| -rw-r--r-- | source4/torture/rpc/netlogon.c | 54 | ||||
| -rw-r--r-- | source4/torture/rpc/schannel.c | 8 | 
2 files changed, 62 insertions, 0 deletions
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 0fe594cf7e..d60b2e3c18 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -885,6 +885,60 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 }
 /*
+  try a netlogon GetCapabilities
+*/
+bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
+				struct cli_credentials *credentials,
+				struct netlogon_creds_CredentialState *creds)
+{
+	NTSTATUS status;
+	struct netr_LogonGetCapabilities r;
+	union netr_Capabilities capabilities;
+	struct netr_Authenticator auth, return_auth;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct dcerpc_binding_handle *b = p->binding_handle;
+
+	r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+	r.in.computer_name = cli_credentials_get_workstation(credentials);
+	r.in.credential = &auth;
+	r.in.return_authenticator = &return_auth;
+	r.in.query_level = 1;
+	r.out.capabilities = &capabilities;
+	r.out.return_authenticator = &return_auth;
+
+	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities was
+	 * dcerpc_netr_DummyFunction and returns NT_STATUS_NOT_IMPLEMENTED
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities failed");
+	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
+		return true;
+	}
+
+	*creds = tmp_creds;
+
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	return true;
+}
+
+/*
   try a netlogon SamLogon
 */
 static bool test_SamLogon(struct torture_context *tctx,
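Review bot: In test_netlogon_capabilities, `r.out.result` is only compared against NT_STATUS_NOT_IMPLEMENTED, so any other error result falls through to `*creds = tmp_creds;` and is then reported as "Credential chaining failed", which hides the status the server actually returned. Adding `torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetCapabilities failed");` directly after the NOT_IMPLEMENTED branch would report it as what it is. That branch also returns true without a word, so against a server that lacks the call the test passes while the `negotiate_flags` comparison never runs. Since that comparison appears to be the check that would expose altered or downgraded negotiate flags, a `torture_comment(tctx, "LogonGetCapabilities not implemented, negotiate flags not verified\n");` before `return true;` would make the gap visible in the log.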
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index dff9fe7055..30b8a1d1ae 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -312,6 +312,10 @@ static bool test_schannel(struct torture_context *tctx,
 	status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
 	torture_assert_ntstatus_ok(tctx, status, "schannel creds");
+	/* checks the capabilities */
+	torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+		       "Failed to process schannel secured capability ops (on fresh connection)");
+
 	/* do a couple of logins */
 	torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
 		"Failed to process schannel secured NETLOGON ops");
@@ -391,6 +395,10 @@ static bool test_schannel(struct torture_context *tctx,
 	torture_assert_ntstatus_ok(tctx, status, "auth failed");
+	/* checks the capabilities */
+	torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
+		       "Failed to process schannel secured capability ops (on fresh connection)");
+
 	/* Try the schannel-only SamLogonEx operation */
 	torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
 		       "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
|
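Review bot: The assertion added in the first hunk runs on `p_netlogon`, yet its failure message ends in "(on fresh connection)", the same text the second hunk uses for `p_netlogon2`. It looks copied, since the neighbouring `test_netlogon_ops` message for `p_netlogon` carries no such suffix. With two identical messages, a failure in the log cannot be attributed to one connection; the first could read `"Failed to process schannel secured capability ops"`. test_schannel's body starts and ends outside both hunks.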
