s4:torture cldap test - Add checks for the right forest DNS name
[sfrench/samba-autobuild/.git] / source4 / torture / ldap / cldap.c
1 /* 
2    Unix SMB/CIFS mplementation.
3
4    test CLDAP operations
5    
6    Copyright (C) Andrew Tridgell 2005
7     
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20    
21 */
22
23 #include "includes.h"
24 #include "libcli/cldap/cldap.h"
25 #include "libcli/ldap/ldap.h"
26 #include "librpc/gen_ndr/ndr_nbt.h"
27 #include "librpc/gen_ndr/netlogon.h"
28 #include "torture/torture.h"
29 #include "lib/ldb/include/ldb.h"
30 #include "param/param.h"
31 #include "../lib/tsocket/tsocket.h"
32
33 #define CHECK_STATUS(status, correct) torture_assert_ntstatus_equal(tctx, status, correct, "incorrect status")
34
35 #define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value");
36
37 #define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value");
38 /*
39   test netlogon operations
40 */
41 static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
42 {
43         struct cldap_socket *cldap;
44         NTSTATUS status;
45         struct cldap_netlogon search, empty_search;
46         struct netlogon_samlogon_response n1;
47         struct GUID guid;
48         int i;
49         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
50         struct tsocket_address *dest_addr;
51         int ret;
52
53         ret = tsocket_address_inet_from_strings(tctx, "ip",
54                                                 dest,
55                                                 lp_cldap_port(tctx->lp_ctx),
56                                                 &dest_addr);
57         CHECK_VAL(ret, 0);
58
59         status = cldap_socket_init(tctx, NULL, NULL, dest_addr, &cldap);
60         CHECK_STATUS(status, NT_STATUS_OK);
61
62         ZERO_STRUCT(search);
63         search.in.dest_address = NULL;
64         search.in.dest_port = 0;
65         search.in.acct_control = -1;
66         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
67         search.in.map_response = true;
68
69         empty_search = search;
70
71         printf("Trying without any attributes\n");
72         search = empty_search;
73         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
74         CHECK_STATUS(status, NT_STATUS_OK);
75
76         n1 = search.out.netlogon;
77
78         search.in.user         = "Administrator";
79         search.in.realm        = n1.data.nt5_ex.dns_domain;
80         search.in.host         = "__cldap_torture__";
81
82         printf("Scanning for netlogon levels\n");
83         for (i=0;i<256;i++) {
84                 search.in.version = i;
85                 printf("Trying netlogon level %d\n", i);
86                 status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
87                 CHECK_STATUS(status, NT_STATUS_OK);
88         }
89
90         printf("Scanning for netlogon level bits\n");
91         for (i=0;i<31;i++) {
92                 search.in.version = (1<<i);
93                 printf("Trying netlogon level 0x%x\n", i);
94                 status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
95                 CHECK_STATUS(status, NT_STATUS_OK);
96         }
97
98         search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
99
100         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
101         CHECK_STATUS(status, NT_STATUS_OK);
102
103         printf("Trying with User=NULL\n");
104
105         search.in.user = NULL;
106         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
107         CHECK_STATUS(status, NT_STATUS_OK);
108         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
109         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
110
111         printf("Trying with User=Administrator\n");
112
113         search.in.user = "Administrator";
114         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
115         CHECK_STATUS(status, NT_STATUS_OK);
116
117         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
118         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
119
120         search.in.version = NETLOGON_NT_VERSION_5;
121         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
122         CHECK_STATUS(status, NT_STATUS_OK);
123
124         printf("Trying with User=NULL\n");
125
126         search.in.user = NULL;
127         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
128         CHECK_STATUS(status, NT_STATUS_OK);
129         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
130         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
131
132         printf("Trying with User=Administrator\n");
133
134         search.in.user = "Administrator";
135         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
136         CHECK_STATUS(status, NT_STATUS_OK);
137
138         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
139         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
140
141         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
142
143         printf("Trying with a GUID\n");
144         search.in.realm       = NULL;
145         search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
146         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
