_flags(struct torture_context *tctx,
356 struct dcerpc_pipe *p,
357 struct cli_credentials *machine_credentials,
358 uint32_t negotiate_flags)
360 struct netr_ServerPasswordSet r;
361 const char *password;
362 struct netlogon_creds_CredentialState *creds;
363 struct netr_Authenticator credential, return_authenticator;
364 struct samr_Password new_password;
365 struct dcerpc_binding_handle *b = p->binding_handle;
367 if (!test_SetupCredentials2(p, tctx, negotiate_flags,
369 cli_credentials_get_secure_channel_type(machine_credentials),
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_password(tctx, 8, 255);
383 E_md4hash(password, new_password.hash);
385 netlogon_creds_des_encrypt(creds, &new_password);
387 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
388 torture_comment(tctx, "Changing machine account password to '%s'\n",
391 netlogon_creds_client_authenticator(creds, &credential);
393 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
394 "ServerPasswordSet failed");
395 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
397 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 /* by changing the machine password twice we test the
402 credentials chaining fully, and we verify that the server
403 allows the password to be set to the same value twice in a
404 row (match win2k3) */
405 torture_comment(tctx,
406 "Testing a second ServerPasswordSet on machine account\n");
407 torture_comment(tctx,
408 "Changing machine account password to '%s' (same as previous run)\n", password);
410 netlogon_creds_client_authenticator(creds, &credential);
412 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
413 "ServerPasswordSet (2) failed");
414 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
416 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
417 torture_comment(tctx, "Credential chaining failed\n");
420 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
423 test_SetupCredentials(p, tctx, machine_credentials, &creds),
424 "ServerPasswordSet failed to actually change the password");
431 generate a random password for password change tests
433 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
436 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
437 generate_random_buffer(password.data, password.length);
439 for (i=0; i < len; i++) {
440 if (((uint16_t *)password.data)[i] == 0) {
441 ((uint16_t *)password.data)[i] = 1;
449 try a change password for our machine account
451 static bool test_SetPassword2(struct torture_context *tctx,
452 struct dcerpc_pipe *p,
453 struct cli_credentials *machine_credentials)
455 struct netr_ServerPasswordSet2 r;
456 const char *password;
457 DATA_BLOB new_random_pass;
458 struct netlogon_creds_CredentialState *creds;
459 struct samr_CryptPassword password_buf;
460 struct samr_Password nt_hash;
461 struct netr_Authenticator credential, return_authenticator;
462 struct netr_CryptPassword new_password;
463 struct dcerpc_binding_handle *b = p->binding_handle;
465 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
469 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
470 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
471 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
472 r.in.computer_name = TEST_MACHINE_NAME;
473 r.in.credential = &credential;
474 r.in.new_password = &new_password;
475 r.out.return_authenticator = &return_authenticator;
477 password = generate_random_password(tctx, 8, 255);
478 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
479 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
481 memcpy(new_password.data, password_buf.data, 512);
482 new_password.length = IVAL(password_buf.data, 512);
484 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
485 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
487 netlogon_creds_client_authenticator(creds, &credential);
489 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
490 "ServerPasswordSet2 failed");
491 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
493 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
494 torture_comment(tctx, "Credential chaining failed\n");
497 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
499 if (!torture_setting_bool(tctx, "dangerous", false)) {
500 torture_comment(tctx,
501 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
503 /* by changing the machine password to ""
504 * we check if the server uses password restrictions
505 * for ServerPasswordSet2
506 * (win2k3 accepts "")
509 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
510 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
512 memcpy(new_password.data, password_buf.data, 512);
513 new_password.length = IVAL(password_buf.data, 512);
515 torture_comment(tctx,
516 "Testing ServerPasswordSet2 on machine account\n");
517 torture_comment(tctx,
518 "Changing machine account password to '%s'\n", password);
520 netlogon_creds_client_authenticator(creds, &credential);
522 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
523 "ServerPasswordSet2 failed");
524 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
526 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
527 torture_comment(tctx, "Credential chaining failed\n");
530 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
533 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
534 "ServerPasswordSet failed to actually change the password");
536 /* now try a random password */
537 password = generate_random_password(tctx, 8, 255);
538 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
539 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
541 memcpy(new_password.data, password_buf.data, 512);
542 new_password.length = IVAL(password_buf.data, 512);
544 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
545 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
547 netlogon_creds_client_authenticator(creds, &credential);
549 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
550 "ServerPasswordSet2 (2) failed");
551 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 (2) failed");
553 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
554 torture_comment(tctx, "Credential chaining failed\n");
557 /* by changing the machine password twice we test the
558 credentials chaining fully, and we verify that the server
559 allows the password to be set to the same value twice in a
560 row (match win2k3) */
561 torture_comment(tctx,
562 "Testing a second ServerPasswordSet2 on machine account\n");
563 torture_comment(tctx,
564 "Changing machine account password to '%s' (same as previous run)\n", password);
566 netlogon_creds_client_authenticator(creds, &credential);
568 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
569 "ServerPasswordSet (3) failed");
570 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
572 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
573 torture_comment(tctx, "Credential chaining failed\n");
576 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
578 torture_assert (tctx,
579 test_SetupCredentials(p, tctx, machine_credentials, &creds),
580 "ServerPasswordSet failed to actually change the password");
582 new_random_pass = netlogon_very_rand_pass(tctx, 128);
584 /* now try a random stream of bytes for a password */
585 set_pw_in_buffer(password_buf.data, &new_random_pass);
587 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
589 memcpy(new_password.data, password_buf.data, 512);
590 new_password.length = IVAL(password_buf.data, 512);
592 torture_comment(tctx,
593 "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
595 netlogon_creds_client_authenticator(creds, &credential);
597 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
598 "ServerPasswordSet (3) failed");
599 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
601 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
602 torture_comment(tctx, "Credential chaining failed\n");
605 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
607 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
608 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
610 torture_assert (tctx,
611 test_SetupCredentials(p, tctx, machine_credentials, &creds),
612 "ServerPasswordSet failed to actually change the password");
617 static bool test_GetPassword(struct torture_context *tctx,
618 struct dcerpc_pipe *p,
619 struct cli_credentials *machine_credentials)
621 struct netr_ServerPasswordGet r;
622 struct netlogon_creds_CredentialState *creds;
623 struct netr_Authenticator credential;
625 struct netr_Authenticator return_authenticator;
626 struct samr_Password password;
627 struct dcerpc_binding_handle *b = p->binding_handle;
629 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
633 netlogon_creds_client_authenticator(creds, &credential);
635 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
636 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
637 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
638 r.in.computer_name = TEST_MACHINE_NAME;
639 r.in.credential = &credential;
640 r.out.return_authenticator = &return_authenticator;
641 r.out.password = &password;
643 status = dcerpc_netr_ServerPasswordGet_r(b, tctx, &r);
644 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
649 static bool test_GetTrustPasswords(struct torture_context *tctx,
650 struct dcerpc_pipe *p,
651 struct cli_credentials *machine_credentials)
653 struct netr_ServerTrustPasswordsGet r;
654 struct netlogon_creds_CredentialState *creds;
655 struct netr_Authenticator credential;
656 struct netr_Authenticator return_authenticator;
657 struct samr_Password password, password2;
658 struct dcerpc_binding_handle *b = p->binding_handle;
660 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
664 netlogon_creds_client_authenticator(creds, &credential);
666 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
667 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
668 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
669 r.in.computer_name = TEST_MACHINE_NAME;
670 r.in.credential = &credential;
671 r.out.return_authenticator = &return_authenticator;
672 r.out.password = &password;
673 r.out.password2 = &password2;
675 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerTrustPasswordsGet_r(b, tctx, &r),
676 "ServerTrustPasswordsGet failed");
677 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerTrustPasswordsGet failed");
683 try a netlogon SamLogon
685 static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context *tctx,
686 struct cli_credentials *credentials,
687 struct netlogon_creds_CredentialState *creds,
691 struct netr_LogonSamLogon r;
692 struct netr_Authenticator auth, auth2;
693 union netr_LogonLevel logon;
694 union netr_Validation validation;
695 uint8_t authoritative;
696 struct netr_NetworkInfo ninfo;
697 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
699 struct dcerpc_binding_handle *b = p->binding_handle;
