summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-05-04 10:03:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:05:36 -0500
commit5f4d86f955d939e96ec9b81c8a9d080aab4354b6 (patch)
treeb785a6c2aa092fea9bd64391cc45915788b31692
parent086c9cc5f4a9145ee93060db2eebb3badc325e44 (diff)
downloadsamba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.gz
samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.bz2
samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.zip
r15426: Implement SPNEGO as the default RPC authentication mechanism. Where
this isn't supported, fallback to NTLM. Also, where we get a failure as 'logon failure', try and do a '3 tries' for the password, like we already do for CIFS. (Incomplete: needs a mapping between RPC errors and the logon failure NTSTATUS). Because we don't yet support Kerberos sign/seal to win2k3 SP1 for DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos isn't demanded. Andrew Bartlett (This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c9
-rw-r--r--source4/libnet/libnet_join.c4
-rw-r--r--source4/librpc/rpc/dcerpc.h9
-rw-r--r--source4/librpc/rpc/dcerpc_connect.c51
-rw-r--r--source4/librpc/rpc/dcerpc_util.c156
-rwxr-xr-xsource4/script/tests/test_session_key.sh14
-rwxr-xr-xsource4/script/tests/test_w2k3.sh2
-rwxr-xr-xsource4/script/tests/tests_all.sh2
-rw-r--r--source4/torture/rpc/bind.c2
9 files changed, 201 insertions, 48 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 4cc067ffde..070e83e97c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -257,6 +257,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
+ if (((gensec_security->want_features & GENSEC_FEATURE_SIGN)
+ || (gensec_security->want_features & GENSEC_FEATURE_SEAL))
+ && (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE)
+ && !lp_parm_bool(-1, "gensec_gssapi", "dce_signseal",
+ cli_credentials_get_kerberos_state(creds) == CRED_MUST_USE_KERBEROS)) {
+ DEBUG(2, ("GSSAPI sign/seal disabled for DCE/RPC. "));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
nt_status = gensec_gssapi_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 9185015da0..743076ee72 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -481,9 +481,9 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
return status;
}
- samr_pipe = connect_with_info->out.dcerpc_pipe,
+ samr_pipe = connect_with_info->out.dcerpc_pipe;
- status = dcerpc_pipe_auth(samr_pipe,
+ status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
connect_with_info->out.dcerpc_pipe->binding,
&dcerpc_table_samr, ctx->cred);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 4c8a615ce5..39de9fcaa8 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -144,16 +144,19 @@ struct dcerpc_pipe {
/* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */
#define DCERPC_NDR_REF_ALLOC (1<<14)
-#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5)
+#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5|DCERPC_AUTH_NTLM)
-/* enable spnego auth */
+/* select spnego auth */
#define DCERPC_AUTH_SPNEGO (1<<15)
-/* enable krb5 auth */
+/* select krb5 auth */
#define DCERPC_AUTH_KRB5 (1<<16)
#define DCERPC_SMB2 (1<<17)
+/* select NTLM auth */
+#define DCERPC_AUTH_NTLM (1<<18)
+
/*
this is used to find pointers to calls
*/
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 2b40935be6..64bb78ec60 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -28,6 +28,7 @@
#include "smb.h"
#include "libcli/composite/composite.h"
#include "libcli/smb_composite/smb_composite.h"
+#include "lib/events/events.h"
#include "libcli/smb2/smb2.h"
#include "libcli/smb2/smb2_calls.h"
#include "auth/credentials/credentials.h"
@@ -762,8 +763,9 @@ static void continue_pipe_auth(struct composite_context *ctx)
{
struct composite_context *c = talloc_get_type(ctx->async.private_data,
struct composite_context);
+ struct pipe_connect_state *s = talloc_get_type(c->private_data, struct pipe_connect_state);
- c->status = dcerpc_pipe_auth_recv(ctx);
+ c->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe);
