summaryrefslogtreecommitdiff
path: root/source3/torture
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-08-08 15:22:03 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-08-08 08:03:21 +0200
commitb7b48793501915ecf5cb52b3044fd2f902987802 (patch)
tree1370735b71ea95397876ca160dd0052f5dbbcc0e /source3/torture
parentde2d813898bcfc530d13753a57ac8356b7c7bf0e (diff)
downloadsamba-b7b48793501915ecf5cb52b3044fd2f902987802.tar.gz
samba-b7b48793501915ecf5cb52b3044fd2f902987802.tar.bz2
samba-b7b48793501915ecf5cb52b3044fd2f902987802.zip
s3-torture: Extend pdbtest to also run an authentication unit-test
This tests both the builtin auth_sam against passdb directly and the configured auth module. Andrew Bartlett
Diffstat (limited to 'source3/torture')
-rw-r--r--source3/torture/pdbtest.c117
1 files changed, 116 insertions, 1 deletions
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 821f39bee7..d0d529e922 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -4,6 +4,7 @@
Copyright (C) Wilco Baan Hofman 2006
Copyright (C) Jelmer Vernooij 2006
+ Copyright (C) Andrew Bartlett 2012
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -27,6 +28,10 @@
#include "../librpc/gen_ndr/drsblobs.h"
#include "../librpc/gen_ndr/ndr_drsblobs.h"
#include "../libcli/security/dom_sid.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "../auth/common_auth.h"
+#include "lib/tsocket/tsocket.h"
+#include "include/auth.h"
#define TRUST_DOM "trustdom"
#define TRUST_PWD "trustpwd1232"
@@ -38,6 +43,7 @@ static bool samu_correct(struct samu *s1, struct samu *s2)
uint32 s1_len, s2_len;
const char *s1_buf, *s2_buf;
const uint8 *d1_buf, *d2_buf;
+ const struct dom_sid *s1_sid, *s2_sid;
/* Check Unix username */
s1_buf = pdb_get_username(s1);
@@ -233,11 +239,111 @@ static bool samu_correct(struct samu *s1, struct samu *s2)
ret = False;
}
- /* TODO Check user and group sids */
+ /* Check user and group sids */
+ s1_sid = pdb_get_user_sid(s1);
+ s2_sid = pdb_get_user_sid(s2);
+ if (s2_sid == NULL && s1_sid != NULL) {
+ DEBUG(0, ("USER SID not set\n"));
+ ret = False;
+ } else if (s1_sid == NULL) {
+ /* Do nothing */
+ } else if (!dom_sid_equal(s1_sid, s2_sid)) {
+ DEBUG(0, ("USER SID is not written correctly\n"));
+ ret = False;
+ }
return ret;
}
+static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
+{
+ struct auth_usersupplied_info *user_info;
+ struct auth_context *auth_context;
+ static const uint8_t challenge_8[8] = {1, 2, 3, 4, 5, 6, 7, 8};
+ DATA_BLOB challenge = data_blob_const(challenge_8, sizeof(challenge_8));
+ struct tsocket_address *tsocket_address;
+ unsigned char local_nt_response[24];
+ DATA_BLOB nt_resp = data_blob_const(local_nt_response, sizeof(local_nt_response));
+ unsigned char local_nt_session_key[16];
+ struct netr_SamInfo3 *info3_sam, *info3_auth;
+ struct auth_serversupplied_info *server_info;
+ NTSTATUS status;
+
+ SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
+ local_nt_response);
+ SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
+
+ if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &tsocket_address) != 0) {
+ return False;
+ }
+
+ status = make_user_info(&user_info, pdb_get_username(pdb_entry), pdb_get_username(pdb_entry),
+ pdb_get_domain(pdb_entry), pdb_get_domain(pdb_entry), lp_netbios_name(),
+ tsocket_address, NULL, &nt_resp, NULL, NULL, NULL,
+ AUTH_PASSWORD_RESPONSE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ status = check_sam_security_info3(&challenge, NULL, user_info, &info3_sam);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ if (memcmp(info3_sam->base.key.key, local_nt_session_key, 16) != 0) {
+ DEBUG(0, ("Returned NT session key is incorrect\n"));
+ return False;
+ }
+
+ status = make_auth_context_fixed(NULL, &auth_context, challenge.data);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ status = auth_check_ntlm_password(auth_context, user_info, &server_info);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ info3_auth = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3_auth == NULL) {
+ return False;
+ }
+
+ status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
+ nt_errstr(status)));
+ return False;
+ }
+
+ if (memcmp(info3_auth->base.key.key, local_nt_session_key, 16) != 0) {
+ DEBUG(0, ("Returned NT session key is incorrect\n"));
+ return False;
+ }
+
+ if (!dom_sid_equal(info3_sam->base.domain_sid, info3_auth->base.domain_sid)) {
+ DEBUG(0, ("domain_sid in SAM info3 %s does not match domain_sid in AUTH info3 %s\n",
+ dom_sid_string(NULL, info3_sam->base.domain_sid),
+ dom_sid_string(NULL, info3_auth->base.domain_sid)));
+ return False;
+ }
+
+ /* TODO:
+ * Compre more details from the two info3 structures,
+ * then test that an expired/disabled/pwdmustchange account
+ * returns the correct errors
+ */
+
+ return True;
+}
+
static bool test_trusted_domains(TALLOC_CTX *ctx,
struct pdb_methods *pdb,
bool *error)
@@ -363,6 +469,7 @@ int main(int argc, char **argv)
/* Load configuration */
lp_load_global(get_dyn_CONFIGFILE());
setup_logging("pdbtest", DEBUG_STDOUT);
+ init_names();
if (backend == NULL) {
backend = lp_passdb_backend();
@@ -464,6 +571,14 @@ int main(int argc, char **argv)
error = True;
}
+ if (test_auth(ctx, out)) {
+ printf("Authentication module test passed\n");
+ } else {
+ printf("Authentication module test failed!\n");
+ error = True;
+ }
+
+
/* Delete account */
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",