700 int flags = CLI_CRED_NTLM_AUTH;
701 if (lp_client_lanman_auth(tctx->lp_ctx)) {
702 flags |= CLI_CRED_LANMAN_AUTH;
705 if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
706 flags |= CLI_CRED_NTLMv2_AUTH;
709 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
710 &ninfo.identity_info.account_name.string,
711 &ninfo.identity_info.domain_name.string);
714 ninfo.identity_info.domain_name.string = NULL;
717 generate_random_buffer(ninfo.challenge,
718 sizeof(ninfo.challenge));
719 chal = data_blob_const(ninfo.challenge,
720 sizeof(ninfo.challenge));
722 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
723 cli_credentials_get_domain(credentials));
725 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
731 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
733 ninfo.lm.data = lm_resp.data;
734 ninfo.lm.length = lm_resp.length;
736 ninfo.nt.data = nt_resp.data;
737 ninfo.nt.length = nt_resp.length;
739 ninfo.identity_info.parameter_control = 0;
740 ninfo.identity_info.logon_id_low = 0;
741 ninfo.identity_info.logon_id_high = 0;
742 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
744 logon.network = &ninfo;
746 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
747 r.in.computer_name = cli_credentials_get_workstation(credentials);
748 r.in.credential = &auth;
749 r.in.return_authenticator = &auth2;
750 r.in.logon_level = 2;
752 r.out.validation = &validation;
753 r.out.authoritative = &authoritative;
755 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
759 netlogon_creds_client_authenticator(creds, &auth);
761 r.in.validation_level = i;
763 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
764 "LogonSamLogon failed");
765 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
767 torture_assert(tctx, netlogon_creds_client_check(creds,
768 &r.out.return_authenticator->cred),
769 "Credential chaining failed");
772 r.in.credential = NULL;
776 r.in.validation_level = i;
778 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
780 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
781 "LogonSamLogon failed");
782 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
783 "LogonSamLogon expected INVALID_PARAMETER");
790 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
791 struct cli_credentials *credentials,
792 struct netlogon_creds_CredentialState *creds)
794 return test_netlogon_ops_args(p, tctx, credentials, creds, false);
798 try a netlogon SamLogon
800 static bool test_SamLogon(struct torture_context *tctx,
801 struct dcerpc_pipe *p,
802 struct cli_credentials *credentials)
804 struct netlogon_creds_CredentialState *creds;
806 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
810 return test_netlogon_ops(p, tctx, credentials, creds);
813 static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
814 struct dcerpc_pipe *p,
815 struct cli_credentials *credentials)
817 struct netlogon_creds_CredentialState *creds;
819 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
823 return test_netlogon_ops_args(p, tctx, credentials, creds, true);
826 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
827 static uint64_t sequence_nums[3];
830 try a netlogon DatabaseSync
832 static bool test_DatabaseSync(struct torture_context *tctx,
833 struct dcerpc_pipe *p,
834 struct cli_credentials *machine_credentials)
836 struct netr_DatabaseSync r;
837 struct netlogon_creds_CredentialState *creds;
838 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
840 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
841 struct netr_Authenticator credential, return_authenticator;
842 struct dcerpc_binding_handle *b = p->binding_handle;
844 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
848 ZERO_STRUCT(return_authenticator);
850 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
851 r.in.computername = TEST_MACHINE_NAME;
852 r.in.preferredmaximumlength = (uint32_t)-1;
853 r.in.return_authenticator = &return_authenticator;
854 r.out.delta_enum_array = &delta_enum_array;
855 r.out.return_authenticator = &return_authenticator;
857 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
859 uint32_t sync_context = 0;
861 r.in.database_id = database_ids[i];
862 r.in.sync_context = &sync_context;
863 r.out.sync_context = &sync_context;
865 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
868 netlogon_creds_client_authenticator(creds, &credential);
870 r.in.credential = &credential;
872 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync_r(b, tctx, &r),
873 "DatabaseSync failed");
874 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
877 /* Native mode servers don't do this */
878 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
881 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync");
883 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
884 torture_comment(tctx, "Credential chaining failed\n");
887 if (delta_enum_array &&
888 delta_enum_array->num_deltas > 0 &&
889 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
890 delta_enum_array->delta_enum[0].delta_union.domain) {
891 sequence_nums[r.in.database_id] =
892 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
893 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
895 (unsigned long long)sequence_nums[r.in.database_id]);
897 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
905 try a netlogon DatabaseDeltas
907 static bool test_DatabaseDeltas(struct torture_context *tctx,
908 struct dcerpc_pipe *p,
909 struct cli_credentials *machine_credentials)
911 struct netr_DatabaseDeltas r;
912 struct netlogon_creds_CredentialState *creds;
913 struct netr_Authenticator credential;
914 struct netr_Authenticator return_authenticator;
915 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
916 const uint32_t database_ids[] = {0, 1, 2};
918 struct dcerpc_binding_handle *b = p->binding_handle;
920 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
924 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
925 r.in.computername = TEST_MACHINE_NAME;
926 r.in.preferredmaximumlength = (uint32_t)-1;
927 ZERO_STRUCT(r.in.return_authenticator);
928 r.out.return_authenticator = &return_authenticator;
929 r.out.delta_enum_array = &delta_enum_array;
931 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
932 r.in.database_id = database_ids[i];
933 r.in.sequence_num = &sequence_nums[r.in.database_id];
935 if (*r.in.sequence_num == 0) continue;
937 *r.in.sequence_num -= 1;
939 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
940 r.in.database_id, (unsigned long long)*r.in.sequence_num);
943 netlogon_creds_client_authenticator(creds, &credential);
945 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseDeltas_r(b, tctx, &r),
946 "DatabaseDeltas failed");
947 if (NT_STATUS_EQUAL(r.out.result,
948 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
949 torture_comment(tctx, "not considering %s to be an error\n",
950 nt_errstr(r.out.result));
953 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
956 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseDeltas");
958 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
959 torture_comment(tctx, "Credential chaining failed\n");
962 (*r.in.sequence_num)++;
963 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
969 static bool test_DatabaseRedo(struct torture_context *tctx,
970 struct dcerpc_pipe *p,
971 struct cli_credentials *machine_credentials)
973 struct netr_DatabaseRedo r;
974 struct netlogon_creds_CredentialState *creds;
975 struct netr_Authenticator credential;
976 struct netr_Authenticator return_authenticator;
977 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
978 struct netr_ChangeLogEntry e;
979 struct dom_sid null_sid, *sid;
981 struct dcerpc_binding_handle *b = p->binding_handle;
983 ZERO_STRUCT(null_sid);
985 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
996 NTSTATUS expected_error;
997 uint32_t expected_num_results;
998 uint8_t expected_delta_type_1;
999 uint8_t expected_delta_type_2;
1000 const char *comment;
1003 /* SAM_DATABASE_DOMAIN */
1008 .db_index = SAM_DATABASE_DOMAIN,
1009 .delta_type = NETR_DELTA_MODIFY_COUNT,
1012 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1013 .expected_num_results = 0,
1014 .comment = "NETR_DELTA_MODIFY_COUNT"
1019 .db_index = SAM_DATABASE_DOMAIN,
1023 .expected_error = NT_STATUS_OK,
1024 .expected_num_results = 1,
1025 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1026 .comment = "NULL DELTA"
1031 .db_index = SAM_DATABASE_DOMAIN,
1032 .delta_type = NETR_DELTA_DOMAIN,
1035 .expected_error = NT_STATUS_OK,
1036 .expected_num_results = 1,
1037 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1038 .comment = "NETR_DELTA_DOMAIN"
1041 .rid = DOMAIN_RID_ADMINISTRATOR,
1043 .db_index = SAM_DATABASE_DOMAIN,
1044 .delta_type = NETR_DELTA_USER,
1047 .expected_error = NT_STATUS_OK,
1048 .expected_num_results = 1,
1049 .expected_delta_type_1 = NETR_DELTA_USER,
1050 .comment = "NETR_DELTA_USER by rid 500"
1053 .rid = DOMAIN_RID_GUEST,
1055 .db_index = SAM_DATABASE_DOMAIN,
1056 .delta_type = NETR_DELTA_USER,
1059 .expected_error = NT_STATUS_OK,
1060 .expected_num_results = 1,
1061 .expected_delta_type_1 = NETR_DELTA_USER,
1062 .comment = "NETR_DELTA_USER by rid 501"
1066 .flags = NETR_CHANGELOG_SID_INCLUDED,
1067 .db_index = SAM_DATABASE_DOMAIN,
1068 .delta_type = NETR_DELTA_USER,
1071 .expected_error = NT_STATUS_OK,
1072 .expected_num_results = 1,
1073 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1074 .comment = "NETR_DELTA_USER by sid and flags"
1078 .flags = NETR_CHANGELOG_SID_INCLUDED,
1079 .db_index = SAM_DATABASE_DOMAIN,
1080 .delta_type = NETR_DELTA_USER,
1083 .expected_error = NT_STATUS_OK,
1084 .expected_num_results = 1,
1085 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1086 .comment = "NETR_DELTA_USER by null_sid and flags"
1090 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1091 .db_index = SAM_DATABASE_DOMAIN,
1092 .delta_type = NETR_DELTA_USER,
1094 .name = "administrator",
1095 .expected_error = NT_STATUS_OK,
1096 .expected_num_results = 1,
1097 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1098 .comment = "NETR_DELTA_USER by name 'administrator'"
1101 .rid = DOMAIN_RID_ADMINS,
1103 .db_index = SAM_DATABASE_DOMAIN,
1104 .delta_type = NETR_DELTA_GROUP,
1107 .expected_error = NT_STATUS_OK,
1108 .expected_num_results = 2,
1109 .expected_delta_type_1 = NETR_DELTA_GROUP,
1110 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1111 .comment = "NETR_DELTA_GROUP by rid 512"
1114 .rid = DOMAIN_RID_ADMINS,
1116 .db_index = SAM_DATABASE_DOMAIN,
1117 .delta_type = NETR_DELTA_GROUP_MEMBER,
1120 .expected_error = NT_STATUS_OK,
1121 .expected_num_results = 2,
1122 .expected_delta_type_1 = NETR_DELTA_GROUP,
1123 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1124 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
1128 /* SAM_DATABASE_BUILTIN */
1133 .db_index = SAM_DATABASE_BUILTIN,
