summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBenjamin Franzke <benjaminfranzke@googlemail.com>2013-10-28 14:21:20 +0100
committerBenjamin Franzke <benjaminfranzke@googlemail.com>2013-11-08 18:11:40 +0100
commitab704565d218e6858cce63cf61933515090f754a (patch)
tree626fc8800ce1cf66f25b21ea9bab7cd6b00f9bfe
parent420b47331adba8d7639488418149df5b47f8e8b3 (diff)
downloadsamba-ab704565d218e6858cce63cf61933515090f754a.tar.gz
samba-ab704565d218e6858cce63cf61933515090f754a.tar.bz2
samba-ab704565d218e6858cce63cf61933515090f754a.zip
s4:torture/ldap: Add test for netlogon over tcp
This patch moves the udp netlogon tests from cldap.c to netlogon.c and passes a generic netlogon-send function as parameter. Therefore a tcp replacement for cldap_netlogon is also added. The two variants tcp and udp are added as 2 new torture tests: ldap.netlogon-udp & ldap.netlogon-tcp Both tests succeed.
-rw-r--r--source4/torture/ldap/cldap.c329
-rw-r--r--source4/torture/ldap/common.c2
-rw-r--r--source4/torture/ldap/netlogon.c516
-rwxr-xr-xsource4/torture/wscript_build2
4 files changed, 519 insertions, 330 deletions
diff --git a/source4/torture/ldap/cldap.c b/source4/torture/ldap/cldap.c
index 28859a544d..6a925cf454 100644
--- a/source4/torture/ldap/cldap.c
+++ b/source4/torture/ldap/cldap.c
@@ -24,7 +24,6 @@
#include "includes.h"
#include "libcli/cldap/cldap.h"
#include "libcli/ldap/ldap_client.h"
-#include "librpc/gen_ndr/netlogon.h"
#include "param/param.h"
#include "../lib/tsocket/tsocket.h"
@@ -36,332 +35,6 @@
#define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value");
#define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value");
-/*
- test netlogon operations
-*/
-static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest)
-{
- struct cldap_socket *cldap;
- NTSTATUS status;
- struct cldap_netlogon search, empty_search;
- struct netlogon_samlogon_response n1;
- struct GUID guid;
- int i;
- struct tsocket_address *dest_addr;
- int ret;
-
- ret = tsocket_address_inet_from_strings(tctx, "ip",
- dest,
- lpcfg_cldap_port(tctx->lp_ctx),
- &dest_addr);
- CHECK_VAL(ret, 0);
-
- status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- ZERO_STRUCT(search);
- search.in.dest_address = NULL;
- search.in.dest_port = 0;
- search.in.acct_control = -1;
- search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
- search.in.map_response = true;
-
- empty_search = search;
-
- printf("Trying without any attributes\n");
- search = empty_search;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- n1 = search.out.netlogon;
-
- search.in.user = "Administrator";
- search.in.realm = n1.data.nt5_ex.dns_domain;
- search.in.host = "__cldap_torture__";
-
- printf("Scanning for netlogon levels\n");
- for (i=0;i<256;i++) {
- search.in.version = i;
- printf("Trying netlogon level %d\n", i);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- }
-
- printf("Scanning for netlogon level bits\n");
- for (i=0;i<31;i++) {
- search.in.version = (1<<i);
- printf("Trying netlogon level 0x%x\n", i);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- }
-
- search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- printf("Trying with User=NULL\n");
- search.in.user = NULL;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
- torture_assert(tctx,
- strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
- "PDC name should not be in UNC form");
-
- printf("Trying with User=Administrator\n");
- search.in.user = "Administrator";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
- torture_assert(tctx,
- strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
- "PDC name should not be in UNC form");
-
- search.in.version = NETLOGON_NT_VERSION_5;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- printf("Trying with User=NULL\n");
- search.in.user = NULL;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
- torture_assert(tctx,
- strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") != NULL,
- "PDC name should be in UNC form");
-
- printf("Trying with User=Administrator\n");
