r19392: Use torture_setting_* rather than lp_parm_* where possible.
[sfrench/samba-autobuild/.git] / source4 / torture / rpc / samba3rpc.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    dcerpc torture tests, designed to walk Samba3 code paths
5
6    Copyright (C) Volker Lendecke 2006
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/rap/rap.h"
26 #include "torture/torture.h"
27 #include "torture/util.h"
28 #include "torture/rap/proto.h"
29 #include "librpc/gen_ndr/ndr_lsa.h"
30 #include "librpc/gen_ndr/ndr_lsa_c.h"
31 #include "librpc/gen_ndr/ndr_samr.h"
32 #include "librpc/gen_ndr/ndr_samr_c.h"
33 #include "librpc/gen_ndr/ndr_netlogon.h"
34 #include "librpc/gen_ndr/ndr_netlogon_c.h"
35 #include "librpc/gen_ndr/ndr_srvsvc.h"
36 #include "librpc/gen_ndr/ndr_srvsvc_c.h"
37 #include "librpc/gen_ndr/ndr_spoolss.h"
38 #include "librpc/gen_ndr/ndr_spoolss_c.h"
39 #include "librpc/gen_ndr/ndr_winreg.h"
40 #include "librpc/gen_ndr/ndr_winreg_c.h"
41 #include "librpc/gen_ndr/ndr_wkssvc.h"
42 #include "librpc/gen_ndr/ndr_wkssvc_c.h"
43 #include "lib/cmdline/popt_common.h"
44 #include "librpc/rpc/dcerpc.h"
45 #include "torture/rpc/rpc.h"
46 #include "libcli/libcli.h"
47 #include "libcli/composite/composite.h"
48 #include "libcli/smb_composite/smb_composite.h"
49 #include "libcli/auth/libcli_auth.h"
50 #include "libcli/auth/credentials.h"
51 #include "lib/crypto/crypto.h"
52 #include "libcli/security/proto.h"
53
54 static struct cli_credentials *create_anon_creds(TALLOC_CTX *mem_ctx)
55 {
56         struct cli_credentials *result;
57
58         if (!(result = cli_credentials_init(mem_ctx))) {
59                 return NULL;
60         }
61
62         cli_credentials_set_conf(result);
63         cli_credentials_set_anonymous(result);
64
65         return result;
66 }
67
68 /*
69  * This tests a RPC call using an invalid vuid
70  */
71
72 BOOL torture_bind_authcontext(struct torture_context *torture) 
73 {
74         TALLOC_CTX *mem_ctx;
75         NTSTATUS status;
76         BOOL ret = False;
77         struct lsa_ObjectAttribute objectattr;
78         struct lsa_OpenPolicy2 openpolicy;
79         struct policy_handle handle;
80         struct lsa_Close close_handle;
81         struct smbcli_session *tmp;
82         struct smbcli_session *session2;
83         struct smbcli_state *cli;
84         struct dcerpc_pipe *lsa_pipe;
85         struct cli_credentials *anon_creds;
86         struct smb_composite_sesssetup setup;
87
88         mem_ctx = talloc_init("torture_bind_authcontext");
89
90         if (mem_ctx == NULL) {
91                 d_printf("talloc_init failed\n");
92                 return False;
93         }
94
95         status = smbcli_full_connection(mem_ctx, &cli,
96                                         torture_setting_string(torture, "host", NULL),
97                                         "IPC$", NULL, cmdline_credentials,
98                                         NULL);
99         if (!NT_STATUS_IS_OK(status)) {
100                 d_printf("smbcli_full_connection failed: %s\n",
101                          nt_errstr(status));
102                 goto done;
103         }
104
105         lsa_pipe = dcerpc_pipe_init(mem_ctx, cli->transport->socket->event.ctx);
106         if (lsa_pipe == NULL) {
107                 d_printf("dcerpc_pipe_init failed\n");
108                 goto done;
109         }
110
111         status = dcerpc_pipe_open_smb(lsa_pipe->conn, cli->tree, "\\lsarpc");
112         if (!NT_STATUS_IS_OK(status)) {
113                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
114                          nt_errstr(status));
115                 goto done;
116         }
117
118         status = dcerpc_bind_auth_none(lsa_pipe, &dcerpc_table_lsarpc);
119         if (!NT_STATUS_IS_OK(status)) {
120                 d_printf("dcerpc_bind_auth_none failed: %s\n",
121                          nt_errstr(status));
122                 goto done;
123         }
124
125         openpolicy.in.system_name =talloc_asprintf(
126                 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
127         ZERO_STRUCT(objectattr);
128         openpolicy.in.attr = &objectattr;
129         openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
130         openpolicy.out.handle = &handle;
131
132         status = dcerpc_lsa_OpenPolicy2(lsa_pipe, mem_ctx, &openpolicy);
133
134         if (!NT_STATUS_IS_OK(status)) {
135                 d_printf("dcerpc_lsa_OpenPolicy2 failed: %s\n",
136                          nt_errstr(status));
137                 goto done;
138         }
139
140         close_handle.in.handle = &handle;
141         close_handle.out.handle = &handle;
142
143         status = dcerpc_lsa_Close(lsa_pipe, mem_ctx, &close_handle);
144         if (!NT_STATUS_IS_OK(status)) {
145                 d_printf("dcerpc_lsa_Close failed: %s\n",
146                          nt_errstr(status));
147                 goto done;
148         }
149
150         session2 = smbcli_session_init(cli->transport, mem_ctx, False);
151         if (session2 == NULL) {
152                 d_printf("smbcli_session_init failed\n");
153                 goto done;
154         }
155
156         if (!(anon_creds = create_anon_creds(mem_ctx))) {
157                 d_printf("create_anon_creds failed\n");
158                 goto done;
159         }
160
161         setup.in.sesskey = cli->transport->negotiate.sesskey;
162         setup.in.capabilities = cli->transport->negotiate.capabilities;
163         setup.in.workgroup = "";
164         setup.in.credentials = anon_creds;
165
166         status = smb_composite_sesssetup(session2, &setup);
167         if (!NT_STATUS_IS_OK(status)) {
168                 d_printf("anon session setup failed: %s\n",
169                          nt_errstr(status));
170                 goto done;
171         }
172
173         tmp = cli->tree->session;
174         cli->tree->session = session2;
175
176         status = dcerpc_lsa_OpenPolicy2(lsa_pipe, mem_ctx, &openpolicy);
177
178         cli->tree->session = tmp;
179         talloc_free(lsa_pipe);
180         lsa_pipe = NULL;
181
182         if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
183                 d_printf("dcerpc_lsa_OpenPolicy2 with wrong vuid gave %s, "
184                          "expected NT_STATUS_INVALID_HANDLE\n",
185                          nt_errstr(status));
186                 goto done;
187         }
188
189         ret = True;
190  done:
191         talloc_free(mem_ctx);
192         return ret;
193 }
194
195 /*
196  * Bind to lsa using a specific auth method
197  */
198
199 static BOOL bindtest(struct smbcli_state *cli,
200                      struct cli_credentials *credentials,
201                      uint8_t auth_type, uint8_t auth_level)
202 {
203         TALLOC_CTX *mem_ctx;
204         BOOL ret = False;
205         NTSTATUS status;
206
207         struct dcerpc_pipe *lsa_pipe;
208         struct lsa_ObjectAttribute objectattr;
209         struct lsa_OpenPolicy2 openpolicy;
210         struct lsa_QueryInfoPolicy query;
211         struct policy_handle handle;
212         struct lsa_Close close_handle;
213
214         if ((mem_ctx = talloc_init("bindtest")) == NULL) {
215                 d_printf("talloc_init failed\n");
216                 return False;
217         }
218
219         lsa_pipe = dcerpc_pipe_init(mem_ctx,
220                                     cli->transport->socket->event.ctx);
221         if (lsa_pipe == NULL) {
222                 d_printf("dcerpc_pipe_init failed\n");
223                 goto done;
224         }
225
226         status = dcerpc_pipe_open_smb(lsa_pipe->conn, cli->tree, "\\lsarpc");
227         if (!NT_STATUS_IS_OK(status)) {
228                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
229                          nt_errstr(status));
230                 goto done;
231         }
232
233         status = dcerpc_bind_auth(lsa_pipe, &dcerpc_table_lsarpc,
234                                   credentials, auth_type, auth_level,
235                                   NULL);
236         if (!NT_STATUS_IS_OK(status)) {
237                 d_printf("dcerpc_bind_auth failed: %s\n", nt_errstr(status));
238                 goto done;
239         }
240
241         openpolicy.in.system_name =talloc_asprintf(
242                 mem_ctx, "\\\\%s", dcerpc_server_name(lsa_pipe));
243         ZERO_STRUCT(objectattr);
244         openpolicy.in.attr = &objectattr;
245         openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
246         openpolicy.out.handle = &handle;
247
248         status = dcerpc_lsa_OpenPolicy2(lsa_pipe, mem_ctx, &openpolicy);
249
250         if (!NT_STATUS_IS_OK(status)) {
251                 d_printf("dcerpc_lsa_OpenPolicy2 failed: %s\n",
252                          nt_errstr(status));
253                 goto done;
254         }
255
256         query.in.handle = &handle;
257         query.in.level = LSA_POLICY_INFO_DOMAIN;
258
259         status = dcerpc_lsa_QueryInfoPolicy(lsa_pipe, mem_ctx, &query);
260         if (!NT_STATUS_IS_OK(status)) {
261                 d_printf("dcerpc_lsa_QueryInfoPolicy failed: %s\n",
262                          nt_errstr(status));
263                 goto done;
264         }
265
266         close_handle.in.handle = &handle;
267         close_handle.out.handle = &handle;
268
269         status = dcerpc_lsa_Close(lsa_pipe, mem_ctx, &close_handle);
270         if (!NT_STATUS_IS_OK(status)) {
271                 d_printf("dcerpc_lsa_Close failed: %s\n",
272                          nt_errstr(status));
273                 goto done;
274         }
275
276         ret = True;
277  done:
278         talloc_free(mem_ctx);
279         return ret;
280 }
281
282 /*
283  * test authenticated RPC binds with the variants Samba3 does support
284  */
285
286 BOOL torture_bind_samba3(struct torture_context *torture) 
287 {
288         TALLOC_CTX *mem_ctx;
289         NTSTATUS status;
290         BOOL ret = False;
291         struct smbcli_state *cli;
292
293         mem_ctx = talloc_init("torture_bind_authcontext");
294
295         if (mem_ctx == NULL) {
296                 d_printf("talloc_init failed\n");
297                 return False;
298         }
299
300         status = smbcli_full_connection(mem_ctx, &cli,
301                                         torture_setting_string(torture, "host", NULL),
302                                         "IPC$", NULL, cmdline_credentials,
303                                         NULL);
304         if (!NT_STATUS_IS_OK(status)) {
305                 d_printf("smbcli_full_connection failed: %s\n",
306                          nt_errstr(status));
307                 goto done;
308         }
309
310         ret = True;
311
312         ret &= bindtest(cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
313                         DCERPC_AUTH_LEVEL_INTEGRITY);
314         ret &= bindtest(cli, cmdline_credentials, DCERPC_AUTH_TYPE_NTLMSSP,
315                         DCERPC_AUTH_LEVEL_PRIVACY);
316         ret &= bindtest(cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
317                         DCERPC_AUTH_LEVEL_INTEGRITY);
318         ret &= bindtest(cli, cmdline_credentials, DCERPC_AUTH_TYPE_SPNEGO,
319                         DCERPC_AUTH_LEVEL_PRIVACY);
320
321  done:
322         talloc_free(mem_ctx);
323         return ret;
324 }
325
326 /*
327  * Lookup or create a user and return all necessary info
328  */
329
330 static NTSTATUS get_usr_handle(struct smbcli_state *cli,
331                                TALLOC_CTX *mem_ctx,
332                                struct cli_credentials *admin_creds,
333                                uint8_t auth_type,
334                                uint8_t auth_level,
335                                const char *username,
336                                char **domain,
337                                struct dcerpc_pipe **result_pipe,
338                                struct policy_handle **result_handle,
339                                struct dom_sid **sid)
340 {
341         struct dcerpc_pipe *samr_pipe;
342         NTSTATUS status;
343         struct policy_handle conn_handle;
344         struct policy_handle domain_handle;
345         struct policy_handle *user_handle;
346         struct samr_Connect2 conn;
347         struct samr_EnumDomains enumdom;
348         uint32_t resume_handle = 0;
349         struct samr_LookupDomain l;
350         int dom_idx;
351         struct lsa_String domain_name;
352         struct lsa_String user_name;
353         struct samr_OpenDomain o;
354         struct samr_CreateUser2 c;
355         uint32_t user_rid,access_granted;
356
357         samr_pipe = dcerpc_pipe_init(mem_ctx,
358                                      cli->transport->socket->event.ctx);
359         if (samr_pipe == NULL) {
360                 d_printf("dcerpc_pipe_init failed\n");
361                 status = NT_STATUS_NO_MEMORY;
362                 goto fail;
363         }
364
365         status = dcerpc_pipe_open_smb(samr_pipe->conn, cli->tree, "\\samr");
366         if (!NT_STATUS_IS_OK(status)) {
367                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
368                          nt_errstr(status));
369                 goto fail;
370         }
371
372         if (admin_creds != NULL) {
373                 status = dcerpc_bind_auth(samr_pipe, &dcerpc_table_samr,
374                                           admin_creds, auth_type, auth_level,
375                                           NULL);
376                 if (!NT_STATUS_IS_OK(status)) {
377                         d_printf("dcerpc_bind_auth failed: %s\n",
378                                  nt_errstr(status));
379                         goto fail;
380                 }
381         } else {