1134 .delta_type = NETR_DELTA_MODIFY_COUNT,
1137 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1138 .expected_num_results = 0,
1139 .comment = "NETR_DELTA_MODIFY_COUNT"
1144 .db_index = SAM_DATABASE_BUILTIN,
1145 .delta_type = NETR_DELTA_DOMAIN,
1148 .expected_error = NT_STATUS_OK,
1149 .expected_num_results = 1,
1150 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1151 .comment = "NETR_DELTA_DOMAIN"
1154 .rid = DOMAIN_RID_ADMINISTRATOR,
1156 .db_index = SAM_DATABASE_BUILTIN,
1157 .delta_type = NETR_DELTA_USER,
1160 .expected_error = NT_STATUS_OK,
1161 .expected_num_results = 1,
1162 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1163 .comment = "NETR_DELTA_USER by rid 500"
1168 .db_index = SAM_DATABASE_BUILTIN,
1169 .delta_type = NETR_DELTA_USER,
1172 .expected_error = NT_STATUS_OK,
1173 .expected_num_results = 1,
1174 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1175 .comment = "NETR_DELTA_USER"
1180 .db_index = SAM_DATABASE_BUILTIN,
1181 .delta_type = NETR_DELTA_ALIAS,
1184 .expected_error = NT_STATUS_OK,
1185 .expected_num_results = 2,
1186 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1187 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1188 .comment = "NETR_DELTA_ALIAS by rid 544"
1193 .db_index = SAM_DATABASE_BUILTIN,
1194 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1197 .expected_error = NT_STATUS_OK,
1198 .expected_num_results = 2,
1199 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1200 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1201 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1206 .db_index = SAM_DATABASE_BUILTIN,
1210 .expected_error = NT_STATUS_OK,
1211 .expected_num_results = 1,
1212 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1213 .comment = "NULL DELTA by rid 544"
1217 .flags = NETR_CHANGELOG_SID_INCLUDED,
1218 .db_index = SAM_DATABASE_BUILTIN,
1220 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1222 .expected_error = NT_STATUS_OK,
1223 .expected_num_results = 1,
1224 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1225 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1229 .flags = NETR_CHANGELOG_SID_INCLUDED,
1230 .db_index = SAM_DATABASE_BUILTIN,
1231 .delta_type = NETR_DELTA_ALIAS,
1232 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1234 .expected_error = NT_STATUS_OK,
1235 .expected_num_results = 2,
1236 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1237 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1238 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1242 .flags = NETR_CHANGELOG_SID_INCLUDED,
1243 .db_index = SAM_DATABASE_BUILTIN,
1244 .delta_type = NETR_DELTA_ALIAS,
1245 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1247 .expected_error = NT_STATUS_OK,
1248 .expected_num_results = 1,
1249 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1250 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1253 /* SAM_DATABASE_PRIVS */
1258 .db_index = SAM_DATABASE_PRIVS,
1262 .expected_error = NT_STATUS_ACCESS_DENIED,
1263 .expected_num_results = 0,
1264 .comment = "NULL DELTA"
1269 .db_index = SAM_DATABASE_PRIVS,
1270 .delta_type = NETR_DELTA_MODIFY_COUNT,
1273 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1274 .expected_num_results = 0,
1275 .comment = "NETR_DELTA_MODIFY_COUNT"
1280 .db_index = SAM_DATABASE_PRIVS,
1281 .delta_type = NETR_DELTA_POLICY,
1284 .expected_error = NT_STATUS_OK,
1285 .expected_num_results = 1,
1286 .expected_delta_type_1 = NETR_DELTA_POLICY,
1287 .comment = "NETR_DELTA_POLICY"
1291 .flags = NETR_CHANGELOG_SID_INCLUDED,
1292 .db_index = SAM_DATABASE_PRIVS,
1293 .delta_type = NETR_DELTA_POLICY,
1296 .expected_error = NT_STATUS_OK,
1297 .expected_num_results = 1,
1298 .expected_delta_type_1 = NETR_DELTA_POLICY,
1299 .comment = "NETR_DELTA_POLICY by null sid and flags"
1303 .flags = NETR_CHANGELOG_SID_INCLUDED,
1304 .db_index = SAM_DATABASE_PRIVS,
1305 .delta_type = NETR_DELTA_POLICY,
1306 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1308 .expected_error = NT_STATUS_OK,
1309 .expected_num_results = 1,
1310 .expected_delta_type_1 = NETR_DELTA_POLICY,
1311 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1314 .rid = DOMAIN_RID_ADMINISTRATOR,
1316 .db_index = SAM_DATABASE_PRIVS,
1317 .delta_type = NETR_DELTA_ACCOUNT,
1320 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1321 .expected_num_results = 0,
1322 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1326 .flags = NETR_CHANGELOG_SID_INCLUDED,
1327 .db_index = SAM_DATABASE_PRIVS,
1328 .delta_type = NETR_DELTA_ACCOUNT,
1329 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1331 .expected_error = NT_STATUS_OK,
1332 .expected_num_results = 1,
1333 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1334 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1338 .flags = NETR_CHANGELOG_SID_INCLUDED |
1339 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1340 .db_index = SAM_DATABASE_PRIVS,
1341 .delta_type = NETR_DELTA_ACCOUNT,
1342 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1344 .expected_error = NT_STATUS_OK,
1345 .expected_num_results = 1,
1346 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1347 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1351 .flags = NETR_CHANGELOG_SID_INCLUDED |
1352 NETR_CHANGELOG_NAME_INCLUDED,
1353 .db_index = SAM_DATABASE_PRIVS,
1354 .delta_type = NETR_DELTA_ACCOUNT,
1355 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1357 .expected_error = NT_STATUS_INVALID_PARAMETER,
1358 .expected_num_results = 0,
1359 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1362 .rid = DOMAIN_RID_ADMINISTRATOR,
1363 .flags = NETR_CHANGELOG_SID_INCLUDED,
1364 .db_index = SAM_DATABASE_PRIVS,
1365 .delta_type = NETR_DELTA_ACCOUNT,
1368 .expected_error = NT_STATUS_OK,
1369 .expected_num_results = 1,
1370 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1371 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1375 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1376 .db_index = SAM_DATABASE_PRIVS,
1377 .delta_type = NETR_DELTA_SECRET,
1379 .name = "IsurelydontexistIhope",
1380 .expected_error = NT_STATUS_OK,
1381 .expected_num_results = 1,
1382 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1383 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1387 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1388 .db_index = SAM_DATABASE_PRIVS,
1389 .delta_type = NETR_DELTA_SECRET,
1391 .name = "G$BCKUPKEY_P",
1392 .expected_error = NT_STATUS_OK,
1393 .expected_num_results = 1,
1394 .expected_delta_type_1 = NETR_DELTA_SECRET,
1395 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1399 ZERO_STRUCT(return_authenticator);
1401 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1402 r.in.computername = TEST_MACHINE_NAME;
1403 r.in.return_authenticator = &return_authenticator;
1404 r.out.return_authenticator = &return_authenticator;
1405 r.out.delta_enum_array = &delta_enum_array;
1407 for (d=0; d<3; d++) {
1408 const char *database = NULL;
1415 database = "BUILTIN";
1424 torture_comment(tctx, "Testing DatabaseRedo\n");
1426 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1430 for (i=0;i<ARRAY_SIZE(changes);i++) {
1432 if (d != changes[i].db_index) {
1436 netlogon_creds_client_authenticator(creds, &credential);
1438 r.in.credential = &credential;
1440 e.serial_number1 = 0;
1441 e.serial_number2 = 0;
1442 e.object_rid = changes[i].rid;
1443 e.flags = changes[i].flags;
1444 e.db_index = changes[i].db_index;
1445 e.delta_type = changes[i].delta_type;
1447 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1448 case NETR_CHANGELOG_SID_INCLUDED:
1449 e.object.object_sid = changes[i].sid;
1451 case NETR_CHANGELOG_NAME_INCLUDED:
1452 e.object.object_name = changes[i].name;
1458 r.in.change_log_entry = e;
1460 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1461 database, changes[i].comment);
1463 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseRedo_r(b, tctx, &r),
1464 "DatabaseRedo failed");
1465 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1469 torture_assert_ntstatus_equal(tctx, r.out.result, changes[i].expected_error, changes[i].comment);
1470 if (delta_enum_array) {
1471 torture_assert_int_equal(tctx,
1472 delta_enum_array->num_deltas,
1473 changes[i].expected_num_results,
1474 changes[i].comment);
1475 if (delta_enum_array->num_deltas > 0) {
1476 torture_assert_int_equal(tctx,
1477 delta_enum_array->delta_enum[0].delta_type,
1478 changes[i].expected_delta_type_1,
1479 changes[i].comment);
1481 if (delta_enum_array->num_deltas > 1) {
1482 torture_assert_int_equal(tctx,
1483 delta_enum_array->delta_enum[1].delta_type,
1484 changes[i].expected_delta_type_2,
1485 changes[i].comment);
1489 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1490 torture_comment(tctx, "Credential chaining failed\n");
1491 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1503 try a netlogon AccountDeltas
1505 static bool test_AccountDeltas(struct torture_context *tctx,
1506 struct dcerpc_pipe *p,
1507 struct cli_credentials *machine_credentials)
1509 struct netr_AccountDeltas r;
1510 struct netlogon_creds_CredentialState *creds;
1512 struct netr_AccountBuffer buffer;
1513 uint32_t count_returned = 0;
1514 uint32_t total_entries = 0;
1515 struct netr_UAS_INFO_0 recordid;
1516 struct netr_Authenticator return_authenticator;
1517 struct dcerpc_binding_handle *b = p->binding_handle;
1519 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1523 ZERO_STRUCT(return_authenticator);
1525 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1526 r.in.computername = TEST_MACHINE_NAME;
1527 r.in.return_authenticator = &return_authenticator;
1528 netlogon_creds_client_authenticator(creds, &r.in.credential);
1529 ZERO_STRUCT(r.in.uas);
1532 r.in.buffersize=100;
1533 r.out.buffer = &buffer;
1534 r.out.count_returned = &count_returned;
1535 r.out.total_entries = &total_entries;
1536 r.out.recordid = &recordid;
1537 r.out.return_authenticator = &return_authenticator;
1539 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1540 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountDeltas_r(b, tctx, &r),
1541 "AccountDeltas failed");
1542 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1548 try a netlogon AccountSync
1550 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1551 struct cli_credentials *machine_credentials)
1553 struct netr_AccountSync r;
1554 struct netlogon_creds_CredentialState *creds;
1556 struct netr_AccountBuffer buffer;
1557 uint32_t count_returned = 0;
1558 uint32_t total_entries = 0;
1559 uint32_t next_reference = 0;
1560 struct netr_UAS_INFO_0 recordid;
1561 struct netr_Authenticator return_authenticator;
1562 struct dcerpc_binding_handle *b = p->binding_handle;
1564 ZERO_STRUCT(recordid);
1565 ZERO_STRUCT(return_authenticator);
1567 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1571 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1572 r.in.computername = TEST_MACHINE_NAME;