if (!composite_is_ok(c)) return;
composite_done(c);
@@ -775,7 +777,6 @@ static void continue_pipe_auth(struct composite_context *ctx)
specified binding structure to determine the endpoint and options
*/
struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
- struct dcerpc_pipe **pp,
struct dcerpc_binding *binding,
const struct dcerpc_interface_table *table,
struct cli_credentials *credentials,
@@ -796,16 +797,19 @@ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
c->state = COMPOSITE_STATE_IN_PROGRESS;
c->private_data = s;
- (*pp) = NULL;
+ if (ev == NULL) {
+ ev = event_context_init(c);
+ if (ev == NULL) {
+ talloc_free(c);
+ return NULL;
+ }
+ }
+ c->event_ctx = ev;
/* initialise dcerpc pipe structure */
s->pipe = dcerpc_pipe_init(c, ev);
if (composite_nomem(s->pipe, c)) return c;
- /* get event context from initialised dcerpc pipe */
- c->event_ctx = s->pipe->conn->event_ctx;
- (*pp) = s->pipe;
-
/* store parameters in state structure */
s->binding = binding;
s->table = table;
@@ -842,12 +846,10 @@ NTSTATUS dcerpc_pipe_connect_b_recv(struct composite_context *c, TALLOC_CTX *mem
status = composite_wait(c);
- if (NT_STATUS_IS_OK(status) && p) {
- s = talloc_get_type(c->private_data, struct pipe_connect_state);
- talloc_steal(mem_ctx, s->pipe);
- *p = s->pipe;
- }
-
+ s = talloc_get_type(c->private_data, struct pipe_connect_state);
+ talloc_steal(mem_ctx, s->pipe);
+ *p = s->pipe;
+
talloc_free(c);
return status;
}
@@ -866,7 +868,7 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
{
struct composite_context *c;
- c = dcerpc_pipe_connect_b_send(parent_ctx, pp, binding, table,
+ c = dcerpc_pipe_connect_b_send(parent_ctx, binding, table,
credentials, ev);
return dcerpc_pipe_connect_b_recv(c, parent_ctx, pp);
}
@@ -908,6 +910,15 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
c->state = COMPOSITE_STATE_IN_PROGRESS;
c->private_data = s;
+ if (ev == NULL) {
+ ev = event_context_init(c);
+ if (ev == NULL) {
+ talloc_free(c);
+ return NULL;
+ }
+ }
+ c->event_ctx = ev;
+
/* parse binding string to the structure */
status = dcerpc_parse_binding(c, binding, &b);
if (!NT_STATUS_IS_OK(status)) {
@@ -922,12 +933,9 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
start connecting to a rpc pipe after binding structure
is established
*/
- pipe_conn_req = dcerpc_pipe_connect_b_send(c, &s->pipe, b, table,
+ pipe_conn_req = dcerpc_pipe_connect_b_send(c, b, table,
credentials, ev);
- /* event context for created dcerpc_pipe would be useful... */
- c->event_ctx = s->pipe->conn->event_ctx;
-
if (composite_nomem(pipe_conn_req, c)) return c;
composite_continue(c, pipe_conn_req, continue_pipe_connect_b, c);
@@ -947,6 +955,7 @@ static void continue_pipe_connect_b(struct composite_context *ctx)
struct pipe_conn_state);
c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe);
+ talloc_steal(s, s->pipe);
if (!composite_is_ok(c)) return;
composite_done(c);
@@ -965,10 +974,8 @@ NTSTATUS dcerpc_pipe_connect_recv(struct composite_context *c,
struct pipe_conn_state *s;
status = composite_wait(c);
- if (NT_STATUS_IS_OK(status) && pp) {
- s = talloc_get_type(c->private_data, struct pipe_conn_state);
- *pp = talloc_steal(mem_ctx, s->pipe);
- }
+ s = talloc_get_type(c->private_data, struct pipe_conn_state);
+ *pp = talloc_steal(mem_ctx, s->pipe);
talloc_free(c);
return status;
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index dc2eded967..6c8ed7ecd8 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -141,6 +141,7 @@ static const struct {
{"seal", DCERPC_SEAL},
{"connect", DCERPC_CONNECT},
{"spnego", DCERPC_AUTH_SPNEGO},
+ {"ntlm", DCERPC_AUTH_NTLM},
{"krb5", DCERPC_AUTH_KRB5},
{"validate", DCERPC_DEBUG_VALIDATE_BOTH},
{"print", DCERPC_DEBUG_PRINT_BOTH},
@@ -936,7 +937,7 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
epmapper_binding->endpoint = NULL;
/* initiate rpc pipe connection */
- pipe_connect_req = dcerpc_pipe_connect_b_send(c, &s->pipe, epmapper_binding, &dcerpc_table_epmapper,
+ pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding, &dcerpc_table_epmapper,
anon_creds, c->event_ctx);
if (composite_nomem(pipe_connect_req, c)) return c;
@@ -981,6 +982,8 @@ struct pipe_auth_state {
static void continue_auth_schannel(struct composite_context *ctx);
static void continue_auth(struct composite_context *ctx);
static void continue_auth_none(struct composite_context *ctx);
+static void continue_ntlmssp_connection(struct composite_context *ctx);
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx);
/*
@@ -1011,6 +1014,111 @@ static void continue_auth(struct composite_context *ctx)
composite_done(c);
}
+/*
+ Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks:
+ SPNEGO -> NTLMSSP
+*/
+static void continue_auth_auto(struct composite_context *ctx)
+{
+ struct composite_context *c = talloc_get_type(ctx->async.private_data,
+ struct composite_context);
+
+ c->status = dcerpc_bind_auth_recv(ctx);
+ if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) {
+ struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+ struct composite_context *sec_conn_req;
+
+ /* send a request for secondary rpc connection */
+ sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+ s->binding);
+ if (composite_nomem(sec_conn_req, c)) return;
+
+ composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
+
+ return;
+ } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
+ struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+ struct composite_context *sec_conn_req;
+ if (cli_credentials_wrong_password(s->credentials)) {
+ /* send a request for secondary rpc connection */
+ sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+ s->binding);
+ if (composite_nomem(sec_conn_req, c)) return;
+
+ composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c);
+ }
+ }
+
+ if (!composite_is_ok(c)) return;
+
+ composite_done(c);
+}
+
+/*
+ Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary
+ rpc connection (the first one can't be used any more, due to the
+ bind nak) and perform authenticated bind request
+*/
+static void continue_ntlmssp_connection(struct composite_context *ctx)
+{
+ struct composite_context *c;
+ struct pipe_auth_state *s;
+ struct composite_context *auth_req;
+ struct dcerpc_pipe *p2;
+
+ c = talloc_get_type(ctx->async.private_data, struct composite_context);
+ s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+ /* receive secondary rpc connection */
+ c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+ talloc_steal(s, p2);
+ talloc_steal(p2, s->pipe);
+ s->pipe = p2;
+
+ if (!composite_is_ok(c)) return;
+
+ /* initiate a authenticated bind */
+ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+ s->credentials, DCERPC_AUTH_TYPE_NTLMSSP,
+ dcerpc_auth_level(s->pipe->conn),
+ s->table->authservices->names[0]);
+ if (composite_nomem(auth_req, c)) return;
+
+ composite_continue(c, auth_req, continue_auth, c);
+}
+
+/*
+ Stage 3 of pipe_auth (retry on wrong password): Receive secondary
+ rpc connection (the first one can't be used any more, due to the
+ bind nak) and perform authenticated bind request
+*/
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx)
+{
+ struct composite_context *c;
+ struct pipe_auth_state *s;
+ struct composite_context *auth_req;
+ struct dcerpc_pipe *p2;
+
+ c = talloc_get_type(ctx->async.private_data, struct composite_context);
+ s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+ /* receive secondary rpc connection */
+ c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+ talloc_steal(s, p2);
+ talloc_steal(p2, s->pipe);
+ s->pipe = p2;
+
+ if (!composite_is_ok(c)) return;
+
+ /* initiate a authenticated bind */
+ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+ s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+ dcerpc_auth_level(s->pipe->conn),
+ s->table->authservices->names[0]);
+ if (composite_nomem(auth_req, c)) return;
+
+ composite_continue(c, auth_req, continue_auth, c);
+}
/*
@@ -1042,6 +1150,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
struct composite_context *auth_schannel_req;
