r3686: The results of some work on the NETLOGON pipe:

Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC,
that will cross-verify all the values.

Add support for the way netlogon credentials are shared between the
pipe that sets up schannel and the pipe that is encrypted with it.

Test this support, by calling both NETLOGON and SAMR operations in the
RPC-SCHANNEL test.

Move some of the Netlogon NEG flags into the .idl, now we have an idea
what a few of them really are.

Rename the sam_pwd_hash into a name that has meaning (all other crypto
functions were renamed in Samba4 ages ago).

Break out NTLMv2 functionality for operation on the NT hash - I intend
to do NTLMv2 logins in the samsync test in future, and naturally I
only have the hash.

Andrew Bartlett
(This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)

5 files changed, 183 insertions, 8 deletions

diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index cef76baac4..d939175bb3 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -90,6 +90,7 @@ ADD_OBJ_FILES = \
 		torture/rpc/schannel.o \
 		torture/rpc/netlogon.o \
 		torture/rpc/samlogon.o \
+		torture/rpc/samsync.o \
 		torture/rpc/bind.o
 REQUIRED_SUBSYSTEMS = \
 		LIBSMB
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index fe64727d79..9c87106550 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -316,6 +316,72 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	return True;
 }
 
+/*
+  try a netlogon SamLogon
+*/
+static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
+{
+	NTSTATUS status;
+	struct netr_LogonSamLogon r;
+	struct netr_Authenticator auth, auth2;
+	struct netr_NetworkInfo ninfo;
+	const char *username = lp_parm_string(-1, "torture", "username");
+	const char *password = lp_parm_string(-1, "torture", "password");
+	struct creds_CredentialState creds;
+
+	int i;
+	BOOL ret = True;
+
+	if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, 
+				   machine_password, &creds)) {
+		return False;
+	}
+
+	ninfo.identity_info.domain_name.string = lp_workgroup();
+	ninfo.identity_info.parameter_control = 0;
+	ninfo.identity_info.logon_id_low = 0;
+	ninfo.identity_info.logon_id_high = 0;
+	ninfo.identity_info.account_name.string = username;
+	ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+	generate_random_buffer(ninfo.challenge, 
+			       sizeof(ninfo.challenge));
+	ninfo.nt.length = 24;
+	ninfo.nt.data = talloc(mem_ctx, 24);
+	SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
+	ninfo.lm.length = 24;
+	ninfo.lm.data = talloc(mem_ctx, 24);
+	SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
+
+	r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
+	r.in.workstation = TEST_MACHINE_NAME;
+	r.in.credential = &auth;
+	r.in.return_authenticator = &auth2;
+	r.in.logon_level = 2;
+	r.in.logon.network = &ninfo;
+
+	for (i=2;i<=3;i++) {
+		ZERO_STRUCT(auth2);
+		creds_client_authenticator(&creds, &auth);
+
+		r.in.validation_level = i;
+
+		printf("Testing SamLogon with validation level %d\n", i);
+
+		status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("LogonSamLogon - %s\n", nt_errstr(status));
+			ret = False;
+		}
+
+		if (!creds_client_check(&creds, &r.out.return_authenticator->cred)) {
+			printf("Credential chaining failed\n");
+		}
+	}
+
+	return ret;
+}
+
+
 
 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
 static uint64_t sequence_nums[3];
@@ -328,7 +394,7 @@ static BOOL test_DatabaseSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	NTSTATUS status;
 	struct netr_DatabaseSync r;
 	struct creds_CredentialState creds;
-	const uint32_t database_ids[] = {0, 1, 2}; 
+	const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; 
 	int i;
 	BOOL ret = True;
 