1573 r.in.return_authenticator = &return_authenticator;
1574 netlogon_creds_client_authenticator(creds, &r.in.credential);
1575 r.in.recordid = &recordid;
1578 r.in.buffersize=100;
1579 r.out.buffer = &buffer;
1580 r.out.count_returned = &count_returned;
1581 r.out.total_entries = &total_entries;
1582 r.out.next_reference = &next_reference;
1583 r.out.recordid = &recordid;
1584 r.out.return_authenticator = &return_authenticator;
1586 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1587 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountSync_r(b, tctx, &r),
1588 "AccountSync failed");
1589 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1595 try a netlogon GetDcName
1597 static bool test_GetDcName(struct torture_context *tctx,
1598 struct dcerpc_pipe *p)
1600 struct netr_GetDcName r;
1601 const char *dcname = NULL;
1602 struct dcerpc_binding_handle *b = p->binding_handle;
1604 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1605 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1606 r.out.dcname = &dcname;
1608 torture_assert_ntstatus_ok(tctx, dcerpc_netr_GetDcName_r(b, tctx, &r),
1609 "GetDcName failed");
1610 torture_assert_werr_ok(tctx, r.out.result, "GetDcName failed");
1612 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1617 static const char *function_code_str(TALLOC_CTX *mem_ctx,
1618 enum netr_LogonControlCode function_code)
1620 switch (function_code) {
1621 case NETLOGON_CONTROL_QUERY:
1622 return "NETLOGON_CONTROL_QUERY";
1623 case NETLOGON_CONTROL_REPLICATE:
1624 return "NETLOGON_CONTROL_REPLICATE";
1625 case NETLOGON_CONTROL_SYNCHRONIZE:
1626 return "NETLOGON_CONTROL_SYNCHRONIZE";
1627 case NETLOGON_CONTROL_PDC_REPLICATE:
1628 return "NETLOGON_CONTROL_PDC_REPLICATE";
1629 case NETLOGON_CONTROL_REDISCOVER:
1630 return "NETLOGON_CONTROL_REDISCOVER";
1631 case NETLOGON_CONTROL_TC_QUERY:
1632 return "NETLOGON_CONTROL_TC_QUERY";
1633 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1634 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1635 case NETLOGON_CONTROL_FIND_USER:
1636 return "NETLOGON_CONTROL_FIND_USER";
1637 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1638 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1639 case NETLOGON_CONTROL_TC_VERIFY:
1640 return "NETLOGON_CONTROL_TC_VERIFY";
1641 case NETLOGON_CONTROL_FORCE_DNS_REG:
1642 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1643 case NETLOGON_CONTROL_QUERY_DNS_REG:
1644 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1645 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1646 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1647 case NETLOGON_CONTROL_TRUNCATE_LOG:
1648 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1649 case NETLOGON_CONTROL_SET_DBFLAG:
1650 return "NETLOGON_CONTROL_SET_DBFLAG";
1651 case NETLOGON_CONTROL_BREAKPOINT:
1652 return "NETLOGON_CONTROL_BREAKPOINT";
1654 return talloc_asprintf(mem_ctx, "unknown function code: %d",
1661 try a netlogon LogonControl
1663 static bool test_LogonControl(struct torture_context *tctx,
1664 struct dcerpc_pipe *p,
1665 struct cli_credentials *machine_credentials)
1669 struct netr_LogonControl r;
1670 union netr_CONTROL_QUERY_INFORMATION query;
1672 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
1673 struct dcerpc_binding_handle *b = p->binding_handle;
1675 uint32_t function_codes[] = {
1676 NETLOGON_CONTROL_QUERY,
1677 NETLOGON_CONTROL_REPLICATE,
1678 NETLOGON_CONTROL_SYNCHRONIZE,
1679 NETLOGON_CONTROL_PDC_REPLICATE,
1680 NETLOGON_CONTROL_REDISCOVER,
1681 NETLOGON_CONTROL_TC_QUERY,
1682 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
1683 NETLOGON_CONTROL_FIND_USER,
1684 NETLOGON_CONTROL_CHANGE_PASSWORD,
1685 NETLOGON_CONTROL_TC_VERIFY,
1686 NETLOGON_CONTROL_FORCE_DNS_REG,
1687 NETLOGON_CONTROL_QUERY_DNS_REG,
1688 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
1689 NETLOGON_CONTROL_TRUNCATE_LOG,
1690 NETLOGON_CONTROL_SET_DBFLAG,
1691 NETLOGON_CONTROL_BREAKPOINT
1694 if (machine_credentials) {
1695 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1698 torture_comment(tctx, "Testing LogonControl with secure channel type: %d\n",
1699 secure_channel_type);
1701 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1702 r.in.function_code = 1;
1703 r.out.query = &query;
1705 for (f=0;f<ARRAY_SIZE(function_codes); f++) {
1708 r.in.function_code = function_codes[f];
1711 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1712 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1714 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
1715 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1717 switch (r.in.level) {
1719 switch (r.in.function_code) {
1720 case NETLOGON_CONTROL_REPLICATE:
1721 case NETLOGON_CONTROL_SYNCHRONIZE:
1722 case NETLOGON_CONTROL_PDC_REPLICATE:
1723 case NETLOGON_CONTROL_BREAKPOINT:
1724 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1725 if ((secure_channel_type == SEC_CHAN_BDC) ||
1726 (secure_channel_type == SEC_CHAN_WKSTA)) {
1727 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1728 "LogonControl returned unexpected error code");
1730 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1731 "LogonControl returned unexpected error code");
1735 case NETLOGON_CONTROL_REDISCOVER:
1736 case NETLOGON_CONTROL_TC_QUERY:
1737 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1738 case NETLOGON_CONTROL_FIND_USER:
1739 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1740 case NETLOGON_CONTROL_TC_VERIFY:
1741 case NETLOGON_CONTROL_FORCE_DNS_REG:
1742 case NETLOGON_CONTROL_QUERY_DNS_REG:
1743 case NETLOGON_CONTROL_SET_DBFLAG:
1744 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1745 "LogonControl returned unexpected error code");
1747 case NETLOGON_CONTROL_TRUNCATE_LOG:
1748 if ((secure_channel_type == SEC_CHAN_BDC) ||
1749 (secure_channel_type == SEC_CHAN_WKSTA)) {
1750 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1751 "LogonControl returned unexpected error code");
1753 torture_assert_werr_ok(tctx, r.out.result,
1754 "LogonControl returned unexpected result");
1758 torture_assert_werr_ok(tctx, r.out.result,
1759 "LogonControl returned unexpected result");
1764 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1765 "LogonControl returned unexpected error code");
1768 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
1769 "LogonControl returned unexpected error code");
1780 try a netlogon GetAnyDCName
1782 static bool test_GetAnyDCName(struct torture_context *tctx,
1783 struct dcerpc_pipe *p)
1786 struct netr_GetAnyDCName r;
1787 const char *dcname = NULL;
1788 struct dcerpc_binding_handle *b = p->binding_handle;
1790 r.in.domainname = lp_workgroup(tctx->lp_ctx);
1791 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1792 r.out.dcname = &dcname;
1794 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1795 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1796 if ((!W_ERROR_IS_OK(r.out.result)) &&
1797 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1802 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1805 r.in.domainname = NULL;
1807 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1808 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1809 if ((!W_ERROR_IS_OK(r.out.result)) &&
1810 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1814 r.in.domainname = "";
1816 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1817 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1818 if ((!W_ERROR_IS_OK(r.out.result)) &&
1819 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1828 try a netlogon LogonControl2
1830 static bool test_LogonControl2(struct torture_context *tctx,
1831 struct dcerpc_pipe *p,
1832 struct cli_credentials *machine_credentials)
1836 struct netr_LogonControl2 r;
1837 union netr_CONTROL_DATA_INFORMATION data;
1838 union netr_CONTROL_QUERY_INFORMATION query;
1840 struct dcerpc_binding_handle *b = p->binding_handle;
1842 data.domain = lp_workgroup(tctx->lp_ctx);
1844 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1846 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1848 r.out.query = &query;
1853 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1854 i, r.in.function_code);
1856 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1857 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1860 data.domain = lp_workgroup(tctx->lp_ctx);
1862 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1868 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1869 i, r.in.function_code);
1871 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1872 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1875 data.domain = lp_workgroup(tctx->lp_ctx);
1877 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1883 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1884 i, r.in.function_code);
1886 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1887 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1890 data.debug_level = ~0;
1892 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1898 torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1899 i, r.in.function_code);
1901 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1902 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1909 try a netlogon DatabaseSync2
1911 static bool test_DatabaseSync2(struct torture_context *tctx,
1912 struct dcerpc_pipe *p,
1913 struct cli_credentials *machine_credentials)
1915 struct netr_DatabaseSync2 r;
1916 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1917 struct netr_Authenticator return_authenticator, credential;
1919 struct netlogon_creds_CredentialState *creds;
1920 const uint32_t database_ids[] = {0, 1, 2};
1922 struct dcerpc_binding_handle *b = p->binding_handle;
1924 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1925 machine_credentials,
1926 cli_credentials_get_secure_channel_type(machine_credentials),
1931 ZERO_STRUCT(return_authenticator);
1933 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1934 r.in.computername = TEST_MACHINE_NAME;
1935 r.in.preferredmaximumlength = (uint32_t)-1;
1936 r.in.return_authenticator = &return_authenticator;
1937 r.out.return_authenticator = &return_authenticator;
1938 r.out.delta_enum_array = &delta_enum_array;
1940 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1942 uint32_t sync_context = 0;
1944 r.in.database_id = database_ids[i];
1945 r.in.sync_context = &sync_context;
1946 r.out.sync_context = &sync_context;
1947 r.in.restart_state = 0;
1949 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1952 netlogon_creds_client_authenticator(creds, &credential);
1954 r.in.credential = &credential;
1956 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync2_r(b, tctx, &r),
1957 "DatabaseSync2 failed");
1958 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
1961 /* Native mode servers don't do this */
