diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-09-22 01:50:58 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:38:39 -0500 |
commit | 51cbc188df03f9ee38599fe5a87ec2608117a845 (patch) | |
tree | e446c68879a08f5c30de72d6029f6d7e2a32880b | |
parent | 3b7f8ddd9a7c0d372a0585790913ac95c9eb3324 (diff) | |
download | samba-51cbc188df03f9ee38599fe5a87ec2608117a845.tar.gz samba-51cbc188df03f9ee38599fe5a87ec2608117a845.tar.bz2 samba-51cbc188df03f9ee38599fe5a87ec2608117a845.zip |
r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 2 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_client.c | 4 | ||||
-rw-r--r-- | source4/client/client.c | 2 | ||||
-rw-r--r-- | source4/lib/cmdline/credentials.c | 3 | ||||
-rw-r--r-- | source4/lib/credentials.c | 36 | ||||
-rw-r--r-- | source4/lib/messaging/config.mk | 2 | ||||
-rw-r--r-- | source4/libcli/composite/sesssetup.c | 10 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 4 | ||||
-rw-r--r-- | source4/scripting/ejs/smbcalls_auth.c | 2 | ||||
-rw-r--r-- | source4/scripting/ejs/smbcalls_creds.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 6 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 358 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 4 | ||||
-rw-r--r-- | source4/utils/net/net_password.c | 4 |
14 files changed, 274 insertions, 165 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index d0bb2f4f52..3a6aff9df8 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -60,7 +60,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, return ENOMEM; } - machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx)); + machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account)); if (!machine_username) { talloc_free(mem_ctx); diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index feee14a857..7801e0208d 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -164,8 +164,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx); - domain = cli_credentials_get_domain(gensec_security->credentials); + cli_credentials_get_ntlm_username_domain(gensec_security->credentials, out_mem_ctx, + &user, &domain); nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx); diff --git a/source4/client/client.c b/source4/client/client.c index 58fb8cc350..b6b95a4ebd 100644 --- a/source4/client/client.c +++ b/source4/client/client.c @@ -197,7 +197,7 @@ static void send_message(void) int total_len = 0; int grp_id; - if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials, cmdline_credentials), &grp_id)) { + if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials), &grp_id)) { d_printf("message start: %s\n", smbcli_errstr(cli->tree)); return; } diff --git a/source4/lib/cmdline/credentials.c b/source4/lib/cmdline/credentials.c index f164663118..a3d4920e6d 100644 --- a/source4/lib/cmdline/credentials.c +++ b/source4/lib/cmdline/credentials.c @@ -32,8 +32,7 @@ static const char *cmdline_get_userpassword(struct cli_credentials *credentials) const char *username; TALLOC_CTX *mem_ctx = talloc_new(NULL); - domain = cli_credentials_get_domain(credentials); - username = cli_credentials_get_username(credentials, mem_ctx); + cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain); if (domain && domain[0]) { prompt = talloc_asprintf(mem_ctx, "Password for [%s\\%s]:", domain, username); diff --git a/source4/lib/credentials.c b/source4/lib/credentials.c index 4650fee1af..045047d358 100644 --- a/source4/lib/credentials.c +++ b/source4/lib/credentials.c @@ -58,23 +58,18 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_username(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) +const char *cli_credentials_get_username(struct cli_credentials *cred) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred); } - /* If we have a principal set on this, we want to login with "" domain and user@realm */ - if (cred->username_obtained < cred->principal_obtained) { - return cli_credentials_get_principal(cred, mem_ctx); - } - if (cred->username_obtained == CRED_CALLBACK) { cred->username = cred->username_cb(cred); cred->username_obtained = CRED_SPECIFIED; } - return talloc_reference(mem_ctx, cred->username); + return cred->username; } BOOL cli_credentials_set_username(struct cli_credentials *cred, @@ -122,10 +117,12 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C