382                 /* We must have an authenticated SMB connection */
383                 status = dcerpc_bind_auth_none(samr_pipe, &dcerpc_table_samr);
384                 if (!NT_STATUS_IS_OK(status)) {
385                         d_printf("dcerpc_bind_auth_none failed: %s\n",
386                                  nt_errstr(status));
387                         goto fail;
388                 }
389         }
390
391         conn.in.system_name = talloc_asprintf(
392                 mem_ctx, "\\\\%s", dcerpc_server_name(samr_pipe));
393         conn.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
394         conn.out.connect_handle = &conn_handle;
395
396         status = dcerpc_samr_Connect2(samr_pipe, mem_ctx, &conn);
397         if (!NT_STATUS_IS_OK(status)) {
398                 d_printf("samr_Connect2 failed: %s\n", nt_errstr(status));
399                 goto fail;
400         }
401
402         enumdom.in.connect_handle = &conn_handle;
403         enumdom.in.resume_handle = &resume_handle;
404         enumdom.in.buf_size = (uint32_t)-1;
405         enumdom.out.resume_handle = &resume_handle;
406
407         status = dcerpc_samr_EnumDomains(samr_pipe, mem_ctx, &enumdom);
408         if (!NT_STATUS_IS_OK(status)) {
409                 d_printf("samr_EnumDomains failed: %s\n", nt_errstr(status));
410                 goto fail;
411         }
412
413         if (enumdom.out.num_entries != 2) {
414                 d_printf("samr_EnumDomains returned %d entries, expected 2\n",
415                          enumdom.out.num_entries);
416                 status = NT_STATUS_UNSUCCESSFUL;
417                 goto fail;
418         }
419
420         dom_idx = strequal(enumdom.out.sam->entries[0].name.string,
421                            "builtin") ? 1:0;
422
423         l.in.connect_handle = &conn_handle;
424         domain_name.string = enumdom.out.sam->entries[0].name.string;
425         *domain = talloc_strdup(mem_ctx, domain_name.string);
426         l.in.domain_name = &domain_name;
427
428         status = dcerpc_samr_LookupDomain(samr_pipe, mem_ctx, &l);
429         if (!NT_STATUS_IS_OK(status)) {
430                 d_printf("samr_LookupDomain failed: %s\n", nt_errstr(status));
431                 goto fail;
432         }
433
434         o.in.connect_handle = &conn_handle;
435         o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
436         o.in.sid = l.out.sid;
437         o.out.domain_handle = &domain_handle;
438
439         status = dcerpc_samr_OpenDomain(samr_pipe, mem_ctx, &o);
440         if (!NT_STATUS_IS_OK(status)) {
441                 d_printf("samr_OpenDomain failed: %s\n", nt_errstr(status));
442                 goto fail;
443         }
444
445         c.in.domain_handle = &domain_handle;
446         user_name.string = username;
447         c.in.account_name = &user_name;
448         c.in.acct_flags = ACB_NORMAL;
449         c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
450         user_handle = talloc(mem_ctx, struct policy_handle);
451         c.out.user_handle = user_handle;
452         c.out.access_granted = &access_granted;
453         c.out.rid = &user_rid;
454
455         status = dcerpc_samr_CreateUser2(samr_pipe, mem_ctx, &c);
456
457         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
458                 struct samr_LookupNames ln;
459                 struct samr_OpenUser ou;
460
461                 ln.in.domain_handle = &domain_handle;
462                 ln.in.num_names = 1;
463                 ln.in.names = &user_name;
464
465                 status = dcerpc_samr_LookupNames(samr_pipe, mem_ctx, &ln);
466                 if (!NT_STATUS_IS_OK(status)) {
467                         d_printf("samr_LookupNames failed: %s\n",
468                                  nt_errstr(status));
469                         goto fail;
470                 }
471
472                 ou.in.domain_handle = &domain_handle;
473                 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
474                 user_rid = ou.in.rid = ln.out.rids.ids[0];
475                 ou.out.user_handle = user_handle;
476
477                 status = dcerpc_samr_OpenUser(samr_pipe, mem_ctx, &ou);
478                 if (!NT_STATUS_IS_OK(status)) {
479                         d_printf("samr_OpenUser failed: %s\n",
480                                  nt_errstr(status));
481                         goto fail;
482                 }
483         }
484
485         if (!NT_STATUS_IS_OK(status)) {
486                 d_printf("samr_CreateUser failed: %s\n", nt_errstr(status));
487                 goto fail;
488         }
489
490         *result_pipe = samr_pipe;
491         *result_handle = user_handle;
492         if (sid != NULL) {
493                 *sid = dom_sid_add_rid(mem_ctx, l.out.sid, user_rid);
494         }
495         return NT_STATUS_OK;
496
497  fail:
498         return status;
499 }
500
501 /*
502  * Create a test user
503  */
504
505 static BOOL create_user(TALLOC_CTX *mem_ctx, struct smbcli_state *cli,
506                         struct cli_credentials *admin_creds,
507                         const char *username, const char *password,
508                         char **domain_name,
509                         struct dom_sid **user_sid)
510 {
511         TALLOC_CTX *tmp_ctx;
512         NTSTATUS status;
513         struct dcerpc_pipe *samr_pipe;
514         struct policy_handle *wks_handle;
515         BOOL ret = False;
516
517         if (!(tmp_ctx = talloc_new(mem_ctx))) {
518                 d_printf("talloc_init failed\n");
519                 return False;
520         }
521
522         status = get_usr_handle(cli, tmp_ctx, admin_creds,
523                                 DCERPC_AUTH_TYPE_NTLMSSP,
524                                 DCERPC_AUTH_LEVEL_INTEGRITY,
525                                 username, domain_name, &samr_pipe, &wks_handle,
526                                 user_sid);
527         if (!NT_STATUS_IS_OK(status)) {
528                 d_printf("get_wks_handle failed: %s\n", nt_errstr(status));
529                 goto done;
530         }
531
532         {
533                 struct samr_SetUserInfo2 sui2;
534                 struct samr_SetUserInfo sui;
535                 struct samr_QueryUserInfo qui;
536                 union samr_UserInfo u_info;
537                 DATA_BLOB session_key;
538
539                 encode_pw_buffer(u_info.info24.password.data, password,
540                                  STR_UNICODE);
541                 u_info.info24.pw_len =  strlen_m(password)*2;
542
543                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
544                 if (!NT_STATUS_IS_OK(status)) {
545                         d_printf("dcerpc_fetch_session_key failed\n");
546                         goto done;
547                 }
548                 arcfour_crypt_blob(u_info.info24.password.data, 516,
549                                    &session_key);
550                 sui2.in.user_handle = wks_handle;
551                 sui2.in.info = &u_info;
552                 sui2.in.level = 24;
553
554                 status = dcerpc_samr_SetUserInfo2(samr_pipe, tmp_ctx, &sui2);
555                 if (!NT_STATUS_IS_OK(status)) {
556                         d_printf("samr_SetUserInfo(24) failed: %s\n",
557                                  nt_errstr(status));
558                         goto done;
559                 }
560
561                 u_info.info16.acct_flags = ACB_NORMAL;
562                 sui.in.user_handle = wks_handle;
563                 sui.in.info = &u_info;
564                 sui.in.level = 16;
565
566                 status = dcerpc_samr_SetUserInfo(samr_pipe, tmp_ctx, &sui);
567                 if (!NT_STATUS_IS_OK(status)) {
568                         d_printf("samr_SetUserInfo(16) failed\n");
569                         goto done;
570                 }
571
572                 qui.in.user_handle = wks_handle;
573                 qui.in.level = 21;
574
575                 status = dcerpc_samr_QueryUserInfo(samr_pipe, tmp_ctx, &qui);
576                 if (!NT_STATUS_IS_OK(status)) {
577                         d_printf("samr_QueryUserInfo(21) failed\n");
578                         goto done;
579                 }
580
581                 qui.out.info->info21.allow_password_change = 0;
582                 qui.out.info->info21.force_password_change = 0;
583                 qui.out.info->info21.account_name.string = NULL;
584                 qui.out.info->info21.rid = 0;
585                 qui.out.info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */
586
587                 u_info.info21 = qui.out.info->info21;
588                 sui.in.user_handle = wks_handle;
589                 sui.in.info = &u_info;
590                 sui.in.level = 21;
591
592                 status = dcerpc_samr_SetUserInfo(samr_pipe, tmp_ctx, &sui);
593                 if (!NT_STATUS_IS_OK(status)) {
594                         d_printf("samr_SetUserInfo(21) failed\n");
595                         goto done;
596                 }
597         }
598
599         *domain_name= talloc_steal(mem_ctx, *domain_name);
600         *user_sid = talloc_steal(mem_ctx, *user_sid);
601         ret = True;
602  done:
603         talloc_free(tmp_ctx);
604         return ret;
605 }
606
607 /*
608  * Delete a test user
609  */
610
611 static BOOL delete_user(struct smbcli_state *cli,
612                         struct cli_credentials *admin_creds,
613                         const char *username)
614 {
615         TALLOC_CTX *mem_ctx;
616         NTSTATUS status;
617         char *dom_name;
618         struct dcerpc_pipe *samr_pipe;
619         struct policy_handle *user_handle;
620         BOOL ret = False;
621
622         if ((mem_ctx = talloc_init("leave")) == NULL) {
623                 d_printf("talloc_init failed\n");
624                 return False;
625         }
626
627         status = get_usr_handle(cli, mem_ctx, admin_creds,
628                                 DCERPC_AUTH_TYPE_NTLMSSP,
629                                 DCERPC_AUTH_LEVEL_INTEGRITY,
630                                 username, &dom_name, &samr_pipe,
631                                 &user_handle, NULL);
632
633         if (!NT_STATUS_IS_OK(status)) {
634                 d_printf("get_wks_handle failed: %s\n", nt_errstr(status));
635                 goto done;
636         }
637
638         {
639                 struct samr_DeleteUser d;
640
641                 d.in.user_handle = user_handle;
642                 d.out.user_handle = user_handle;
643
644                 status = dcerpc_samr_DeleteUser(samr_pipe, mem_ctx, &d);
645                 if (!NT_STATUS_IS_OK(status)) {
646                         d_printf("samr_DeleteUser failed\n");
647                         goto done;
648                 }
649         }
650
651         ret = True;
652
653  done:
654         talloc_free(mem_ctx);
655         return ret;
656 }
657
658 /*
659  * Do a Samba3-style join
660  */
661
662 static BOOL join3(struct smbcli_state *cli,
663                   BOOL use_level25,
664                   struct cli_credentials *admin_creds,
665                   struct cli_credentials *wks_creds)
666 {
667         TALLOC_CTX *mem_ctx;
668         NTSTATUS status;
669         char *dom_name;
670         struct dcerpc_pipe *samr_pipe;
671         struct policy_handle *wks_handle;
672         BOOL ret = False;
673
674         if ((mem_ctx = talloc_init("join3")) == NULL) {
675                 d_printf("talloc_init failed\n");
676                 return False;
677         }
678
679         status = get_usr_handle(
680                 cli, mem_ctx, admin_creds,
681                 DCERPC_AUTH_TYPE_NTLMSSP,
682                 DCERPC_AUTH_LEVEL_PRIVACY,
683                 talloc_asprintf(mem_ctx, "%s$",
684                                 cli_credentials_get_workstation(wks_creds)),
685                 &dom_name, &samr_pipe, &wks_handle, NULL);
686
687         if (!NT_STATUS_IS_OK(status)) {
688                 d_printf("get_wks_handle failed: %s\n", nt_errstr(status));
689                 goto done;
690         }
691
692         cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED);
693
694         if (use_level25) {
695                 struct samr_SetUserInfo2 sui2;
696                 union samr_UserInfo u_info;
697                 struct samr_UserInfo21 *i21 = &u_info.info25.info;
698                 DATA_BLOB session_key;
699                 DATA_BLOB confounded_session_key = data_blob_talloc(
700                         mem_ctx, NULL, 16);
701                 struct MD5Context ctx;
702                 uint8_t confounder[16];
703
704                 ZERO_STRUCT(u_info);
705
706                 i21->full_name.string = talloc_asprintf(
707                         mem_ctx, "%s$",
708                         cli_credentials_get_workstation(wks_creds));
709                 i21->acct_flags = ACB_WSTRUST;
710                 i21->fields_present = SAMR_FIELD_FULL_NAME |
711                         SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_PASSWORD;
712
713                 encode_pw_buffer(u_info.info25.password.data,
714                                  cli_credentials_get_password(wks_creds),
715                                  STR_UNICODE);
716                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
717                 if (!NT_STATUS_IS_OK(status)) {
718                         d_printf("dcerpc_fetch_session_key failed: %s\n",
719                                  nt_errstr(status));
720                         goto done;
721                 }
722                 generate_random_buffer((uint8_t *)confounder, 16);
723
724                 MD5Init(&ctx);
725                 MD5Update(&ctx, confounder, 16);
726                 MD5Update(&ctx, session_key.data, session_key.length);