1962 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1966 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync2");
1968 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
1969 torture_comment(tctx, "Credential chaining failed\n");
1972 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
1980 try a netlogon LogonControl2Ex
1982 static bool test_LogonControl2Ex(struct torture_context *tctx,
1983 struct dcerpc_pipe *p,
1984 struct cli_credentials *machine_credentials)
1988 struct netr_LogonControl2Ex r;
1989 union netr_CONTROL_DATA_INFORMATION data;
1990 union netr_CONTROL_QUERY_INFORMATION query;
1992 struct dcerpc_binding_handle *b = p->binding_handle;
1994 data.domain = lp_workgroup(tctx->lp_ctx);
1996 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1998 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
2000 r.out.query = &query;
2005 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2006 i, r.in.function_code);
2008 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2009 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2012 data.domain = lp_workgroup(tctx->lp_ctx);
2014 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
2020 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2021 i, r.in.function_code);
2023 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2024 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2027 data.domain = lp_workgroup(tctx->lp_ctx);
2029 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
2035 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2036 i, r.in.function_code);
2038 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2039 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2042 data.debug_level = ~0;
2044 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2050 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2051 i, r.in.function_code);
2053 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2054 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2060 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
2061 struct dcerpc_pipe *p, const char *trusted_domain_name)
2064 struct netr_DsRGetForestTrustInformation r;
2065 struct lsa_ForestTrustInformation info, *info_ptr;
2066 struct dcerpc_binding_handle *b = p->binding_handle;
2070 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2071 r.in.trusted_domain_name = trusted_domain_name;
2073 r.out.forest_trust_info = &info_ptr;
2075 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
2077 status = dcerpc_netr_DsRGetForestTrustInformation_r(b, tctx, &r);
2078 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
2079 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
2085 try a netlogon netr_DsrEnumerateDomainTrusts
2087 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
2088 struct dcerpc_pipe *p)
2091 struct netr_DsrEnumerateDomainTrusts r;
2092 struct netr_DomainTrustList trusts;
2094 struct dcerpc_binding_handle *b = p->binding_handle;
2096 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2097 r.in.trust_flags = 0x3f;
2098 r.out.trusts = &trusts;
2100 status = dcerpc_netr_DsrEnumerateDomainTrusts_r(b, tctx, &r);
2101 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2102 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2104 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2105 * will show non-forest trusts and all UPN suffixes of the own forest
2106 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2108 if (r.out.trusts->count) {
2109 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2114 for (i=0; i<r.out.trusts->count; i++) {
2116 /* get info for transitive forest trusts */
2118 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2119 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
2120 r.out.trusts->array[i].dns_name)) {
2129 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2130 struct dcerpc_pipe *p)
2133 struct netr_NetrEnumerateTrustedDomains r;
2134 struct netr_Blob trusted_domains_blob;
2135 struct dcerpc_binding_handle *b = p->binding_handle;
2137 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2138 r.out.trusted_domains_blob = &trusted_domains_blob;
2140 status = dcerpc_netr_NetrEnumerateTrustedDomains_r(b, tctx, &r);
2141 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2142 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2147 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2148 struct dcerpc_pipe *p)
2151 struct netr_NetrEnumerateTrustedDomainsEx r;
2152 struct netr_DomainTrustList dom_trust_list;
2153 struct dcerpc_binding_handle *b = p->binding_handle;
2155 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2156 r.out.dom_trust_list = &dom_trust_list;
2158 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b, tctx, &r);
2159 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2160 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2166 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2167 const char *computer_name,
2168 const char *expected_site)
2171 struct netr_DsRGetSiteName r;
2172 const char *site = NULL;
2173 struct dcerpc_binding_handle *b = p->binding_handle;
2175 r.in.computer_name = computer_name;
2177 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2179 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2180 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2181 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2182 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2184 if (torture_setting_bool(tctx, "samba4", false))
2185 torture_skip(tctx, "skipping computer name check against Samba4");
2187 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
2188 torture_comment(tctx,
2189 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
2191 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2192 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2193 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
2199 try a netlogon netr_DsRGetDCName
2201 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
2202 struct dcerpc_pipe *p)
2205 struct netr_DsRGetDCName r;
2206 struct netr_DsRGetDCNameInfo *info = NULL;
2207 struct dcerpc_binding_handle *b = p->binding_handle;
2209 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2210 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2211 r.in.domain_guid = NULL;
2212 r.in.site_guid = NULL;
2213 r.in.flags = DS_RETURN_DNS_NAME;
2216 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2217 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2218 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2220 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2222 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2223 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2224 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2226 return test_netr_DsRGetSiteName(p, tctx,
2228 info->dc_site_name);
2232 try a netlogon netr_DsRGetDCNameEx
2234 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
2235 struct dcerpc_pipe *p)
2238 struct netr_DsRGetDCNameEx r;
2239 struct netr_DsRGetDCNameInfo *info = NULL;
2240 struct dcerpc_binding_handle *b = p->binding_handle;
2242 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2243 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2244 r.in.domain_guid = NULL;
2245 r.in.site_name = NULL;
2246 r.in.flags = DS_RETURN_DNS_NAME;
2249 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2250 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2251 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2253 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2255 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2256 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2257 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2259 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2260 info->dc_site_name);
2264 try a netlogon netr_DsRGetDCNameEx2
2266 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
2267 struct dcerpc_pipe *p)
2270 struct netr_DsRGetDCNameEx2 r;
2271 struct netr_DsRGetDCNameInfo *info = NULL;
2272 struct dcerpc_binding_handle *b = p->binding_handle;
2274 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2275 r.in.client_account = NULL;
2276 r.in.mask = 0x00000000;
2277 r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
2278 r.in.domain_guid = NULL;
2279 r.in.site_name = NULL;
2280 r.in.flags = DS_RETURN_DNS_NAME;
2283 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2285 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2286 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2287 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2289 r.in.domain_name = lp_workgroup(tctx->lp_ctx);
2291 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2292 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2293 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2295 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client account\n");
2296 r.in.client_account = TEST_MACHINE_NAME"$";
2297 r.in.mask = ACB_SVRTRUST;
2298 r.in.flags = DS_RETURN_FLAT_NAME;
2301 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2302 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2303 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2305 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2306 info->dc_site_name);
2309 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
2310 struct dcerpc_pipe *p)
2313 struct ldb_context *sam_ctx = NULL;
2315 struct netr_DsrGetDcSiteCoverageW r;
2316 struct DcSitesCtr *ctr = NULL;
2317 struct dcerpc_binding_handle *b = p->binding_handle;
2319 torture_comment(tctx, "This does only pass with the default site\n");
2321 /* We won't double-check this when we are over 'local' transports */
2322 if (dcerpc_server_name(p)) {
2323 /* Set up connection to SAMDB on DC */
2324 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2325 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2327 cmdline_credentials,
2330 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2333 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2336 status = dcerpc_netr_DsrGetDcSiteCoverageW_r(b, tctx, &r);
2337 torture_assert_ntstatus_ok(tctx, status, "failed");
2338 torture_assert_werr_ok(tctx, r.out.result, "failed");
2340 torture_assert(tctx, ctr->num_sites == 1,
2341 "we should per default only get the default site");
2342 if (sam_ctx != NULL) {
2343 torture_assert_casestr_equal(tctx, ctr->sites[0].string,
2344 samdb_server_site_name(sam_ctx, tctx),
2345 "didn't return default site");
2351 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2352 struct dcerpc_pipe *p)
2355 struct ldb_context *sam_ctx = NULL;
2357 struct netr_DsRAddressToSitenamesW r;
2358 struct netr_DsRAddress addrs[6];
2359 struct sockaddr_in *addr;
2360 struct sockaddr_in6 *addr6;
2361 struct netr_DsRAddressToSitenamesWCtr *ctr;
2362 struct dcerpc_binding_handle *b = p->binding_handle;
2366 torture_comment(tctx, "This does only pass with the default site\n");
