summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-09-22 01:50:58 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:38:39 -0500
commit51cbc188df03f9ee38599fe5a87ec2608117a845 (patch)
treee446c68879a08f5c30de72d6029f6d7e2a32880b
parent3b7f8ddd9a7c0d372a0585790913ac95c9eb3324 (diff)
downloadsamba-51cbc188df03f9ee38599fe5a87ec2608117a845.tar.gz
samba-51cbc188df03f9ee38599fe5a87ec2608117a845.tar.bz2
samba-51cbc188df03f9ee38599fe5a87ec2608117a845.zip
r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
-rw-r--r--source4/auth/kerberos/kerberos_util.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp_client.c4
-rw-r--r--source4/client/client.c2
-rw-r--r--source4/lib/cmdline/credentials.c3
-rw-r--r--source4/lib/credentials.c36
-rw-r--r--source4/lib/messaging/config.mk2
-rw-r--r--source4/libcli/composite/sesssetup.c10
-rw-r--r--source4/librpc/rpc/dcerpc_schannel.c4
-rw-r--r--source4/scripting/ejs/smbcalls_auth.c2
-rw-r--r--source4/scripting/ejs/smbcalls_creds.c2
-rw-r--r--source4/torture/rpc/netlogon.c6
-rw-r--r--source4/torture/rpc/samlogon.c358
-rw-r--r--source4/torture/rpc/schannel.c4
-rw-r--r--source4/utils/net/net_password.c4
14 files changed, 274 insertions, 165 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index d0bb2f4f52..3a6aff9df8 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -60,7 +60,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return ENOMEM;
}
- machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
+ machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
if (!machine_username) {
talloc_free(mem_ctx);
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index feee14a857..7801e0208d 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -164,8 +164,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return NT_STATUS_INVALID_PARAMETER;
}
- user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx);
- domain = cli_credentials_get_domain(gensec_security->credentials);
+ cli_credentials_get_ntlm_username_domain(gensec_security->credentials, out_mem_ctx,
+ &user, &domain);
nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx);
diff --git a/source4/client/client.c b/source4/client/client.c
index 58fb8cc350..b6b95a4ebd 100644
--- a/source4/client/client.c
+++ b/source4/client/client.c
@@ -197,7 +197,7 @@ static void send_message(void)
int total_len = 0;
int grp_id;
- if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials, cmdline_credentials), &grp_id)) {
+ if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials), &grp_id)) {
d_printf("message start: %s\n", smbcli_errstr(cli->tree));
return;
}
diff --git a/source4/lib/cmdline/credentials.c b/source4/lib/cmdline/credentials.c
index f164663118..a3d4920e6d 100644
--- a/source4/lib/cmdline/credentials.c
+++ b/source4/lib/cmdline/credentials.c
@@ -32,8 +32,7 @@ static const char *cmdline_get_userpassword(struct cli_credentials *credentials)
const char *username;
TALLOC_CTX *mem_ctx = talloc_new(NULL);
- domain = cli_credentials_get_domain(credentials);
- username = cli_credentials_get_username(credentials, mem_ctx);
+ cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
if (domain && domain[0]) {
prompt = talloc_asprintf(mem_ctx, "Password for [%s\\%s]:",
domain, username);
diff --git a/source4/lib/credentials.c b/source4/lib/credentials.c
index 4650fee1af..045047d358 100644
--- a/source4/lib/credentials.c
+++ b/source4/lib/credentials.c
@@ -58,23 +58,18 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_username(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+const char *cli_credentials_get_username(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred);
}
- /* If we have a principal set on this, we want to login with "" domain and user@realm */
- if (cred->username_obtained < cred->principal_obtained) {
- return cli_credentials_get_principal(cred, mem_ctx);
- }
-
if (cred->username_obtained == CRED_CALLBACK) {
cred->username = cred->username_cb(cred);
cred->username_obtained = CRED_SPECIFIED;
}
- return talloc_reference(mem_ctx, cred->username);
+ return cred->username;
}
BOOL cli_credentials_set_username(struct cli_credentials *cred,
@@ -122,10 +117,12 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C
if (cred->principal_obtained < cred->username_obtained) {
if (cred->domain_obtained > cred->realm_obtained) {
- return NULL;
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred),
+ cli_credentials_get_domain(cred));
} else {
return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
@@ -283,7 +280,6 @@ int cli_credentials_set_from_ccache(struct cli_credentials *cred,
realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ);
- cli_credentials_set_realm(cred, *realm, obtained);
cli_credentials_set_principal(cred, name, obtained);
free(name);
@@ -466,11 +462,6 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred)
cli_credentials_set_machine_account(cred);
}
- /* If we have a principal set on this, we want to login with "" domain and user@realm */
- if (cred->domain_obtained < cred->principal_obtained) {
- return "";
- }
-
if (cred->domain_obtained == CRED_CALLBACK) {
cred->domain = cred->domain_cb(cred);
cred->domain_obtained = CRED_SPECIFIED;
@@ -505,6 +496,19 @@ BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred,
return False;
}
+void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
+ const char **username,
+ const char **domain)
+{
+ if (cred->principal_obtained > cred->username_obtained) {
+ *domain = talloc_strdup(mem_ctx, "");
+ *username = cli_credentials_get_principal(cred, mem_ctx);
+ } else {
+ *domain = cli_credentials_get_domain(cred);
+ *username = cli_credentials_get_username(cred);
+ }
+}
+
/**
* Obtain the Kerberos realm for this credentials context.