727                 MD5Final(confounded_session_key.data, &ctx);
728
729                 arcfour_crypt_blob(u_info.info25.password.data, 516,
730                                    &confounded_session_key);
731                 memcpy(&u_info.info25.password.data[516], confounder, 16);
732
733                 sui2.in.user_handle = wks_handle;
734                 sui2.in.level = 25;
735                 sui2.in.info = &u_info;
736
737                 status = dcerpc_samr_SetUserInfo2(samr_pipe, mem_ctx, &sui2);
738                 if (!NT_STATUS_IS_OK(status)) {
739                         d_printf("samr_SetUserInfo2(25) failed: %s\n",
740                                  nt_errstr(status));
741                         goto done;
742                 }
743         } else {
744                 struct samr_SetUserInfo2 sui2;
745                 struct samr_SetUserInfo sui;
746                 union samr_UserInfo u_info;
747                 DATA_BLOB session_key;
748
749                 encode_pw_buffer(u_info.info24.password.data,
750                                  cli_credentials_get_password(wks_creds),
751                                  STR_UNICODE);
752                 u_info.info24.pw_len =
753                         strlen_m(cli_credentials_get_password(wks_creds))*2;
754
755                 status = dcerpc_fetch_session_key(samr_pipe, &session_key);
756                 if (!NT_STATUS_IS_OK(status)) {
757                         d_printf("dcerpc_fetch_session_key failed\n");
758                         goto done;
759                 }
760                 arcfour_crypt_blob(u_info.info24.password.data, 516,
761                                    &session_key);
762                 sui2.in.user_handle = wks_handle;
763                 sui2.in.info = &u_info;
764                 sui2.in.level = 24;
765
766                 status = dcerpc_samr_SetUserInfo2(samr_pipe, mem_ctx, &sui2);
767                 if (!NT_STATUS_IS_OK(status)) {
768                         d_printf("samr_SetUserInfo(24) failed: %s\n",
769                                  nt_errstr(status));
770                         goto done;
771                 }
772
773                 u_info.info16.acct_flags = ACB_WSTRUST;
774                 sui.in.user_handle = wks_handle;
775                 sui.in.info = &u_info;
776                 sui.in.level = 16;
777
778                 status = dcerpc_samr_SetUserInfo(samr_pipe, mem_ctx, &sui);
779                 if (!NT_STATUS_IS_OK(status)) {
780                         d_printf("samr_SetUserInfo(16) failed\n");
781                         goto done;
782                 }
783         }
784
785         ret = True;
786
787  done:
788         talloc_free(mem_ctx);
789         return ret;
790 }
791
792 /*
793  * Do a ReqChallenge/Auth2 and get the wks creds
794  */
795
796 static BOOL auth2(struct smbcli_state *cli,
797                   struct cli_credentials *wks_cred)
798 {
799         TALLOC_CTX *mem_ctx;
800         struct dcerpc_pipe *net_pipe;
801         BOOL result = False;
802         NTSTATUS status;
803         struct netr_ServerReqChallenge r;
804         struct netr_Credential netr_cli_creds;
805         struct netr_Credential netr_srv_creds;
806         uint32_t negotiate_flags;
807         struct netr_ServerAuthenticate2 a;
808         struct creds_CredentialState *creds_state;
809         struct netr_Credential netr_cred;
810         struct samr_Password mach_pw;
811
812         mem_ctx = talloc_new(NULL);
813         if (mem_ctx == NULL) {
814                 d_printf("talloc_new failed\n");
815                 return False;
816         }
817
818         net_pipe = dcerpc_pipe_init(mem_ctx,
819                                     cli->transport->socket->event.ctx);
820         if (net_pipe == NULL) {
821                 d_printf("dcerpc_pipe_init failed\n");
822                 goto done;
823         }
824
825         status = dcerpc_pipe_open_smb(net_pipe->conn, cli->tree, "\\netlogon");
826         if (!NT_STATUS_IS_OK(status)) {
827                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
828                          nt_errstr(status));
829                 goto done;
830         }
831
832         status = dcerpc_bind_auth_none(net_pipe, &dcerpc_table_netlogon);
833         if (!NT_STATUS_IS_OK(status)) {
834                 d_printf("dcerpc_bind_auth_none failed: %s\n",
835                          nt_errstr(status));
836                 goto done;
837         }
838
839         r.in.computer_name = cli_credentials_get_workstation(wks_cred);
840         r.in.server_name = talloc_asprintf(
841                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
842         if (r.in.server_name == NULL) {
843                 d_printf("talloc_asprintf failed\n");
844                 goto done;
845         }
846         generate_random_buffer(netr_cli_creds.data,
847                                sizeof(netr_cli_creds.data));
848         r.in.credentials = &netr_cli_creds;
849         r.out.credentials = &netr_srv_creds;
850
851         status = dcerpc_netr_ServerReqChallenge(net_pipe, mem_ctx, &r);
852         if (!NT_STATUS_IS_OK(status)) {
853                 d_printf("netr_ServerReqChallenge failed: %s\n",
854                          nt_errstr(status));
855                 goto done;
856         }
857
858         negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
859         E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
860
861         creds_state = talloc(mem_ctx, struct creds_CredentialState);
862         creds_client_init(creds_state, r.in.credentials,
863                           r.out.credentials, &mach_pw,
864                           &netr_cred, negotiate_flags);
865
866         a.in.server_name = talloc_asprintf(
867                 mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
868         a.in.account_name = talloc_asprintf(
869                 mem_ctx, "%s$", cli_credentials_get_workstation(wks_cred));
870         a.in.computer_name = cli_credentials_get_workstation(wks_cred);
871         a.in.secure_channel_type = SEC_CHAN_WKSTA;
872         a.in.negotiate_flags = &negotiate_flags;
873         a.out.negotiate_flags = &negotiate_flags;
874         a.in.credentials = &netr_cred;
875         a.out.credentials = &netr_cred;
876
877         status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a);
878         if (!NT_STATUS_IS_OK(status)) {
879                 d_printf("netr_ServerServerAuthenticate2 failed: %s\n",
880                          nt_errstr(status));
881                 goto done;
882         }
883
884         if (!creds_client_check(creds_state, a.out.credentials)) {
885                 d_printf("creds_client_check failed\n");
886                 goto done;
887         }
888
889         cli_credentials_set_netlogon_creds(wks_cred, creds_state);
890
891         result = True;
892
893  done:
894         talloc_free(mem_ctx);
895         return result;
896 }
897
898 /*
899  * Do a couple of schannel protected Netlogon ops: Interactive and Network
900  * login, and change the wks password
901  */
902
903 static BOOL schan(struct smbcli_state *cli,
904                   struct cli_credentials *wks_creds,
905                   struct cli_credentials *user_creds)
906 {
907         TALLOC_CTX *mem_ctx;
908         NTSTATUS status;
909         BOOL ret = False;
910         struct dcerpc_pipe *net_pipe;
911         int i;
912         
913         mem_ctx = talloc_new(NULL);
914         if (mem_ctx == NULL) {
915                 d_printf("talloc_new failed\n");
916                 return False;
917         }
918
919         net_pipe = dcerpc_pipe_init(mem_ctx,
920                                     cli->transport->socket->event.ctx);
921         if (net_pipe == NULL) {
922                 d_printf("dcerpc_pipe_init failed\n");
923                 goto done;
924         }
925
926         status = dcerpc_pipe_open_smb(net_pipe->conn, cli->tree, "\\netlogon");
927         if (!NT_STATUS_IS_OK(status)) {
928                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
929                          nt_errstr(status));
930                 goto done;
931         }
932
933 #if 0
934         net_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN |
935                 DCERPC_DEBUG_PRINT_OUT;
936 #endif
937 #if 1
938         net_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
939         status = dcerpc_bind_auth(net_pipe, &dcerpc_table_netlogon,
940                                   wks_creds, DCERPC_AUTH_TYPE_SCHANNEL,
941                                   DCERPC_AUTH_LEVEL_PRIVACY,
942                                   NULL);
943 #else
944         status = dcerpc_bind_auth_none(net_pipe, &dcerpc_table_netlogon);
945 #endif
946         if (!NT_STATUS_IS_OK(status)) {
947                 d_printf("schannel bind failed: %s\n", nt_errstr(status));
948                 goto done;
949         }
950
951
952         for (i=2; i<4; i++) {
953                 int flags;
954                 DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key;
955                 struct creds_CredentialState *creds_state;
956                 struct netr_Authenticator netr_auth, netr_auth2;
957                 struct netr_NetworkInfo ninfo;
958                 struct netr_PasswordInfo pinfo;
959                 struct netr_LogonSamLogon r;
960
961                 flags = CLI_CRED_LANMAN_AUTH | CLI_CRED_NTLM_AUTH |
962                         CLI_CRED_NTLMv2_AUTH;
963
964                 chal = data_blob_talloc(mem_ctx, NULL, 8);
965                 if (chal.data == NULL) {
966                         d_printf("data_blob_talloc failed\n");
967                         goto done;
968                 }
969
970                 generate_random_buffer(chal.data, chal.length);
971                 names_blob = NTLMv2_generate_names_blob(
972                         mem_ctx, cli_credentials_get_workstation(user_creds),
973                         cli_credentials_get_domain(user_creds));
974                 status = cli_credentials_get_ntlm_response(
975                         user_creds, mem_ctx, &flags, chal, names_blob,
976                         &lm_resp, &nt_resp, NULL, NULL);
977                 if (!NT_STATUS_IS_OK(status)) {
978                         d_printf("cli_credentials_get_ntlm_response failed:"
979                                  " %s\n", nt_errstr(status));
980                         goto done;
981                 }
982
983                 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
984                 creds_client_authenticator(creds_state, &netr_auth);
985
986                 ninfo.identity_info.account_name.string =
987                         cli_credentials_get_username(user_creds);
988                 ninfo.identity_info.domain_name.string =
989                         cli_credentials_get_domain(user_creds);
990                 ninfo.identity_info.parameter_control = 0;
991                 ninfo.identity_info.logon_id_low = 0;
992                 ninfo.identity_info.logon_id_high = 0;
993                 ninfo.identity_info.workstation.string =
994                         cli_credentials_get_workstation(user_creds);
995                 memcpy(ninfo.challenge, chal.data, sizeof(ninfo.challenge));
996                 ninfo.nt.length = nt_resp.length;
997                 ninfo.nt.data = nt_resp.data;
998                 ninfo.lm.length = lm_resp.length;
999                 ninfo.lm.data = lm_resp.data;
1000
1001                 r.in.server_name = talloc_asprintf(
1002                         mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1003                 ZERO_STRUCT(netr_auth2);
1004                 r.in.computer_name =
1005                         cli_credentials_get_workstation(wks_creds);
1006                 r.in.credential = &netr_auth;
1007                 r.in.return_authenticator = &netr_auth2;
1008                 r.in.logon_level = 2;
1009                 r.in.validation_level = i;
1010                 r.in.logon.network = &ninfo;
1011                 r.out.return_authenticator = NULL;
1012
1013                 status = dcerpc_netr_LogonSamLogon(net_pipe, mem_ctx, &r);
1014                 if (!NT_STATUS_IS_OK(status)) {
1015                         d_printf("netr_LogonSamLogon failed: %s\n",
1016                                  nt_errstr(status));
1017                         goto done;
1018                 }
1019
1020                 if ((r.out.return_authenticator == NULL) ||
1021                     (!creds_client_check(creds_state,
1022                                          &r.out.return_authenticator->cred))) {
1023                         d_printf("Credentials check failed!\n");
1024                         goto done;
1025                 }
1026
1027                 creds_client_authenticator(creds_state, &netr_auth);
1028
1029                 pinfo.identity_info = ninfo.identity_info;
1030                 ZERO_STRUCT(pinfo.lmpassword.hash);
1031                 E_md4hash(cli_credentials_get_password(user_creds),
1032                           pinfo.ntpassword.hash);
1033                 session_key = data_blob_talloc(mem_ctx,
1034                                                creds_state->session_key, 16);
1035                 arcfour_crypt_blob(pinfo.ntpassword.hash,
1036                                    sizeof(pinfo.ntpassword.hash),
1037                                    &session_key);
1038
1039                 r.in.logon_level = 1;
1040                 r.in.logon.password = &pinfo;
1041                 r.out.return_authenticator = NULL;
1042
1043                 status = dcerpc_netr_LogonSamLogon(net_pipe, mem_ctx, &r);
1044                 if (!NT_STATUS_IS_OK(status)) {
1045                         d_printf("netr_LogonSamLogon failed: %s\n",
1046                                  nt_errstr(status));