- search.in.user = "Administrator";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
- torture_assert(tctx,
- strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") != NULL,
- "PDC name should be in UNC form");
-
- search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
-
- printf("Trying with a GUID\n");
- search.in.realm = NULL;
- search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
- CHECK_STRING(GUID_string(tctx, &search.out.netlogon.data.nt5_ex.domain_uuid), search.in.domain_guid);
- torture_assert(tctx,
- strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
- "PDC name should not be in UNC form");
-
- printf("Trying with a incorrect GUID\n");
- guid = GUID_random();
- search.in.user = NULL;
- search.in.domain_guid = GUID_string(tctx, &guid);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
-
- printf("Trying with a AAC\n");
- search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
- search.in.realm = n1.data.nt5_ex.dns_domain;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
-
- printf("Trying with a zero AAC\n");
- search.in.acct_control = 0x0;
- search.in.realm = n1.data.nt5_ex.dns_domain;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
-
- printf("Trying with a zero AAC and user=Administrator\n");
- search.in.acct_control = 0x0;
- search.in.user = "Administrator";
- search.in.realm = n1.data.nt5_ex.dns_domain;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "Administrator");
-
- printf("Trying with a bad AAC\n");
- search.in.user = NULL;
- search.in.acct_control = 0xFF00FF00;
- search.in.realm = n1.data.nt5_ex.dns_domain;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
-
- printf("Trying with a user only\n");
- search = empty_search;
- search.in.user = "Administrator";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- printf("Trying with just a bad username\n");
- search.in.user = "___no_such_user___";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- printf("Trying with just a bad domain\n");
- search = empty_search;
- search.in.realm = "___no_such_domain___";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
-
- printf("Trying with a incorrect domain and correct guid\n");
- search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- printf("Trying with a incorrect domain and incorrect guid\n");
- search.in.domain_guid = GUID_string(tctx, &guid);
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- printf("Trying with a incorrect GUID and correct domain\n");
- search.in.domain_guid = GUID_string(tctx, &guid);
- search.in.realm = n1.data.nt5_ex.dns_domain;
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- printf("Proof other results\n");
- search.in.user = "Administrator";
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
- CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
-
- return true;
-}
-
-/*
- test cldap netlogon server type flags
-*/
-static bool test_cldap_netlogon_flags(struct torture_context *tctx,
- const char *dest)
-{
- struct cldap_socket *cldap;
- NTSTATUS status;
- struct cldap_netlogon search;
- struct netlogon_samlogon_response n1;
- uint32_t server_type;
- struct tsocket_address *dest_addr;
- int ret;
-
- ret = tsocket_address_inet_from_strings(tctx, "ip",
- dest,
- lpcfg_cldap_port(tctx->lp_ctx),
- &dest_addr);
- CHECK_VAL(ret, 0);
-
- /* cldap_socket_init should now know about the dest. address */
- status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- printf("Printing out netlogon server type flags: %s\n", dest);
-
- ZERO_STRUCT(search);
- search.in.dest_address = NULL;
- search.in.dest_port = 0;
- search.in.acct_control = -1;
- search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
- search.in.map_response = true;
-
- status = cldap_netlogon(cldap, tctx, &search);
- CHECK_STATUS(status, NT_STATUS_OK);
-
- n1 = search.out.netlogon;
- if (n1.ntver == NETLOGON_NT_VERSION_5)
- server_type = n1.data.nt5.server_type;
- else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
- server_type = n1.data.nt5_ex.server_type;
-
- printf("The word is: %i\n", server_type);
