r11287: Understand the new behaviour of the LSA pipe on ncacn_ip_tcp in Win2k3 SP1.

Only a few operations are supported (LookupSids3 and LookupNames4),
and these are only supported under schannel.  This appears to be the
operations Win2k3 SP1 uses to verify part of the PAC back to the
server.

The test is setup to pass, but not enforce (so far) this new
behaviour.

Andrew Bartlett
(This used to be commit e15e39866e9775ba662f669a19836d33f7633f6f)

1 files changed, 70 insertions, 64 deletions

diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 056684631a..05b8695844 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -25,7 +25,7 @@
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "lib/cmdline/popt_common.h"
 
-#define TEST_MACHINE_NAME "schanneltest"
+#define TEST_MACHINE_NAME "schannel"
 
 /*
   do some samr ops using the schannel connection
@@ -52,19 +52,24 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 
 	status = dcerpc_samr_Connect(p, mem_ctx, &connect);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("Connect failed - %s\n", nt_errstr(status));
-		return False;
-	}
-
-	opendom.in.connect_handle = &handle;
-	opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
-	opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
-	opendom.out.domain_handle = &domain_handle;
-
-	status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
-	if (!NT_STATUS_IS_OK(status)) {
-		printf("OpenDomain failed - %s\n", nt_errstr(status));
-		return False;
+		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+			printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
+			       nt_errstr(status));
+		} else {
+			printf("Connect failed - %s\n", nt_errstr(status));
+			return False;
+		}
+	} else {
+		opendom.in.connect_handle = &handle;
+		opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+		opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
+		opendom.out.domain_handle = &domain_handle;
+		
+		status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("OpenDomain failed - %s\n", nt_errstr(status));
+			return False;
+		}
 	}
 
 	printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
@@ -73,8 +78,10 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	for (i=0;i<5;i++) {
 		status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
 		if (!NT_STATUS_IS_OK(status)) {
-			printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
-			return False;
+			if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+				printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
+				return False;
+			}
 		}
 	}
 
@@ -91,7 +98,6 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	NTSTATUS status;
 	BOOL ret = True;
 	struct lsa_StringPointer authority_name_p;
-	int i;
 
 	printf("\nTesting GetUserName\n");
 
@@ -100,34 +106,38 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	r.in.authority_name = &authority_name_p;
 	authority_name_p.string = NULL;
 
-	/* do several ops to test credential chaining */
-	for (i=0;i<5;i++) {
-		status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
+	/* do several ops to test credential chaining and various operations */
+	status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
+	
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+		printf("not considering %s to be an error\n", nt_errstr(status));
+	} else if (!NT_STATUS_IS_OK(status)) {
+		printf("GetUserName failed - %s\n", nt_errstr(status));
+		return False;
+	} else {
+		if (!r.out.account_name) {
+			return False;
+		}
 		
-		if (!NT_STATUS_IS_OK(status)) {
-			printf("GetUserName failed - %s\n", nt_errstr(status));
+		if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
+			printf("GetUserName returned wrong user: %s, expected %s\n",
+			       r.out.account_name->string, "ANONYMOUS LOGON");
+			return False;
+		}
+		if (!r.out.authority_name || !r.out.authority_name->string) {
+			return False;
+		}
+		
+		if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
+			printf("GetUserName returned wrong user: %s, expected %s\n",
+			       r.out.authority_name->string->string, "NT AUTHORITY");
 			return False;
-		} else {
-			if (!r.out.account_name) {
-				return False;
-			}
-
-			if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
-				printf("GetUserName returned wrong user: %s, expected %s\n",
-				       r.out.account_name->string, "ANONYMOUS LOGON");
-				return False;
-			}
-			if (!r.out.authority_name || !r.out.authority_name->string) {
-				return False;
-			}
-
-			if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
-				printf("GetUserName returned wrong user: %s, expected %s\n",
-				       r.out.authority_name->string->string, "NT AUTHORITY");
-				return False;
-			}
 		}
 	}
+	if (!test_many_LookupSids(p, mem_ctx, NULL)) {
+		printf("LsaLookupSids3 failed!\n");
+		return False;
+	}
 
 	return ret;
 }
@@ -137,6 +147,7 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
   try a netlogon SamLogon
 */
 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, 
+			      struct cli_credentials *credentials, 
 			      struct creds_CredentialState *creds)
 {
 	NTSTATUS status;
@@ -148,12 +159,12 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 	int i;
 	BOOL ret = True;
 
-	ninfo.identity_info.domain_name.string = lp_workgroup();
+	ninfo.identity_info.domain_name.string = cli_credentials_get_domain(cmdline_credentials);
 	ninfo.identity_info.parameter_control = 0;
 	ninfo.identity_info.logon_id_low = 0;
 	ninfo.identity_info.logon_id_high = 0;
 	ninfo.identity_info.account_name.string = username;
-	ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+	ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
 	generate_random_buffer(ninfo.challenge, 
 			       sizeof(ninfo.challenge));
 	ninfo.nt.length = 24;
@@ -165,7 +176,7 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 
 
 	r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
-	r.in.workstation = TEST_MACHINE_NAME;
+	r.in.workstation = cli_credentials_get_workstation(credentials);
 	r.in.credential = &auth;
 	r.in.return_authenticator = &auth2;
 	r.in.logon_level = 2;
@@ -195,7 +206,7 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  */
 static BOOL test_schannel(TALLOC_CTX *mem_ctx, 
 			  uint16_t acct_flags, uint32_t dcerpc_flags,
-			  uint32_t schannel_type)
+			  int i)
 {
 	BOOL ret = True;
 
@@ -211,7 +222,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 
 	TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 
-	join_ctx = torture_join_domain(TEST_MACHINE_NAME, 
+	join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i), 
 				       acct_flags, &credentials);
 	if (!join_ctx) {
 		printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
@@ -243,11 +254,6 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 		ret = False;
 	}
 
-	status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto failed;
-	}
-
 	/* Also test that when we connect to the netlogon pipe, that
 	 * the credentials we setup on the first pipe are valid for
 	 * the second */
@@ -282,7 +288,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 	}
 
 	/* do a couple of logins */
-	if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
+	if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 		printf("Failed to process schannel secured NETLOGON ops\n");
 		ret = False;
 	}
@@ -336,16 +342,15 @@ BOOL torture_rpc_schannel(void)
 	struct {
 		uint16_t acct_flags;
 		uint32_t dcerpc_flags;
-		uint32_t schannel_type;
 	} tests[] = {
-		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN,                       3 },
-		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL,                       3 },
-		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
-		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
-		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN,                               3 },
-		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL,                               3 },
-		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128,         3 },
-		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128,         3 }
+		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
+		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
+		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
+		{ ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
+		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
+		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
+		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
+		{ ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 	};
 	int i;
 
@@ -353,9 +358,10 @@ BOOL torture_rpc_schannel(void)
 
 	for (i=0;i<ARRAY_SIZE(tests);i++) {
 		if (!test_schannel(mem_ctx, 
-				   tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
-			printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
-			       tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
+				   tests[i].acct_flags, tests[i].dcerpc_flags,
+				   i)) {
+			printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
+			       tests[i].acct_flags, tests[i].dcerpc_flags);
 			ret = False;
 			break;
 		}