1047                         goto done;
1048                 }
1049
1050                 if ((r.out.return_authenticator == NULL) ||
1051                     (!creds_client_check(creds_state,
1052                                          &r.out.return_authenticator->cred))) {
1053                         d_printf("Credentials check failed!\n");
1054                         goto done;
1055                 }
1056         }
1057
1058         {
1059                 struct netr_ServerPasswordSet s;
1060                 char *password = generate_random_str(wks_creds, 8);
1061                 struct creds_CredentialState *creds_state;
1062
1063                 s.in.server_name = talloc_asprintf(
1064                         mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
1065                 s.in.computer_name = cli_credentials_get_workstation(wks_creds);
1066                 s.in.account_name = talloc_asprintf(
1067                         mem_ctx, "%s$", s.in.computer_name);
1068                 s.in.secure_channel_type = SEC_CHAN_WKSTA;
1069                 E_md4hash(password, s.in.new_password.hash);
1070
1071                 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
1072                 creds_des_encrypt(creds_state, &s.in.new_password);
1073                 creds_client_authenticator(creds_state, &s.in.credential);
1074
1075                 status = dcerpc_netr_ServerPasswordSet(net_pipe, mem_ctx, &s);
1076                 if (!NT_STATUS_IS_OK(status)) {
1077                         printf("ServerPasswordSet - %s\n", nt_errstr(status));
1078                         goto done;
1079                 }
1080
1081                 if (!creds_client_check(creds_state,
1082                                         &s.out.return_authenticator.cred)) {
1083                         printf("Credential chaining failed\n");
1084                 }
1085
1086                 cli_credentials_set_password(wks_creds, password,
1087                                              CRED_SPECIFIED);
1088         }
1089
1090         ret = True;
1091  done:
1092         talloc_free(mem_ctx);
1093         return ret;
1094 }
1095
1096 /*
1097  * Delete the wks account again
1098  */
1099
1100 static BOOL leave(struct smbcli_state *cli,
1101                   struct cli_credentials *admin_creds,
1102                   struct cli_credentials *wks_creds)
1103 {
1104         char *wks_name = talloc_asprintf(
1105                 NULL, "%s$", cli_credentials_get_workstation(wks_creds));
1106         BOOL ret;
1107
1108         ret = delete_user(cli, admin_creds, wks_name);
1109         talloc_free(wks_name);
1110         return ret;
1111 }
1112
1113 /*
1114  * Test the Samba3 DC code a bit. Join, do some schan netlogon ops, leave
1115  */
1116
1117 BOOL torture_netlogon_samba3(struct torture_context *torture)
1118 {
1119         TALLOC_CTX *mem_ctx;
1120         NTSTATUS status;
1121         BOOL ret = False;
1122         struct smbcli_state *cli;
1123         struct cli_credentials *anon_creds;
1124         struct cli_credentials *wks_creds;
1125         const char *wks_name;
1126         int i;
1127
1128         wks_name = torture_setting_string(torture, "wksname", NULL);
1129         if (wks_name == NULL) {
1130                 wks_name = get_myname();
1131         }
1132
1133         mem_ctx = talloc_init("torture_bind_authcontext");
1134
1135         if (mem_ctx == NULL) {
1136                 d_printf("talloc_init failed\n");
1137                 return False;
1138         }
1139
1140         if (!(anon_creds = create_anon_creds(mem_ctx))) {
1141                 d_printf("create_anon_creds failed\n");
1142                 goto done;
1143         }
1144
1145         status = smbcli_full_connection(mem_ctx, &cli,
1146                                         torture_setting_string(torture, "host", NULL),
1147                                         "IPC$", NULL, anon_creds, NULL);
1148         if (!NT_STATUS_IS_OK(status)) {
1149                 d_printf("smbcli_full_connection failed: %s\n",
1150                          nt_errstr(status));
1151                 goto done;
1152         }
1153
1154         wks_creds = cli_credentials_init(mem_ctx);
1155         if (wks_creds == NULL) {
1156                 d_printf("cli_credentials_init failed\n");
1157                 goto done;
1158         }
1159
1160         cli_credentials_set_conf(wks_creds);
1161         cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1162         cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1163         cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1164         cli_credentials_set_password(wks_creds,
1165                                      generate_random_str(wks_creds, 8),
1166                                      CRED_SPECIFIED);
1167
1168         if (!join3(cli, False, cmdline_credentials, wks_creds)) {
1169                 d_printf("join failed\n");
1170                 goto done;
1171         }
1172
1173         cli_credentials_set_domain(
1174                 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1175                 CRED_SPECIFIED);
1176
1177         for (i=0; i<2; i++) {
1178
1179                 /* Do this more than once, the routine "schan" changes
1180                  * the workstation password using the netlogon
1181                  * password change routine */
1182
1183                 int j;
1184
1185                 if (!auth2(cli, wks_creds)) {
1186                         d_printf("auth2 failed\n");
1187                         goto done;
1188                 }
1189
1190                 for (j=0; j<2; j++) {
1191                         if (!schan(cli, wks_creds, cmdline_credentials)) {
1192                                 d_printf("schan failed\n");
1193                                 goto done;
1194                         }
1195                 }
1196         }
1197
1198         if (!leave(cli, cmdline_credentials, wks_creds)) {
1199                 d_printf("leave failed\n");
1200                 goto done;
1201         }
1202
1203         ret = True;
1204
1205  done:
1206         talloc_free(mem_ctx);
1207         return ret;
1208 }
1209
1210 /*
1211  * Do a simple join, testjoin and leave using specified smb and samr
1212  * credentials
1213  */
1214
1215 static BOOL test_join3(TALLOC_CTX *mem_ctx,
1216                        BOOL use_level25,
1217                        struct cli_credentials *smb_creds,
1218                        struct cli_credentials *samr_creds,
1219                        const char *wks_name)
1220 {
1221         NTSTATUS status;
1222         BOOL ret = False;
1223         struct smbcli_state *cli;
1224         struct cli_credentials *wks_creds;
1225
1226         status = smbcli_full_connection(mem_ctx, &cli,
1227                                         lp_parm_string(-1, "torture", "host"),
1228                                         "IPC$", NULL, smb_creds, NULL);
1229         if (!NT_STATUS_IS_OK(status)) {
1230                 d_printf("smbcli_full_connection failed: %s\n",
1231                          nt_errstr(status));
1232                 goto done;
1233         }
1234
1235         wks_creds = cli_credentials_init(cli);
1236         if (wks_creds == NULL) {
1237                 d_printf("cli_credentials_init failed\n");
1238                 goto done;
1239         }
1240
1241         cli_credentials_set_conf(wks_creds);
1242         cli_credentials_set_secure_channel_type(wks_creds, SEC_CHAN_WKSTA);
1243         cli_credentials_set_username(wks_creds, wks_name, CRED_SPECIFIED);
1244         cli_credentials_set_workstation(wks_creds, wks_name, CRED_SPECIFIED);
1245         cli_credentials_set_password(wks_creds,
1246                                      generate_random_str(wks_creds, 8),
1247                                      CRED_SPECIFIED);
1248
1249         if (!join3(cli, use_level25, samr_creds, wks_creds)) {
1250                 d_printf("join failed\n");
1251                 goto done;
1252         }
1253
1254         cli_credentials_set_domain(
1255                 cmdline_credentials, cli_credentials_get_domain(wks_creds),
1256                 CRED_SPECIFIED);
1257
1258         if (!auth2(cli, wks_creds)) {
1259                 d_printf("auth2 failed\n");
1260                 goto done;
1261         }
1262
1263         if (!leave(cli, samr_creds, wks_creds)) {
1264                 d_printf("leave failed\n");
1265                 goto done;
1266         }
1267
1268         talloc_free(cli);
1269
1270         ret = True;
1271
1272  done:
1273         return ret;
1274 }
1275
1276 /*
1277  * Test the different session key variants. Do it by joining, this uses the
1278  * session key in the setpassword routine. Test the join by doing the auth2.
1279  */
1280
1281 BOOL torture_samba3_sessionkey(struct torture_context *torture)
1282 {
1283         TALLOC_CTX *mem_ctx;
1284         BOOL ret = False;
1285         struct cli_credentials *anon_creds;
1286         const char *wks_name;
1287
1288         wks_name = torture_setting_string(torture, "wksname", get_myname());
1289
1290         mem_ctx = talloc_init("torture_samba3_sessionkey");
1291
1292         if (mem_ctx == NULL) {
1293                 d_printf("talloc_init failed\n");
1294                 return False;
1295         }
1296
1297         if (!(anon_creds = create_anon_creds(mem_ctx))) {
1298                 d_printf("create_anon_creds failed\n");
1299                 goto done;
1300         }
1301
1302         ret = True;
1303
1304         if (!torture_setting_bool(torture, "samba3", False)) {
1305
1306                 /* Samba3 in the build farm right now does this happily. Need
1307                  * to fix :-) */
1308
1309                 if (test_join3(mem_ctx, False, anon_creds, NULL, wks_name)) {
1310                         d_printf("join using anonymous bind on an anonymous smb "
1311                                  "connection succeeded -- HUH??\n");
1312                         ret = False;
1313                 }
1314         }
1315
1316         if (!test_join3(mem_ctx, False, anon_creds, cmdline_credentials,
1317                         wks_name)) {
1318                 d_printf("join using ntlmssp bind on an anonymous smb "
1319                          "connection failed\n");
1320                 ret = False;
1321         }
1322
1323         if (!test_join3(mem_ctx, False, cmdline_credentials, NULL, wks_name)) {
1324                 d_printf("join using anonymous bind on an authenticated smb "
1325                          "connection failed\n");
1326                 ret = False;
1327         }
1328
1329         if (!test_join3(mem_ctx, False, cmdline_credentials,
1330                         cmdline_credentials,
1331                         wks_name)) {
1332                 d_printf("join using ntlmssp bind on an authenticated smb "
1333                          "connection failed\n");
1334                 ret = False;
1335         }
1336
1337         /*
1338          * The following two are tests for setuserinfolevel 25
1339          */
1340
1341         if (!test_join3(mem_ctx, True, anon_creds, cmdline_credentials,
1342                         wks_name)) {
1343                 d_printf("join using ntlmssp bind on an anonymous smb "
1344                          "connection failed\n");
1345                 ret = False;
1346         }
1347
1348         if (!test_join3(mem_ctx, True, cmdline_credentials, NULL, wks_name)) {
1349                 d_printf("join using anonymous bind on an authenticated smb "
1350                          "connection failed\n");
1351                 ret = False;
1352         }
1353
1354  done:
1355
1356         return ret;
1357 }
1358
1359 /*
1360  * open pipe and bind, given an IPC$ context
1361  */
1362
1363 static NTSTATUS pipe_bind_smb(TALLOC_CTX *mem_ctx,
1364                               struct smbcli_tree *tree,
1365                               const char *pipe_name,
1366                               const struct dcerpc_interface_table *iface,
1367                               struct dcerpc_pipe **p)
1368 {
1369         struct dcerpc_pipe *result;
1370         NTSTATUS status;
1371
1372         if (!(result = dcerpc_pipe_init(
1373                       mem_ctx, tree->session->transport->socket->event.ctx))) {
1374                 return NT_STATUS_NO_MEMORY;
1375         }
1376
1377         status = dcerpc_pipe_open_smb(result->conn, tree, pipe_name);
1378         if (!NT_STATUS_IS_OK(status)) {
1379                 d_printf("dcerpc_pipe_open_smb failed: %s\n",
1380                          nt_errstr(status));
1381                 talloc_free(result);
1382                 return status;
1383         }
1384
1385         status = dcerpc_bind_auth_none(result, iface);
1386         if (!NT_STATUS_IS_OK(status)) {
1387                 d_printf("schannel bind failed: %s\n", nt_errstr(status));
1388                 talloc_free(result);
1389                 return status;
1390         }
1391
1392         *p = result;
1393         return NT_STATUS_OK;
1394 }
1395
1396 /*
1397  * Sane wrapper around lsa_LookupNames
1398  */
1399
1400 static struct dom_sid *name2sid(TALLOC_CTX *mem_ctx,
1401                                 struct dcerpc_pipe *p,
1402                                 const char *name,
1403                                 const char *domain)
1404 {
1405         struct lsa_ObjectAttribute attr;
1406         struct lsa_QosInfo qos;
1407         struct lsa_OpenPolicy2 r;
1408         struct lsa_Close c;
1409         NTSTATUS status;
1410         struct policy_handle handle;
1411         struct lsa_LookupNames l;
1412         struct lsa_TransSidArray sids;
1413         struct lsa_String lsa_name;
1414         uint32_t count = 0;
1415         struct dom_sid *result;
1416         TALLOC_CTX *tmp_ctx;
1417