@@ -366,7 +432,7 @@ static BOOL test_DatabaseSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 
 			if (r.out.delta_enum_array &&
 			    r.out.delta_enum_array->num_deltas > 0 &&
-			    r.out.delta_enum_array->delta_enum[0].delta_type == 1 &&
+			    r.out.delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
 			    r.out.delta_enum_array->delta_enum[0].delta_union.domain) {
 				sequence_nums[r.in.database_id] = 
 					r.out.delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
@@ -969,7 +1035,7 @@ BOOL torture_rpc_netlogon(void)
         struct dcerpc_pipe *p;
 	TALLOC_CTX *mem_ctx;
 	BOOL ret = True;
-	void *join_ctx;
+	struct test_join *join_ctx;
 
 	mem_ctx = talloc_init("torture_rpc_netlogon");
 
@@ -996,6 +1062,10 @@ BOOL torture_rpc_netlogon(void)
 		ret = False;
 	}
 
+	if (!test_SamLogon(p, mem_ctx)) {
+		ret = False;
+	}
+
 	if (!test_SetPassword(p, mem_ctx)) {
 		ret = False;
 	}
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 323adde534..7a9786fa2d 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -53,6 +53,63 @@ static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	return True;
 }
 
+
+/*
+  try a netlogon SamLogon
+*/
+static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, 
+				  struct creds_CredentialState *creds)
+{
+	NTSTATUS status;
+	struct netr_LogonSamLogon r;
+	struct netr_Authenticator auth, auth2;
+	struct netr_NetworkInfo ninfo;
+	const char *username = lp_parm_string(-1, "torture", "username");
+	const char *password = lp_parm_string(-1, "torture", "password");
+
+	int i;
+	BOOL ret = True;
+
+	ninfo.identity_info.domain_name.string = lp_workgroup();
+	ninfo.identity_info.parameter_control = 0;
+	ninfo.identity_info.logon_id_low = 0;
+	ninfo.identity_info.logon_id_high = 0;
+	ninfo.identity_info.account_name.string = username;
+	ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
+	generate_random_buffer(ninfo.challenge, 
+			       sizeof(ninfo.challenge));
+	ninfo.nt.length = 24;
+	ninfo.nt.data = talloc(mem_ctx, 24);
+	SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
+	ninfo.lm.length = 24;
+	ninfo.lm.data = talloc(mem_ctx, 24);
+	SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
+
+
+	r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
+	r.in.workstation = TEST_MACHINE_NAME;
+	r.in.credential = &auth;
+	r.in.return_authenticator = &auth2;
+	r.in.logon_level = 2;
+	r.in.logon.network = &ninfo;
+
+	for (i=2;i<3;i++) {
+		ZERO_STRUCT(auth2);
+		creds_client_authenticator(creds, &auth);
+		
+		r.in.validation_level = i;
+		
+		status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
+		
+		if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+			printf("Credential chaining failed\n");
+			ret = False;
+		}
+		
+	}
+		return ret;
+}
+
 /*
   test a schannel connection with the given flags
  */
@@ -66,6 +123,8 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 	const char *binding = lp_parm_string(-1, "torture", "binding");
 	struct dcerpc_binding b;
 	struct dcerpc_pipe *p;
+	struct dcerpc_pipe *p_netlogon;
+	struct creds_CredentialState *creds;
 
 	join_ctx = torture_join_domain(TEST_MACHINE_NAME, lp_workgroup(), acct_flags,
 				       &machine_password);
@@ -99,12 +158,51 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
+
+	status = dcerpc_parse_binding(mem_ctx, binding, &b);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("Bad binding string %s\n", binding);
+		goto failed;
+	}
+
+
+	/* Also test that when we connect to the netlogon pipe, that
+	 * the credentials we setup on the first pipe are valid for
+	 * the second */
+
+	b.flags &= ~DCERPC_AUTH_OPTIONS;
+	b.flags |= dcerpc_flags;
+
+	status = dcerpc_pipe_connect_b(&p_netlogon, &b, 
+				       DCERPC_NETLOGON_UUID,
+				       DCERPC_NETLOGON_VERSION,
+				       lp_workgroup(), 
+				       TEST_MACHINE_NAME,
+				       machine_password);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto failed;
+	}
+
+	status = dcerpc_schannel_creds(p_netlogon->security_state.generic_state, mem_ctx, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto failed;
+	}
+
+	/* do a couple of logins */
+	if (!test_netlogon_ops(p_netlogon, mem_ctx, creds)) {
+		printf("Failed to process schannel secured ops\n");
+		goto failed;
+	}
+
 	torture_leave_domain(join_ctx);
+	dcerpc_pipe_close(p_netlogon);
 	dcerpc_pipe_close(p);
 	return True;
 
