authorAndrew Bartlett <abartlet@samba.org>2005-08-06 23:07:21 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:31:26 -0500
commitc46b658eecdb33c11b00c3059210fb0846373c9b (patch)
tree571c797b4976b0e55c699e569d44e02f5a09f518
parent910c1d55c24f52cb38b4b54db641a5d67764ea58 (diff)
r9166: This checks more of the auth subsystem in the PAC test.
Andrew Bartlett (This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f)
-rw-r--r--source4/torture/auth/pac.c134
-rw-r--r--source4/torture/rpc/samlogon.c13
-rw-r--r--source4/torture/rpc/xplogin.c117
3 files changed, 147 insertions, 117 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 74a31af890..43a9fd44b5 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
DATA_BLOB tmp_blob;
struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes[16];
@@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
struct smb_krb5_context *smb_krb5_context;
struct auth_serversupplied_info *server_info;
+ struct auth_serversupplied_info *server_info_out;
ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
@@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
server_bytes, sizeof(server_bytes),
&server_keyblock);
if (ret) {
- DEBUG(1, ("Server Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("Server Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
talloc_free(mem_ctx);
return False;
}
@@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
krbtgt_bytes, sizeof(krbtgt_bytes),
&krbtgt_keyblock);
if (ret) {
- DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("KRBTGT Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
talloc_free(mem_ctx);
@@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
&tmp_blob);
if (ret) {
- DEBUG(1, ("PAC encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
+ printf("PAC encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
@@ -126,18 +129,64 @@ static BOOL torture_pac_self_check(void)
&krbtgt_keyblock,
&server_keyblock);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ DEBUG(1, ("PAC decoding failed: %s\n",
+ nt_errstr(nt_status)));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ /* Now check that we can read it back */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
- if (ret) {
- DEBUG(1, ("PAC decoding failed: %s\n",
- nt_errstr(nt_status)));
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
talloc_free(mem_ctx);
return False;
}
-
+
+ if (!dom_sid_equal(server_info->account_sid,
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ dom_sid_string(mem_ctx, server_info->account_sid),
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
talloc_free(mem_ctx);
return True;
}
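Review bot: The first error path added in this hunk (the one after the decode call whose trailing keyblock arguments open the hunk) still reports via `DEBUG(1, ("PAC decoding failed: %s\n", nt_errstr(nt_status)));` while every other failure message this commit touches in pac.c is converted to `printf`, so a failed PAC decode stays invisible at the default debug level; change it to `printf("PAC decoding failed: %s\n", nt_errstr(nt_status));` for consistency with the neighbouring paths. The mismatch check at the end compares `server_info->account_sid` with `server_info_out->account_sid`, i.e. the account SID, but the message calls it a "domain SID" — `"PAC Decode resulted in *different* account SID: %s != %s\n"` would describe what is actually compared (the same wording appears in the torture_pac_saved_check hunk below). The account SID is also the only field of the round-tripped server_info that is checked; if this is meant to exercise the PAC-to-server_info conversion, comparing further fields would make the test stronger, though which fields `struct auth_serversupplied_info` offers is not visible here. torture_pac_self_check starts before this hunk.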
@@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
+
+ struct auth_serversupplied_info *server_info_out;
+
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock;
uint8_t server_bytes[16];
@@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
}
tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
-
+
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
-
+
dump_data(10,tmp_blob.data,tmp_blob.length);
/* Decode and verify the signaure on the PAC */
@@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
return False;
}
+ /* Parse the PAC again, for the logon info this time */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ "S-1-5-21-3048156945-3961193616-3706469200-1005",
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
ret = kerberos_encode_pac(mem_ctx,
pac_data,
smb_krb5_context->krb5_context,
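Review bot: The SID-mismatch path added near the end of this hunk returns False without releasing the two krb5 keyblocks, whereas the two error paths directly above it (after `kerberos_pac_logon_info` and after `make_server_info_netlogon_validation`) both call `krb5_free_keyblock_contents` on `&krbtgt_keyblock` and `&server_keyblock` before `talloc_free(mem_ctx)`; since those contents are krb5-allocated, freeing mem_ctx alone does not appear to cover them, so add `krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock);` and `krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock);` before the `talloc_free(mem_ctx);` in that block. The expected SID literal `"S-1-5-21-3048156945-3961193616-3706469200-1005"` is repeated twice (once for `dom_sid_parse_talloc`, once for the message); a single `static const char` or local `const char *expected_sid` would keep the two from drifting apart. The result of `dom_sid_parse_talloc` is passed straight to `dom_sid_equal`; if that helper can return NULL (e.g. on allocation failure), it is worth checking before the comparison, unless `dom_sid_equal` is known to be NULL-safe. As in the self-check hunk, the message says "domain SID" although `server_info_out->account_sid` is what is compared. torture_pac_saved_check continues past the end of this hunk.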
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index e219e9c140..607dbaec8a 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -1259,10 +1259,11 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
/*
test an ADS style interactive domain logon
*/
-static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
- const char *account_domain, const char *account_name,
- const char *plain_pass)
+BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ struct creds_CredentialState *creds,
+ const char *workstation_name,
+ const char *account_domain, const char *account_name,
+ const char *plain_pass)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
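Review bot: `test_InteractiveLogon` loses its `static` here and is called from xplogin.c later in this commit, but no prototype is added to a header in this diff, so the xplogin.c caller would rely on an implicit declaration (or on a header change not shown) unless one exists elsewhere; a declaration in a shared torture header, or a local `extern` with the full new signature, would let the compiler check the newly added `workstation_name` argument at every call site. The comment block directly above the signature (`test an ADS style interactive domain logon`) is unchanged and does not mention the new parameter; extending it with a line such as `workstation_name is placed in identity_info.workstation and must match the netlogon credentials` (the first half is visible in the next hunk, the second half is an assumption to confirm) would document the new contract. The body of test_InteractiveLogon continues beyond this hunk.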
@@ -1290,7 +1291,7 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
pinfo.identity_info.logon_id_low = 0;
pinfo.identity_info.logon_id_high = 0;
pinfo.identity_info.account_name.string = account_name;
- pinfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+ pinfo.identity_info.workstation.string = workstation_name;
if (!E_deshash(plain_pass, pinfo.lmpassword.hash)) {
ZERO_STRUCT(pinfo.lmpassword.hash);
@@ -1491,6 +1492,7 @@ BOOL torture_rpc_samlogon(void)
for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
usercreds[ci].domain,
usercreds[ci].username,
usercreds[ci].password)) {
@@ -1514,6 +1516,7 @@ BOOL torture_rpc_samlogon(void)
for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
usercreds[0].domain,
usercreds[0].username,
usercreds[0].password)) {
diff --git a/source4/torture/rpc/xplogin.c b/source4/torture/rpc/xplogin.c
index c841267d97..acf7a41657 100644
--- a/source4/torture/rpc/xplogin.c
+++ b/source4/torture/rpc/xplogin.c
@@ -29,6 +29,7 @@
#include "libcli/composite/composite.h"
#if 0
+
static NTSTATUS after_negprot(struct smbcli_transport **dst_transport,
const char *dest_host, uint16_t port,
const char *my_name)
@@ -501,79 +502,6 @@ static NTSTATUS setup_netlogon_creds(struct smbcli_transport *transport,
return NT_STATUS_OK;
}
-static NTSTATUS torture_samlogon(struct dcerpc_pipe *p,
- struct creds_CredentialState *netlogon_creds,
- const char *workstation,
- const char *domain,
- const char *username,
- const char *password)
-{
- TALLOC_CTX *mem_ctx;
- struct netr_LogonSamLogon log;
- struct netr_NetworkInfo ninfo;
- struct netr_Authenticator auth, auth2;
- uint8_t user_session_key[16];
- DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
- DATA_BLOB lmv2_response = data_blob(NULL, 0);
- DATA_BLOB names_blob;
- DATA_BLOB chall;
- NTSTATUS status;
-
- mem_ctx = talloc_init("torture_samlogon");
-
- ZERO_STRUCT(user_session_key);
-
- printf("testing netr_LogonSamLogon\n");
-
- log.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s",
- dcerpc_server_name(p));
- log.in.workstation = workstation;
- log.in.credential = &auth;
- log.in.return_authenticator = &auth2;
- log.in.validation_level = 3;
- log.in.logon_level = 2;
- log.in.logon.network = &ninfo;
-
- chall = data_blob_talloc(mem_ctx, NULL, 8);
- generate_random_buffer(chall.data, 8);
-
- names_blob = NTLMv2_generate_names_blob(mem_ctx, workstation,
- lp_workgroup());
- ZERO_STRUCT(user_session_key);
-
- if (!SMBNTLMv2encrypt(username, domain, password,
- &chall, &names_blob,
- &lmv2_response, &ntlmv2_response,
- NULL, NULL)) {
- data_blob_free(&names_blob);
- talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
- }
- data_blob_free(&names_blob);
-
- ninfo.identity_info.domain_name.string = domain;
- ninfo.identity_info.parameter_control = 0;
- ninfo.identity_info.logon_id_low = 0;
- ninfo.identity_info.logon_id_high = 0;
- ninfo.identity_info.account_name.string = username;
- ninfo.identity_info.workstation.string = workstation;
- memcpy(ninfo.challenge, chall.data, 8);
- ninfo.nt.data = ntlmv2_response.data;
- ninfo.nt.length = ntlmv2_response.length;
- ninfo.lm.data = NULL;
- ninfo.lm.length = 0;
-
- ZERO_STRUCT(auth2);
- creds_client_authenticator(netlogon_creds, &auth);
-
- log.out.return_authenticator = NULL;
- status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &log);
- talloc_free(mem_ctx);
- data_blob_free(&lmv2_response);
- data_blob_free(&ntlmv2_response);
- return status;
-}
-
static NTSTATUS test_getgroups(struct smbcli_transport *transport,
const char *name)
{
@@ -659,7 +587,7 @@ static NTSTATUS test_getgroups(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
- struct samr_String samr_name;
+ struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@@ -832,7 +760,7 @@ static NTSTATUS test_getallsids(struct smbcli_transport *transport,
{
struct samr_LookupNames l;
- struct samr_String samr_name;
+ struct lsa_String samr_name;
struct samr_OpenUser o;
samr_name.string = name;
@@ -1038,22 +966,20 @@ static BOOL xp_login(const char *dcname, const char *wksname,
if (!NT_STATUS_IS_OK(status))
return False;
- status = torture_samlogon(netlogon_schannel_pipe,
- netlogon_creds, wksname, domain,
- user1name, user1pw);
-
- if (!NT_STATUS_IS_OK(status))
- return False;
-
+ if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
+ netlogon_creds, wksname, domain,
+ user1name, user1pw)) {
+ return False;
+ }
+
talloc_free(netlogon_pipe);
- status = torture_samlogon(netlogon_schannel_pipe,
- netlogon_creds, wksname, domain,
- user2name, user2pw);
-
- if (!NT_STATUS_IS_OK(status))
- return False;
-
+ if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx,
+ netlogon_creds, wksname, domain,
+ user1name, user1pw)) {
+ return False;
+ }
+
status = test_getgroups(transport, user2name);
if (!NT_STATUS_IS_OK(status))
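Review bot: The second `test_InteractiveLogon` call in this hunk passes `user1name, user1pw` again, but the `torture_samlogon` call it replaces used `user2name, user2pw`, and the code that follows (`test_getgroups(transport, user2name)`) still expects the second user to have been logged on; the line should read `user2name, user2pw)) {`. This looks like a copy-paste of the first call and will not be caught at build time because, judging by the `#if 0` near the top of xplogin.c and the `#else`/`#endif` added at the end of the file, the whole of xp_login is still compiled out. The `mem_ctx` now passed as the second argument is also not visible in this hunk; if it is not a parameter or local of xp_login (the removed torture_samlogon created its own context with talloc_init), that would likewise go undiagnosed while the code is compiled out. xp_login starts and ends outside this hunk.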
@@ -1093,8 +1019,6 @@ static BOOL xp_login(const char *dcname, const char *wksname,
return True;
}
-#endif
-
struct user_pw {
const char *username;
const char *password;
@@ -1112,10 +1036,8 @@ static const struct user_pw machines[] = {
BOOL torture_rpc_login(void)
{
-#if 0
const char *pdcname = "pdcname";
const char *domainname = "domain";
-#endif
int useridx1 = rand() % ARRAY_SIZE(users);
int useridx2 = rand() % ARRAY_SIZE(users);
@@ -1125,13 +1047,18 @@ BOOL torture_rpc_login(void)
users[useridx1].username,
users[useridx2].username);
-#if 0
return xp_login(pdcname, machines[machidx].username,
domainname, machines[machidx].password,
users[useridx1].username,
users[useridx1].password,
users[useridx2].username,
users[useridx2].password);
-#endif
return False;
}
+#else
+
+BOOL torture_rpc_login(void)
+{
+ return False;
+}
+#endif
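Review bot: With the `#if 0`/`#endif` around the `return xp_login(...)` statement removed, the `return False;` that follows it in torture_rpc_login is now unreachable and should be deleted, since the only path to it is after an unconditional return. The new `#else` branch means there are now two definitions of `torture_rpc_login` in this file selected by the `#if 0` that opens near the top of xplogin.c, and the real one (together with xp_login and the helpers) is the one that is compiled out; a short comment on the `#else` such as `/* the real xp login test above is disabled; keep a stub so the torture table links */` would tell the next reader why a stub returning False exists. The intent behind keeping the test disabled is not stated in the commit message, so that reading is an inference.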