1418         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1419                 return NULL;
1420         }
1421
1422         qos.len = 0;
1423         qos.impersonation_level = 2;
1424         qos.context_mode = 1;
1425         qos.effective_only = 0;
1426
1427         attr.len = 0;
1428         attr.root_dir = NULL;
1429         attr.object_name = NULL;
1430         attr.attributes = 0;
1431         attr.sec_desc = NULL;
1432         attr.sec_qos = &qos;
1433
1434         r.in.system_name = "\\";
1435         r.in.attr = &attr;
1436         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1437         r.out.handle = &handle;
1438
1439         status = dcerpc_lsa_OpenPolicy2(p, tmp_ctx, &r);
1440         if (!NT_STATUS_IS_OK(status)) {
1441                 printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
1442                 talloc_free(tmp_ctx);
1443                 return NULL;
1444         }
1445
1446         sids.count = 0;
1447         sids.sids = NULL;
1448
1449         lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, name);
1450
1451         l.in.handle = &handle;
1452         l.in.num_names = 1;
1453         l.in.names = &lsa_name;
1454         l.in.sids = &sids;
1455         l.in.level = 1;
1456         l.in.count = &count;
1457         l.out.count = &count;
1458         l.out.sids = &sids;
1459
1460         status = dcerpc_lsa_LookupNames(p, tmp_ctx, &l);
1461         if (!NT_STATUS_IS_OK(status)) {
1462                 printf("LookupNames failed - %s\n", nt_errstr(status));
1463                 talloc_free(tmp_ctx);
1464                 return NULL;
1465         }
1466
1467         result = dom_sid_add_rid(mem_ctx, l.out.domains->domains[0].sid,
1468                                  l.out.sids->sids[0].rid);
1469
1470         c.in.handle = &handle;
1471         c.out.handle = &handle;
1472
1473         status = dcerpc_lsa_Close(p, tmp_ctx, &c);
1474         if (!NT_STATUS_IS_OK(status)) {
1475                 printf("dcerpc_lsa_Close failed - %s\n", nt_errstr(status));
1476                 talloc_free(tmp_ctx);
1477                 return NULL;
1478         }
1479         
1480         talloc_free(tmp_ctx);
1481         return result;
1482 }
1483
1484 /*
1485  * Find out the user SID on this connection
1486  */
1487
1488 static struct dom_sid *whoami(TALLOC_CTX *mem_ctx, struct smbcli_tree *tree)
1489 {
1490         struct dcerpc_pipe *lsa;
1491         struct lsa_GetUserName r;
1492         NTSTATUS status;
1493         struct lsa_StringPointer authority_name_p;
1494         struct dom_sid *result;
1495
1496         status = pipe_bind_smb(mem_ctx, tree, "\\pipe\\lsarpc",
1497                                &dcerpc_table_lsarpc, &lsa);
1498         if (!NT_STATUS_IS_OK(status)) {
1499                 d_printf("(%s) Could not bind to LSA: %s\n",
1500                          __location__, nt_errstr(status));
1501                 return NULL;
1502         }
1503
1504         r.in.system_name = "\\";
1505         r.in.account_name = NULL;
1506         authority_name_p.string = NULL;
1507         r.in.authority_name = &authority_name_p;
1508
1509         status = dcerpc_lsa_GetUserName(lsa, mem_ctx, &r);
1510
1511         if (!NT_STATUS_IS_OK(status)) {
1512                 printf("(%s) GetUserName failed - %s\n",
1513                        __location__, nt_errstr(status));
1514                 talloc_free(lsa);
1515                 return NULL;
1516         }
1517
1518         result = name2sid(mem_ctx, lsa, r.out.account_name->string,
1519                           r.out.authority_name->string->string);
1520
1521         talloc_free(lsa);
1522         return result;
1523 }
1524
1525 /*
1526  * Do a tcon, given a session
1527  */
1528
1529 NTSTATUS secondary_tcon(TALLOC_CTX *mem_ctx,
1530                         struct smbcli_session *session,
1531                         const char *sharename,
1532                         struct smbcli_tree **res)
1533 {
1534         struct smbcli_tree *result;
1535         TALLOC_CTX *tmp_ctx;
1536         union smb_tcon tcon;
1537         NTSTATUS status;
1538
1539         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1540                 return NT_STATUS_NO_MEMORY;
1541         }
1542
1543         if (!(result = smbcli_tree_init(session, mem_ctx, False))) {
1544                 talloc_free(tmp_ctx);
1545                 return NT_STATUS_NO_MEMORY;
1546         }
1547
1548         tcon.generic.level = RAW_TCON_TCONX;
1549         tcon.tconx.in.flags = 0;
1550         tcon.tconx.in.password = data_blob(NULL, 0);
1551         tcon.tconx.in.path = sharename;
1552         tcon.tconx.in.device = "?????";
1553
1554         status = smb_raw_tcon(result, tmp_ctx, &tcon);
1555         if (!NT_STATUS_IS_OK(status)) {
1556                 d_printf("(%s) smb_raw_tcon failed: %s\n", __location__,
1557                          nt_errstr(status));
1558                 talloc_free(tmp_ctx);
1559                 return status;
1560         }
1561
1562         result->tid = tcon.tconx.out.tid;
1563         result = talloc_steal(mem_ctx, result);
1564         talloc_free(tmp_ctx);
1565         *res = result;
1566         return NT_STATUS_OK;
1567 }
1568
1569 /*
1570  * Test the getusername behaviour
1571  */
1572
1573 BOOL torture_samba3_rpc_getusername(struct torture_context *torture)
1574 {
1575         NTSTATUS status;
1576         struct smbcli_state *cli;
1577         TALLOC_CTX *mem_ctx;
1578         BOOL ret = True;
1579         struct dom_sid *user_sid;
1580         struct dom_sid *created_sid;
1581         struct cli_credentials *anon_creds;
1582         struct cli_credentials *user_creds;
1583         char *domain_name;
1584
1585         if (!(mem_ctx = talloc_new(torture))) {
1586                 return False;
1587         }
1588
1589         status = smbcli_full_connection(
1590                 mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
1591                 "IPC$", NULL, cmdline_credentials, NULL);
1592         if (!NT_STATUS_IS_OK(status)) {
1593                 d_printf("(%s) smbcli_full_connection failed: %s\n",
1594                          __location__, nt_errstr(status));
1595                 ret = False;
1596                 goto done;
1597         }
1598
1599         if (!(user_sid = whoami(mem_ctx, cli->tree))) {
1600                 d_printf("(%s) whoami on auth'ed connection failed\n",
1601                          __location__);
1602                 ret = False;
1603         }
1604
1605         talloc_free(cli);
1606
1607         if (!(anon_creds = create_anon_creds(mem_ctx))) {
1608                 d_printf("(%s) create_anon_creds failed\n", __location__);
1609                 ret = False;
1610                 goto done;
1611         }
1612
1613         status = smbcli_full_connection(
1614                 mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
1615                 "IPC$", NULL, anon_creds, NULL);
1616         if (!NT_STATUS_IS_OK(status)) {
1617                 d_printf("(%s) anon smbcli_full_connection failed: %s\n",
1618                          __location__, nt_errstr(status));
1619                 ret = False;
1620                 goto done;
1621         }
1622
1623         if (!(user_sid = whoami(mem_ctx, cli->tree))) {
1624                 d_printf("(%s) whoami on anon connection failed\n",
1625                          __location__);
1626                 ret = False;
1627                 goto done;
1628         }
1629
1630         if (!dom_sid_equal(user_sid,
1631                            dom_sid_parse_talloc(mem_ctx, "s-1-5-7"))) {
1632                 d_printf("(%s) Anon lsa_GetUserName returned %s, expected "
1633                          "S-1-5-7", __location__,
1634                          dom_sid_string(mem_ctx, user_sid));
1635                 ret = False;
1636         }
1637
1638         if (!(user_creds = cli_credentials_init(mem_ctx))) {
1639                 d_printf("(%s) cli_credentials_init failed\n", __location__);
1640                 ret = False;
1641                 goto done;
1642         }
1643
1644         cli_credentials_set_conf(user_creds);
1645         cli_credentials_set_username(user_creds, "torture_username",
1646                                      CRED_SPECIFIED);
1647         cli_credentials_set_password(user_creds,
1648                                      generate_random_str(user_creds, 8),
1649                                      CRED_SPECIFIED);
1650
1651         if (!create_user(mem_ctx, cli, cmdline_credentials,
1652                          cli_credentials_get_username(user_creds),
1653                          cli_credentials_get_password(user_creds),
1654                          &domain_name, &created_sid)) {
1655                 d_printf("(%s) create_user failed\n", __location__);
1656                 ret = False;
1657                 goto done;
1658         }
1659
1660         cli_credentials_set_domain(user_creds, domain_name,
1661                                    CRED_SPECIFIED);
1662
1663         {
1664                 struct smbcli_session *session2;
1665                 struct smb_composite_sesssetup setup;
1666                 struct smbcli_tree *tree;
1667
1668                 session2 = smbcli_session_init(cli->transport, mem_ctx, False);
1669                 if (session2 == NULL) {
1670                         d_printf("(%s) smbcli_session_init failed\n",
1671                                  __location__);
1672                         goto done;
1673                 }
1674
1675                 setup.in.sesskey = cli->transport->negotiate.sesskey;
1676                 setup.in.capabilities = cli->transport->negotiate.capabilities;
1677                 setup.in.workgroup = "";
1678                 setup.in.credentials = user_creds;
1679
1680                 status = smb_composite_sesssetup(session2, &setup);
1681                 if (!NT_STATUS_IS_OK(status)) {
1682                         d_printf("(%s) session setup with new user failed: "
1683                                  "%s\n", __location__, nt_errstr(status));
1684                         ret = False;
1685                         goto done;
1686                 }
1687
1688                 if (!NT_STATUS_IS_OK(secondary_tcon(mem_ctx, session2,
1689                                                     "IPC$", &tree))) {
1690                         d_printf("(%s) secondary_tcon failed\n",
1691                                  __location__);
1692                         ret = False;
1693                         goto done;
1694                 }
1695
1696                 if (!(user_sid = whoami(mem_ctx, tree))) {
1697                         d_printf("(%s) whoami on user connection failed\n",
1698                                  __location__);
1699                         ret = False;
1700                         goto delete;
1701                 }
1702
1703                 talloc_free(tree);
1704         }
1705
1706         d_printf("Created %s, found %s\n",
1707                  dom_sid_string(mem_ctx, created_sid),
1708                  dom_sid_string(mem_ctx, user_sid));
1709
1710         if (!dom_sid_equal(created_sid, user_sid)) {
1711                 ret = False;
1712         }
1713
1714  delete:
1715         if (!delete_user(cli, cmdline_credentials,
1716                          cli_credentials_get_username(user_creds))) {
1717                 d_printf("(%s) delete_user failed\n", __location__);
1718                 ret = False;
1719         }
1720
1721  done:
1722         talloc_free(mem_ctx);
1723         return ret;
1724 }
1725
1726 static BOOL test_NetShareGetInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
1727                                  const char *sharename)
1728 {
1729         NTSTATUS status;
1730         struct srvsvc_NetShareGetInfo r;
1731         uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007, 1501 };
1732         int i;
1733         BOOL ret = True;
1734
1735         r.in.server_unc = talloc_asprintf(mem_ctx, "\\\\%s",
1736                                           dcerpc_server_name(p));
1737         r.in.share_name = sharename;
1738
1739         for (i=0;i<ARRAY_SIZE(levels);i++) {
1740                 r.in.level = levels[i];
1741
1742                 ZERO_STRUCT(r.out);
1743
1744                 printf("testing NetShareGetInfo level %u on share '%s'\n", 
1745                        r.in.level, r.in.share_name);
1746
1747                 status = dcerpc_srvsvc_NetShareGetInfo(p, mem_ctx, &r);
1748                 if (!NT_STATUS_IS_OK(status)) {
1749                         printf("NetShareGetInfo level %u on share '%s' failed"
1750                                " - %s\n", r.in.level, r.in.share_name,
1751                                nt_errstr(status));
1752                         ret = False;
1753                         continue;
1754                 }
1755                 if (!W_ERROR_IS_OK(r.out.result)) {
1756                         printf("NetShareGetInfo level %u on share '%s' failed "
1757                                "- %s\n", r.in.level, r.in.share_name,
1758                                win_errstr(r.out.result));
1759                         ret = False;
1760                         continue;
1761                 }
1762         }
1763
1764         return ret;
1765 }
1766
1767 static BOOL test_NetShareEnum(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
1768                               const char **one_sharename)
1769 {
1770         NTSTATUS status;
1771         struct srvsvc_NetShareEnum r;
1772         struct srvsvc_NetShareCtr0 c0;
1773         uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007 };
1774         int i;
1775         BOOL ret = True;
1776
1777         r.in.server_unc = talloc_asprintf(mem_ctx,"\\\\%s",dcerpc_server_name(p));
1778         r.in.ctr.ctr0 = &c0;