if (cred->principal_obtained < cred->username_obtained) { if (cred->domain_obtained > cred->realm_obtained) { - return NULL; + return talloc_asprintf(mem_ctx, "%s@%s", + cli_credentials_get_username(cred), + cli_credentials_get_domain(cred)); } else { return talloc_asprintf(mem_ctx, "%s@%s", - cli_credentials_get_username(cred, mem_ctx), + cli_credentials_get_username(cred), cli_credentials_get_realm(cred)); } } @@ -283,7 +280,6 @@ int cli_credentials_set_from_ccache(struct cli_credentials *cred, realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ); - cli_credentials_set_realm(cred, *realm, obtained); cli_credentials_set_principal(cred, name, obtained); free(name); @@ -466,11 +462,6 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) cli_credentials_set_machine_account(cred); } - /* If we have a principal set on this, we want to login with "" domain and user@realm */ - if (cred->domain_obtained < cred->principal_obtained) { - return ""; - } - if (cred->domain_obtained == CRED_CALLBACK) { cred->domain = cred->domain_cb(cred); cred->domain_obtained = CRED_SPECIFIED; @@ -505,6 +496,19 @@ BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred, return False; } +void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + const char **username, + const char **domain) +{ + if (cred->principal_obtained > cred->username_obtained) { + *domain = talloc_strdup(mem_ctx, ""); + *username = cli_credentials_get_principal(cred, mem_ctx); + } else { + *domain = cli_credentials_get_domain(cred); + *username = cli_credentials_get_username(cred); + } +} + /** * Obtain the Kerberos realm for this credentials context. * @param cred credentials context @@ -1028,7 +1032,7 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) { TALLOC_CTX *tmp_ctx = talloc_new(cred); - const char *username = cli_credentials_get_username(cred, tmp_ctx); + const char *username = cli_credentials_get_username(cred); /* Yes, it is deliberate that we die if we have a NULL pointer * here - anonymous is "", not NULL, which is 'never specified, diff --git a/source4/lib/messaging/config.mk b/source4/lib/messaging/config.mk index c94d137d3f..2cba66f0a3 100644 --- a/source4/lib/messaging/config.mk +++ b/source4/lib/messaging/config.mk @@ -4,6 +4,8 @@ [SUBSYSTEM::MESSAGING] INIT_OBJ_FILES = \ lib/messaging/messaging.o +# \ +# lib/messaging/msgutil.o NOPROTO = YES REQUIRED_SUBSYSTEMS = \ NDR_IRPC \ diff --git a/source4/libcli/composite/sesssetup.c b/source4/libcli/composite/sesssetup.c index b925f99bed..3bd9ed285d 100644 --- a/source4/libcli/composite/sesssetup.c +++ b/source4/libcli/composite/sesssetup.c @@ -174,8 +174,9 @@ static NTSTATUS session_setup_nt1(struct composite_context *c, state->setup.nt1.in.capabilities = io->in.capabilities; state->setup.nt1.in.os = "Unix"; state->setup.nt1.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING); - state->setup.nt1.in.user = cli_credentials_get_username(io->in.credentials, state); - state->setup.nt1.in.domain = cli_credentials_get_domain(io->in.credentials); + cli_credentials_get_ntlm_username_domain(io->in.credentials, state, + &state->setup.nt1.in.user, + &state->setup.nt1.in.domain); if (!password) { state->setup.nt1.in.password1 = data_blob(NULL, 0); @@ -259,10 +260,11 @@ static NTSTATUS session_setup_old(struct composite_context *c, state->setup.old.in.mpx_max = session->transport->options.max_mux; state->setup.old.in.vc_num = 1; state->setup.old.in.sesskey = io->in.sesskey; - state->setup.old.in.domain = cli_credentials_get_domain(io->in.credentials); - state->setup.old.in.user = cli_credentials_get_username(io->in.credentials, state); state->setup.old.in.os = "Unix"; state->setup.old.