* @param cred credentials context
@@ -1028,7 +1032,7 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred)
BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
{
TALLOC_CTX *tmp_ctx = talloc_new(cred);
- const char *username = cli_credentials_get_username(cred, tmp_ctx);
+ const char *username = cli_credentials_get_username(cred);
/* Yes, it is deliberate that we die if we have a NULL pointer
* here - anonymous is "", not NULL, which is 'never specified,
diff --git a/source4/lib/messaging/config.mk b/source4/lib/messaging/config.mk
index c94d137d3f..2cba66f0a3 100644
--- a/source4/lib/messaging/config.mk
+++ b/source4/lib/messaging/config.mk
@@ -4,6 +4,8 @@
[SUBSYSTEM::MESSAGING]
INIT_OBJ_FILES = \
lib/messaging/messaging.o
+# \
+# lib/messaging/msgutil.o
NOPROTO = YES
REQUIRED_SUBSYSTEMS = \
NDR_IRPC \
diff --git a/source4/libcli/composite/sesssetup.c b/source4/libcli/composite/sesssetup.c
index b925f99bed..3bd9ed285d 100644
--- a/source4/libcli/composite/sesssetup.c
+++ b/source4/libcli/composite/sesssetup.c
@@ -174,8 +174,9 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
state->setup.nt1.in.capabilities = io->in.capabilities;
state->setup.nt1.in.os = "Unix";
state->setup.nt1.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
- state->setup.nt1.in.user = cli_credentials_get_username(io->in.credentials, state);
- state->setup.nt1.in.domain = cli_credentials_get_domain(io->in.credentials);
+ cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
+ &state->setup.nt1.in.user,
+ &state->setup.nt1.in.domain);
if (!password) {
state->setup.nt1.in.password1 = data_blob(NULL, 0);
@@ -259,10 +260,11 @@ static NTSTATUS session_setup_old(struct composite_context *c,
state->setup.old.in.mpx_max = session->transport->options.max_mux;
state->setup.old.in.vc_num = 1;
state->setup.old.in.sesskey = io->in.sesskey;
- state->setup.old.in.domain = cli_credentials_get_domain(io->in.credentials);
- state->setup.old.in.user = cli_credentials_get_username(io->in.credentials, state);
state->setup.old.in.os = "Unix";
state->setup.old.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
+ cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
+ &state->setup.old.in.user,
+ &state->setup.old.in.domain);
if (!password) {
state->setup.old.in.password = data_blob(NULL, 0);
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 77c8c028af..ae4ce94269 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -110,7 +110,7 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
negotiate_flags);
a.in.server_name = r.in.server_name;
- a.in.account_name = cli_credentials_get_username(credentials, tmp_ctx);
+ a.in.account_name = cli_credentials_get_username(credentials);
a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(credentials);
a.in.computer_name = cli_credentials_get_workstation(credentials);
@@ -153,7 +153,7 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
- cli_credentials_get_username(credentials, tmp_ctx),
+ cli_credentials_get_username(credentials),
nt_errstr(status)));
return status;
}
diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c
index e3b48490f6..672694bbc5 100644
--- a/source4/scripting/ejs/smbcalls_auth.c
+++ b/source4/scripting/ejs/smbcalls_auth.c
@@ -122,7 +122,7 @@ static int ejs_userAuth(MprVarHandle eid, int argc, struct MprVar **argv)
tmp_ctx = talloc_new(mprMemCtx());
- username = cli_credentials_get_username(creds, tmp_ctx);
+ username = cli_credentials_get_username(creds);
password = cli_credentials_get_password(creds);
domain = cli_credentials_get_domain(creds);
remote_host = cli_credentials_get_workstation(creds);
diff --git a/source4/scripting/ejs/smbcalls_creds.c b/source4/scripting/ejs/smbcalls_creds.c
index f9d231293a..cc2ccf8c47 100644
--- a/source4/scripting/ejs/smbcalls_creds.c
+++ b/source4/scripting/ejs/smbcalls_creds.c
@@ -73,7 +73,7 @@ static int ejs_creds_get_username(MprVarHandle eid, int argc, struct MprVar **ar
{
struct cli_credentials *creds = ejs_creds_get_credentials(eid);
- mpr_Return(eid, mprString(cli_credentials_get_username(creds, mprMemCtx())));
+ mpr_Return(eid, mprString(cli_credentials_get_username(creds)));
return 0;
}
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 2ac5e39084..a8d881f665 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -38,7 +38,7 @@ static BOOL test_LogonUasLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
struct netr_LogonUasLogon r;
r.in.server_name = NULL;
- r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