1779         r.in.ctr.ctr0->count = 0;
1780         r.in.ctr.ctr0->array = NULL;
1781         r.in.max_buffer = (uint32_t)-1;
1782         r.in.resume_handle = NULL;
1783
1784         for (i=0;i<ARRAY_SIZE(levels);i++) {
1785                 r.in.level = levels[i];
1786
1787                 ZERO_STRUCT(r.out);
1788
1789                 printf("testing NetShareEnum level %u\n", r.in.level);
1790                 status = dcerpc_srvsvc_NetShareEnum(p, mem_ctx, &r);
1791                 if (!NT_STATUS_IS_OK(status)) {
1792                         printf("NetShareEnum level %u failed - %s\n",
1793                                r.in.level, nt_errstr(status));
1794                         ret = False;
1795                         continue;
1796                 }
1797                 if (!W_ERROR_IS_OK(r.out.result)) {
1798                         printf("NetShareEnum level %u failed - %s\n",
1799                                r.in.level, win_errstr(r.out.result));
1800                         continue;
1801                 }
1802                 if (r.in.level == 0) {
1803                         struct srvsvc_NetShareCtr0 *ctr = r.out.ctr.ctr0;
1804                         if (ctr->count > 0) {
1805                                 *one_sharename = ctr->array[0].name;
1806                         }
1807                 }
1808         }
1809
1810         return ret;
1811 }
1812
1813 BOOL torture_samba3_rpc_srvsvc(struct torture_context *torture)
1814 {
1815         struct dcerpc_pipe *p;
1816         TALLOC_CTX *mem_ctx;
1817         BOOL ret = True;
1818         const char *sharename = NULL;
1819         struct smbcli_state *cli;
1820         NTSTATUS status;
1821
1822         if (!(mem_ctx = talloc_new(torture))) {
1823                 return False;
1824         }
1825
1826         if (!(torture_open_connection_share(
1827                       mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
1828                       "IPC$", NULL))) {
1829                 talloc_free(mem_ctx);
1830                 return False;
1831         }
1832
1833         status = pipe_bind_smb(mem_ctx, cli->tree, "\\pipe\\srvsvc",
1834                                &dcerpc_table_srvsvc, &p);
1835         if (!NT_STATUS_IS_OK(status)) {
1836                 d_printf("(%s) could not bind to srvsvc pipe: %s\n",
1837                          __location__, nt_errstr(status));
1838                 ret = False;
1839                 goto done;
1840         }
1841
1842         ret &= test_NetShareEnum(p, mem_ctx, &sharename);
1843         if (sharename == NULL) {
1844                 printf("did not get sharename\n");
1845         } else {
1846                 ret &= test_NetShareGetInfo(p, mem_ctx, sharename);
1847         }
1848
1849  done:
1850         talloc_free(mem_ctx);
1851         return ret;
1852 }
1853
1854 static struct security_descriptor *get_sharesec(TALLOC_CTX *mem_ctx,
1855                                                 struct smbcli_session *sess,
1856                                                 const char *sharename)
1857 {
1858         struct smbcli_tree *tree;
1859         TALLOC_CTX *tmp_ctx;
1860         struct dcerpc_pipe *p;
1861         NTSTATUS status;
1862         struct srvsvc_NetShareGetInfo r;
1863         struct security_descriptor *result;
1864
1865         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1866                 d_printf("talloc_new failed\n");
1867                 return NULL;
1868         }
1869
1870         if (!NT_STATUS_IS_OK(secondary_tcon(tmp_ctx, sess, "IPC$", &tree))) {
1871                 d_printf("secondary_tcon failed\n");
1872                 talloc_free(tmp_ctx);
1873                 return NULL;
1874         }
1875
1876         status = pipe_bind_smb(mem_ctx, tree, "\\pipe\\srvsvc",
1877                                &dcerpc_table_srvsvc, &p);
1878         if (!NT_STATUS_IS_OK(status)) {
1879                 d_printf("(%s) could not bind to srvsvc pipe: %s\n",
1880                          __location__, nt_errstr(status));
1881                 talloc_free(tmp_ctx);
1882                 return NULL;
1883         }
1884
1885 #if 0
1886         p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
1887 #endif
1888
1889         r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
1890                                           dcerpc_server_name(p));
1891         r.in.share_name = sharename;
1892         r.in.level = 502;
1893
1894         status = dcerpc_srvsvc_NetShareGetInfo(p, tmp_ctx, &r);
1895         if (!NT_STATUS_IS_OK(status)) {
1896                 d_printf("srvsvc_NetShareGetInfo failed: %s\n",
1897                          nt_errstr(status));
1898                 talloc_free(tmp_ctx);
1899                 return NULL;
1900         }
1901
1902         result = talloc_steal(mem_ctx, r.out.info.info502->sd);
1903         talloc_free(tmp_ctx);
1904         return result;
1905 }
1906
1907 static NTSTATUS set_sharesec(TALLOC_CTX *mem_ctx,
1908                              struct smbcli_session *sess,
1909                              const char *sharename,
1910                              struct security_descriptor *sd)
1911 {
1912         struct smbcli_tree *tree;
1913         TALLOC_CTX *tmp_ctx;
1914         struct dcerpc_pipe *p;
1915         NTSTATUS status;
1916         struct sec_desc_buf i;
1917         struct srvsvc_NetShareSetInfo r;
1918         uint32_t error = 0;
1919
1920         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1921                 d_printf("talloc_new failed\n");
1922                 return NT_STATUS_NO_MEMORY;
1923         }
1924
1925         if (!NT_STATUS_IS_OK(secondary_tcon(tmp_ctx, sess, "IPC$", &tree))) {
1926                 d_printf("secondary_tcon failed\n");
1927                 talloc_free(tmp_ctx);
1928                 return NT_STATUS_UNSUCCESSFUL;
1929         }
1930
1931         status = pipe_bind_smb(mem_ctx, tree, "\\pipe\\srvsvc",
1932                                &dcerpc_table_srvsvc, &p);
1933         if (!NT_STATUS_IS_OK(status)) {
1934                 d_printf("(%s) could not bind to srvsvc pipe: %s\n",
1935                          __location__, nt_errstr(status));
1936                 talloc_free(tmp_ctx);
1937                 return NT_STATUS_UNSUCCESSFUL;
1938         }
1939
1940 #if 0
1941         p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
1942 #endif
1943
1944         r.in.server_unc = talloc_asprintf(tmp_ctx, "\\\\%s",
1945                                           dcerpc_server_name(p));
1946         r.in.share_name = sharename;
1947         r.in.level = 1501;
1948         i.sd = sd;
1949         r.in.info.info1501 = &i;
1950         r.in.parm_error = &error;
1951
1952         status = dcerpc_srvsvc_NetShareSetInfo(p, tmp_ctx, &r);
1953         if (!NT_STATUS_IS_OK(status)) {
1954                 d_printf("srvsvc_NetShareGetInfo failed: %s\n",
1955                          nt_errstr(status));
1956         }
1957
1958         talloc_free(tmp_ctx);
1959         return status;
1960 }
1961
1962 BOOL try_tcon(TALLOC_CTX *mem_ctx,
1963               struct security_descriptor *orig_sd,
1964               struct smbcli_session *session,
1965               const char *sharename, const struct dom_sid *user_sid,
1966               unsigned int access_mask, NTSTATUS expected_tcon,
1967               NTSTATUS expected_mkdir)
1968 {
1969         TALLOC_CTX *tmp_ctx;
1970         struct smbcli_tree *rmdir_tree, *tree;
1971         struct dom_sid *domain_sid;
1972         uint32_t rid;
1973         struct security_descriptor *sd;
1974         NTSTATUS status;
1975         BOOL ret = True;
1976
1977         if (!(tmp_ctx = talloc_new(mem_ctx))) {
1978                 d_printf("talloc_new failed\n");
1979                 return False;
1980         }
1981
1982         status = secondary_tcon(tmp_ctx, session, sharename, &rmdir_tree);
1983         if (!NT_STATUS_IS_OK(status)) {
1984                 d_printf("first tcon to delete dir failed\n");
1985                 talloc_free(tmp_ctx);
1986                 return False;
1987         }
1988
1989         smbcli_rmdir(rmdir_tree, "sharesec_testdir");
1990
1991         if (!NT_STATUS_IS_OK(dom_sid_split_rid(tmp_ctx, user_sid,
1992                                                &domain_sid, &rid))) {
1993                 d_printf("dom_sid_split_rid failed\n");
1994                 talloc_free(tmp_ctx);
1995                 return False;
1996         }
1997
1998         sd = security_descriptor_create(
1999                 tmp_ctx, "S-1-5-32-544",
2000                 dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
2001                                                         DOMAIN_RID_USERS)),
2002                 dom_sid_string(mem_ctx, user_sid),
2003                 SEC_ACE_TYPE_ACCESS_ALLOWED, access_mask, 0, NULL);
2004         if (sd == NULL) {
2005                 d_printf("security_descriptor_create failed\n");
2006                 talloc_free(tmp_ctx);
2007                 return False;
2008         }
2009
2010         status = set_sharesec(mem_ctx, session, sharename, sd);
2011         if (!NT_STATUS_IS_OK(status)) {
2012                 d_printf("custom set_sharesec failed: %s\n",
2013                          nt_errstr(status));
2014                 talloc_free(tmp_ctx);
2015                 return False;
2016         }
2017
2018         status = secondary_tcon(tmp_ctx, session, sharename, &tree);
2019         if (!NT_STATUS_EQUAL(status, expected_tcon)) {
2020                 d_printf("Expected %s, got %s\n", nt_errstr(expected_tcon),
2021                          nt_errstr(status));
2022                 ret = False;
2023                 goto done;
2024         }
2025
2026         if (!NT_STATUS_IS_OK(status)) {
2027                 /* An expected non-access, no point in trying to write */
2028                 goto done;
2029         }
2030
2031         status = smbcli_mkdir(tree, "sharesec_testdir");
2032         if (!NT_STATUS_EQUAL(status, expected_mkdir)) {
2033                 d_printf("Expected %s, got %s\n", nt_errstr(expected_mkdir),
2034                          nt_errstr(status));
2035                 ret = False;
2036         }
2037
2038  done:
2039         smbcli_rmdir(rmdir_tree, "sharesec_testdir");
2040
2041         status = set_sharesec(mem_ctx, session, sharename, orig_sd);
2042         if (!NT_STATUS_IS_OK(status)) {
2043                 d_printf("custom set_sharesec failed: %s\n",
2044                          nt_errstr(status));
2045                 talloc_free(tmp_ctx);
2046                 return False;
2047         }
2048
2049         talloc_free(tmp_ctx);
2050         return ret;
2051 }
2052
2053 BOOL torture_samba3_rpc_sharesec(struct torture_context *torture)
2054 {
2055         TALLOC_CTX *mem_ctx;
2056         BOOL ret = True;
2057         struct smbcli_state *cli;
2058         struct security_descriptor *sd;
2059         struct dom_sid *user_sid;
2060
2061         if (!(mem_ctx = talloc_new(torture))) {
2062                 return False;
2063         }
2064
2065         if (!(torture_open_connection_share(
2066                       mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
2067                       "IPC$", NULL))) {
2068                 d_printf("IPC$ connection failed\n");
2069                 talloc_free(mem_ctx);
2070                 return False;
2071         }
2072
2073         if (!(user_sid = whoami(mem_ctx, cli->tree))) {
2074                 d_printf("whoami failed\n");
2075                 talloc_free(mem_ctx);
2076                 return False;
2077         }
2078
2079         sd = get_sharesec(mem_ctx, cli->session, torture_setting_string(torture,
2080                                                                 "share", NULL));
2081
2082         ret &= try_tcon(mem_ctx, sd, cli->session,
2083                         torture_setting_string(torture, "share", NULL),
2084                         user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK);
2085
2086         ret &= try_tcon(mem_ctx, sd, cli->session,
2087                         torture_setting_string(torture, "share", NULL),
2088                         user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
2089                         NT_STATUS_NETWORK_ACCESS_DENIED);
2090
2091         ret &= try_tcon(mem_ctx, sd, cli->session,
2092                         torture_setting_string(torture, "share", NULL),
2093                         user_sid, SEC_FILE_ALL, NT_STATUS_OK, NT_STATUS_OK);
2094
2095         talloc_free(mem_ctx);
2096         return ret;
2097 }
2098
2099 BOOL torture_samba3_rpc_lsa(struct torture_context *torture)
2100 {
2101         TALLOC_CTX *mem_ctx;
2102         BOOL ret = True;
2103         struct smbcli_state *cli;
2104         struct dcerpc_pipe *p;
2105         struct policy_handle lsa_handle;
2106         NTSTATUS status;
2107         struct dom_sid *domain_sid;
2108
2109         if (!(mem_ctx = talloc_new(torture))) {
2110                 return False;
2111         }
2112
2113         if (!(torture_open_connection_share(
2114                       mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
2115                       "IPC$", NULL))) {
2116                 d_printf("IPC$ connection failed\n");
2117                 talloc_free(mem_ctx);
2118                 return False;
2119         }
2120
2121         status = pipe_bind_smb(mem_ctx, cli->tree, "\\lsarpc",
2122                                &dcerpc_table_lsarpc, &p);
2123         if (!NT_STATUS_IS_OK(status)) {
2124                 d_printf("(%s) pipe_bind_smb failed: %s\n", __location__,
2125                          nt_errstr(status));
2126                 talloc_free(mem_ctx);
2127                 return False;
2128         }
2129
2130         {
2131                 struct lsa_ObjectAttribute attr;