- if (server_type & NBT_SERVER_PDC)
- printf("NBT_SERVER_PDC ");
- if (server_type & NBT_SERVER_GC)
- printf("NBT_SERVER_GC ");
- if (server_type & NBT_SERVER_LDAP)
- printf("NBT_SERVER_LDAP ");
- if (server_type & NBT_SERVER_DS)
- printf("NBT_SERVER_DS ");
- if (server_type & NBT_SERVER_KDC)
- printf("NBT_SERVER_KDC ");
- if (server_type & NBT_SERVER_TIMESERV)
- printf("NBT_SERVER_TIMESERV ");
- if (server_type & NBT_SERVER_CLOSEST)
- printf("NBT_SERVER_CLOSEST ");
- if (server_type & NBT_SERVER_WRITABLE)
- printf("NBT_SERVER_WRITABLE ");
- if (server_type & NBT_SERVER_GOOD_TIMESERV)
- printf("NBT_SERVER_GOOD_TIMESERV ");
- if (server_type & NBT_SERVER_NDNC)
- printf("NBT_SERVER_NDNC ");
- if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6)
- printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6");
- if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6)
- printf("NBT_SERVER_FULL_SECRET_DOMAIN_6");
- if (server_type & DS_DNS_CONTROLLER)
- printf("DS_DNS_CONTROLLER ");
- if (server_type & DS_DNS_DOMAIN)
- printf("DS_DNS_DOMAIN ");
- if (server_type & DS_DNS_FOREST_ROOT)
- printf("DS_DNS_FOREST_ROOT ");
-
- printf("\n");
-
- return true;
-}
/*
convert a ldap result message to a ldb message. This allows us to
@@ -488,8 +161,6 @@ bool torture_cldap(struct torture_context *torture)
bool ret = true;
const char *host = torture_setting_string(torture, "host", NULL);
- ret &= test_cldap_netlogon(torture, host);
- ret &= test_cldap_netlogon_flags(torture, host);
ret &= test_cldap_generic(torture, host);
return ret;
diff --git a/source4/torture/ldap/common.c b/source4/torture/ldap/common.c
index 3af3d02491..a37af68e1f 100644
--- a/source4/torture/ldap/common.c
+++ b/source4/torture/ldap/common.c
@@ -136,6 +136,8 @@ NTSTATUS torture_ldap_init(void)
torture_suite_add_simple_test(suite, "basic", torture_ldap_basic);
torture_suite_add_simple_test(suite, "sort", torture_ldap_sort);
torture_suite_add_simple_test(suite, "cldap", torture_cldap);
+ torture_suite_add_simple_test(suite, "netlogon-udp", torture_netlogon_udp);
+ torture_suite_add_simple_test(suite, "netlogon-tcp", torture_netlogon_tcp);
torture_suite_add_simple_test(suite, "schema", torture_ldap_schema);
torture_suite_add_simple_test(suite, "uptodatevector", torture_ldap_uptodatevector);
torture_suite_add_simple_test(suite, "nested-search", test_ldap_nested_search);
diff --git a/source4/torture/ldap/netlogon.c b/source4/torture/ldap/netlogon.c
new file mode 100644
index 0000000000..9ed058e35a
--- /dev/null
+++ b/source4/torture/ldap/netlogon.c
@@ -0,0 +1,516 @@
+/*
+ Unix SMB/CIFS mplementation.
+
+ test CLDAP/LDAP netlogon operations
+
+ Copyright (C) Andrew Tridgell 2005
+ Copyright (C) Matthias Dieter Wallnöfer 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#include "includes.h"
+#include "libcli/cldap/cldap.h"
+#include "libcli/ldap/ldap_client.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "param/param.h"
+#include "../lib/tsocket/tsocket.h"
+
+#include "torture/torture.h"
+#include "torture/ldap/proto.h"
+
+#define CHECK_STATUS(status, correct) torture_assert_ntstatus_equal(tctx, status, correct, "incorrect status")
+
+#define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value");
+
+#define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value");
+
+typedef NTSTATUS (*request_netlogon_t)(void *con,
+ TALLOC_CTX *mem_ctx,
+ struct cldap_netlogon *io);
+
+/*
+ test netlogon operations
+*/
+static bool test_ldap_netlogon(struct torture_context *tctx,
+ request_netlogon_t request_netlogon,
+ void *cldap,
+ const char *dest)
+{
+ NTSTATUS status;
+ struct cldap_netlogon search, empty_search;
+ struct netlogon_samlogon_response n1;
+ struct GUID guid;
+ int i;
+
+ ZERO_STRUCT(search);
+ search.in.dest_address = NULL;
+ search.in.dest_port = 0;
+ search.in.acct_control = -1;
+ search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+ search.in.map_response = true;
+
+ empty_search = search;
+
+ printf("Trying without any attributes\n");