+ r.in.account_name = cli_credentials_get_username(cmdline_credentials);
r.in.workstation = TEST_MACHINE_NAME;
printf("Testing LogonUasLogon\n");
@@ -59,7 +59,7 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
struct netr_LogonUasLogoff r;
r.in.server_name = NULL;
- r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
+ r.in.account_name = cli_credentials_get_username(cmdline_credentials);
r.in.workstation = TEST_MACHINE_NAME;
printf("Testing LogonUasLogoff\n");
@@ -487,7 +487,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
- const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
+ const char *username = cli_credentials_get_username(cmdline_credentials);
const char *password = cli_credentials_get_password(cmdline_credentials);
struct creds_CredentialState *creds;
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 42051795c8..06dcecb9e7 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -52,7 +52,7 @@ struct samlogon_state {
struct netr_LogonSamLogonWithFlags r_flags;
struct netr_Authenticator auth, auth2;
struct creds_CredentialState *creds;
-
+ NTSTATUS expected_error;
DATA_BLOB chall;
};
@@ -335,12 +335,18 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
if (break_which == NO_NT && !lm_good) {
- printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!");
+ *error_string = strdup("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!");
return False;
}
@@ -362,7 +368,7 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm
memset(lm_key_expected+8, '\0', 8);
if (memcmp(lm_key_expected, user_session_key,
16) != 0) {
- printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
+ *error_string = strdup("NT Session Key does not match expectations (should be first-8 LM hash)!\n");
printf("user_session_key:\n");
dump_data(1, user_session_key, sizeof(user_session_key));
printf("expected:\n");
@@ -374,7 +380,7 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm
default:
if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
- printf("NT Session Key does not match expectations!\n");
+ *error_string = strdup("NT Session Key does not match expectations!\n");
printf("user_session_key:\n");
dump_data(1, user_session_key, 16);
printf("expected:\n");
@@ -433,7 +439,13 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_
user_session_key,
error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
@@ -503,6 +515,16 @@ static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **erro
user_session_key,
error_string);
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
+ return False;
+ }
+
if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
@@ -601,10 +623,17 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state,
return break_which == BREAK_BOTH;
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
+
switch (break_which) {
case NO_NT:
if (memcmp(lmv2_session_key.data, user_session_key,
@@ -752,7 +781,13 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state,
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
}
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
@@ -1006,7 +1041,13 @@ static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_strin
user_session_key,
error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
+ SAFE_FREE(*error_string);
+ asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
+ return False;
+ } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) {
+ return True;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
@@ -1175,7 +1216,7 @@ static const struct ntlm_tests {
static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *account_domain, const char *account_name,
- const char *plain_pass,
+ const char *plain_pass, NTSTATUS expected_error,
int n_subtests)
{
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_SamLogon function-level context");
@@ -1196,7 +1237,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
samlogon_state.password = plain_pass;
samlogon_state.p = p;
samlogon_state.creds = creds;
-
+ samlogon_state.expected_error = expected_error;
samlogon_state.chall = data_blob_talloc(fn_ctx, NULL, 8);
generate_random_buffer(samlogon_state.chall.data, 8);
@@ -1263,7 +1304,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct creds_CredentialState *creds,
const char *workstation_name,
const char *account_domain, const char *account_name,
- const char *plain_pass)
+ const char *plain_pass, NTSTATUS expected_error)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
