diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-11-11 23:24:30 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:05:43 -0500 |
| commit | fd5135a63b4c81688c4e2d729380ca954f22286d (patch) | |
| tree | 7179bf31f404359a702f94ed5db03a1a4732617c /source4/torture/rpc/schannel.c | |
| parent | 32e368502d80517dd7b00c1c3bc8b042887d9db0 (diff) | |
| download | samba-fd5135a63b4c81688c4e2d729380ca954f22286d.tar.gz samba-fd5135a63b4c81688c4e2d729380ca954f22286d.tar.bz2 samba-fd5135a63b4c81688c4e2d729380ca954f22286d.zip | |
r3686: The results of some work on the NETLOGON pipe:
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC,
that will cross-verify all the values.
Add support for the way netlogon credentials are shared between the
pipe that sets up schannel and the pipe that is encrypted with it.
Test this support, by calling both NETLOGON and SAMR operations in the
RPC-SCHANNEL test.
Move some of the Netlogon NEG flags into the .idl, now we have an idea
what a few of them really are.
Rename the sam_pwd_hash into a name that has meaning (all other crypto
functions were renamed in Samba4 ages ago).
Break out NTLMv2 functionality for operation on the NT hash - I intend
to do NTLMv2 logins in the samsync test in future, and naturally I
only have the hash.
Andrew Bartlett
(This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
Diffstat (limited to 'source4/torture/rpc/schannel.c')
| -rw-r--r-- | source4/torture/rpc/schannel.c | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 323adde534..7a9786fa2d 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -53,6 +53,63 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) return True; } + +/* + try a netlogon SamLogon +*/ +static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + struct creds_CredentialState *creds) +{ + NTSTATUS status; + struct netr_LogonSamLogon r; + struct netr_Authenticator auth, auth2; + struct netr_NetworkInfo ninfo; + const char *username = lp_parm_string(-1, "torture", "username"); + const char *password = lp_parm_string(-1, "torture", "password"); + + int i; + BOOL ret = True; + + ninfo.identity_info.domain_name.string = lp_workgroup(); + ninfo.identity_info.parameter_control = 0; + ninfo.identity_info.logon_id_low = 0; + ninfo.identity_info.logon_id_high = 0; + ninfo.identity_info.account_name.string = username; + ninfo.identity_info.workstation.string = TEST_MACHINE_NAME; + generate_random_buffer(ninfo.challenge, + sizeof(ninfo.challenge)); + ninfo.nt.length = 24; + ninfo.nt.data = talloc(mem_ctx, 24); + SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data); + ninfo.lm.length = 24; + ninfo.lm.data = talloc(mem_ctx, 24); + SMBencrypt(password, ninfo.challenge, ninfo.lm.data); + + + r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); + r.in.workstation = TEST_MACHINE_NAME; + r.in.credential = &auth; + r.in.return_authenticator = &auth2; + r.in.logon_level = 2; + r.in.logon.network = &ninfo; + + for (i=2;i<3;i++) { + ZERO_STRUCT(auth2); + creds_client_authenticator(creds, &auth); + + r.in.validation_level = i; + + status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r); + + if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + printf("Credential chaining failed\n"); + ret = False; + } + + } + return ret; +} + /* test a schannel connection with the given flags */ @@ -66,6 +123,8 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, const char *binding = lp_parm_string(-1, "torture", "binding"); struct dcerpc_binding b; struct dcerpc_pipe *p; + struct dcerpc_pipe *p_netlogon; + struct creds_CredentialState *creds; join_ctx = torture_join_domain(TEST_MACHINE_NAME, lp_workgroup(), acct_flags, &machine_password); @@ -99,12 +158,51 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, goto failed; } + + status = dcerpc_parse_binding(mem_ctx, binding, &b); + if (!NT_STATUS_IS_OK(status)) { + printf("Bad binding string %s\n", binding); + goto failed; + } + + + /* Also test that when we connect to the netlogon pipe, that + * the credentials we setup on the first pipe are valid for + * the second */ + + b.flags &= ~DCERPC_AUTH_OPTIONS; + b.flags |= dcerpc_flags; + + status = dcerpc_pipe_connect_b(&p_netlogon, &b, + DCERPC_NETLOGON_UUID, + DCERPC_NETLOGON_VERSION, + lp_workgroup(), + TEST_MACHINE_NAME, + machine_password); + + if (!NT_STATUS_IS_OK(status)) { + goto failed; + } + + status = dcerpc_schannel_creds(p_netlogon->security_state.generic_state, mem_ctx, &creds); + if (!NT_STATUS_IS_OK(status)) { + goto failed; + } + + /* do a couple of logins */ + if (!test_netlogon_ops(p_netlogon, mem_ctx, creds)) { + printf("Failed to process schannel secured ops\n"); + goto failed; + } + torture_leave_domain(join_ctx); + dcerpc_pipe_close(p_netlogon); dcerpc_pipe_close(p); return True; failed: torture_leave_domain(join_ctx); + dcerpc_pipe_close(p_netlogon); dcerpc_pipe_close(p); return False; } |