+ search = empty_search;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ n1 = search.out.netlogon;
+
+ search.in.user = "Administrator";
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ search.in.host = "__cldap_torture__";
+
+ printf("Scanning for netlogon levels\n");
+ for (i=0;i<256;i++) {
+ search.in.version = i;
+ printf("Trying netlogon level %d\n", i);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ }
+
+ printf("Scanning for netlogon level bits\n");
+ for (i=0;i<31;i++) {
+ search.in.version = (1<<i);
+ printf("Trying netlogon level 0x%x\n", i);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ }
+
+ search.in.version = NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_IP;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ printf("Trying with User=NULL\n");
+ search.in.user = NULL;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+ torture_assert(tctx,
+ strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
+ "PDC name should not be in UNC form");
+
+ printf("Trying with User=Administrator\n");
+ search.in.user = "Administrator";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
+ torture_assert(tctx,
+ strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
+ "PDC name should not be in UNC form");
+
+ search.in.version = NETLOGON_NT_VERSION_5;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ printf("Trying with User=NULL\n");
+ search.in.user = NULL;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+ torture_assert(tctx,
+ strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") != NULL,
+ "PDC name should be in UNC form");
+
+ printf("Trying with User=Administrator\n");
+ search.in.user = "Administrator";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
+ torture_assert(tctx,
+ strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") != NULL,
+ "PDC name should be in UNC form");
+
+ search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+
+ printf("Trying with a GUID\n");
+ search.in.realm = NULL;
+ search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
+ CHECK_STRING(GUID_string(tctx, &search.out.netlogon.data.nt5_ex.domain_uuid), search.in.domain_guid);
+ torture_assert(tctx,
+ strstr(search.out.netlogon.data.nt5_ex.pdc_name, "\\\\") == NULL,
+ "PDC name should not be in UNC form");
+
+ printf("Trying with a incorrect GUID\n");
+ guid = GUID_random();
+ search.in.user = NULL;
+ search.in.domain_guid = GUID_string(tctx, &guid);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
+
+ printf("Trying with a AAC\n");
+ search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST;
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+
+ printf("Trying with a zero AAC\n");
+ search.in.acct_control = 0x0;
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+
+ printf("Trying with a zero AAC and user=Administrator\n");
+ search.in.acct_control = 0x0;
+ search.in.user = "Administrator";
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "Administrator");
+
+ printf("Trying with a bad AAC\n");
+ search.in.user = NULL;
+ search.in.acct_control = 0xFF00FF00;
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+
+ printf("Trying with a user only\n");
+ search = empty_search;
+ search.in.user = "Administrator";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ printf("Trying with just a bad username\n");
+ search.in.user = "___no_such_user___";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ printf("Trying with just a bad domain\n");
+ search = empty_search;
+ search.in.realm = "___no_such_domain___";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
+
+ printf("Trying with a incorrect domain and correct guid\n");
+ search.in.domain_guid = GUID_string(tctx, &n1.data.nt5_ex.domain_uuid);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ printf("Trying with a incorrect domain and incorrect guid\n");
+ search.in.domain_guid = GUID_string(tctx, &guid);
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_NOT_FOUND);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ printf("Trying with a incorrect GUID and correct domain\n");