@@ -1318,9 +1359,9 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
talloc_free(fn_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - %s\n",
- account_name, account_domain, nt_errstr(status));
+ if (!NT_STATUS_EQUAL(expected_error, status)) {
+ printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n",
+ account_domain, account_name, nt_errstr(expected_error), nt_errstr(status));
return False;
}
@@ -1334,7 +1375,7 @@ BOOL torture_rpc_samlogon(void)
NTSTATUS status;
struct dcerpc_pipe *p;
struct dcerpc_binding *b;
- struct cli_credentials *credentials;
+ struct cli_credentials *machine_credentials;
TALLOC_CTX *mem_ctx = talloc_init("torture_rpc_netlogon");
BOOL ret = True;
struct test_join *join_ctx;
@@ -1358,73 +1399,7 @@ BOOL torture_rpc_samlogon(void)
struct creds_CredentialState *creds;
- struct {
- const char *domain;
- const char *username;
- const char *password;
- BOOL network_login;
- } usercreds[] = {
- {
- cli_credentials_get_domain(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
- {
- cli_credentials_get_realm(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_domain(cmdline_credentials)
- ),
- cli_credentials_get_password(cmdline_credentials),
- False
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- cli_credentials_get_username(cmdline_credentials, mem_ctx),
- cli_credentials_get_realm(cmdline_credentials)
- ),
- cli_credentials_get_password(cmdline_credentials),
- True
- },
-#if 0
- {
- lp_parm_string(-1, "torture", "userdomain"),
- TEST_USER_NAME,
- NULL,
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- TEST_USER_NAME,
- lp_realm()),
- NULL,
- True
- },
- {
- NULL,
- talloc_asprintf(mem_ctx,
- "%s@%s",
- TEST_USER_NAME,
- lp_parm_string(-1, "torture", "userdomain")),
- NULL,
- False
- }
-#endif
- };
-
- credentials = cli_credentials_init(mem_ctx);
+ machine_credentials = cli_credentials_init(mem_ctx);
test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME);
/* We only need to join as a workstation here, and in future,
@@ -1446,9 +1421,6 @@ BOOL torture_rpc_samlogon(void)
return False;
}
- usercreds[3].password = user_password;
- usercreds[4].password = user_password;
- usercreds[5].password = user_password;
#endif
status = dcerpc_parse_binding(mem_ctx, binding, &b);
@@ -1464,17 +1436,18 @@ BOOL torture_rpc_samlogon(void)
b->flags &= ~DCERPC_AUTH_OPTIONS;
b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
- cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
- cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
- cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
- cli_credentials_set_secure_channel_type(credentials,
+ cli_credentials_set_workstation(machine_credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
+ cli_credentials_set_domain(machine_credentials, lp_workgroup(), CRED_SPECIFIED);
+ cli_credentials_set_realm(machine_credentials, lp_realm(), CRED_SPECIFIED);
+ cli_credentials_set_username(machine_credentials, test_machine_account, CRED_SPECIFIED);
+ cli_credentials_set_password(machine_credentials, machine_password, CRED_SPECIFIED);
+ cli_credentials_set_secure_channel_type(machine_credentials,
SEC_CHAN_WKSTA);
status = dcerpc_pipe_connect_b(mem_ctx, &p, b,
DCERPC_NETLOGON_UUID,
DCERPC_NETLOGON_VERSION,
- credentials, NULL);
+ machine_credentials, NULL);
if (!NT_STATUS_IS_OK(status)) {
printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
@@ -1488,52 +1461,181 @@ BOOL torture_rpc_samlogon(void)
goto failed;
}
- /* Try all the tests for different username forms */
- for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
+ {
- if (!test_InteractiveLogon(p, mem_ctx, creds,
- TEST_MACHINE_NAME,
- usercreds[ci].domain,
- usercreds[ci].username,
- usercreds[ci].password)) {
- ret = False;
- }
+ struct {
+ const char *domain;
+ const char *username;
+ const char *password;
+ BOOL network_login;
+ NTSTATUS expected_interactive_error;
+ NTSTATUS expected_network_error;
+ } usercreds[] = {
+ {
+ cli_credentials_get_domain(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ cli_credentials_get_realm(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_domain(cmdline_credentials)
+ ),
+ cli_credentials_get_password(cmdline_credentials),
+ False,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_realm(cmdline_credentials)
+ ),
+ cli_credentials_get_password(cmdline_credentials),
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ cli_credentials_get_domain(machine_credentials),
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ cli_credentials_get_realm(machine_credentials),