2132                 struct lsa_OpenPolicy2 o;
2133                 o.in.system_name = talloc_asprintf(
2134                         mem_ctx, "\\\\%s", dcerpc_server_name(p));
2135                 ZERO_STRUCT(attr);
2136                 o.in.attr = &attr;
2137                 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2138                 o.out.handle = &lsa_handle;
2139                 status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &o);
2140                 if (!NT_STATUS_IS_OK(status)) {
2141                         d_printf("(%s) dcerpc_lsa_OpenPolicy2 failed: %s\n",
2142                                  __location__, nt_errstr(status));
2143                         talloc_free(mem_ctx);
2144                         return False;
2145                 }
2146         }
2147
2148 #if 0
2149         p->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
2150 #endif
2151
2152         {
2153                 int i;
2154                 int levels[] = { 2,3,5,6 };
2155
2156                 for (i=0; i<ARRAY_SIZE(levels); i++) {
2157                         struct lsa_QueryInfoPolicy r;
2158                         r.in.handle = &lsa_handle;
2159                         r.in.level = levels[i];
2160                         status = dcerpc_lsa_QueryInfoPolicy(p, mem_ctx, &r);
2161                         if (!NT_STATUS_IS_OK(status)) {
2162                                 d_printf("(%s) dcerpc_lsa_QueryInfoPolicy %d "
2163                                          "failed: %s\n", __location__,
2164                                          levels[i], nt_errstr(status));
2165                                 talloc_free(mem_ctx);
2166                                 return False;
2167                         }
2168                         if (levels[i] == 5) {
2169                                 domain_sid = r.out.info->account_domain.sid;
2170                         }
2171                 }
2172         }
2173
2174         return ret;
2175 }
2176
2177 static NTSTATUS get_servername(TALLOC_CTX *mem_ctx, struct smbcli_tree *tree,
2178                                char **name)
2179 {
2180         struct rap_WserverGetInfo r;
2181         NTSTATUS status;
2182         char servername[17];
2183
2184         r.in.level = 0;
2185         r.in.bufsize = 0xffff;
2186
2187         status = smbcli_rap_netservergetinfo(tree, mem_ctx, &r);
2188         if (!NT_STATUS_IS_OK(status)) {
2189                 return status;
2190         }
2191
2192         memcpy(servername, r.out.info.info0.name, 16);
2193         servername[16] = '\0';
2194
2195         if (pull_ascii_talloc(mem_ctx, name, servername) < 0) {
2196                 return NT_STATUS_NO_MEMORY;
2197         }
2198
2199         return NT_STATUS_OK;
2200 }
2201
2202
2203 static NTSTATUS find_printers(TALLOC_CTX *ctx, struct smbcli_tree *tree,
2204                               const char ***printers, int *num_printers)
2205 {
2206         TALLOC_CTX *mem_ctx;
2207         NTSTATUS status;
2208         struct dcerpc_pipe *p;
2209         struct srvsvc_NetShareEnum r;
2210         struct srvsvc_NetShareCtr1 c1_in;
2211         struct srvsvc_NetShareCtr1 *c1;
2212         int i;
2213
2214         mem_ctx = talloc_new(ctx);
2215         if (mem_ctx == NULL) {
2216                 return NT_STATUS_NO_MEMORY;
2217         }
2218
2219         status = pipe_bind_smb(mem_ctx, tree, "\\srvsvc", &dcerpc_table_srvsvc,
2220                                &p);
2221         if (!NT_STATUS_IS_OK(status)) {
2222                 d_printf("could not bind to srvsvc pipe\n");
2223                 talloc_free(mem_ctx);
2224                 return status;
2225         }
2226
2227         r.in.server_unc = talloc_asprintf(
2228                 mem_ctx, "\\\\%s", dcerpc_server_name(p));
2229         r.in.level = 1;
2230         ZERO_STRUCT(c1_in);
2231         r.in.ctr.ctr1 = &c1_in;
2232         r.in.max_buffer = (uint32_t)-1;
2233         r.in.resume_handle = NULL;
2234
2235         status = dcerpc_srvsvc_NetShareEnum(p, mem_ctx, &r);
2236         if (!NT_STATUS_IS_OK(status)) {
2237                 d_printf("NetShareEnum level %u failed - %s\n",
2238                          r.in.level, nt_errstr(status));
2239                 talloc_free(mem_ctx);
2240                 return status;
2241         }
2242
2243         *printers = NULL;
2244         *num_printers = 0;
2245         c1 = r.out.ctr.ctr1;
2246         for (i=0; i<c1->count; i++) {
2247                 if (c1->array[i].type != STYPE_PRINTQ) {
2248                         continue;
2249                 }
2250                 if (!add_string_to_array(ctx, c1->array[i].name,
2251                                          printers, num_printers)) {
2252                         talloc_free(ctx);
2253                         return NT_STATUS_NO_MEMORY;
2254                 }
2255         }
2256
2257         talloc_free(mem_ctx);
2258         return NT_STATUS_OK;
2259 }
2260
2261 static BOOL enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe,
2262                          const char *servername, int level, int *num_printers)
2263 {
2264         struct spoolss_EnumPrinters r;
2265         NTSTATUS status;
2266         DATA_BLOB blob;
2267
2268         r.in.flags = PRINTER_ENUM_LOCAL;
2269         r.in.server = talloc_asprintf(mem_ctx, "\\\\%s", servername);
2270         r.in.level = level;
2271         r.in.buffer = NULL;
2272         r.in.offered = 0;
2273
2274         status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r);
2275         if (!NT_STATUS_IS_OK(status)) {
2276                 d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s\n",
2277                          __location__, nt_errstr(status));
2278                 return False;
2279         }
2280
2281         if (!W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) {
2282                 d_printf("(%s) EnumPrinters unexpected return code %s, should "
2283                          "be WERR_INSUFFICIENT_BUFFER\n", __location__,
2284                          win_errstr(r.out.result));
2285                 return False;
2286         }
2287
2288         blob = data_blob_talloc(mem_ctx, NULL, r.out.needed);
2289         if (blob.data == NULL) {
2290                 d_printf("(%s) data_blob_talloc failed\n", __location__);
2291                 return False;
2292         }
2293
2294         r.in.buffer = &blob;
2295         r.in.offered = r.out.needed;
2296
2297         status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r);
2298         if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2299                 d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s, "
2300                          "%s\n", __location__, nt_errstr(status),
2301                          win_errstr(r.out.result));
2302                 return False;
2303         }
2304
2305         *num_printers = r.out.count;
2306
2307         return True;
2308 }
2309
2310 static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe,
2311                                struct policy_handle *handle, int level,
2312                                union spoolss_PrinterInfo **res)
2313 {
2314         TALLOC_CTX *mem_ctx;
2315         struct spoolss_GetPrinter r;
2316         DATA_BLOB blob;
2317         NTSTATUS status;
2318
2319         mem_ctx = talloc_new(ctx);
2320         if (mem_ctx == NULL) {
2321                 return NT_STATUS_NO_MEMORY;
2322         }
2323
2324         r.in.handle = handle;
2325         r.in.level = level;
2326         r.in.buffer = NULL;
2327         r.in.offered = 0;
2328
2329         status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r);
2330         if (!NT_STATUS_IS_OK(status)) {
2331                 d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s\n",
2332                          __location__, nt_errstr(status));
2333                 talloc_free(mem_ctx);
2334                 return status;
2335         }
2336
2337         if (!W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) {
2338                 printf("GetPrinter unexpected return code %s, should "
2339                        "be WERR_INSUFFICIENT_BUFFER\n",
2340                        win_errstr(r.out.result));
2341                 talloc_free(mem_ctx);
2342                 return NT_STATUS_UNSUCCESSFUL;
2343         }
2344
2345         r.in.handle = handle;
2346         r.in.level = level;
2347         blob = data_blob_talloc(mem_ctx, NULL, r.out.needed);
2348         if (blob.data == NULL) {
2349                 talloc_free(mem_ctx);
2350                 return NT_STATUS_NO_MEMORY;
2351         }
2352         memset(blob.data, 0, blob.length);
2353         r.in.buffer = &blob;
2354         r.in.offered = r.out.needed;
2355
2356         status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r);
2357         if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2358                 d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s, "
2359                          "%s\n", __location__, nt_errstr(status),
2360                          win_errstr(r.out.result));
2361                 talloc_free(mem_ctx);
2362                 return NT_STATUS_IS_OK(status) ?
2363                         NT_STATUS_UNSUCCESSFUL : status;
2364         }
2365
2366         if (res != NULL) {
2367                 *res = talloc_steal(ctx, r.out.info);
2368         }
2369
2370         talloc_free(mem_ctx);
2371         return NT_STATUS_OK;
2372 }
2373
2374 BOOL torture_samba3_rpc_spoolss(struct torture_context *torture)
2375 {
2376         TALLOC_CTX *mem_ctx;
2377         BOOL ret = True;
2378         struct smbcli_state *cli;
2379         struct dcerpc_pipe *p;
2380         NTSTATUS status;
2381         struct policy_handle server_handle, printer_handle;
2382         const char **printers;
2383         int num_printers;
2384         struct spoolss_UserLevel1 userlevel1;
2385         char *servername;
2386
2387         if (!(mem_ctx = talloc_new(torture))) {
2388                 return False;
2389         }
2390
2391         if (!(torture_open_connection_share(
2392                       mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
2393                       "IPC$", NULL))) {
2394                 d_printf("IPC$ connection failed\n");
2395                 talloc_free(mem_ctx);
2396                 return False;
2397         }
2398
2399         status = get_servername(mem_ctx, cli->tree, &servername);
2400         if (!NT_STATUS_IS_OK(status)) {
2401                 d_fprintf(stderr, "(%s) get_servername returned %s\n",
2402                           __location__, nt_errstr(status));
2403                 talloc_free(mem_ctx);
2404                 return False;
2405         }
2406
2407         if (!NT_STATUS_IS_OK(find_printers(mem_ctx, cli->tree,
2408                                            &printers, &num_printers))) {
2409                 talloc_free(mem_ctx);
2410                 return False;
2411         }
2412
2413         if (num_printers == 0) {
2414                 d_printf("Did not find printers\n");
2415                 talloc_free(mem_ctx);
2416                 return True;
2417         }
2418
2419         status = pipe_bind_smb(mem_ctx, cli->tree, "\\spoolss",
2420                                &dcerpc_table_spoolss, &p);
2421         if (!NT_STATUS_IS_OK(status)) {
2422                 d_printf("(%s) pipe_bind_smb failed: %s\n", __location__,
2423                          nt_errstr(status));
2424                 talloc_free(mem_ctx);
2425                 return False;
2426         }
2427
2428         ZERO_STRUCT(userlevel1);
2429         userlevel1.client = talloc_asprintf(
2430                 mem_ctx, "\\\\%s", lp_netbios_name());
2431         userlevel1.user = cli_credentials_get_username(cmdline_credentials);
2432         userlevel1.build = 2600;
2433         userlevel1.major = 3;
2434         userlevel1.minor = 0;
2435         userlevel1.processor = 0;
2436
2437         {
2438                 struct spoolss_OpenPrinterEx r;
2439
2440                 ZERO_STRUCT(r);
2441                 r.in.printername = talloc_asprintf(mem_ctx, "\\\\%s",
2442                                                    servername);
2443                 r.in.datatype = NULL;
2444                 r.in.access_mask = 0;
2445                 r.in.level = 1;
2446                 r.in.userlevel.level1 = &userlevel1;
2447                 r.out.handle = &server_handle;
2448
2449                 status = dcerpc_spoolss_OpenPrinterEx(p, mem_ctx, &r);
2450                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2451                         d_printf("(%s) dcerpc_spoolss_OpenPrinterEx failed: "
2452                                  "%s, %s\n", __location__, nt_errstr(status),
2453                                  win_errstr(r.out.result));
2454                         talloc_free(mem_ctx);
2455                         return False;
2456                 }
2457         }
2458
2459         {
2460                 struct spoolss_ClosePrinter r;
2461
2462                 r.in.handle = &server_handle;
2463                 r.out.handle = &server_handle;
2464
2465                 status = dcerpc_spoolss_ClosePrinter(p, mem_ctx, &r);
2466                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2467                         d_printf("(%s) dcerpc_spoolss_ClosePrinter failed: "
2468                                  "%s, %s\n", __location__, nt_errstr(status),
2469                                  win_errstr(r.out.result));
2470                         talloc_free(mem_ctx);
2471                         return False;
2472                 }
2473         }
2474
2475         {
2476                 struct spoolss_OpenPrinterEx r;
2477
2478                 ZERO_STRUCT(r);
2479                 r.in.printername = talloc_asprintf(
2480                         mem_ctx, "\\\\%s\\%s", servername, printers[0]);
