summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-10-06 10:29:28 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:39:28 -0500
commit8af30ce3130888a22a99bbb1c9b65d7b699b0614 (patch)
treedede55b3e3fbad20d7308e3b4d3358009aa77416
parent03b634042f937a6085a6cb96a1eb1e302e27c991 (diff)
downloadsamba-8af30ce3130888a22a99bbb1c9b65d7b699b0614.tar.gz
samba-8af30ce3130888a22a99bbb1c9b65d7b699b0614.tar.bz2
samba-8af30ce3130888a22a99bbb1c9b65d7b699b0614.zip
r10763: PROOF of the single, easily understood cause of all of our schannel PAIN!
This test currently passes against Win2k3 SP0, but not SP1. The problem was not a convoluted series of changes in policy handles, but a simple rule that schannel logins would be regarded as ANONYMOUS not SYSTEM. Andrew Bartlett (This used to be commit e843a7fcba496b91b014ec1bff2f2dfb2a2fcdb1)
-rw-r--r--source4/torture/rpc/schannel.c91
1 files changed, 87 insertions, 4 deletions
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index d73dae08b4..7674b30417 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -83,6 +83,57 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
/*
+ do some lsa ops using the schannel connection
+ */
+static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
+{
+ struct lsa_GetUserName r;
+ NTSTATUS status;
+ BOOL ret = True;
+ struct lsa_StringPointer authority_name_p;
+ int i;
+
+ printf("\nTesting GetUserName\n");
+
+ r.in.system_name = "\\";
+ r.in.account_name = NULL;
+ r.in.authority_name = &authority_name_p;
+ authority_name_p.string = NULL;
+
+ /* do several ops to test credential chaining */
+ for (i=0;i<5;i++) {
+ status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("GetUserName failed - %s\n", nt_errstr(status));
+ return False;
+ } else {
+ if (!r.out.account_name) {
+ return False;
+ }
+
+ if (strcmp(r.out.account_name->string, "SYSTEM") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ r.out.account_name->string, "SYSTEM");
+ return False;
+ }
+ if (!r.out.authority_name || !r.out.authority_name->string) {
+ return False;
+ }
+
+ if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ r.out.authority_name->string->string, "NT AUTHORITY");
+ return False;
+ }
+ }
+ }
+
+ return ret;
+}
+
+
+/*
try a netlogon SamLogon
*/
static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
@@ -146,12 +197,15 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
uint16_t acct_flags, uint32_t dcerpc_flags,
uint32_t schannel_type)
{
+ BOOL ret = True;
+
void *join_ctx;
NTSTATUS status;
const char *binding = lp_parm_string(-1, "torture", "binding");
struct dcerpc_binding *b;
struct dcerpc_pipe *p = NULL;
struct dcerpc_pipe *p_netlogon = NULL;
+ struct dcerpc_pipe *p_lsa = NULL;
struct creds_CredentialState *creds;
struct cli_credentials *credentials;
@@ -185,8 +239,8 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
}
if (!test_samr_ops(p, test_ctx)) {
- printf("Failed to process schannel secured ops\n");
- goto failed;
+ printf("Failed to process schannel secured SAMR ops\n");
+ ret = False;
}
status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
@@ -229,13 +283,42 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
/* do a couple of logins */
if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
- printf("Failed to process schannel secured ops\n");
+ printf("Failed to process schannel secured NETLOGON ops\n");
+ ret = False;
+ }
+
+ /* Swap the binding details from SAMR to LSARPC */
+ status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_LSARPC_UUID,
+ DCERPC_LSARPC_VERSION, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+
+ status = dcerpc_secondary_connection(p, &p_lsa,
+ b);
+
+ if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
+ status = dcerpc_bind_auth_password(p_lsa,
+ DCERPC_LSARPC_UUID,
+ DCERPC_LSARPC_VERSION,
+ credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+
+ if (!test_lsa_ops(p_lsa, test_ctx)) {
+ printf("Failed to process schannel secured LSA ops\n");
+ ret = False;
+ }
+
torture_leave_domain(join_ctx);
talloc_free(test_ctx);
- return True;
+ return ret;
failed:
torture_leave_domain(join_ctx);