+ search.in.domain_guid = GUID_string(tctx, &guid);
+ search.in.realm = n1.data.nt5_ex.dns_domain;
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_VAL(search.out.netlogon.data.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, "");
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ printf("Proof other results\n");
+ search.in.user = "Administrator";
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.forest, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.dns_domain, n1.data.nt5_ex.dns_domain);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.domain_name, n1.data.nt5_ex.domain_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.pdc_name, n1.data.nt5_ex.pdc_name);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.user_name, search.in.user);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.server_site, n1.data.nt5_ex.server_site);
+ CHECK_STRING(search.out.netlogon.data.nt5_ex.client_site, n1.data.nt5_ex.client_site);
+
+ return true;
+}
+
+/*
+ test cldap netlogon server type flags
+*/
+static bool test_ldap_netlogon_flags(struct torture_context *tctx,
+ request_netlogon_t request_netlogon,
+ void *cldap,
+ const char *dest)
+{
+ NTSTATUS status;
+ struct cldap_netlogon search;
+ struct netlogon_samlogon_response n1;
+ uint32_t server_type;
+
+ printf("Printing out netlogon server type flags: %s\n", dest);
+
+ ZERO_STRUCT(search);
+ search.in.dest_address = NULL;
+ search.in.dest_port = 0;
+ search.in.acct_control = -1;
+ search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+ search.in.map_response = true;
+
+ status = request_netlogon(cldap, tctx, &search);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ n1 = search.out.netlogon;
+ if (n1.ntver == NETLOGON_NT_VERSION_5)
+ server_type = n1.data.nt5.server_type;
+ else if (n1.ntver == NETLOGON_NT_VERSION_5EX)
+ server_type = n1.data.nt5_ex.server_type;
+
+ printf("The word is: %i\n", server_type);
+ if (server_type & NBT_SERVER_PDC)
+ printf("NBT_SERVER_PDC ");
+ if (server_type & NBT_SERVER_GC)
+ printf("NBT_SERVER_GC ");
+ if (server_type & NBT_SERVER_LDAP)
+ printf("NBT_SERVER_LDAP ");
+ if (server_type & NBT_SERVER_DS)
+ printf("NBT_SERVER_DS ");
+ if (server_type & NBT_SERVER_KDC)
+ printf("NBT_SERVER_KDC ");
+ if (server_type & NBT_SERVER_TIMESERV)
+ printf("NBT_SERVER_TIMESERV ");
+ if (server_type & NBT_SERVER_CLOSEST)
+ printf("NBT_SERVER_CLOSEST ");
+ if (server_type & NBT_SERVER_WRITABLE)
+ printf("NBT_SERVER_WRITABLE ");
+ if (server_type & NBT_SERVER_GOOD_TIMESERV)
+ printf("NBT_SERVER_GOOD_TIMESERV ");
+ if (server_type & NBT_SERVER_NDNC)
+ printf("NBT_SERVER_NDNC ");
+ if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6)
+ printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6");
+ if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6)
+ printf("NBT_SERVER_FULL_SECRET_DOMAIN_6");
+ if (server_type & DS_DNS_CONTROLLER)
+ printf("DS_DNS_CONTROLLER ");
+ if (server_type & DS_DNS_DOMAIN)
+ printf("DS_DNS_DOMAIN ");
+ if (server_type & DS_DNS_FOREST_ROOT)
+ printf("DS_DNS_FOREST_ROOT ");
+
+ printf("\n");
+
+ return true;
+}
+
+static NTSTATUS tcp_ldap_rootdse(void *data,
+ TALLOC_CTX *mem_ctx,
+ struct cldap_search *io)
+{
+ struct ldap_connection *conn = talloc_get_type(data,
+ struct ldap_connection);
+ struct ldap_message *msg, *result;
+ struct ldap_request *req;
+ int i;
+ NTSTATUS status;
+
+ msg = new_ldap_message(mem_ctx);
+ if (!msg) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->type = LDAP_TAG_SearchRequest;
+ msg->r.SearchRequest.basedn = "";
+ msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
+ msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
+ msg->r.SearchRequest.timelimit = 0;
+ msg->r.SearchRequest.sizelimit = 0;
+ msg->r.SearchRequest.attributesonly = false;
+ msg->r.SearchRequest.tree = ldb_parse_tree(msg, io->in.filter);
+ msg->r.SearchRequest.num_attributes = str_list_length(io->in.attributes);
+ msg->r.SearchRequest.attributes = io->in.attributes;
+
+ req = ldap_request_send(conn, msg);
+ if (req == NULL) {