2481                 r.in.datatype = NULL;
2482                 r.in.access_mask = 0;
2483                 r.in.level = 1;
2484                 r.in.userlevel.level1 = &userlevel1;
2485                 r.out.handle = &printer_handle;
2486
2487                 status = dcerpc_spoolss_OpenPrinterEx(p, mem_ctx, &r);
2488                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2489                         d_printf("(%s) dcerpc_spoolss_OpenPrinterEx failed: "
2490                                  "%s, %s\n", __location__, nt_errstr(status),
2491                                  win_errstr(r.out.result));
2492                         talloc_free(mem_ctx);
2493                         return False;
2494                 }
2495         }
2496
2497         {
2498                 int i;
2499
2500                 for (i=0; i<8; i++) {
2501                         status = getprinterinfo(mem_ctx, p, &printer_handle,
2502                                                 i, NULL);
2503                         if (!NT_STATUS_IS_OK(status)) {
2504                                 d_printf("(%s) getprinterinfo %d failed: %s\n",
2505                                          __location__, i, nt_errstr(status));
2506                                 ret = False;
2507                         }
2508                 }
2509         }
2510
2511         {
2512                 struct spoolss_ClosePrinter r;
2513
2514                 r.in.handle = &printer_handle;
2515                 r.out.handle = &printer_handle;
2516
2517                 status = dcerpc_spoolss_ClosePrinter(p, mem_ctx, &r);
2518                 if (!NT_STATUS_IS_OK(status)) {
2519                         d_printf("(%s) dcerpc_spoolss_ClosePrinter failed: "
2520                                  "%s\n", __location__, nt_errstr(status));
2521                         talloc_free(mem_ctx);
2522                         return False;
2523                 }
2524         }
2525
2526         {
2527                 int num_enumerated;
2528                 if (!enumprinters(mem_ctx, p, servername, 1,
2529                                   &num_enumerated)) {
2530                         d_printf("(%s) enumprinters failed\n", __location__);
2531                         talloc_free(mem_ctx);
2532                         return False;
2533                 }
2534                 if (num_printers != num_enumerated) {
2535                         d_printf("(%s) netshareenum gave %d printers, "
2536                                  "enumprinters lvl 1 gave %d\n", __location__,
2537                                  num_printers, num_enumerated);
2538                         talloc_free(mem_ctx);
2539                         return False;
2540                 }
2541         }
2542
2543         {
2544                 int num_enumerated;
2545                 if (!enumprinters(mem_ctx, p, servername, 2,
2546                                   &num_enumerated)) {
2547                         d_printf("(%s) enumprinters failed\n", __location__);
2548                         talloc_free(mem_ctx);
2549                         return False;
2550                 }
2551                 if (num_printers != num_enumerated) {
2552                         d_printf("(%s) netshareenum gave %d printers, "
2553                                  "enumprinters lvl 2 gave %d\n", __location__,
2554                                  num_printers, num_enumerated);
2555                         talloc_free(mem_ctx);
2556                         return False;
2557                 }
2558         }
2559
2560         talloc_free(mem_ctx);
2561
2562         return ret;
2563 }
2564
2565 BOOL torture_samba3_rpc_wkssvc(struct torture_context *torture)
2566 {
2567         TALLOC_CTX *mem_ctx;
2568         struct smbcli_state *cli;
2569         struct dcerpc_pipe *p;
2570         NTSTATUS status;
2571         char *servername;
2572
2573         if (!(mem_ctx = talloc_new(torture))) {
2574                 return False;
2575         }
2576
2577         if (!(torture_open_connection_share(
2578                       mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
2579                       "IPC$", NULL))) {
2580                 d_printf("IPC$ connection failed\n");
2581                 talloc_free(mem_ctx);
2582                 return False;
2583         }
2584
2585         status = get_servername(mem_ctx, cli->tree, &servername);
2586         if (!NT_STATUS_IS_OK(status)) {
2587                 d_fprintf(stderr, "(%s) get_servername returned %s\n",
2588                           __location__, nt_errstr(status));
2589                 talloc_free(mem_ctx);
2590                 return False;
2591         }
2592
2593         status = pipe_bind_smb(mem_ctx, cli->tree, "\\wkssvc",
2594                                &dcerpc_table_wkssvc, &p);
2595         if (!NT_STATUS_IS_OK(status)) {
2596                 d_printf("(%s) pipe_bind_smb failed: %s\n", __location__,
2597                          nt_errstr(status));
2598                 talloc_free(mem_ctx);
2599                 return False;
2600         }
2601
2602         {
2603                 struct wkssvc_NetWkstaInfo100 wks100;
2604                 union wkssvc_NetWkstaInfo info;
2605                 struct wkssvc_NetWkstaGetInfo r;
2606
2607                 r.in.server_name = "\\foo";
2608                 r.in.level = 100;
2609                 info.info100 = &wks100;
2610                 r.out.info = &info;
2611
2612                 status = dcerpc_wkssvc_NetWkstaGetInfo(p, mem_ctx, &r);
2613                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2614                         d_printf("(%s) dcerpc_wkssvc_NetWksGetInfo failed: "
2615                                  "%s, %s\n", __location__, nt_errstr(status),
2616                                  win_errstr(r.out.result));
2617                         talloc_free(mem_ctx);
2618                         return False;
2619                 }
2620
2621                 if (strcmp(servername,
2622                            r.out.info->info100->server_name) != 0) {
2623                         d_printf("(%s) servername inconsistency: RAP=%s, "
2624                                  "dcerpc_wkssvc_NetWksGetInfo=%s",
2625                                  __location__, servername,
2626                                  r.out.info->info100->server_name);
2627                         talloc_free(mem_ctx);
2628                         return False;
2629                 }
2630         }
2631
2632         talloc_free(mem_ctx);
2633         return True;
2634 }
2635
2636 static NTSTATUS winreg_close(struct dcerpc_pipe *p,
2637                              struct policy_handle *handle)
2638 {
2639         struct winreg_CloseKey c;
2640         NTSTATUS status;
2641         TALLOC_CTX *mem_ctx;
2642
2643         c.in.handle = c.out.handle = handle;
2644
2645         if (!(mem_ctx = talloc_new(p))) {
2646                 return NT_STATUS_NO_MEMORY;
2647         }
2648
2649         status = dcerpc_winreg_CloseKey(p, mem_ctx, &c);
2650         talloc_free(mem_ctx);
2651
2652         if (!NT_STATUS_IS_OK(status)) {
2653                 return status;
2654         }
2655
2656         if (!W_ERROR_IS_OK(c.out.result)) {
2657                 return werror_to_ntstatus(c.out.result);
2658         }
2659
2660         return NT_STATUS_OK;
2661 }
2662
2663 static NTSTATUS enumvalues(struct dcerpc_pipe *p, struct policy_handle *handle,
2664                            TALLOC_CTX *mem_ctx)
2665 {
2666         uint32_t enum_index = 0;
2667
2668         while (1) {
2669                 struct winreg_EnumValue r;
2670                 struct winreg_StringBuf name;
2671                 enum winreg_Type type = 0;
2672                 uint8_t buf8[1024];
2673                 NTSTATUS status;
2674                 uint32_t size, length;
2675                 
2676                 r.in.handle = handle;
2677                 r.in.enum_index = enum_index;
2678                 name.name = "";
2679                 name.size = 1024;
2680                 r.in.name = r.out.name = &name;
2681                 size = 1024;
2682                 length = 5;
2683                 r.in.type = &type;
2684                 r.in.value = buf8;
2685                 r.in.size = &size;
2686                 r.in.length = &length;
2687
2688                 status = dcerpc_winreg_EnumValue(p, mem_ctx, &r);
2689                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2690                         return NT_STATUS_OK;
2691                 }
2692                 enum_index += 1;
2693         }
2694 }
2695
2696 static NTSTATUS enumkeys(struct dcerpc_pipe *p, struct policy_handle *handle, 
2697                          TALLOC_CTX *mem_ctx, int depth)
2698 {
2699         struct winreg_EnumKey r;
2700         struct winreg_StringBuf class, name;
2701         NTSTATUS status;
2702         NTTIME t = 0;
2703
2704         if (depth <= 0) {
2705                 return NT_STATUS_OK;
2706         }
2707
2708         class.name   = "";
2709         class.size   = 1024;
2710
2711         r.in.handle = handle;
2712         r.in.enum_index = 0;
2713         r.in.name = &name;
2714         r.in.keyclass = &class;
2715         r.out.name = &name;
2716         r.in.last_changed_time = &t;
2717
2718         do {
2719                 TALLOC_CTX *tmp_ctx;
2720                 struct winreg_OpenKey o;
2721                 struct policy_handle key_handle;
2722                 int i;
2723
2724                 if (!(tmp_ctx = talloc_new(mem_ctx))) {
2725                         return NT_STATUS_NO_MEMORY;
2726                 }
2727
2728                 name.name = NULL;
2729                 name.size = 1024;
2730
2731                 status = dcerpc_winreg_EnumKey(p, tmp_ctx, &r);
2732                 if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2733                         /* We're done enumerating */
2734                         talloc_free(tmp_ctx);
2735                         return NT_STATUS_OK;
2736                 }
2737
2738                 for (i=0; i<10-depth; i++)
2739                         printf(" ");
2740                 printf("%s\n", r.out.name->name);
2741                         
2742
2743                 o.in.parent_handle = handle;
2744                 o.in.keyname.name = r.out.name->name;
2745                 o.in.unknown = 0;
2746                 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2747                 o.out.handle = &key_handle;
2748
2749                 status = dcerpc_winreg_OpenKey(p, tmp_ctx, &o);
2750                 if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(o.out.result)) {
2751                         enumkeys(p, &key_handle, tmp_ctx, depth-1);
2752                         enumvalues(p, &key_handle, tmp_ctx);
2753                         status = winreg_close(p, &key_handle);
2754                         if (!NT_STATUS_IS_OK(status)) {
2755                                 return status;
2756                         }
2757                 }
2758
2759                 talloc_free(tmp_ctx);
2760
2761                 r.in.enum_index += 1;
2762         } while(True);
2763
2764         return NT_STATUS_OK;
2765 }
2766
2767 typedef NTSTATUS (*winreg_open_fn)(struct dcerpc_pipe *, TALLOC_CTX *, void *);
2768
2769 static BOOL test_Open3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, 
2770                        const char *name, winreg_open_fn open_fn)
2771 {
2772         struct policy_handle handle;
2773         struct winreg_OpenHKLM r;
2774         NTSTATUS status;
2775
2776         r.in.system_name = 0;
2777         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2778         r.out.handle = &handle;
2779         
2780         status = open_fn(p, mem_ctx, &r);
2781         if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
2782                 d_printf("(%s) %s failed: %s, %s\n", __location__, name,
2783                          nt_errstr(status), win_errstr(r.out.result));
2784                 return False;
2785         }
2786
2787         enumkeys(p, &handle, mem_ctx, 4);
2788
2789         status = winreg_close(p, &handle);
2790         if (!NT_STATUS_IS_OK(status)) {
2791                 d_printf("(%s) dcerpc_CloseKey failed: %s\n",
2792                          __location__, nt_errstr(status));
2793                 return False;
2794         }
2795
2796         return True;
2797 }
2798
2799 BOOL torture_samba3_rpc_winreg(struct torture_context *torture)
2800 {
2801         NTSTATUS status;
2802         struct dcerpc_pipe *p;
2803         TALLOC_CTX *mem_ctx;
2804         BOOL ret = True;
2805         struct {
2806                 const char *name;
2807                 winreg_open_fn fn;
2808         } open_fns[] = {
2809                 {"OpenHKLM", (winreg_open_fn)dcerpc_winreg_OpenHKLM },
2810                 {"OpenHKU",  (winreg_open_fn)dcerpc_winreg_OpenHKU },
2811                 {"OpenHKPD", (winreg_open_fn)dcerpc_winreg_OpenHKPD },
2812                 {"OpenHKPT", (winreg_open_fn)dcerpc_winreg_OpenHKPT },
2813                 {"OpenHKCR", (winreg_open_fn)dcerpc_winreg_OpenHKCR }};
2814         int i;
2815
2816         mem_ctx = talloc_init("torture_rpc_winreg");
2817
2818         status = torture_rpc_connection(mem_ctx, &p, &dcerpc_table_winreg);
2819
2820         if (!NT_STATUS_IS_OK(status)) {
2821                 talloc_free(mem_ctx);
2822                 return False;
2823         }
2824
2825 #if 1
2826         ret = test_Open3(p, mem_ctx, open_fns[0].name, open_fns[0].fn);
2827 #else
2828         for (i = 0; i < ARRAY_SIZE(open_fns); i++) {
2829                 if (!test_Open3(p, mem_ctx, open_fns[i].name, open_fns[i].fn))
2830                         ret = False;
2831         }
2832 #endif
2833
2834         talloc_free(mem_ctx);
2835
2836         return ret;
2837 }