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING); + cli_credentials_get_ntlm_username_domain(io->in.credentials, state, + &state->setup.old.in.user, + &state->setup.old.in.domain); if (!password) { state->setup.old.in.password = data_blob(NULL, 0); diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 77c8c028af..ae4ce94269 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -110,7 +110,7 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx, negotiate_flags); a.in.server_name = r.in.server_name; - a.in.account_name = cli_credentials_get_username(credentials, tmp_ctx); + a.in.account_name = cli_credentials_get_username(credentials); a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials); a.in.computer_name = cli_credentials_get_workstation(credentials); @@ -153,7 +153,7 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to setup credentials for account %s: %s\n", - cli_credentials_get_username(credentials, tmp_ctx), + cli_credentials_get_username(credentials), nt_errstr(status))); return status; } diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c index e3b48490f6..672694bbc5 100644 --- a/source4/scripting/ejs/smbcalls_auth.c +++ b/source4/scripting/ejs/smbcalls_auth.c @@ -122,7 +122,7 @@ static int ejs_userAuth(MprVarHandle eid, int argc, struct MprVar **argv) tmp_ctx = talloc_new(mprMemCtx()); - username = cli_credentials_get_username(creds, tmp_ctx); + username = cli_credentials_get_username(creds); password = cli_credentials_get_password(creds); domain = cli_credentials_get_domain(creds); remote_host = cli_credentials_get_workstation(creds); diff --git a/source4/scripting/ejs/smbcalls_creds.c b/source4/scripting/ejs/smbcalls_creds.c index f9d231293a..cc2ccf8c47 100644 --- a/source4/scripting/ejs/smbcalls_creds.c +++ b/source4/scripting/ejs/smbcalls_creds.c @@ -73,7 +73,7 @@ static int ejs_creds_get_username(MprVarHandle eid, int argc, struct MprVar **ar { struct cli_credentials *creds = ejs_creds_get_credentials(eid); - mpr_Return(eid, mprString(cli_credentials_get_username(creds, mprMemCtx()))); + mpr_Return(eid, mprString(cli_credentials_get_username(creds))); return 0; } diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 2ac5e39084..a8d881f665 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -38,7 +38,7 @@ static BOOL test_LogonUasLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct netr_LogonUasLogon r; r.in.server_name = NULL; - r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx); + r.in.account_name = cli_credentials_get_username(cmdline_credentials); r.in.workstation = TEST_MACHINE_NAME; printf("Testing LogonUasLogon\n"); @@ -59,7 +59,7 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct netr_LogonUasLogoff r; r.in.server_name = NULL; - r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx); + r.in.account_name = cli_credentials_get_username(cmdline_credentials); r.in.workstation = TEST_MACHINE_NAME; printf("Testing LogonUasLogoff\n"); @@ -487,7 +487,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct netr_LogonSamLogon r; struct netr_Authenticator auth, auth2; struct netr_NetworkInfo ninfo; - const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx); + const char *username = cli_credentials_get_username(cmdline_credentials); const char *password = cli_credentials_get_password(cmdline_credentials); struct creds_CredentialState *creds; diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 42051795c8..06dcecb9e7 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -52,7 +52,7 @@ struct samlogon_state { struct netr_LogonSamLogonWithFlags r_flags; struct netr_Authenticator auth, auth2; struct creds_CredentialState *creds; - + NTSTATUS expected_error; DATA_BLOB chall; }; @@ -335,12 +335,18 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); } - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { return False; } if (break_which == NO_NT && !lm_good) { - printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!"); + *error_string = strdup("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!"); return False; } @@ -362,7 +368,7 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm memset(lm_key_expected+8, '\0', 8); if (memcmp(lm_key_expected, user_session_key, 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); + *error_string = strdup("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); printf("user_session_key:\n"); dump_data(1, user_session_key, sizeof(user_session_key)); printf("expected:\n"); @@ -374,7 +380,7 @@ static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm default: if (memcmp(session_key.data, user_session_key, sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); + *error_string = strdup("NT Session Key does not match expectations!