 failed:
 	torture_leave_domain(join_ctx);
+	dcerpc_pipe_close(p_netlogon);
 	dcerpc_pipe_close(p);
 	return False;	
 }
diff --git a/source4/torture/rpc/xplogin.c b/source4/torture/rpc/xplogin.c
index a3cca7003c..e0bb706255 100644
--- a/source4/torture/rpc/xplogin.c
+++ b/source4/torture/rpc/xplogin.c
@@ -1021,7 +1021,7 @@ static BOOL xp_login(const char *dcname, const char *wksname,
 	struct smbcli_transport *transport;
 
         struct dcerpc_pipe *netlogon_pipe;
-	struct creds_CredentialState netlogon_creds;
+	struct creds_CredentialState *netlogon_creds;
 
 	struct dcerpc_pipe *netlogon_schannel_pipe;
 
@@ -1032,13 +1032,18 @@ static BOOL xp_login(const char *dcname, const char *wksname,
 	if (mem_ctx == NULL)
 		return False;
 
+	netlogon_creds = talloc_p(mem_ctx, struct creds_CredentialState);
+	if (!netlogon_creds) {
+		return False;
+	}
+
 	if (!NT_STATUS_IS_OK(after_negprot(&transport, dcname, 139,
 					   wksname)))
 		return False;
 
 	if (!NT_STATUS_IS_OK(setup_netlogon_creds(transport, &netlogon_pipe,
 						  wksname, domain, wkspwd,
-						  &netlogon_creds)))
+						  netlogon_creds)))
 		return False;
 
 	if (!NT_STATUS_IS_OK(test_enumtrusts(transport)))
@@ -1063,13 +1068,13 @@ static BOOL xp_login(const char *dcname, const char *wksname,
 						   DCERPC_NETLOGON_UUID,
 						   DCERPC_NETLOGON_VERSION,
 						   "", "", "",
-						   netlogon_creds.session_key);
+						   netlogon_creds);
 
 	if (!NT_STATUS_IS_OK(status))
                 return False;
 
 	status = torture_samlogon(netlogon_schannel_pipe,
-				  &netlogon_creds, wksname, domain,
+				  netlogon_creds, wksname, domain,
 				  user1name, user1pw);
 
 	if (!NT_STATUS_IS_OK(status))
@@ -1078,7 +1083,7 @@ static BOOL xp_login(const char *dcname, const char *wksname,
 	talloc_free(netlogon_pipe);
 
 	status = torture_samlogon(netlogon_schannel_pipe,
-				  &netlogon_creds, wksname, domain,
+				  netlogon_creds, wksname, domain,
 				  user2name, user2pw);
 
 	if (!NT_STATUS_IS_OK(status))
diff --git a/source4/torture/torture.c b/source4/torture/torture.c
index 975b83e6ad..4db4662f6c 100644
--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@@ -2439,6 +2439,7 @@ static struct {
         {"RPC-SAMR", torture_rpc_samr, 0},
         {"RPC-NETLOGON", torture_rpc_netlogon, 0},
         {"RPC-SAMLOGON", torture_rpc_samlogon, 0},
+        {"RPC-SAMSYNC", torture_rpc_samsync, 0},
         {"RPC-SCHANNEL", torture_rpc_schannel, 0},
         {"RPC-WKSSVC", torture_rpc_wkssvc, 0},
         {"RPC-SRVSVC", torture_rpc_srvsvc, 0},