authorAndrew Bartlett <abartlet@samba.org>2005-10-25 12:14:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:13 -0500
commit2a2a35005749766e407c2a106720e74b7dfcc005 (patch)
tree52aa739fe2aa00e1cf4e497755e5e8b81a2324a7
parent75d3a8f6dc74601e30f667a1dbd09a4dad0ebe1c (diff)
r11287: Understand the new behaviour of the LSA pipe on ncacn_ip_tcp in Win2k3 SP1.
Only a few operations are supported (LookupSids3 and LookupNames4), and these are only supported under schannel. These appear to be the operations Win2k3 SP1 uses to verify part of the PAC back to the server. The test is set up to pass, but not (so far) to enforce, this new behaviour. Andrew Bartlett (This used to be commit e15e39866e9775ba662f669a19836d33f7633f6f)
-rw-r--r--source4/libnet/libnet_join.c114
-rw-r--r--source4/torture/rpc/alter_context.c14
-rw-r--r--source4/torture/rpc/lsa.c252
-rw-r--r--source4/torture/rpc/schannel.c134
-rw-r--r--source4/torture/rpc/session_key.c4
5 files changed, 325 insertions, 193 deletions
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 78f239eab5..ec366aeb73 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -227,7 +227,11 @@ static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_J
}
*drsuapi_binding = *samr_binding;
- drsuapi_binding->transport = NCACN_IP_TCP;
+
+ /* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
+ if (drsuapi_binding->transport != NCALRPC) {
+ drsuapi_binding->transport = NCACN_IP_TCP;
+ }
drsuapi_binding->endpoint = NULL;
drsuapi_binding->flags |= DCERPC_SEAL;
@@ -655,52 +659,57 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
lsa_open_policy.out.handle = &lsa_p_handle;
status = dcerpc_lsa_OpenPolicy2(lsa_pipe, tmp_ctx, &lsa_open_policy);
- if (!NT_STATUS_IS_OK(status)) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "lsa_OpenPolicy2 failed: %s",
- nt_errstr(status));
- talloc_free(tmp_ctx);
- return status;
- }
-
- /* Look to see if this is ADS (a fault indicates NT4 or Samba 3.0) */
-
- lsa_query_info2.in.handle = &lsa_p_handle;
- lsa_query_info2.in.level = LSA_POLICY_INFO_DNS;
- status = dcerpc_lsa_QueryInfoPolicy2(lsa_pipe, tmp_ctx,
- &lsa_query_info2);
-
- if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+ /* This now fails on ncacn_ip_tcp against Win2k3 SP1 */
+ if (NT_STATUS_IS_OK(status)) {
+ /* Look to see if this is ADS (a fault indicates NT4 or Samba 3.0) */
+
+ lsa_query_info2.in.handle = &lsa_p_handle;
+ lsa_query_info2.in.level = LSA_POLICY_INFO_DNS;
+
+ status = dcerpc_lsa_QueryInfoPolicy2(lsa_pipe, tmp_ctx,
+ &lsa_query_info2);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+ if (!NT_STATUS_IS_OK(status)) {
+ r->out.error_string = talloc_asprintf(mem_ctx,
+ "lsa_QueryInfoPolicy2 failed: %s",
+ nt_errstr(status));
+ talloc_free(tmp_ctx);
+ return status;
+ }
+ realm = lsa_query_info2.out.info->dns.dns_domain.string;
+ }
+
+ /* Grab the domain SID (regardless of the result of the previous call */
+
+ lsa_query_info.in.handle = &lsa_p_handle;
+ lsa_query_info.in.level = LSA_POLICY_INFO_DOMAIN;
+
+ status = dcerpc_lsa_QueryInfoPolicy(lsa_pipe, tmp_ctx,
+ &lsa_query_info);
+
if (!NT_STATUS_IS_OK(status)) {
r->out.error_string = talloc_asprintf(mem_ctx,
- "lsa_QueryInfoPolicy2 failed: %s",
- nt_errstr(status));
+ "lsa_QueryInfoPolicy2 failed: %s",
+ nt_errstr(status));
talloc_free(tmp_ctx);
return status;
}
- realm = lsa_query_info2.out.info->dns.dns_domain.string;
- }
-
- /* Grab the domain SID (regardless of the result of the previous call */
-
- lsa_query_info.in.handle = &lsa_p_handle;
- lsa_query_info.in.level = LSA_POLICY_INFO_DOMAIN;
-
- status = dcerpc_lsa_QueryInfoPolicy(lsa_pipe, tmp_ctx,
- &lsa_query_info);
-
- if (!NT_STATUS_IS_OK(status)) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "lsa_QueryInfoPolicy2 failed: %s",
- nt_errstr(status));
- talloc_free(tmp_ctx);
- return status;
+
+ domain_sid = lsa_query_info.out.info->domain.sid;
+ domain_name = lsa_query_info.out.info->domain.name.string;
+ } else {
+ /* Cause the code further down to try this with just SAMR */
+ domain_sid = NULL;
+ if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
+ domain_name = talloc_strdup(tmp_ctx, r->in.domain_name);
+ } else {
+ /* Bugger, we just lost our way to automaticly find the domain name */
+ domain_name = talloc_strdup(tmp_ctx, lp_workgroup());
+ }
}
- domain_sid = lsa_query_info.out.info->domain.sid;
- domain_name = lsa_query_info.out.info->domain.name.string;
-
DEBUG(0, ("Joining domain %s\n", domain_name));
/*
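Review bot: The new `else` branch takes the SAMR-only fallback for every failure of `dcerpc_lsa_OpenPolicy2`, not just the refusal Win2k3 SP1 gives on ncacn_ip_tcp, so an unrelated LSA failure is swallowed and the join carries on with a domain name taken from `r->in.domain_name` or `lp_workgroup()` rather than from the server. Limiting the fallback to the statuses the torture tests in this commit treat as expected (`NT_STATUS_ACCESS_DENIED`, `NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED`) and returning the old `lsa_OpenPolicy2 failed` error otherwise keeps real failures visible; which statuses the server actually returns on this path should be confirmed. The `talloc_strdup()` results are also used unchecked by the `DEBUG` line that follows, and the error string after `dcerpc_lsa_QueryInfoPolicy` still reads `lsa_QueryInfoPolicy2 failed`. The function body starts and ends outside the hunk.

```c
	/* … unchanged: LSA QueryInfoPolicy2 / QueryInfoPolicy branch … */
	} else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		   NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
		/* Cause the code further down to try this with just SAMR */
		domain_sid = NULL;
		/* … unchanged: domain_name chosen from r->in.domain_name or lp_workgroup() … */
		if (!domain_name) {
			talloc_free(tmp_ctx);
			return NT_STATUS_NO_MEMORY;
		}
	} else {
		r->out.error_string = talloc_asprintf(mem_ctx,
						      "lsa_OpenPolicy2 failed: %s",
						      nt_errstr(status));
		talloc_free(tmp_ctx);
		return status;
	}
```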
@@ -766,16 +775,25 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
return status;
}
- /* check result of samr_Connect */
- if (!NT_STATUS_IS_OK(sc.out.result)) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "samr_Connect failed: %s",
- nt_errstr(sc.out.result));
- status = sc.out.result;
- talloc_free(tmp_ctx);
- return status;
+ /* Perhaps we didn't get a SID above, because we are against ncacn_ip_tcp */
+ if (!domain_sid) {
+ struct lsa_String name;
+ struct samr_LookupDomain l;
+ name.string = domain_name;
+ l.in.connect_handle = &p_handle;
+ l.in.domain_name = &name;
+
+ status = dcerpc_samr_LookupDomain(samr_pipe, tmp_ctx, &l);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->out.error_string = talloc_asprintf(mem_ctx,
+ "SAMR LookupDomain failed: %s",
+ nt_errstr(status));
+ talloc_free(tmp_ctx);
+ return status;
+ }
+ domain_sid = l.out.sid;
}
-
+
/* prepare samr_OpenDomain */
ZERO_STRUCT(d_handle);
od.in.connect_handle = &p_handle;
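Review bot: `l.out.sid` is assigned to `domain_sid` after checking only the return value of `dcerpc_samr_LookupDomain`, and the same hunk drops the `sc.out.result` check that used to follow `samr_Connect`. Unless the generated `dcerpc_samr_*` wrappers already fold the operation result into their return value (not visible here), a server-side failure leaves `p_handle` or `l.out.sid` unset and the following `samr_OpenDomain` runs on them. I would keep the `sc.out.result` check and add the matching one for the lookup, `if (NT_STATUS_IS_OK(status)) status = l.out.result;`, ahead of the error branch. The function body starts and ends outside the hunk.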
diff --git a/source4/torture/rpc/alter_context.c b/source4/torture/rpc/alter_context.c
index ad00a34913..0b2c324d36 100644
--- a/source4/torture/rpc/alter_context.c
+++ b/source4/torture/rpc/alter_context.c
@@ -31,7 +31,7 @@ BOOL torture_rpc_alter_context(void)
struct dcerpc_pipe *p, *p2;
TALLOC_CTX *mem_ctx;
BOOL ret = True;
- struct policy_handle handle;
+ struct policy_handle *handle;
struct dcerpc_syntax_id syntax;
struct dcerpc_syntax_id transfer_syntax;
@@ -70,8 +70,10 @@ BOOL torture_rpc_alter_context(void)
printf("testing DSSETUP pipe operations\n");
ret &= test_DsRoleGetPrimaryDomainInformation(p2, mem_ctx);
- if (!test_lsa_Close(p, mem_ctx, &handle)) {
- ret = False;
+ if (handle) {
+ if (!test_lsa_Close(p, mem_ctx, handle)) {
+ ret = False;
+ }
}
syntax = p->syntax;
@@ -94,8 +96,10 @@ BOOL torture_rpc_alter_context(void)
ret = False;
}
- if (!test_lsa_Close(p, mem_ctx, &handle)) {
- ret = False;
+ if (handle) {
+ if (!test_lsa_Close(p, mem_ctx, handle)) {
+ ret = False;
+ }
}
printf("testing DSSETUP pipe operations\n");
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 7630056503..4d53048d8e 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -58,6 +58,11 @@ static BOOL test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
status = dcerpc_lsa_OpenPolicy(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+ printf("not considering %s to be an error\n", nt_errstr(status));
+ return True;
+ }
printf("OpenPolicy failed - %s\n", nt_errstr(status));
return False;
}
@@ -67,7 +72,7 @@ static BOOL test_OpenPolicy(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
BOOL test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct policy_handle *handle)
+ struct policy_handle **handle)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
@@ -76,6 +81,11 @@ BOOL test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
printf("\ntesting OpenPolicy2\n");
+ *handle = talloc(mem_ctx, struct policy_handle);
+ if (!*handle) {
+ return False;
+ }
+
qos.len = 0;
qos.impersonation_level = 2;
qos.context_mode = 1;
@@ -91,10 +101,17 @@ BOOL test_lsa_OpenPolicy2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
r.in.system_name = "\\";
r.in.attr = &attr;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- r.out.handle = handle;
+ r.out.handle = *handle;
status = dcerpc_lsa_OpenPolicy2(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+ printf("not considering %s to be an error\n", nt_errstr(status));
+ talloc_free(*handle);
+ *handle = NULL;
+ return True;
+ }
printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
return False;
}
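Review bot: On the generic failure path (`OpenPolicy2 failed - …`, `return False`) `*handle` still points at the freshly allocated, never-filled `struct policy_handle`, while the tolerated-error path just above frees it and sets it to NULL. The callers changed in this commit (`torture_rpc_alter_context`, `torture_rpc_lsa`) only test `if (handle)` and, as far as the hunks show, carry on after a False return, so they would send an uninitialised policy handle to the server. Clearing it on every failure keeps the pointer meaningful: `talloc_free(*handle); *handle = NULL;` before `return False;`. A one-line comment on the function stating that `*handle` is NULL whenever no policy handle was opened would document the new out-parameter contract.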
@@ -233,6 +250,48 @@ static BOOL test_LookupNames3(struct dcerpc_pipe *p,
return True;
}
+static BOOL test_LookupNames4(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ struct lsa_TransNameArray2 *tnames)
+{
+ struct lsa_LookupNames4 r;
+ struct lsa_TransSidArray3 sids;
+ struct lsa_String *names;
+ uint32_t count = 0;
+ NTSTATUS status;
+ int i;
+
+ printf("\nTesting LookupNames4 with %d names\n", tnames->count);
+
+ sids.count = 0;
+ sids.sids = NULL;
+
+ names = talloc_array(mem_ctx, struct lsa_String, tnames->count);
+ for (i=0;i<tnames->count;i++) {
+ init_lsa_String(&names[i], tnames->names[i].name.string);
+ }
+
+ r.in.num_names = tnames->count;
+ r.in.names = names;
+ r.in.sids = &sids;
+ r.in.level = 1;
+ r.in.count = &count;
+ r.in.unknown1 = 0;
+ r.in.unknown2 = 0;
+ r.out.count = &count;
+ r.out.sids = &sids;
+
+ status = dcerpc_lsa_LookupNames4(p, mem_ctx, &r);
+ if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ printf("LookupNames4 failed - %s\n", nt_errstr(status));
+ return False;
+ }
+
+ printf("\n");
+
+ return True;
+}
+
static BOOL test_LookupSids(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
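Review bot: `names` from `talloc_array()` in `test_LookupNames4` is written in the loop without a NULL check, and in the callers shown in this commit `tnames->count` comes from the server's LookupSids3 reply. Add `if (names == NULL) { return False; }` before the loop. The loop index is a signed `int` compared with `tnames->count`, and the count is printed with `%d`; if the count is unsigned (its declaration is not visible here), an unsigned index and `%u` would match it.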
@@ -319,7 +378,6 @@ static BOOL test_LookupSids2(struct dcerpc_pipe *p,
static BOOL test_LookupSids3(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
- struct policy_handle *handle,
struct lsa_SidArray *sids)
{
struct lsa_LookupSids3 r;
@@ -355,19 +413,17 @@ static BOOL test_LookupSids3(struct dcerpc_pipe *p,
printf("\n");
- if (!test_LookupNames3(p, mem_ctx, handle, &names)) {
+ if (!test_LookupNames4(p, mem_ctx, &names)) {
return False;
}
return True;
}
-static BOOL test_many_LookupSids(struct dcerpc_pipe *p,
- TALLOC_CTX *mem_ctx,
- struct policy_handle *handle)
+BOOL test_many_LookupSids(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *handle)
{
- struct lsa_LookupSids r;
- struct lsa_TransNameArray names;
uint32_t count;
NTSTATUS status;
struct lsa_SidArray sids;
@@ -375,9 +431,6 @@ static BOOL test_many_LookupSids(struct dcerpc_pipe *p,
printf("\nTesting LookupSids with lots of SIDs\n");
- names.count = 0;
- names.names = NULL;
-
sids.num_sids = 100;
sids.sids = talloc_array(mem_ctx, struct lsa_SidPtr, sids.num_sids);
@@ -389,25 +442,68 @@ static BOOL test_many_LookupSids(struct dcerpc_pipe *p,
count = sids.num_sids;
- r.in.handle = handle;
- r.in.sids = &sids;
- r.in.names = &names;
- r.in.level = 1;
- r.in.count = &names.count;
- r.out.count = &count;
- r.out.names = &names;
+ if (handle) {
+ struct lsa_LookupSids r;
+ struct lsa_TransNameArray names;
+ names.count = 0;
+ names.names = NULL;
- status = dcerpc_lsa_LookupSids(p, mem_ctx, &r);
- if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
- printf("LookupSids failed - %s\n", nt_errstr(status));
- return False;
+ r.in.handle = handle;
+ r.in.sids = &sids;
+ r.in.names = &names;
+ r.in.level = 1;
+ r.in.count = &names.count;
+ r.out.count = &count;
+ r.out.names = &names;
+
+ status = dcerpc_lsa_LookupSids(p, mem_ctx, &r);
+ if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ printf("LookupSids failed - %s\n", nt_errstr(status));
+ return False;
+ }
+
+ printf("\n");
+
+ if (!test_LookupNames(p, mem_ctx, handle, &names)) {
+ return False;
+ }
+ } else {
+ struct lsa_LookupSids3 r;
+ struct lsa_TransNameArray2 names;
+
+ names.count = 0;
+ names.names = NULL;
+
+ printf("\nTesting LookupSids3\n");
+
+ r.in.sids = &sids;
+ r.in.names = &names;
+ r.in.level = 1;
+ r.in.count = &count;
+ r.in.unknown1 = 0;
+ r.in.unknown2 = 0;
+ r.out.count = &count;
+ r.out.names = &names;
+
+ status = dcerpc_lsa_LookupSids3(p, mem_ctx, &r);
+ if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+ printf("not considering %s to be an error\n", nt_errstr(status));
+ return True;
+ }
+ printf("LookupSids3 failed - %s\n",
+ nt_errstr(status));
+ return False;
+ }
+ if (!test_LookupNames4(p, mem_ctx, &names)) {
+ return False;
+ }
}
printf("\n");
- if (!test_LookupNames(p, mem_ctx, handle, &names)) {
- return False;
- }
+
return True;
}
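Review bot: `test_many_LookupSids` is now exported and has a contract that nothing documents: a NULL `handle` selects the handle-less `LookupSids3`/`LookupNames4` path, and in that path `NT_STATUS_ACCESS_DENIED` and `NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED` return True. A header comment such as `/* handle == NULL: use LookupSids3/LookupNames4 (no policy handle); a refusal by the server is not treated as a failure */` would spell that out. Because the schannel test calls this with NULL, a server that refuses LookupSids3 under schannel still passes; letting the caller say whether a refusal is acceptable, or printing a distinct "skipped" line, would keep that case visible in the test output.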
@@ -1097,7 +1193,7 @@ static BOOL test_EnumAccounts(struct dcerpc_pipe *p,
return False;
}
- if (!test_LookupSids3(p, mem_ctx, handle, &sids1)) {
+ if (!test_LookupSids3(p, mem_ctx, &sids1)) {
return False;
}
@@ -1637,7 +1733,7 @@ BOOL torture_rpc_lsa(void)
struct dcerpc_pipe *p;
TALLOC_CTX *mem_ctx;
BOOL ret = True;
- struct policy_handle handle;
+ struct policy_handle *handle;
mem_ctx = talloc_init("torture_rpc_lsa");
@@ -1659,56 +1755,64 @@ BOOL torture_rpc_lsa(void)
ret = False;
}
- if (!test_QueryDomainInfoPolicy(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_many_LookupSids(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_CreateAccount(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_CreateSecret(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_CreateTrustedDomain(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_EnumAccounts(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_EnumPrivs(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_QueryInfoPolicy(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_QueryInfoPolicy2(p, mem_ctx, &handle)) {
- ret = False;
- }
-
- if (!test_GetUserName(p, mem_ctx, &handle)) {
- ret = False;
- }
-
+ if (handle) {
+ if (!test_QueryDomainInfoPolicy(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_CreateAccount(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_CreateSecret(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_CreateTrustedDomain(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_EnumAccounts(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_EnumPrivs(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_QueryInfoPolicy(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_QueryInfoPolicy2(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_GetUserName(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
#if 0
- if (!test_Delete(p, mem_ctx, &handle)) {
- ret = False;
- }
+ if (!test_Delete(p, mem_ctx, handle)) {
+ ret = False;
+ }
#endif
-
- if (!test_lsa_Close(p, mem_ctx, &handle)) {
- ret = False;
+
+ if (!test_many_LookupSids(p, mem_ctx, handle)) {
+ ret = False;
+ }
+
+ if (!test_lsa_Close(p, mem_ctx, handle)) {
+ ret = False;
+ }
+ } else {
+ if (!test_many_LookupSids(p, mem_ctx, handle)) {
+ ret = False;
+ }
}
+
+
talloc_free(mem_ctx);
return ret;
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 056684631a..05b8695844 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -25,7 +25,7 @@
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "lib/cmdline/popt_common.h"
-#define TEST_MACHINE_NAME "schanneltest"
+#define TEST_MACHINE_NAME "schannel"
/*
do some samr ops using the schannel connection
@@ -52,19 +52,24 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
status = dcerpc_samr_Connect(p, mem_ctx, &connect);
if (!NT_STATUS_IS_OK(status)) {
- printf("Connect failed - %s\n", nt_errstr(status));
- return False;
- }
-
- opendom.in.connect_handle = &handle;
- opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
- opendom.out.domain_handle = &domain_handle;
-
- status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
- if (!NT_STATUS_IS_OK(status)) {
- printf("OpenDomain failed - %s\n", nt_errstr(status));
- return False;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
+ nt_errstr(status));
+ } else {
+ printf("Connect failed - %s\n", nt_errstr(status));
+ return False;
+ }
+ } else {
+ opendom.in.connect_handle = &handle;
+ opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
+ opendom.out.domain_handle = &domain_handle;
+
+ status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("OpenDomain failed - %s\n", nt_errstr(status));
+ return False;
+ }
}
printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
@@ -73,8 +78,10 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
for (i=0;i<5;i++) {
status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
- return False;
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
+ return False;
+ }
}
}
@@ -91,7 +98,6 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
NTSTATUS status;
BOOL ret = True;
struct lsa_StringPointer authority_name_p;
- int i;
printf("\nTesting GetUserName\n");
@@ -100,34 +106,38 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
r.in.authority_name = &authority_name_p;
authority_name_p.string = NULL;
- /* do several ops to test credential chaining */
- for (i=0;i<5;i++) {
- status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
+ /* do several ops to test credential chaining and various operations */
+ status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+ printf("not considering %s to be an error\n", nt_errstr(status));
+ } else if (!NT_STATUS_IS_OK(status)) {
+ printf("GetUserName failed - %s\n", nt_errstr(status));
+ return False;
+ } else {
+ if (!r.out.account_name) {
+ return False;
+ }
- if (!NT_STATUS_IS_OK(status)) {
- printf("GetUserName failed - %s\n", nt_errstr(status));
+ if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ r.out.account_name->string, "ANONYMOUS LOGON");
+ return False;
+ }
+ if (!r.out.authority_name || !r.out.authority_name->string) {
+ return False;
+ }
+
+ if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ r.out.authority_name->string->string, "NT AUTHORITY");
return False;
- } else {
- if (!r.out.account_name) {
- return False;
- }
-
- if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
- printf("GetUserName returned wrong user: %s, expected %s\n",
- r.out.account_name->string, "ANONYMOUS LOGON");
- return False;
- }
- if (!r.out.authority_name || !r.out.authority_name->string) {
- return False;
- }
-
- if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
- printf("GetUserName returned wrong user: %s, expected %s\n",
- r.out.authority_name->string->string, "NT AUTHORITY");
- return False;
- }
}
}
+ if (!test_many_LookupSids(p, mem_ctx, NULL)) {
+ printf("LsaLookupSids3 failed!\n");
+ return False;
+ }
return ret;
}
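Review bot: The comment `do several ops to test credential chaining and various operations` no longer matches the code, because the `for` loop is gone and `dcerpc_lsa_GetUserName` is issued once. Either restore a small loop or reword it, e.g. `/* one GetUserName call, then LookupSids3/LookupNames4 via test_many_LookupSids */`. As far as the hunks show, `ret` is never modified after its initialisation, so `return ret;` always yields True and could be written `return True;`. The function starts outside the hunk.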
@@ -137,6 +147,7 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
try a netlogon SamLogon
*/
static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ struct cli_credentials *credentials,
struct creds_CredentialState *creds)
{
NTSTATUS status;
@@ -148,12 +159,12 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
int i;
BOOL ret = True;
- ninfo.identity_info.domain_name.string = lp_workgroup();
+ ninfo.identity_info.domain_name.string = cli_credentials_get_domain(cmdline_credentials);
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.account_name.string = username;
- ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+ ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
generate_random_buffer(ninfo.challenge,
sizeof(ninfo.challenge));
ninfo.nt.length = 24;
@@ -165,7 +176,7 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = TEST_MACHINE_NAME;
+ r.in.workstation = cli_credentials_get_workstation(credentials);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = 2;
@@ -195,7 +206,7 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
*/
static BOOL test_schannel(TALLOC_CTX *mem_ctx,
uint16_t acct_flags, uint32_t dcerpc_flags,
- uint32_t schannel_type)
+ int i)
{
BOOL ret = True;
@@ -211,7 +222,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
- join_ctx = torture_join_domain(TEST_MACHINE_NAME,
+ join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
acct_flags, &credentials);
if (!join_ctx) {
printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
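Review bot: The machine name built with `talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i)` is handed to `torture_join_domain` without a NULL check, and it is allocated on `mem_ctx` although `test_ctx` was created on the line above for this test's allocations. Building it into a local first, `const char *machine = talloc_asprintf(test_ctx, "%s%d", TEST_MACHINE_NAME, i);`, and failing the test when it is NULL fixes both. The new parameter name `i` in the signature hunk above says nothing about its role; something like `test_index` would. The function continues outside the hunk.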
@@ -243,11 +254,6 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
ret = False;
}
- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
-
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
@@ -282,7 +288,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
}
/* do a couple of logins */
- if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
+ if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
printf("Failed to process schannel secured NETLOGON ops\n");
ret = False;
}
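Review bot: `creds` is still passed to `test_netlogon_ops` here, but the previous hunk removes the `dcerpc_schannel_creds(...)` call that filled it from the first pipe. If nothing outside these hunks assigns it from `p_netlogon`, the pointer is uninitialised at this call; please confirm, and if so fetch the credential state after the netlogon pipe is bound.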
@@ -336,16 +342,15 @@ BOOL torture_rpc_schannel(void)
struct {
uint16_t acct_flags;
uint32_t dcerpc_flags;
- uint32_t schannel_type;
} tests[] = {
- { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 }
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
};
int i;
@@ -353,9 +358,10 @@ BOOL torture_rpc_schannel(void)
for (i=0;i<ARRAY_SIZE(tests);i++) {
if (!test_schannel(mem_ctx,
- tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
- printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
- tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
+ tests[i].acct_flags, tests[i].dcerpc_flags,
+ i)) {
+ printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
+ tests[i].acct_flags, tests[i].dcerpc_flags);
ret = False;
break;
}
diff --git a/source4/torture/rpc/session_key.c b/source4/torture/rpc/session_key.c
index ea24b0e35a..035ab7ace2 100644
--- a/source4/torture/rpc/session_key.c
+++ b/source4/torture/rpc/session_key.c
@@ -163,7 +163,7 @@ BOOL torture_rpc_lsa_secrets(void)
struct dcerpc_pipe *p;
TALLOC_CTX *mem_ctx;
BOOL ret = True;
- struct policy_handle handle;
+ struct policy_handle *handle;
mem_ctx = talloc_init("torture_rpc_lsa_secrets");
@@ -181,7 +181,7 @@ BOOL torture_rpc_lsa_secrets(void)
ret = False;
}
- if (!test_CreateSecret_basic(p, mem_ctx, &handle)) {
+ if (!test_CreateSecret_basic(p, mem_ctx, handle)) {
ret = False;
}
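Review bot: `handle` can now be NULL at the `test_CreateSecret_basic(p, mem_ctx, handle)` call, because `test_lsa_OpenPolicy2` returns True with `*handle = NULL` when the server answers ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED; the other callers in this commit gained an `if (handle)` guard and this one did not. Wrap the call the same way, `if (handle && !test_CreateSecret_basic(p, mem_ctx, handle)) {`, or report the test as skipped. The pointer is also declared without an initialiser in the first hunk of this file, so `struct policy_handle *handle = NULL;` keeps it defined on any path that does not reach the open call. The function continues outside both hunks.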