2368 /* We won't double-check this when we are over 'local' transports */
2369 if (dcerpc_server_name(p)) {
2370 /* Set up connection to SAMDB on DC */
2371 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2372 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2374 cmdline_credentials,
2377 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2380 /* First try valid IP addresses */
2382 addrs[0].size = sizeof(struct sockaddr_in);
2383 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2384 addr = (struct sockaddr_in *) addrs[0].buffer;
2385 addr->sin_family = AF_INET;
2386 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2387 torture_assert(tctx, ret > 0, "inet_pton failed");
2389 addrs[1].size = sizeof(struct sockaddr_in);
2390 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2391 addr = (struct sockaddr_in *) addrs[1].buffer;
2392 addr->sin_family = AF_INET;
2393 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2394 torture_assert(tctx, ret > 0, "inet_pton failed");
2396 addrs[2].size = sizeof(struct sockaddr_in);
2397 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2398 addr = (struct sockaddr_in *) addrs[2].buffer;
2399 addr->sin_family = AF_INET;
2400 ret = inet_pton(AF_INET, "255.255.255.255",
2401 &((struct sockaddr_in *)addrs[2].buffer)->sin_addr);
2402 torture_assert(tctx, ret > 0, "inet_pton failed");
2404 addrs[3].size = sizeof(struct sockaddr_in6);
2405 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2406 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2407 addr6->sin6_family = AF_INET6;
2408 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2409 torture_assert(tctx, ret > 0, "inet_pton failed");
2411 addrs[4].size = sizeof(struct sockaddr_in6);
2412 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2413 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2414 addr6->sin6_family = AF_INET6;
2415 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2416 torture_assert(tctx, ret > 0, "inet_pton failed");
2418 addrs[5].size = sizeof(struct sockaddr_in6);
2419 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2420 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2421 addr6->sin6_family = AF_INET6;
2422 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2423 torture_assert(tctx, ret > 0, "inet_pton failed");
2425 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2427 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2429 r.in.addresses = addrs;
2432 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2433 torture_assert_ntstatus_ok(tctx, status, "failed");
2434 torture_assert_werr_ok(tctx, r.out.result, "failed");
2436 if (sam_ctx != NULL) {
2437 for (i = 0; i < 3; i++) {
2438 torture_assert_casestr_equal(tctx,
2439 ctr->sitename[i].string,
2440 samdb_server_site_name(sam_ctx, tctx),
2441 "didn't return default site");
2443 for (i = 3; i < 6; i++) {
2444 /* Windows returns "NULL" for the sitename if it isn't IPv6 configured
2445 torture_assert_casestr_equal(tctx,
2446 ctr->sitename[i].string,
2447 samdb_server_site_name(sam_ctx, tctx),
2448 "didn't return default site");
2453 /* Now try invalid ones (too short buffers) */
2463 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2464 torture_assert_ntstatus_ok(tctx, status, "failed");
2465 torture_assert_werr_ok(tctx, r.out.result, "failed");
2467 for (i = 0; i < 6; i++) {
2468 torture_assert(tctx, ctr->sitename[i].string == NULL,
2469 "sitename should be null");
2472 /* Now try invalid ones (wrong address types) */
2475 addrs[0].buffer[0] = AF_UNSPEC;
2477 addrs[1].buffer[0] = AF_LOCAL;
2479 addrs[2].buffer[0] = AF_UNIX;
2482 addrs[3].buffer[0] = AF_FILE;
2484 addrs[4].buffer[0] = AF_AX25;
2486 addrs[5].buffer[0] = AF_IPX;
2488 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2489 torture_assert_ntstatus_ok(tctx, status, "failed");
2490 torture_assert_werr_ok(tctx, r.out.result, "failed");
2492 for (i = 0; i < 6; i++) {
2493 torture_assert(tctx, ctr->sitename[i].string == NULL,
2494 "sitename should be null");
2500 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2501 struct dcerpc_pipe *p)
2504 struct ldb_context *sam_ctx = NULL;
2506 struct netr_DsRAddressToSitenamesExW r;
2507 struct netr_DsRAddress addrs[6];
2508 struct sockaddr_in *addr;
2509 struct sockaddr_in6 *addr6;
2510 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2511 struct dcerpc_binding_handle *b = p->binding_handle;
2515 torture_comment(tctx, "This does pass with the default site\n");
2517 /* We won't double-check this when we are over 'local' transports */
2518 if (dcerpc_server_name(p)) {
2519 /* Set up connection to SAMDB on DC */
2520 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2521 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2523 cmdline_credentials,
2526 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2529 /* First try valid IP addresses */
2531 addrs[0].size = sizeof(struct sockaddr_in);
2532 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2533 addr = (struct sockaddr_in *) addrs[0].buffer;
2534 addr->sin_family = AF_INET;
2535 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2536 torture_assert(tctx, ret > 0, "inet_pton failed");
2538 addrs[1].size = sizeof(struct sockaddr_in);
2539 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2540 addr = (struct sockaddr_in *) addrs[1].buffer;
2541 addr->sin_family = AF_INET;
2542 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2543 torture_assert(tctx, ret > 0, "inet_pton failed");
2545 addrs[2].size = sizeof(struct sockaddr_in);
2546 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2547 addr = (struct sockaddr_in *) addrs[2].buffer;
2548 addr->sin_family = AF_INET;
2549 ret = inet_pton(AF_INET, "255.255.255.255",
2550 &((struct sockaddr_in *)addrs[2].buffer)->sin_addr);
2551 torture_assert(tctx, ret > 0, "inet_pton failed");
2553 addrs[3].size = sizeof(struct sockaddr_in6);
2554 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2555 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2556 addr6->sin6_family = AF_INET6;
2557 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2558 torture_assert(tctx, ret > 0, "inet_pton failed");
2560 addrs[4].size = sizeof(struct sockaddr_in6);
2561 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2562 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2563 addr6->sin6_family = AF_INET6;
2564 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2565 torture_assert(tctx, ret > 0, "inet_pton failed");
2567 addrs[5].size = sizeof(struct sockaddr_in6);
2568 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2569 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2570 addr6->sin6_family = AF_INET6;
2571 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2572 torture_assert(tctx, ret > 0, "inet_pton failed");
2574 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2576 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2578 r.in.addresses = addrs;
2581 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2582 torture_assert_ntstatus_ok(tctx, status, "failed");
2583 torture_assert_werr_ok(tctx, r.out.result, "failed");
2585 if (sam_ctx != NULL) {
2586 for (i = 0; i < 3; i++) {
2587 torture_assert_casestr_equal(tctx,
2588 ctr->sitename[i].string,
2589 samdb_server_site_name(sam_ctx, tctx),
2590 "didn't return default site");
2591 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2592 "subnet should be null");
2594 for (i = 3; i < 6; i++) {
2595 /* Windows returns "NULL" for the sitename if it isn't IPv6 configured
2596 torture_assert_casestr_equal(tctx,
2597 ctr->sitename[i].string,
2598 samdb_server_site_name(sam_ctx, tctx),
2599 "didn't return default site");
2601 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2602 "subnet should be null");
2606 /* Now try invalid ones (too short buffers) */
2616 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2617 torture_assert_ntstatus_ok(tctx, status, "failed");
2618 torture_assert_werr_ok(tctx, r.out.result, "failed");
2620 for (i = 0; i < 6; i++) {
2621 torture_assert(tctx, ctr->sitename[i].string == NULL,
2622 "sitename should be null");
2623 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2624 "subnet should be null");
2628 addrs[0].buffer[0] = AF_UNSPEC;
2630 addrs[1].buffer[0] = AF_LOCAL;
2632 addrs[2].buffer[0] = AF_UNIX;
2635 addrs[3].buffer[0] = AF_FILE;
2637 addrs[4].buffer[0] = AF_AX25;
2639 addrs[5].buffer[0] = AF_IPX;
2641 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2642 torture_assert_ntstatus_ok(tctx, status, "failed");
2643 torture_assert_werr_ok(tctx, r.out.result, "failed");
2645 for (i = 0; i < 6; i++) {
2646 torture_assert(tctx, ctr->sitename[i].string == NULL,
2647 "sitename should be null");
2648 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2649 "subnet should be null");
2655 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2656 struct dcerpc_pipe *p,
2657 struct cli_credentials *machine_credentials)
2659 struct netr_ServerGetTrustInfo r;
2661 struct netr_Authenticator a;
2662 struct netr_Authenticator return_authenticator;
2663 struct samr_Password new_owf_password;
2664 struct samr_Password old_owf_password;
2665 struct netr_TrustInfo *trust_info;
2667 struct netlogon_creds_CredentialState *creds;
2668 struct dcerpc_binding_handle *b = p->binding_handle;
2670 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2671 machine_credentials, &creds)) {
2675 netlogon_creds_client_authenticator(creds, &a);
2677 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2678 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2679 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2680 r.in.computer_name = TEST_MACHINE_NAME;
2681 r.in.credential = &a;
2683 r.out.return_authenticator = &return_authenticator;
2684 r.out.new_owf_password = &new_owf_password;
2685 r.out.old_owf_password = &old_owf_password;
2686 r.out.trust_info = &trust_info;
2688 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerGetTrustInfo_r(b, tctx, &r),
2689 "ServerGetTrustInfo failed");
2690 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
2691 torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2697 static bool test_GetDomainInfo(struct torture_context *tctx,
2698 struct dcerpc_pipe *p,
2699 struct cli_credentials *machine_credentials)
2701 struct netr_LogonGetDomainInfo r;
2702 struct netr_WorkstationInformation q1;
2703 struct netr_Authenticator a;
2704 struct netlogon_creds_CredentialState *creds;
2705 struct netr_OsVersion os;
2706 union netr_WorkstationInfo query;
2707 union netr_DomainInfo info;
2708 const char* const attrs[] = { "dNSHostName", "operatingSystem",
2709 "operatingSystemServicePack", "operatingSystemVersion",
2710 "servicePrincipalName", NULL };
2712 struct ldb_context *sam_ctx = NULL;
2713 struct ldb_message **res;
2714 struct ldb_message_element *spn_el;
2717 const char *old_dnsname = NULL;
2721 struct dcerpc_binding_handle *b = p->binding_handle;