\n"); printf("user_session_key:\n"); dump_data(1, user_session_key, 16); printf("expected:\n"); @@ -433,7 +439,13 @@ static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_ user_session_key, error_string); - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { return False; } @@ -503,6 +515,16 @@ static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **erro user_session_key, error_string); + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { + return False; + } + if (!NT_STATUS_IS_OK(nt_status)) { return False; } @@ -601,10 +623,17 @@ static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, return break_which == BREAK_BOTH; } - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { return False; } + switch (break_which) { case NO_NT: if (memcmp(lmv2_session_key.data, user_session_key, @@ -752,7 +781,13 @@ static BOOL test_lmv2_ntlm_broken(struct samlogon_state *samlogon_state, return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); } - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { return False; } @@ -1006,7 +1041,13 @@ static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_strin user_session_key, error_string); - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) { + SAFE_FREE(*error_string); + asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status)); + return False; + } else if (NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status) && !NT_STATUS_IS_OK(nt_status)) { + return True; + } else if (!NT_STATUS_IS_OK(nt_status)) { return False; } @@ -1175,7 +1216,7 @@ static const struct ntlm_tests { static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct creds_CredentialState *creds, const char *account_domain, const char *account_name, - const char *plain_pass, + const char *plain_pass, NTSTATUS expected_error, int n_subtests) { TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_SamLogon function-level context"); @@ -1196,7 +1237,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, samlogon_state.password = plain_pass; samlogon_state.p = p; samlogon_state.creds = creds; - + samlogon_state.expected_error = expected_error; samlogon_state.chall = data_blob_talloc(fn_ctx, NULL, 8); generate_random_buffer(samlogon_state.chall.data, 8); @@ -1263,7 +1304,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct creds_CredentialState *creds, const char *workstation_name, const char *account_domain, const char *account_name, - const char *plain_pass) + const char *plain_pass, NTSTATUS expected_error) { NTSTATUS status; TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context"); @@ -1318,9 +1359,9 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, talloc_free(fn_ctx); - if (!NT_STATUS_IS_OK(status)) { - printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - %s\n", - account_name, account_domain, nt_errstr(status)); + if (!NT_STATUS_EQUAL(expected_error, status)) { + printf("[%s]\\[%s] netr_LogonSamLogonWithFlags - expected %s got %s\n", + account_domain, account_name, nt_errstr(expected_error), nt_errstr(status)); return False; } @@ -1334,7 +1375,7 @@ BOOL torture_rpc_samlogon(void) NTSTATUS status; struct dcerpc_pipe *p; struct dcerpc_binding *b; - struct cli_credentials *credentials; + struct cli_credentials *machine_credentials; TALLOC_CTX *mem_ctx = talloc_init("torture_rpc_netlogon"); BOOL ret = True; struct test_join *join_ctx; @@ -1358,73 +1399,7 @@ BOOL torture_rpc_samlogon(void) struct creds_CredentialState *creds; - struct { - const char *domain; - const char *username; - const char *password; - BOOL network_login; - } usercreds[] = { - { - cli_credentials_get_domain(cmdline_credentials), - cli_credentials_get_username(cmdline_credentials, mem_ctx), - cli_credentials_get_password(cmdline_credentials), - True - }, - { - cli_credentials_get_realm(cmdline_credentials), - cli_credentials_get_username(cmdline_credentials, mem_ctx), - cli_credentials_get_password(cmdline_credentials), - True - }, - { - NULL, - talloc_asprintf(mem_ctx, - "%s@%s", - cli_credentials_get_username(cmdline_credentials, mem_ctx), - cli_credentials_get_domain(cmdline_credentials) - ), - cli_credentials_get_password(cmdline_credentials), - False - }, - { - NULL, - talloc_asprintf(mem_ctx, - "%s@%s", - cli_credentials_get_username(cmdline_credentials, mem_ctx), - cli_credentials_get_realm(cmdline_credentials) - ), - cli_credentials_get_password(cmdline_credentials), - True - }, -#if 0 - { - lp_parm_string(-1, "torture", "userdomain"), - TEST_USER_NAME, - NULL, - True - }, - { - NULL, - talloc_asprintf(mem_ctx, - "%s@%s", - TEST_USER_NAME, - lp_realm()), - NULL, - True - }, - { - NULL, - talloc_asprintf(mem_ctx, - "%s@%s", - TEST_USER_NAME, - lp_parm_string(-1, "torture", "userdomain")), - NULL, - False - } -#endif - }; - - credentials = cli_credentials_init(mem_ctx); + machine_credentials = cli_credentials_init(mem_ctx); test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); /* We only need to join as a workstation here, and in future, @@ -1446,9 +1421,6 @@ BOOL torture_rpc_samlogon(void) return False; } - usercreds[3].password = user_password; - usercreds[4].password = user_password; - usercreds[5].password = user_password; #endif status = dcerpc_parse_binding(mem_ctx, binding, &b); @@ -1464,17 +1436,18 @@ BOOL torture_rpc_samlogon(void) b->flags &= ~DCERPC_AUTH_OPTIONS; b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128; - cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED); - cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED); - cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED); - cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED); - cli_credentials_set_secure_channel_type(credentials, + cli_credentials_set_workstation(machine_credentials, TEST_MACHINE_NAME, CRED_SPECIFIED); + cli_credentials_set_domain(machine_credentials, lp_workgroup(), CRED_SPECIFIED); + cli_credentials_set_realm(machine_credentials, lp_realm(), CRED_SPECIFIED); + cli_credentials_set_username(machine_credentials, test_machine_account, CRED_SPECIFIED); + cli_credentials_set_password(machine_credentials, machine_password, CRED_SPECIFIED); + cli_credentials_set_secure_channel_type(machine_credentials, SEC_CHAN_WKSTA); status = dcerpc_pipe_connect_b(mem_ctx, &p, b, DCERPC_NETLOGON_UUID, DCERPC_NETLOGON_VERSION, - credentials, NULL); + machine_credentials, NULL); if (!NT_STATUS_IS_OK(status)) { printf("RPC pipe connect as domain member failed: %s\n", nt_errstr(status)); @@ -1488,52 +1461,181 @@ BOOL torture_rpc_samlogon(void) goto failed; } - /* Try all the tests for different username forms */ - for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) { + { - if (!test_InteractiveLogon(p, mem_ctx, creds, - TEST_MACHINE_NAME, - usercreds[ci].domain, - usercreds[ci].username, - usercreds[ci].password)) { - ret = False; - } + struct { + const char *domain; + const char *username; + const char *password; + BOOL network_login; + NTSTATUS expected_interactive_error; + NTSTATUS expected_network_error; + } usercreds[] = { + { + cli_credentials_get_domain(cmdline_credentials), + cli_credentials_get_username(cmdline_credentials), + cli_credentials_get_password(cmdline_credentials), + True, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + cli_credentials_get_realm(cmdline_credentials), + cli_credentials_get_username(cmdline_credentials), + cli_credentials_get_password(cmdline_credentials), + True, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + cli_credentials_get_username(cmdline_credentials), + cli_credentials_get_domain(cmdline_credentials) + ), + cli_credentials_get_password(cmdline_credentials), + False, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + cli_credentials_get_username(cmdline_credentials), + cli_credentials_get_realm(cmdline_credentials) + ), + cli_credentials_get_password(cmdline_credentials), + True, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + cli_credentials_get_domain(machine_credentials), + cli_credentials_get_username(machine_credentials), + cli_credentials_get_password(machine_credentials), + True, + NT_STATUS_NO_SUCH_USER, + NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT + }, + { + cli_credentials_get_realm(machine_credentials), + cli_credentials_get_username(machine_credentials), + cli_credentials_get_password(machine_credentials), + True, + NT_STATUS_NO_SUCH_USER, + NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + cli_credentials_get_username(machine_credentials), + cli_credentials_get_domain(machine_credentials) + ), + cli_credentials_get_password(machine_credentials), + False, + NT_STATUS_NO_SUCH_USER, + NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + cli_credentials_get_username(machine_credentials), + cli_credentials_get_realm(machine_credentials) + ), + cli_credentials_get_password(machine_credentials), + True, + NT_STATUS_NO_SUCH_USER, + NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT + }, +#if 0 + { + lp_parm_string(-1, "torture", "userdomain"), + TEST_USER_NAME, + user_password, + True, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + TEST_USER_NAME, + lp_realm()), + user_password, + True, + NT_STATUS_OK, + NT_STATUS_OK + }, + { + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + TEST_USER_NAME, + lp_parm_string(-1, "torture", "userdomain")), + user_password, + False, + NT_STATUS_OK, + NT_STATUS_OK + } +#endif + }; - if (usercreds[ci].network_login) { - if (!test_SamLogon(p, mem_ctx, creds, - usercreds[ci].domain, - usercreds[ci].username, - usercreds[ci].password, - 0)) { + /* Try all the tests for different username forms */ + for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) { + + if (!test_InteractiveLogon(p, mem_ctx, creds, + TEST_MACHINE_NAME, + usercreds[ci].domain, + usercreds[ci].username, + usercreds[ci].password, + usercreds[ci].expected_interactive_error)) { ret = False; } + + if (usercreds[ci].network_login) { + if (!test_SamLogon(p, mem_ctx, creds, + usercreds[ci].domain, + usercreds[ci].username, + usercreds[ci].password, + usercreds[ci].expected_network_error, + 0)) { + ret = False; + } + } } - } - /* Using the first username form, try the different - * credentials flag setups, on only one of the tests (checks - * session key encryption) */ - - for (i=0; i < ARRAY_SIZE(credential_flags); i++) { - if (!test_InteractiveLogon(p, mem_ctx, creds, - TEST_MACHINE_NAME, - usercreds[0].domain, - usercreds[0].username, - usercreds[0].password)) { - ret = False; - } - - if (usercreds[ci].network_login) { - if (!test_SamLogon(p, mem_ctx, creds, - usercreds[0].domain, - usercreds[0].username, - usercreds[0].password, - 1)) { + /* Using the first username form, try the different + * credentials flag setups, on only one of the tests (checks + * session key encryption) */ + + for (i=0; i < ARRAY_SIZE(credential_flags); i++) { + if (!test_InteractiveLogon(p, mem_ctx, creds, + TEST_MACHINE_NAME, + usercreds[0].domain, + usercreds[0].username, + usercreds[0].password, + usercreds[0].expected_interactive_error)) { ret = False; } + + if (usercreds[ci].network_login) { + if (!test_SamLogon(p, mem_ctx, creds, + usercreds[0].domain, + usercreds[0].username, + usercreds[0].password, + usercreds[0].expected_network_error, + 1)) { + ret = False; + } + } } - } + } failed: talloc_free(mem_ctx); diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 3f02622e1c..c10405354e 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -86,13 +86,13 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) try a netlogon SamLogon */ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_LogonSamLogon r; struct netr_Authenticator auth, auth2; struct netr_NetworkInfo ninfo; - const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx); + const char *username = cli_credentials_get_username(cmdline_credentials); const char *password = cli_credentials_get_password(cmdline_credentials); int i; BOOL ret = True; diff --git a/source4/utils/net/net_password.c b/source4/utils/net/net_password.c index 0bfb8a5be8..1912beeb41 100644 --- a/source4/utils/net/net_password.c +++ b/source4/utils/net/net_password.c @@ -49,7 +49,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a } else { password_prompt = talloc_asprintf(ctx->mem_ctx, "Enter new password for account [%s\\%s]:", cli_credentials_get_domain(ctx->credentials), - cli_credentials_get_username(ctx->credentials, ctx->mem_ctx)); + cli_credentials_get_username(ctx->credentials)); new_password = getpass(password_prompt); } @@ -61,7 +61,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a /* prepare password change */ r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC; - r.generic.in.account_name = cli_credentials_get_username(ctx->credentials, ctx->mem_ctx); + r.generic.in.account_name = cli_credentials_get_username(ctx->credentials); r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials); r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials); r.generic.in.newpassword = new_password; |