147         CHECK_STATUS(status, NT_STATUS_OK);
148         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
149         CHECK_STRING(GUID_string(tctx, &search.out.netlogon.data.nt5_ex.domain_uuid), search.in.domain_guid);
150
151         printf("Trying with a incorrect GUID\n");
152         guid = GUID_random();
153         search.in.user        = NULL;
154         search.in.domain_guid = GUID_string(tctx, &guid);
155         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
156         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
157
158         printf("Trying with a AAC\n");
159         search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
160         search.in.realm = n1.data.nt5_ex.dns_domain;
161         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
162         CHECK_STATUS(status, NT_STATUS_OK);
163         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
164         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
165
166         printf("Trying with a zero AAC\n");
167         search.in.acct_control = 0x0;
168         search.in.realm = n1.data.nt5_ex.dns_domain;
169         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
170         CHECK_STATUS(status, NT_STATUS_OK);
171         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
172         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
173
174         printf("Trying with a zero AAC and user=Administrator\n");
175         search.in.acct_control = 0x0;
176         search.in.user = "Administrator";
177         search.in.realm = n1.data.nt5_ex.dns_domain;
178         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
179         CHECK_STATUS(status, NT_STATUS_OK);
180         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
181         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "Administrator");
182
183         printf("Trying with a bad AAC\n");
184         search.in.user = NULL;
185         search.in.acct_control = 0xFF00FF00;
186         search.in.realm = n1.data.nt5_ex.dns_domain;
187         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
188         CHECK_STATUS(status, NT_STATUS_OK);
189         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
190         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
191
192         printf("Trying with a user only\n");
193         search = empty_search;
194         search.in.user = "Administrator";
195         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
196         CHECK_STATUS(status, NT_STATUS_OK);
197         CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
198         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
199         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
200
201         printf("Trying with just a bad username\n");
202         search.in.user = "___no_such_user___";
203         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
204         CHECK_STATUS(status, NT_STATUS_OK);
205         CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
206         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
207         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
208         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
209
210         printf("Trying with just a bad domain\n");
211         search = empty_search;
212         search.in.realm = "___no_such_domain___";
213         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
214         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
215
216         printf("Trying with a incorrect domain and correct guid\n");
217         search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
218         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
219         CHECK_STATUS(status, NT_STATUS_OK);
220         CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
221         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
222         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
223         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
224
225         printf("Trying with a incorrect domain and incorrect guid\n");
226         search.in.domain_guid = GUID_string(tctx, &guid);
227         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
228         CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
229         CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
230         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
231         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
232         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
233
234         printf("Trying with a incorrect GUID and correct domain\n");
235         search.in.domain_guid = GUID_string(tctx, &guid);
236         search.in.realm = n1.data.nt5_ex.dns_domain;
237         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
238         CHECK_STATUS(status, NT_STATUS_OK);
239         CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
240         CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
241         CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
242         CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
243
244         return true;
245 }
246
247 /*
248   test cldap netlogon server type flags