struct composite_context *auth_req;
struct composite_context *auth_none_req;
+ struct dcerpc_connection *conn;
/* composite context allocation and setup */
c = talloc_zero(NULL, struct composite_context);
@@ -1060,10 +1169,11 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
s->credentials = credentials;
s->pipe = p;
- s->pipe->conn->flags = binding->flags;
+ conn = s->pipe->conn;
+ conn->flags = binding->flags;
/* remember the binding string for possible secondary connections */
- s->pipe->conn->binding_string = dcerpc_binding_string(p, binding);
+ conn->binding_string = dcerpc_binding_string(p, binding);
if (!cli_credentials_is_anonymous(s->credentials) &&
(binding->flags & DCERPC_SCHANNEL) &&
@@ -1074,13 +1184,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
* first */
auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table,
s->credentials,
- dcerpc_auth_level(s->pipe->conn));
+ dcerpc_auth_level(conn));
if (composite_nomem(auth_schannel_req, c)) return c;
composite_continue(c, auth_schannel_req, continue_auth_schannel, c);
} else if (!cli_credentials_is_anonymous(s->credentials) &&
- !(s->pipe->conn->transport.transport == NCACN_NP &&
+ !(conn->transport.transport == NCACN_NP &&
!(s->binding->flags & DCERPC_SIGN) &&
!(s->binding->flags & DCERPC_SEAL))) {
@@ -1092,7 +1202,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
uint8_t auth_type;
- if ((s->pipe->conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
+ if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
/*
we are doing an authenticated connection,
but not using sign or seal. We must force
@@ -1100,7 +1210,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
type doesn't allow authentication
information to be passed.
*/
- s->pipe->conn->flags |= DCERPC_CONNECT;
+ conn->flags |= DCERPC_CONNECT;
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
@@ -1112,13 +1222,22 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
} else if (s->binding->flags & DCERPC_SCHANNEL) {
auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
- } else {
+ } else if (s->binding->flags & DCERPC_AUTH_NTLM) {
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+ } else {
+ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+ s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+ dcerpc_auth_level(conn),
+ s->table->authservices->names[0]);
+ if (composite_nomem(auth_req, c)) return c;
+
+ composite_continue(c, auth_req, continue_auth_auto, c);
+ return c;
}
auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
s->credentials, auth_type,
- dcerpc_auth_level(s->pipe->conn),
+ dcerpc_auth_level(conn),
s->table->authservices->names[0]);
if (composite_nomem(auth_req, c)) return c;
@@ -1137,8 +1256,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
/*
Receive result of authenticated bind request on dcerpc pipe
+
+ This returns *p, which may be different to the one originally
+ supllied, as it rebinds to a new pipe due to authentication fallback
+
*/
-NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
+NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe **p)
{
NTSTATUS status;
@@ -1149,6 +1273,9 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid);
DEBUG(0, ("Failed to bind to uuid %s - %s\n", uuid_str, nt_errstr(status)));
talloc_free(uuid_str);
+ } else {
+ talloc_steal(mem_ctx, s->pipe);
+ *p = s->pipe;
}
talloc_free(c);
@@ -1158,16 +1285,19 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
/*
Perform an authenticated bind if needed - sync version
+
+ This may change *p, as it rebinds to a new pipe due to authentication fallback
*/
-NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
+NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe **p,
struct dcerpc_binding *binding,
const struct dcerpc_interface_table *table,
struct cli_credentials *credentials)
{
struct composite_context *c;
- c = dcerpc_pipe_auth_send(p, binding, table, credentials);
- return dcerpc_pipe_auth_recv(c);
+ c = dcerpc_pipe_auth_send(*p, binding, table, credentials);