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_domain(machine_credentials)
+ ),
+ cli_credentials_get_password(machine_credentials),
+ False,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ cli_credentials_get_username(machine_credentials),
+ cli_credentials_get_realm(machine_credentials)
+ ),
+ cli_credentials_get_password(machine_credentials),
+ True,
+ NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
+ },
+#if 0
+ {
+ lp_parm_string(-1, "torture", "userdomain"),
+ TEST_USER_NAME,
+ user_password,
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ TEST_USER_NAME,
+ lp_realm()),
+ user_password,
+ True,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ },
+ {
+ NULL,
+ talloc_asprintf(mem_ctx,
+ "%s@%s",
+ TEST_USER_NAME,
+ lp_parm_string(-1, "torture", "userdomain")),
+ user_password,
+ False,
+ NT_STATUS_OK,
+ NT_STATUS_OK
+ }
+#endif
+ };
- if (usercreds[ci].network_login) {
- if (!test_SamLogon(p, mem_ctx, creds,
- usercreds[ci].domain,
- usercreds[ci].username,
- usercreds[ci].password,
- 0)) {
+ /* Try all the tests for different username forms */
+ for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) {
+
+ if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
+ usercreds[ci].domain,
+ usercreds[ci].username,
+ usercreds[ci].password,
+ usercreds[ci].expected_interactive_error)) {
ret = False;
}
+
+ if (usercreds[ci].network_login) {
+ if (!test_SamLogon(p, mem_ctx, creds,
+ usercreds[ci].domain,
+ usercreds[ci].username,
+ usercreds[ci].password,
+ usercreds[ci].expected_network_error,
+ 0)) {
+ ret = False;
+ }
+ }
}
- }
- /* Using the first username form, try the different
- * credentials flag setups, on only one of the tests (checks
- * session key encryption) */
-
- for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
- if (!test_InteractiveLogon(p, mem_ctx, creds,
- TEST_MACHINE_NAME,
- usercreds[0].domain,
- usercreds[0].username,
- usercreds[0].password)) {
- ret = False;
- }
-
- if (usercreds[ci].network_login) {
- if (!test_SamLogon(p, mem_ctx, creds,
- usercreds[0].domain,
- usercreds[0].username,
- usercreds[0].password,
- 1)) {
+ /* Using the first username form, try the different
+ * credentials flag setups, on only one of the tests (checks
+ * session key encryption) */
+
+ for (i=0; i < ARRAY_SIZE(credential_flags); i++) {
+ if (!test_InteractiveLogon(p, mem_ctx, creds,
+ TEST_MACHINE_NAME,
+ usercreds[0].domain,
+ usercreds[0].username,
+ usercreds[0].password,
+ usercreds[0].expected_interactive_error)) {
ret = False;
}
+
+ if (usercreds[ci].network_login) {
+ if (!test_SamLogon(p, mem_ctx, creds,
+ usercreds[0].domain,
+ usercreds[0].username,
+ usercreds[0].password,
+ usercreds[0].expected_network_error,
+ 1)) {
+ ret = False;
+ }
+ }
}
- }
+ }
failed:
talloc_free(mem_ctx);
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 3f02622e1c..c10405354e 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -86,13 +86,13 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
try a netlogon SamLogon
*/
static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds)
+ struct creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
- const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
+ const char *username = cli_credentials_get_username(cmdline_credentials);
const char *password = cli_credentials_get_password(cmdline_credentials);
int i;
BOOL ret = True;
diff --git a/source4/utils/net/net_password.c b/source4/utils/net/net_password.c
index 0bfb8a5be8..1912beeb41 100644
--- a/source4/utils/net/net_password.c
+++ b/source4/utils/net/net_password.c
@@ -49,7 +49,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a
} else {
password_prompt = talloc_asprintf(ctx->mem_ctx, "Enter new password for account [%s\\%s]:",
cli_credentials_get_domain(ctx->credentials),
- cli_credentials_get_username(ctx->credentials, ctx->mem_ctx));
+ cli_credentials_get_username(ctx->credentials));
new_password = getpass(password_prompt);
}
@@ -61,7 +61,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a
/* prepare password change */
r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC;
- r.generic.in.account_name = cli_credentials_get_username(ctx->credentials, ctx->mem_ctx);
+ r.generic.in.account_name = cli_credentials_get_username(ctx->credentials);
r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials);
r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials);
r.generic.in.newpassword = new_password;