249 */
250 static bool test_cldap_netlogon_flags(struct torture_context *tctx,
251         const char *dest)
252 {
253         struct cldap_socket *cldap;
254         NTSTATUS status;
255         struct cldap_netlogon search;
256         struct netlogon_samlogon_response n1;
257         uint32_t server_type;
258         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
259
260         /* cldap_socket_init should now know about the dest. address */
261         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
262         CHECK_STATUS(status, NT_STATUS_OK);
263
264         printf("Printing out netlogon server type flags: %s\n", dest);
265
266         ZERO_STRUCT(search);
267         search.in.dest_address = dest;
268         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
269         search.in.acct_control = -1;
270         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
271         search.in.map_response = true;
272
273         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
274         CHECK_STATUS(status, NT_STATUS_OK);
275
276         n1 = search.out.netlogon;
277         if (n1.ntver == NETLOGON_NT_VERSION_5)
278                 server_type = n1.data.nt5.server_type;
279         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
280                 server_type = n1.data.nt5_ex.server_type;       
281
282         printf("The word is: %i\n", server_type);
283         if (server_type & NBT_SERVER_PDC)
284                 printf("NBT_SERVER_PDC ");
285         if (server_type & NBT_SERVER_GC)
286                 printf("NBT_SERVER_GC ");
287         if (server_type & NBT_SERVER_LDAP)
288                 printf("NBT_SERVER_LDAP ");
289         if (server_type & NBT_SERVER_DS)
290                 printf("NBT_SERVER_DS ");
291         if (server_type & NBT_SERVER_KDC)
292                 printf("NBT_SERVER_KDC ");
293         if (server_type & NBT_SERVER_TIMESERV)
294                 printf("NBT_SERVER_TIMESERV ");
295         if (server_type & NBT_SERVER_CLOSEST)
296                 printf("NBT_SERVER_CLOSEST ");
297         if (server_type & NBT_SERVER_WRITABLE)
298                 printf("NBT_SERVER_WRITABLE ");
299         if (server_type & NBT_SERVER_GOOD_TIMESERV)
300                 printf("NBT_SERVER_GOOD_TIMESERV ");
301         if (server_type & NBT_SERVER_NDNC)
302                 printf("NBT_SERVER_NDNC ");
303         if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6)
304                 printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6");
305         if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6)
306                 printf("NBT_SERVER_FULL_SECRET_DOMAIN_6");
307         if (server_type & DS_DNS_CONTROLLER)
308                 printf("DS_DNS_CONTROLLER ");
309         if (server_type & DS_DNS_DOMAIN)
310                 printf("DS_DNS_DOMAIN ");
311         if (server_type & DS_DNS_FOREST_ROOT)
312                 printf("DS_DNS_FOREST_ROOT ");
313
314         printf("\n");
315
316         return true;
317 }
318
319 /*
320   convert a ldap result message to a ldb message. This allows us to
321   use the convenient ldif dump routines in ldb to print out cldap
322   search results
323 */
324 static struct ldb_message *ldap_msg_to_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldap_SearchResEntry *res)
325 {
326         struct ldb_message *msg;
327
328         msg = ldb_msg_new(mem_ctx);
329         msg->dn = ldb_dn_new(msg, ldb, res->dn);
330         msg->num_elements = res->num_attributes;
331         msg->elements = talloc_steal(msg, res->attributes);
332         return msg;
333 }
334
335 /*
336   dump a set of cldap results
337 */
338 static void cldap_dump_results(struct cldap_search *search)
339 {
340         struct ldb_ldif ldif;
341         struct ldb_context *ldb;
342
343         if (!search || !(search->out.response)) {
344                 return;
345         }
346
347         /* we need a ldb context to use ldb_ldif_write_file() */
348         ldb = ldb_init(NULL, NULL);
349
350         ZERO_STRUCT(ldif);
351         ldif.msg = ldap_msg_to_ldb(ldb, ldb, search->out.response);
352
353         ldb_ldif_write_file(ldb, stdout, &ldif);
354
355         talloc_free(ldb);
356 }
357
358
359 /*
360   test cldap netlogon server type flag "NBT_SERVER_FOREST_ROOT"
361 */
362 static bool test_cldap_netlogon_flag_ds_dns_forest(struct torture_context *tctx,
363         const char *dest)
364 {
365         struct cldap_socket *cldap;
366         NTSTATUS status;
367         struct cldap_netlogon search;
368         uint32_t server_type;
369         struct netlogon_samlogon_response n1;
370         struct smb_iconv_convenience *iconv_convenience = lp_iconv_convenience(tctx->lp_ctx);
371         bool result = true;
372
373         /* cldap_socket_init should now know about the dest. address */
374         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
375         CHECK_STATUS(status, NT_STATUS_OK);
376
377         printf("Testing netlogon server type flag NBT_SERVER_FOREST_ROOT: ");
378
379         ZERO_STRUCT(search);
380         search.in.dest_address = dest;
381         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
382         search.in.acct_control = -1;