+ return dcerpc_pipe_auth_recv(c, mem_ctx, p);
}
diff --git a/source4/script/tests/test_session_key.sh b/source4/script/tests/test_session_key.sh
index 74de90f479..5dbb4052ee 100755
--- a/source4/script/tests/test_session_key.sh
+++ b/source4/script/tests/test_session_key.sh
@@ -2,7 +2,7 @@
if [ $# -lt 4 ]; then
cat <<EOF
-Usage: test_session_key.sh SERVER USERNAME PASSWORD DOMAIN
+Usage: test_session_key.sh SERVER USERNAME PASSWORD DOMAIN NETBIOSNAME
EOF
exit 1;
fi
@@ -11,7 +11,8 @@ server="$1"
username="$2"
password="$3"
domain="$4"
-shift 4
+netbios_name="$5"
+shift 5
incdir=`dirname $0`
. $incdir/test_functions.sh
@@ -33,13 +34,16 @@ for bindoptions in validate seal; do
"-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
"-k no --option=usespnego=no --option=clientntlmv2auth=yes" \
"-k no --option=gensec:spnego=no --option=clientntlmv2auth=yes" \
- "-k no --option=usespnego=no" \
- ; do
+ "-k no --option=usespnego=no"; do
name="RPC-SECRETS on $transport:$server[$bindoptions] with NTLM2:$ntlm2 KEYEX:$keyexchange LM_KEY:$lm_key $ntlmoptions"
- testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain --option=gensec:target_hostname=$netbios_name RPC-SECRETS "$*" || failed=`expr $failed + 1`
done
done
done
done
+ name="RPC-SECRETS on $transport:$server[$bindoptions] with Kerberos"
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" -k yes -U"$username"%"$password" -W $domain "--option=gensec:target_hostname=$netbios_name" RPC-SECRETS "$*" || failed=`expr $failed + 1`
+ name="RPC-SECRETS on $transport:$server[$bindoptions] with Kerberos (use target principal)"
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" -k yes -U"$username"%"$password" -W $domain "--option=clientusespnegoprincipal=yes" "--option=gensec:target_hostname=$netbios_name" RPC-SECRETS "$*" || failed=`expr $failed + 1`
done
testok $0 $failed
diff --git a/source4/script/tests/test_w2k3.sh b/source4/script/tests/test_w2k3.sh
index 3e7da590c0..d3192e7bc9 100755
--- a/source4/script/tests/test_w2k3.sh
+++ b/source4/script/tests/test_w2k3.sh
@@ -31,7 +31,7 @@ failed=0
name="RPC-SPOOLSS on ncacn_np"
testit "$name" bin/smbtorture $TORTURE_OPTIONS ncacn_np:"$server" $OPTIONS RPC-SPOOLSS "$*" || failed=`expr $failed + 1`
-for bindoptions in padcheck connect sign seal spnego,sign spnego,seal validate bigendian; do
+for bindoptions in padcheck connect sign seal ntlm,sign ntlm,seal validate bigendian; do
for transport in ncacn_ip_tcp ncacn_np; do
case $transport in
ncacn_np) tests=$ncacn_np_tests ;;
diff --git a/source4/script/tests/tests_all.sh b/source4/script/tests/tests_all.sh
index d5d20d8f92..a93614b91c 100755
--- a/source4/script/tests/tests_all.sh
+++ b/source4/script/tests/tests_all.sh
@@ -3,7 +3,7 @@
$SRCDIR/script/tests/test_nbt.sh $SERVER || failed=`expr $failed + $?`
$SRCDIR/script/tests/test_quick.sh //$SERVER/cifs $USERNAME $PASSWORD "" || failed=`expr $failed + $?`
$SRCDIR/script/tests/test_rpc.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
- $SRCDIR/script/tests/test_session_key.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
+ $SRCDIR/script/tests/test_session_key.sh $SERVER $USERNAME $PASSWORD $DOMAIN $NETBIOSNAME || failed=`expr $failed + $?`
$SRCDIR/script/tests/test_binding_string.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
$SRCDIR/script/tests/test_echo.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
$SRCDIR/script/tests/test_posix.sh //$SERVER/tmp $USERNAME $PASSWORD "" || failed=`expr $failed + $?`
diff --git a/source4/torture/rpc/bind.c b/source4/torture/rpc/bind.c
index 56f3e9a040..17580737f8 100644
--- a/source4/torture/rpc/bind.c
+++ b/source4/torture/rpc/bind.c
@@ -63,7 +63,7 @@ BOOL torture_multi_bind(struct torture_context *torture)
return False;
}
- status = dcerpc_pipe_auth(p, binding, &dcerpc_table_lsarpc, cmdline_credentials);
+ status = dcerpc_pipe_auth(mem_ctx, &p, binding, &dcerpc_table_lsarpc, cmdline_credentials);
if (NT_STATUS_IS_OK(status)) {
printf("(incorrectly) allowed re-bind to uuid %s - %s\n",