diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-11-02 17:14:55 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-11-02 22:00:54 +1100 |
commit | 41999761f1bd018dd039421e2cfe498e173e2f79 (patch) | |
tree | 3b518ad4a84af0b4f1a46981df51085482d828f0 | |
parent | b8a0eb749fff7c462f4841b12c3977108fba3925 (diff) | |
download | samba-41999761f1bd018dd039421e2cfe498e173e2f79.tar.gz samba-41999761f1bd018dd039421e2cfe498e173e2f79.tar.bz2 samba-41999761f1bd018dd039421e2cfe498e173e2f79.zip |
s4-torture Add tests for DES-only accounts PAC behaviour/validation.
Previously we didn't support DES-only in a Samba4 domain. This is
important for some legacy systems that have not yet migrated from this
weak crypto.
Andrew Bartlett
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 45 | ||||
-rw-r--r-- | source4/torture/rpc/rpc.c | 35 | ||||
-rw-r--r-- | source4/torture/rpc/torture_rpc.h | 6 |
3 files changed, 83 insertions, 3 deletions
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index de6976ffdf..22ea204efe 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -23,15 +23,21 @@ #include "auth/auth.h" #include "auth/auth_sam_reply.h" #include "auth/gensec/gensec.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_krb5.h" #include "lib/cmdline/popt_common.h" #include "torture/rpc/torture_rpc.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/ndr_samr_c.h" #include "param/param.h" #define TEST_MACHINE_NAME_BDC "torturepacbdc" #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" +#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc" #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk" @@ -57,7 +63,6 @@ static bool test_PACVerify(struct torture_context *tctx, struct netr_GenericInfo generic; struct netr_Authenticator auth, auth2; - struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; @@ -71,9 +76,7 @@ static bool test_PACVerify(struct torture_context *tctx, char *tmp_dir; struct dcerpc_binding_handle *b = p->binding_handle; - TALLOC_CTX *tmp_ctx = talloc_new(tctx); - torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, @@ -347,6 +350,38 @@ static bool test_PACVerify_workstation(struct torture_context *tctx, return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA); } +static bool test_PACVerify_workstation_des(struct torture_context *tctx, + struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) +{ + struct samr_SetUserInfo r; + union samr_UserInfo user_info; + struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); + struct smb_krb5_context *smb_krb5_context; + krb5_error_code ret; + + ret = cli_credentials_get_krb5_context(cmdline_credentials, tctx->lp_ctx, &smb_krb5_context); + torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); + + if (krb5_config_get_bool_default(smb_krb5_context->krb5_context, NULL, FALSE, + "libdefaults", + "allow_weak_crypto", NULL) == FALSE) { + torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); + } + + /* Mark this workstation with DES-only */ + user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; + r.in.user_handle = torture_join_samr_user_policy(join_ctx); + r.in.level = 16; + r.in.info = &user_info; + + torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), + "failed to set DES info account flags"); + torture_assert_ntstatus_ok(tctx, r.out.result, + "failed to set DES into account flags"); + + return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA_DES); +} + /* Check various ways to get the PAC, in particular check the group membership and other details between the PAC from a normal kinit, S2U4Self and a SamLogon */ static bool test_S2U4Self(struct torture_context *tctx, @@ -625,6 +660,10 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); torture_rpc_tcase_add_test_creds(tcase, "verify-sig", test_PACVerify_workstation); + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); + torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon-bdc", &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC); torture_rpc_tcase_add_test_creds(tcase, "s2u4self", test_S2U4Self_bdc); diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c index 8d7c51aff9..7f3ae06d3a 100644 --- a/source4/torture/rpc/rpc.c +++ b/source4/torture/rpc/rpc.c @@ -352,6 +352,19 @@ static bool torture_rpc_wrap_test_creds(struct torture_context *tctx, return fn(tctx, tcase_data->pipe, tcase_data->credentials); } +static bool torture_rpc_wrap_test_join(struct torture_context *tctx, + struct torture_tcase *tcase, + struct torture_test *test) +{ + bool (*fn) (struct torture_context *, struct dcerpc_pipe *, struct cli_credentials *, struct test_join *); + struct torture_rpc_tcase_data *tcase_data = + (struct torture_rpc_tcase_data *)tcase->data; + + fn = test->fn; + + return fn(tctx, tcase_data->pipe, tcase_data->credentials, tcase_data->join_ctx); +} + _PUBLIC_ struct torture_test *torture_rpc_tcase_add_test( struct torture_rpc_tcase *tcase, const char *name, @@ -394,6 +407,28 @@ _PUBLIC_ struct torture_test *torture_rpc_tcase_add_test_creds( return test; } +_PUBLIC_ struct torture_test *torture_rpc_tcase_add_test_join( + struct torture_rpc_tcase *tcase, + const char *name, + bool (*fn) (struct torture_context *, struct dcerpc_pipe *, + struct cli_credentials *, struct test_join *)) +{ + struct torture_test *test; + + test = talloc(tcase, struct torture_test); + + test->name = talloc_strdup(test, name); + test->description = NULL; + test->run = torture_rpc_wrap_test_join; + test->dangerous = false; + test->data = NULL; + test->fn = fn; + + DLIST_ADD(tcase->tcase.tests, test); + + return test; +} + _PUBLIC_ struct torture_test *torture_rpc_tcase_add_test_ex( struct torture_rpc_tcase *tcase, const char *name, diff --git a/source4/torture/rpc/torture_rpc.h b/source4/torture/rpc/torture_rpc.h index 8640b56720..2f65baa64f 100644 --- a/source4/torture/rpc/torture_rpc.h +++ b/source4/torture/rpc/torture_rpc.h @@ -64,6 +64,12 @@ struct torture_rpc_tcase *torture_suite_add_anon_rpc_iface_tcase(struct torture_ const char *name, const struct ndr_interface_table *table); +struct torture_test *torture_rpc_tcase_add_test_join( + struct torture_rpc_tcase *tcase, + const char *name, + bool (*fn) (struct torture_context *, struct dcerpc_pipe *, + struct cli_credentials *, struct test_join *)); + struct torture_test *torture_rpc_tcase_add_test_ex( struct torture_rpc_tcase *tcase, const char *name, |