+ printf("Could not setup ldap search\n");
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ZERO_STRUCT(io->out);
+ for (i = 0; i < 2; ++i) {
+ status = ldap_result_n(req, i, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ switch (result->type) {
+ case LDAP_TAG_SearchResultEntry:
+ if (i != 0) {
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+ }
+ io->out.response = &result->r.SearchResultEntry;
+ break;
+ case LDAP_TAG_SearchResultDone:
+ io->out.result = &result->r.SearchResultDone;
+ if (io->out.result->resultcode != LDAP_SUCCESS) {
+ return NT_STATUS_LDAP(io->out.result->resultcode);
+ }
+
+ return NT_STATUS_OK;
+ default:
+ return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS tcp_ldap_netlogon(void *conn,
+ TALLOC_CTX *mem_ctx,
+ struct cldap_netlogon *io)
+{
+ struct cldap_search search;
+ struct ldap_SearchResEntry *res;
+ NTSTATUS status;
+ DATA_BLOB *blob;
+
+ ZERO_STRUCT(search);
+ search.in.attributes = (const char *[]) { "netlogon", NULL };
+ search.in.filter = cldap_netlogon_create_filter(mem_ctx, io);
+ if (search.in.filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = tcp_ldap_rootdse(conn, mem_ctx, &search);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ res = search.out.response;
+ if (res == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ if (res->num_attributes != 1 ||
+ strcasecmp(res->attributes[0].name, "netlogon") != 0 ||
+ res->attributes[0].num_values != 1 ||
+ res->attributes[0].values->length < 2) {
+ return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
+ }
+
+ blob = res->attributes[0].values;
+ status = pull_netlogon_samlogon_response(blob, mem_ctx,
+ &io->out.netlogon);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (io->in.map_response) {
+ map_netlogon_samlogon_response(&io->out.netlogon);
+ }
+
+ return NT_STATUS_OK;
+}
+
+bool torture_netlogon_tcp(struct torture_context *tctx)
+{
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ bool ret = true;
+ NTSTATUS status;
+ struct ldap_connection *conn;
+ TALLOC_CTX *mem_ctx;
+ const char *url;
+
+ mem_ctx = talloc_init("torture_ldap_netlogon");
+
+ url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
+
+ status = torture_ldap_connection(tctx, &conn, url);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ ret &= test_ldap_netlogon(tctx, tcp_ldap_netlogon, conn, host);
+ ret &= test_ldap_netlogon_flags(tctx, tcp_ldap_netlogon, conn, host);
+
+ return ret;
+}
+
+static NTSTATUS udp_ldap_netlogon(void *data,
+ TALLOC_CTX *mem_ctx,
+ struct cldap_netlogon *io)
+{
+ struct cldap_socket *cldap = talloc_get_type(data,
+ struct cldap_socket);
+
+ return cldap_netlogon(cldap, mem_ctx, io);
+}
+
+bool torture_netlogon_udp(struct torture_context *tctx)
+{
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ bool ret = true;
+ int r;
+ struct cldap_socket *cldap;
+ NTSTATUS status;
+ struct tsocket_address *dest_addr;
+
+ r = tsocket_address_inet_from_strings(tctx, "ip",
+ host,
+ lpcfg_cldap_port(tctx->lp_ctx),
+ &dest_addr);
+ CHECK_VAL(r, 0);
+
+ /* cldap_socket_init should now know about the dest. address */
+ status = cldap_socket_init(tctx, NULL, dest_addr, &cldap);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ ret &= test_ldap_netlogon(tctx, udp_ldap_netlogon, cldap, host);
+ ret &= test_ldap_netlogon_flags(tctx, udp_ldap_netlogon, cldap, host);
+
+ return ret;
+}
diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build
index c3c997ada2..61c3a09148 100755
--- a/source4/torture/wscript_build
+++ b/source4/torture/wscript_build
@@ -108,7 +108,7 @@ bld.SAMBA_MODULE('TORTURE_UNIX',
bld.SAMBA_MODULE('TORTURE_LDAP',
- source='ldap/common.c ldap/basic.c ldap/schema.c ldap/uptodatevector.c ldap/cldap.c ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c',
+ source='ldap/common.c ldap/basic.c ldap/schema.c ldap/uptodatevector.c ldap/cldap.c ldap/netlogon.c ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c',
subsystem='smbtorture',
deps='cli-ldap cli_cldap samdb POPT_CREDENTIALS torture ldbsamba',
internal_module=True,