383         search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
384         search.in.map_response = true;
385
386         status = cldap_netlogon(cldap, iconv_convenience, tctx, &search);
387         CHECK_STATUS(status, NT_STATUS_OK);
388
389         n1 = search.out.netlogon;
390         if (n1.ntver == NETLOGON_NT_VERSION_5)
391                 server_type = n1.data.nt5.server_type;
392         else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
393                 server_type = n1.data.nt5_ex.server_type;
394
395         if (server_type & DS_DNS_FOREST_ROOT) {
396                 struct cldap_search search2;
397                 const char *attrs[] = { "defaultNamingContext", "rootDomainNamingContext", 
398                         NULL };
399                 struct ldb_context *ldb;
400                 struct ldb_message *msg;
401
402                 /* Trying to fetch the attributes "defaultNamingContext" and
403                    "rootDomainNamingContext" */
404                 ZERO_STRUCT(search2);
405                 search2.in.dest_address = dest;
406                 search2.in.dest_port = lp_cldap_port(tctx->lp_ctx);
407                 search2.in.timeout = 10;
408                 search2.in.retries = 3;
409                 search2.in.filter = "(objectclass=*)";
410                 search2.in.attributes = attrs;
411
412                 status = cldap_search(cldap, tctx, &search2);
413                 CHECK_STATUS(status, NT_STATUS_OK);
414
415                 ldb = ldb_init(NULL, NULL);
416
417                 msg = ldap_msg_to_ldb(ldb, ldb, search2.out.response);
418
419                 /* Try to compare the two attributes */
420                 if (ldb_msg_element_compare(ldb_msg_find_element(msg, attrs[0]),
421                         ldb_msg_find_element(msg, attrs[1])))
422                         result = false;
423
424                 talloc_free(ldb);
425         }
426
427         if (result)
428                 printf("passed\n");
429         else
430                 printf("failed\n");
431
432         return result;
433 }
434
435 /*
436   test generic cldap operations
437 */
438 static bool test_cldap_generic(struct torture_context *tctx, const char *dest)
439 {
440         struct cldap_socket *cldap;
441         NTSTATUS status;
442         struct cldap_search search;
443         const char *attrs1[] = { "currentTime", "highestCommittedUSN", NULL };
444         const char *attrs2[] = { "currentTime", "highestCommittedUSN", "netlogon", NULL };
445         const char *attrs3[] = { "netlogon", NULL };
446
447         /* cldap_socket_init should now know about the dest. address */
448         status = cldap_socket_init(tctx, NULL, NULL, NULL, &cldap);
449         CHECK_STATUS(status, NT_STATUS_OK);
450
451         ZERO_STRUCT(search);
452         search.in.dest_address = dest;
453         search.in.dest_port = lp_cldap_port(tctx->lp_ctx);
454         search.in.timeout = 10;
455         search.in.retries = 3;
456
457         status = cldap_search(cldap, tctx, &search);
458         CHECK_STATUS(status, NT_STATUS_OK);
459
460         printf("fetching whole rootDSE\n");
461         search.in.filter = "(objectclass=*)";
462         search.in.attributes = NULL;
463
464         status = cldap_search(cldap, tctx, &search);
465         CHECK_STATUS(status, NT_STATUS_OK);
466
467         if (DEBUGLVL(3)) cldap_dump_results(&search);
468
469         printf("fetching currentTime and USN\n");
470         search.in.filter = "(objectclass=*)";
471         search.in.attributes = attrs1;
472
473         status = cldap_search(cldap, tctx, &search);
474         CHECK_STATUS(status, NT_STATUS_OK);
475         
476         if (DEBUGLVL(3)) cldap_dump_results(&search);
477
478         printf("Testing currentTime, USN and netlogon\n");
479         search.in.filter = "(objectclass=*)";
480         search.in.attributes = attrs2;
481
482         status = cldap_search(cldap, tctx, &search);
483         CHECK_STATUS(status, NT_STATUS_OK);
484
485         if (DEBUGLVL(3)) cldap_dump_results(&search);
486
487         printf("Testing objectClass=* and netlogon\n");
488         search.in.filter = "(objectclass2=*)";
489         search.in.attributes = attrs3;
490
491         status = cldap_search(cldap, tctx, &search);
492         CHECK_STATUS(status, NT_STATUS_OK);
493
494         if (DEBUGLVL(3)) cldap_dump_results(&search);
495
496         printf("Testing a false expression\n");
497         search.in.filter = "(&(objectclass=*)(highestCommittedUSN=2))";
498         search.in.attributes = attrs1;
499
500         status = cldap_search(cldap, tctx, &search);
501         CHECK_STATUS(status, NT_STATUS_OK);
502
503         if (DEBUGLVL(3)) cldap_dump_results(&search);   
504
505         return true;    
506 }
507
508 bool torture_cldap(struct torture_context *torture)
509 {
510         bool ret = true;
511         const char *host = torture_setting_string(torture, "host", NULL);
512
513         ret &= test_cldap_netlogon(torture, host);
514         ret &= test_cldap_netlogon_flags(torture, host);
515         ret &= test_cldap_netlogon_flag_ds_dns_forest(torture, host);
516         ret &= test_cldap_generic(torture, host);
517
518         return ret;
519 }
520