2723 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2725 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2726 machine_credentials, &creds)) {
2730 /* We won't double-check this when we are over 'local' transports */
2731 if (dcerpc_server_name(p)) {
2732 /* Set up connection to SAMDB on DC */
2733 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2734 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2736 cmdline_credentials,
2739 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2742 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
2743 netlogon_creds_client_authenticator(creds, &a);
2746 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2747 r.in.computer_name = TEST_MACHINE_NAME;
2748 r.in.credential = &a;
2750 r.in.return_authenticator = &a;
2751 r.in.query = &query;
2752 r.out.return_authenticator = &a;
2756 os.os.MajorVersion = 123;
2757 os.os.MinorVersion = 456;
2758 os.os.BuildNumber = 789;
2759 os.os.CSDVersion = "Service Pack 10";
2760 os.os.ServicePackMajor = 10;
2761 os.os.ServicePackMinor = 1;
2762 os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
2763 os.os.ProductType = NETR_VER_NT_SERVER;
2766 version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
2767 os.os.MinorVersion, os.os.BuildNumber);
2770 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
2771 lp_dnsdomain(tctx->lp_ctx));
2772 q1.sitename = "Default-First-Site-Name";
2773 q1.os_version.os = &os;
2774 q1.os_name.string = talloc_asprintf(tctx,
2775 "Tortured by Samba4 RPC-NETLOGON: %s",
2776 timestring(tctx, time(NULL)));
2778 /* The workstation handles the "servicePrincipalName" and DNS hostname
2780 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2782 query.workstation_info = &q1;
2785 /* Gets back the old DNS hostname in AD */
2786 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2787 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2789 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
2791 /* Gets back the "servicePrincipalName"s in AD */
2792 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2793 if (spn_el != NULL) {
2794 for (i=0; i < spn_el->num_values; i++) {
2795 spns = talloc_realloc(tctx, spns, char *, i + 1);
2796 spns[i] = (char *) spn_el->values[i].data;
2802 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2803 "LogonGetDomainInfo failed");
2804 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2805 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2810 /* AD workstation infos entry check */
2811 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2812 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2813 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2814 torture_assert_str_equal(tctx,
2815 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2816 q1.os_name.string, "'operatingSystem' wrong!");
2817 torture_assert_str_equal(tctx,
2818 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
2819 os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
2820 torture_assert_str_equal(tctx,
2821 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
2822 version_str, "'operatingSystemVersion' wrong!");
2824 if (old_dnsname != NULL) {
2825 /* If before a DNS hostname was set then it should remain
2826 the same in combination with the "servicePrincipalName"s.
2827 The DNS hostname should also be returned by our
2828 "LogonGetDomainInfo" call (in the domain info structure). */
2830 torture_assert_str_equal(tctx,
2831 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2832 old_dnsname, "'DNS hostname' was not set!");
2834 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2835 torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
2836 "'servicePrincipalName's not set!");
2837 torture_assert(tctx, spn_el->num_values == num_spns,
2838 "'servicePrincipalName's incorrect!");
2839 for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
2840 torture_assert_str_equal(tctx,
2841 (char *) spn_el->values[i].data,
2842 spns[i], "'servicePrincipalName's incorrect!");
2844 torture_assert_str_equal(tctx,
2845 info.domain_info->dns_hostname.string,
2847 "Out 'DNS hostname' doesn't match the old one!");
2849 /* If no DNS hostname was set then also now none should be set,
2850 the "servicePrincipalName"s should remain empty and no DNS
2851 hostname should be returned by our "LogonGetDomainInfo"
2852 call (in the domain info structure). */
2854 torture_assert(tctx,
2855 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
2856 "'DNS hostname' was set!");
2858 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2859 torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
2860 "'servicePrincipalName's were set!");
2862 torture_assert(tctx,
2863 info.domain_info->dns_hostname.string == NULL,
2864 "Out 'DNS host name' was set!");
2868 /* Checks "workstation flags" */
2869 torture_assert(tctx,
2870 info.domain_info->workstation_flags
2871 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2872 "Out 'workstation flags' don't match!");
2875 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
2876 netlogon_creds_client_authenticator(creds, &a);
2878 /* Wipe out the osVersion, and prove which values still 'stick' */
2879 q1.os_version.os = NULL;
2881 /* Change also the DNS hostname to test differences in behaviour */
2882 talloc_free(discard_const_p(char, q1.dns_hostname));
2883 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
2884 lp_dnsdomain(tctx->lp_ctx));
2886 /* The workstation handles the "servicePrincipalName" and DNS hostname
2888 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
2890 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2891 "LogonGetDomainInfo failed");
2892 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2894 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2899 /* AD workstation infos entry check */
2900 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2901 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2902 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2904 torture_assert_str_equal(tctx,
2905 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2906 q1.os_name.string, "'operatingSystem' should stick!");
2907 torture_assert(tctx,
2908 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2909 "'operatingSystemServicePack' shouldn't stick!");
2910 torture_assert(tctx,
2911 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2912 "'operatingSystemVersion' shouldn't stick!");
2914 /* The DNS host name shouldn't have been updated by the server */
2916 torture_assert_str_equal(tctx,
2917 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2918 old_dnsname, "'DNS host name' did change!");
2920 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
2921 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2923 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
2924 torture_assert(tctx, spn_el != NULL,
2925 "There should exist 'servicePrincipalName's in AD!");
2926 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
2927 for (i=0; i < spn_el->num_values; i++)
2928 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2930 torture_assert(tctx, i != spn_el->num_values,
2931 "'servicePrincipalName' HOST/<Netbios name> not found!");
2932 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
2933 for (i=0; i < spn_el->num_values; i++)
2934 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
2936 torture_assert(tctx, i != spn_el->num_values,
2937 "'servicePrincipalName' HOST/<FQDN name> not found!");
2939 /* Check that the out DNS hostname was set properly */
2940 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
2941 old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
2944 /* Checks "workstation flags" */
2945 torture_assert(tctx,
2946 info.domain_info->workstation_flags == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
2947 "Out 'workstation flags' don't match!");
2950 /* Now try the same but the workstation flags set to 0 */
2952 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
2953 netlogon_creds_client_authenticator(creds, &a);
2955 /* Change also the DNS hostname to test differences in behaviour */
2956 talloc_free(discard_const_p(char, q1.dns_hostname));
2957 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
2958 lp_dnsdomain(tctx->lp_ctx));
2960 /* Wipe out the osVersion, and prove which values still 'stick' */
2961 q1.os_version.os = NULL;
2963 /* Let the DC handle the "servicePrincipalName" and DNS hostname
2965 q1.workstation_flags = 0;
2967 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
2968 "LogonGetDomainInfo failed");
2969 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
2970 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
2975 /* AD workstation infos entry check */
2976 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
2977 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
2978 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
2980 torture_assert_str_equal(tctx,
2981 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
2982 q1.os_name.string, "'operatingSystem' should stick!");
2983 torture_assert(tctx,
2984 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
2985 "'operatingSystemServicePack' shouldn't stick!");
2986 torture_assert(tctx,
2987 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
2988 "'operatingSystemVersion' shouldn't stick!");
2990 /* The DNS host name shouldn't have been updated by the server */
2992 torture_assert_str_equal(tctx,
2993 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
2994 old_dnsname, "'DNS host name' did change!");
2996 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
2997 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
2999 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3000 torture_assert(tctx, spn_el != NULL,
3001 "There should exist 'servicePrincipalName's in AD!");
3002 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
3003 for (i=0; i < spn_el->num_values; i++)
3004 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3006 torture_assert(tctx, i != spn_el->num_values,
3007 "'servicePrincipalName' HOST/<Netbios name> not found!");
3008 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
3009 for (i=0; i < spn_el->num_values; i++)
3010 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3012 torture_assert(tctx, i != spn_el->num_values,
3013 "'servicePrincipalName' HOST/<FQDN name> not found!");
3015 /* Here the server gives us NULL as the out DNS hostname */
3016 torture_assert(tctx, info.domain_info->dns_hostname.string == NULL,
3017 "Out 'DNS hostname' should be NULL!");
3020 /* Checks "workstation flags" */
3021 torture_assert(tctx,
3022 info.domain_info->workstation_flags == 0,
3023 "Out 'workstation flags' don't match!");
3026 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
3027 netlogon_creds_client_authenticator(creds, &a);
3029 /* Put the DNS hostname back */
