if ($envname eq "s3dc") {
return $self->setup_s3dc("$path/s3dc");
+ } elsif ($envname eq "s3dc_schannel") {
+ return $self->setup_s3dc_schannel("$path/s3dc_schannel");
} elsif ($envname eq "simpleserver") {
return $self->setup_simpleserver("$path/simpleserver");
} elsif ($envname eq "maptoguest") {
return $vars;
}
+sub setup_s3dc_schannel($$)
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING S3DC WITH SERVER SCHANNEL ...";
+
+ my $pdc_options = "
+ domain master = yes
+ domain logons = yes
+ lanman auth = yes
+
+ rpc_server:epmapper = external
+ rpc_server:spoolss = external
+ rpc_server:lsarpc = external
+ rpc_server:samr = external
+ rpc_server:netlogon = external
+ rpc_server:register_embedded_np = yes
+
+ rpc_daemon:epmd = fork
+ rpc_daemon:spoolssd = fork
+ rpc_daemon:lsasd = fork
+
+ server schannel = yes
+";
+
+ my $vars = $self->provision($path,
+ "LOCALS3DC9",
+ "locals3dc9pass",
+ $pdc_options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start($vars, "yes", "yes", "yes")) {
+ return undef;
+ }
+
+ $vars->{DC_SERVER} = $vars->{SERVER};
+ $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+ $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
+ $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
+ $vars->{DC_USERNAME} = $vars->{USERNAME};
+ $vars->{DC_PASSWORD} = $vars->{PASSWORD};
+
+ $self->{vars}->{s3dc_schannel} = $vars;
+
+ return $vars;
+}
+
sub setup_member($$$)
{
my ($self, $prefix, $s3dcvars) = @_;
"rpc.samr.passwords.pwdlastset", "rpc.samr.passwords.lockout", "rpc.samr.passwords.badpwdcount", "rpc.samr.large-dc", "rpc.samr.machine.auth",
"rpc.samr.priv", "rpc.samr.passwords.validate",
"rpc.netlogon.admin",
- "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.join", "rpc.bind"]
+ "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.schannel_anon_setpw", "rpc.join", "rpc.bind"]
local = ["local.ndr"]
elif t == "vfs.fruit":
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:share1=vfs_fruit --option=torture:share2=tmp --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:share1=vfs_fruit --option=torture:share2=tmp --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
+ elif t == "rpc.schannel_anon_setpw":
+ plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$%', description="anonymous password set")
+ plansmbtorture4testsuite(t, "s3dc_schannel", '//$SERVER_IP/tmp -U$%', description="anonymous password set (schannel enforced server-side)")
+ plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$%', description="anonymous password set")
else:
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
return true;
}
+/*
+ * Purpose of this test is to demonstrate that a netlogon server carefully deals
+ * with anonymous attempts to set passwords, in particular when the server
+ * enforces the use of schannel. This test makes most sense to be run in an
+ * environment where the netlogon server enforces use of schannel.
+ */
+
+static bool test_schannel_anonymous_setPassword(struct torture_context *tctx,
+ uint32_t dcerpc_flags,
+ bool use2)
+{
+ struct test_join *join_ctx;
+ NTSTATUS status, result;
+ const char *binding = torture_setting_string(tctx, "binding", NULL);
+ struct dcerpc_binding *b;
+ struct dcerpc_pipe *p = NULL;
+ struct cli_credentials *credentials;
+ bool ok = true;
+
+ credentials = cli_credentials_init(NULL);
+ torture_assert(tctx, credentials != NULL, "Bad credentials");
+ cli_credentials_set_anonymous(credentials);
+
+ status = dcerpc_parse_binding(tctx, binding, &b);
+ torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
+
+ status = dcerpc_binding_set_flags(b, dcerpc_flags, DCERPC_AUTH_OPTIONS);
+ torture_assert_ntstatus_ok(tctx, status, "set flags");
+
+ status = dcerpc_pipe_connect_b(tctx,
+ &p,
+ b,
+ &ndr_table_netlogon,
+ credentials,
+ tctx->ev,
+ tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
+
+ if (use2) {
+ struct netr_ServerPasswordSet2 r = {};
+ struct netr_Authenticator credential = {};
+ struct netr_Authenticator return_authenticator = {};
+ struct netr_CryptPassword new_password = {};
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
+ r.in.secure_channel_type = 0;
+ r.in.computer_name = TEST_MACHINE_NAME;
+ r.in.credential = &credential;
+ r.in.new_password = &new_password;
+ r.out.return_authenticator = &return_authenticator;
+
+ status = dcerpc_netr_ServerPasswordSet2_r(p->binding_handle, tctx, &r);
+ result = r.out.result;
+ } else {
+ struct netr_ServerPasswordSet r = {};
+ struct netr_Authenticator credential = {};
+ struct netr_Authenticator return_authenticator = {};
+ struct samr_Password new_password = {};
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
+ r.in.secure_channel_type = 0;
+ r.in.computer_name = TEST_MACHINE_NAME;
+ r.in.credential = &credential;
+ r.in.new_password = &new_password;
+ r.out.return_authenticator = &return_authenticator;
+
+ status = dcerpc_netr_ServerPasswordSet_r(p->binding_handle, tctx, &r);
+ result = r.out.result;
+ }
+
+ torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet failed");
+
+ if (NT_STATUS_IS_OK(result)) {
+ torture_fail(tctx, "unexpectedly received NT_STATUS_OK");
+ }
+
+ return ok;
+}
/*
return ret;
}
+bool torture_rpc_schannel_anon_setpw(struct torture_context *torture)
+{
+ bool ret = true;
+ bool ok;
+ uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO;
+
+ ok = test_schannel_anonymous_setPassword(torture,
+ dcerpc_flags,
+ true);
+ if (!ok) {
+ torture_comment(torture,
+ "Failed with dcerpc_flags=0x%x\n",
+ dcerpc_flags);
+ ret = false;
+ }
+
+ ok = test_schannel_anonymous_setPassword(torture,
+ dcerpc_flags,
+ false);
+ if (!ok) {
+ torture_comment(torture,
+ "Failed with dcerpc_flags=0x%x\n",
+ dcerpc_flags);
+ ret = false;
+ }
+
+ return ret;
+}
+
/*
test two schannel connections
*/