3030 talloc_free(discard_const_p(char, q1.dns_hostname));
3031 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3032 lp_dnsdomain(tctx->lp_ctx));
3034 /* The workstation handles the "servicePrincipalName" and DNS hostname
3036 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3038 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3039 "LogonGetDomainInfo failed");
3040 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3041 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3045 /* Now the in/out DNS hostnames should be the same */
3046 torture_assert_str_equal(tctx,
3047 info.domain_info->dns_hostname.string,
3048 query.workstation_info->dns_hostname,
3049 "In/Out 'DNS hostnames' don't match!");
3051 /* Checks "workstation flags" */
3052 torture_assert(tctx,
3053 info.domain_info->workstation_flags
3054 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3055 "Out 'workstation flags' don't match!");
3057 /* Checks for trusted domains */
3058 torture_assert(tctx,
3059 (info.domain_info->trusted_domain_count != 0)
3060 && (info.domain_info->trusted_domains != NULL),
3061 "Trusted domains have been requested!");
3064 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
3065 netlogon_creds_client_authenticator(creds, &a);
3067 /* The workstation handles the "servicePrincipalName" and DNS hostname
3068 updates and requests inbound trusts */
3069 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
3070 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
3072 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3073 "LogonGetDomainInfo failed");
3074 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3075 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3079 /* Checks "workstation flags" */
3080 torture_assert(tctx,
3081 info.domain_info->workstation_flags
3082 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3083 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
3084 "Out 'workstation flags' don't match!");
3086 /* Checks for trusted domains */
3087 torture_assert(tctx,
3088 (info.domain_info->trusted_domain_count != 0)
3089 && (info.domain_info->trusted_domains != NULL),
3090 "Trusted domains have been requested!");
3095 static bool test_GetDomainInfo_async(struct torture_context *tctx,
3096 struct dcerpc_pipe *p,
3097 struct cli_credentials *machine_credentials)
3100 struct netr_LogonGetDomainInfo r;
3101 struct netr_WorkstationInformation q1;
3102 struct netr_Authenticator a;
3103 #define ASYNC_COUNT 100
3104 struct netlogon_creds_CredentialState *creds;
3105 struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
3106 struct tevent_req *req[ASYNC_COUNT];
3108 union netr_WorkstationInfo query;
3109 union netr_DomainInfo info;
3111 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
3113 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
3114 machine_credentials, &creds)) {
3119 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3120 r.in.computer_name = TEST_MACHINE_NAME;
3121 r.in.credential = &a;
3123 r.in.return_authenticator = &a;
3124 r.in.query = &query;
3125 r.out.return_authenticator = &a;
3129 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3130 lp_dnsdomain(tctx->lp_ctx));
3131 q1.sitename = "Default-First-Site-Name";
3132 q1.os_name.string = "UNIX/Linux or similar";
3134 query.workstation_info = &q1;
3136 for (i=0;i<ASYNC_COUNT;i++) {
3137 netlogon_creds_client_authenticator(creds, &a);
3139 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
3140 req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r);
3142 /* even with this flush per request a w2k3 server seems to
3143 clag with multiple outstanding requests. bleergh. */
3144 torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
3145 "event_loop_once failed");
3148 for (i=0;i<ASYNC_COUNT;i++) {
3149 torture_assert_int_equal(tctx, tevent_req_poll(req[i], tctx->ev), true,
3150 "tevent_req_poll() failed");
3152 status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx);
3154 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
3155 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
3157 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
3158 "Credential chaining failed at async");
3161 torture_comment(tctx,
3162 "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
3167 static bool test_ManyGetDCName(struct torture_context *tctx,
3168 struct dcerpc_pipe *p)
3171 struct dcerpc_pipe *p2;
3172 struct lsa_ObjectAttribute attr;
3173 struct lsa_QosInfo qos;
3174 struct lsa_OpenPolicy2 o;
3175 struct policy_handle lsa_handle;
3176 struct lsa_DomainList domains;
3178 struct lsa_EnumTrustDom t;
3179 uint32_t resume_handle = 0;
3180 struct netr_GetAnyDCName d;
3181 const char *dcname = NULL;
3182 struct dcerpc_binding_handle *b = p->binding_handle;
3183 struct dcerpc_binding_handle *b2;
3187 if (p->conn->transport.transport != NCACN_NP) {
3191 torture_comment(tctx, "Torturing GetDCName\n");
3193 status = dcerpc_secondary_connection(p, &p2, p->binding);
3194 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
3196 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
3197 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
3198 b2 = p2->binding_handle;
3201 qos.impersonation_level = 2;
3202 qos.context_mode = 1;
3203 qos.effective_only = 0;
3206 attr.root_dir = NULL;
3207 attr.object_name = NULL;
3208 attr.attributes = 0;
3209 attr.sec_desc = NULL;
3210 attr.sec_qos = &qos;
3212 o.in.system_name = "\\";
3214 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3215 o.out.handle = &lsa_handle;
3217 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
3218 "OpenPolicy2 failed");
3219 torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
3221 t.in.handle = &lsa_handle;
3222 t.in.resume_handle = &resume_handle;
3223 t.in.max_size = 1000;
3224 t.out.domains = &domains;
3225 t.out.resume_handle = &resume_handle;
3227 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b2, tctx, &t),
3228 "EnumTrustDom failed");
3230 if ((!NT_STATUS_IS_OK(t.out.result) &&
3231 (!NT_STATUS_EQUAL(t.out.result, NT_STATUS_NO_MORE_ENTRIES))))
3232 torture_fail(tctx, "Could not list domains");
3236 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
3237 dcerpc_server_name(p));
3238 d.out.dcname = &dcname;
3240 for (i=0; i<domains.count * 4; i++) {
3241 struct lsa_DomainInfo *info =
3242 &domains.domains[rand()%domains.count];
3244 d.in.domainname = info->name.string;
3246 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &d);
3247 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
3249 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
3250 dcname ? dcname : "unknown");
3256 static bool test_SetPassword_with_flags(struct torture_context *tctx,
3257 struct dcerpc_pipe *p,
3258 struct cli_credentials *machine_credentials)
3260 uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
3261 struct netlogon_creds_CredentialState *creds;
3264 if (!test_SetupCredentials2(p, tctx, 0,
3265 machine_credentials,
3266 cli_credentials_get_secure_channel_type(machine_credentials),
3268 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
3271 for (i=0; i < ARRAY_SIZE(flags); i++) {
3272 torture_assert(tctx,
3273 test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
3274 talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
3280 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
3282 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
3283 struct torture_rpc_tcase *tcase;
3284 struct torture_test *test;
3286 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3287 &ndr_table_netlogon, TEST_MACHINE_NAME);
3289 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
3290 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
3291 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3292 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3293 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3294 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
3295 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
3296 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
3297 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
3298 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
3299 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
3300 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
3301 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
3302 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
3303 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
3304 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
3305 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
3306 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
3307 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3308 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
3309 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
3310 test->dangerous = true;
3311 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
3312 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
3313 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
3314 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
3315 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
3316 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
3317 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
3322 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
3324 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-S3");
3325 struct torture_rpc_tcase *tcase;
3327 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3328 &ndr_table_netlogon, TEST_MACHINE_NAME);
3330 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3331 torture_rpc_tcase_add_test_creds(tcase, "SamLogon_NULL_domain", test_SamLogon_NULL_domain);
3332 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3333 torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
3334 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3335 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3340 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
3342 struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON-ADMIN");
3343 struct torture_rpc_tcase *tcase;
3345 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3346 &ndr_table_netlogon, TEST_MACHINE_NAME);
3347 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3348 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3349 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3351 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
3352 &ndr_table_netlogon, TEST_MACHINE_NAME);
3353 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3354 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3355 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3357 tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
3358 &ndr_table_netlogon);
3359 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3360 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3361 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);