Diffstat (limited to 'source4/torture/rpc')
-rw-r--r-- | source4/torture/rpc/drsuapi.c | 127 | ||||
-rw-r--r-- | source4/torture/rpc/drsuapi.h | 21 | ||||
-rw-r--r-- | source4/torture/rpc/dssync.c | 99 | ||||
-rw-r--r-- | source4/torture/rpc/frsapi.c | 3 | ||||
-rw-r--r-- | source4/torture/rpc/lsa_lookup.c | 4 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 118 | ||||
-rw-r--r-- | source4/torture/rpc/samba3rpc.c | 12 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 89 | ||||
-rw-r--r-- | source4/torture/rpc/samsync.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/wkssvc.c | 2 |
12 files changed, 393 insertions, 88 deletions
diff --git a/source4/torture/rpc/drsuapi.c b/source4/torture/rpc/drsuapi.c
index 174de5e981..8f6bbb163b 100644
--- a/source4/torture/rpc/drsuapi.c
+++ b/source4/torture/rpc/drsuapi.c
@@ -35,11 +35,46 @@ bool test_DsBind(struct dcerpc_pipe *p, { NTSTATUS status; struct drsuapi_DsBind r; + struct drsuapi_DsBindInfo28 *bind_info28; + struct drsuapi_DsBindInfoCtr bind_info_ctr; + + ZERO_STRUCT(bind_info_ctr); + bind_info_ctr.length = 28; + + bind_info28 = &bind_info_ctr.info.info28; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2; + 
bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7; + bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT; GUID_from_string(DRSUAPI_DS_BIND_GUID, &priv->bind_guid); r.in.bind_guid = &priv->bind_guid; - r.in.bind_info = NULL; + r.in.bind_info = &bind_info_ctr; r.out.bind_handle = &priv->bind_handle; torture_comment(tctx, "testing DsBind\n"); @@ -47,6 +82,9 @@ bool test_DsBind(struct dcerpc_pipe *p, status = dcerpc_drsuapi_DsBind(p, tctx, &r); torture_drsuapi_assert_call(tctx, p, status, &r, "dcerpc_drsuapi_DsBind"); + /* cache server supported extensions, i.e. bind_info */ + priv->srv_bind_info = r.out.bind_info->info.info28; + return true; } 
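Review bot: The added `priv->srv_bind_info = r.out.bind_info->info.info28;` after the DsBind call dereferences `r.out.bind_info` without a NULL check and reads the `info28` arm without looking at the returned `length`. Both values come from the server, so a peer that returns no bind info, or a container of a different size, would crash the harness or cache the wrong union arm. Guard the copy with `torture_assert(tctx, r.out.bind_info != NULL, "DsBind returned no bind_info");` and a check that `r.out.bind_info->length` is 28 (assuming the out pointer has the same container type as `bind_info_ctr`). test_DsBind starts and continues outside these two hunks.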
@@ -416,51 +454,64 @@ static bool test_DsReplicaUpdateRefs(struct torture_context *tctx, { NTSTATUS status; struct dcerpc_pipe *p = priv->pipe; - int i; struct drsuapi_DsReplicaUpdateRefs r; struct drsuapi_DsReplicaObjectIdentifier nc; struct GUID null_guid; + struct GUID dest_dsa_guid; + const char *dest_dsa_guid_str; struct dom_sid null_sid; - struct { - int32_t level; - } array[] = { - { - 1 - } - }; - - if (torture_setting_bool(tctx, "samba4", false)) { - torture_comment(tctx, "skipping DsReplicaUpdateRefs test against Samba4\n"); - return true; - } ZERO_STRUCT(null_guid); ZERO_STRUCT(null_sid); + dest_dsa_guid = GUID_random(); + dest_dsa_guid_str = GUID_string(tctx, &dest_dsa_guid); - r.in.bind_handle = &priv->bind_handle; - - for (i=0; i < ARRAY_SIZE(array); i++) { - torture_comment(tctx, "testing DsReplicaUpdateRefs level %d\n", - array[i].level); - - r.in.level = array[i].level; - switch(r.in.level) { - case 1: - nc.guid = null_guid; - nc.sid = null_sid; - nc.dn = priv->domain_obj_dn ? priv->domain_obj_dn : ""; - - r.in.req.req1.naming_context = &nc; - r.in.req.req1.dest_dsa_dns_name = talloc_asprintf(tctx, "__some_dest_dsa_guid_string._msdn.%s", - priv->domain_dns_name); - r.in.req.req1.dest_dsa_guid = null_guid; - r.in.req.req1.options = 0; - break; - } - - status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r); - torture_drsuapi_assert_call(tctx, p, status, &r, "dcerpc_drsuapi_DsReplicaUpdateRefs"); - } + r.in.bind_handle = &priv->bind_handle; + r.in.level = 1; /* Only version 1 is defined presently */ + + /* setup NC */ + nc.guid = priv->domain_obj_dn ? null_guid : priv->domain_guid; + nc.sid = null_sid; + nc.dn = priv->domain_obj_dn ? priv->domain_obj_dn : ""; + + /* default setup for request */ + r.in.req.req1.naming_context = &nc; + r.in.req.req1.dest_dsa_dns_name = talloc_asprintf(tctx, "%s._msdn.%s", + dest_dsa_guid_str, + priv->domain_dns_name); + r.in.req.req1.dest_dsa_guid = dest_dsa_guid; + + /* 1. 
deleting replica dest should fail */ + torture_comment(tctx, "delete: %s\n", r.in.req.req1.dest_dsa_dns_name); + r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE; + status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r); + torture_drsuapi_assert_call_werr(tctx, p, + status, WERR_DS_DRA_REF_NOT_FOUND, &r, + "dcerpc_drsuapi_DsReplicaUpdateRefs"); + + /* 2. hopefully adding random replica dest should succeed */ + torture_comment(tctx, "add : %s\n", r.in.req.req1.dest_dsa_dns_name); + r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE; + status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r); + torture_drsuapi_assert_call_werr(tctx, p, + status, WERR_OK, &r, + "dcerpc_drsuapi_DsReplicaUpdateRefs"); + + /* 3. try adding same replica dest - should fail */ + torture_comment(tctx, "add : %s\n", r.in.req.req1.dest_dsa_dns_name); + r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE; + status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r); + torture_drsuapi_assert_call_werr(tctx, p, + status, WERR_DS_DRA_REF_ALREADY_EXISTS, &r, + "dcerpc_drsuapi_DsReplicaUpdateRefs"); + + /* 4. delete random replicate added at step 2. */ + torture_comment(tctx, "delete: %s\n", r.in.req.req1.dest_dsa_dns_name); + r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE; + status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r); + torture_drsuapi_assert_call_werr(tctx, p, + status, WERR_OK, &r, + "dcerpc_drsuapi_DsReplicaUpdateRefs"); return true; } diff --git a/source4/torture/rpc/drsuapi.h b/source4/torture/rpc/drsuapi.h index d32a35ee2c..a10ea5068e 100644 --- a/source4/torture/rpc/drsuapi.h +++ b/source4/torture/rpc/drsuapi.h @@ -30,6 +30,8 @@ struct DsPrivate { struct dcerpc_pipe *pipe; struct policy_handle bind_handle; struct GUID bind_guid; + struct drsuapi_DsBindInfo28 srv_bind_info; + const char *domain_obj_dn; const char *domain_guid_str; const char *domain_dns_name; 
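Review bot: If the step 3 assertion fails, the function appears to return before step 4, leaving the reference added for the random `dest_dsa_guid` on the server under test; this assumes `torture_drsuapi_assert_call_werr` returns from the caller on a mismatch, which its `torture_fail`/`torture_assert_werr_equal` body suggests. Record the step 3 outcome in a local `bool dup_rejected`, always issue the DELETE_REFERENCE call, and assert on the recorded outcome afterwards. Separately, `dest_dsa_guid_str` and the `talloc_asprintf` result are used without a NULL check. The function's signature and opening lines are outside the hunk.

```c
	/* ... unchanged: steps 1 and 2 ... */

	/* 3. try adding same replica dest - should fail */
	r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE;
	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
	dup_rejected = NT_STATUS_IS_OK(status) &&
		       W_ERROR_EQUAL(r.out.result, WERR_DS_DRA_REF_ALREADY_EXISTS);

	/* 4. always remove the reference added at step 2, even if step 3 misbehaved */
	r.in.req.req1.options = DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE;
	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
	torture_drsuapi_assert_call_werr(tctx, p,
					 status, WERR_OK, &r,
					 "dcerpc_drsuapi_DsReplicaUpdateRefs");
	torture_assert(tctx, dup_rejected,
		       "adding an existing replica dest should have failed");
```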
@@ -45,10 +47,11 @@ struct DsPrivate { * \param _tctx torture context * \param _p DCERPC pipe handle * \param _ntstatus NTSTATUS for dcerpc_drsuapi_ call - * \param _pr in/out DCEPRC request structure + * \param _werr_expected Expected windows error to be returned + * \param _pr in/out DCEPRC request structure - pointer * \param _msg error message prefix */ -#define torture_drsuapi_assert_call(_tctx, _p, _ntstat, _pr, _msg) \ +#define torture_drsuapi_assert_call_werr(_tctx, _p, _ntstat, _werr_expected, _pr, _msg) \ do { \ NTSTATUS __nt = _ntstat; \ if (!NT_STATUS_IS_OK(__nt)) { \ @@ -58,6 +61,18 @@ struct DsPrivate { } \ torture_fail(tctx, talloc_asprintf(_tctx, "%s failed - %s", _msg, errstr)); \ } \ - torture_assert_werr_ok(_tctx, (_pr)->out.result, _msg); \ + torture_assert_werr_equal(_tctx, (_pr)->out.result, _werr_expected, _msg); \ } while(0) +/** + * Custom torture macro to check dcerpc_drsuapi_ call + * return values printing more friendly messages + * \param _tctx torture context + * \param _p DCERPC pipe handle + * \param _ntstatus NTSTATUS for dcerpc_drsuapi_ call + * \param _pr in/out DCEPRC request structure + * \param _msg error message prefix + */ +#define torture_drsuapi_assert_call(_tctx, _p, _ntstat, _pr, _msg) \ + torture_drsuapi_assert_call_werr(_tctx, _p, _ntstat, WERR_OK, _pr, _msg) + diff --git a/source4/torture/rpc/dssync.c b/source4/torture/rpc/dssync.c index b47564cc91..a9341d569b 100644 --- a/source4/torture/rpc/dssync.c +++ b/source4/torture/rpc/dssync.c @@ -36,6 +36,9 @@ #include "auth/gensec/gensec.h" #include "param/param.h" #include "dsdb/samdb/samdb.h" +#include "torture/rpc/rpc.h" +#include "torture/drs/proto.h" + struct DsSyncBindInfo { struct dcerpc_pipe *pipe; 
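Review bot: The body of `torture_drsuapi_assert_call_werr` calls `torture_fail(tctx, ...)` with the caller's variable name rather than the `_tctx` macro parameter, so the macro only compiles where the torture context happens to be called `tctx`. Since the macro is being widened here, use `torture_fail(_tctx, talloc_asprintf(_tctx, "%s failed - %s", _msg, errstr));`. The doc comments on both macros also name `\param _ntstatus` while the parameter is `_ntstat`, and spell DCERPC as "DCEPRC". Part of the macro body lies between the two hunks and is not visible.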
@@ -489,6 +492,98 @@ static void test_analyse_objects(struct torture_context *tctx, } } +/** + * Fetch LDAP attribute name and DN by supplied OID + */ +static bool _drs_ldap_attr_by_oid(struct torture_context *tctx, + struct DsSyncTest *ctx, + const char *oid, + const char **attr_dn, + const char **attr_name) +{ + NTSTATUS status; + const char *config_dn; + const char *expression; + struct ldap_message **res_msg; + struct ldap_SearchResEntry *search_res; + TALLOC_CTX *tmp_ctx = NULL; + const char *search_attrs[] = {"lDAPDisplayName", NULL}; + + tmp_ctx = talloc_new(ctx); + + config_dn = talloc_asprintf(tmp_ctx, "CN=Schema,CN=Configuration,%s", ctx->domain_dn); + expression = talloc_asprintf(tmp_ctx, "(attributeID=%s)", oid); + + status = ildap_search(ctx->admin.ldap.conn, + config_dn, LDAP_SEARCH_SCOPE_SUB, + expression, search_attrs, false, + NULL, NULL, &res_msg); + torture_assert_ntstatus_ok(tctx, status, "LDAP search request failed"); + torture_assert(tctx, + ildap_count_entries(ctx->admin.ldap.conn, res_msg) == 1, + talloc_asprintf(tmp_ctx, "Failed to find attribute with OID=%s", oid)); + + search_res = &res_msg[0]->r.SearchResultEntry; + torture_assert(tctx, search_res->num_attributes > 0, "No attributes returned!") + torture_assert(tctx, strequal(search_attrs[0], search_res->attributes[0].name), + "Requested attributes for attribute class not returned"); + + if (attr_dn) { + *attr_dn = search_res->dn; + } + + if (attr_name) { + *attr_name = (const char *)search_res->attributes[0].values[0].data; + } + + talloc_free(tmp_ctx); + + return true; +} + +/** + * Make Attribute OID and verify such Attribute exists in schema + */ +static bool _drs_util_verify_attids(struct torture_context *tctx, + struct DsSyncTest *ctx, + struct drsuapi_DsReplicaOIDMapping_Ctr *prefix_map, + struct drsuapi_DsReplicaObjectListItemEx *cur) +{ + uint32_t i; + + DEBUG(1,("drs_test_verify_attids:\n")); + + for (; cur; cur = cur->next_object) { + const char *attr_dn = NULL; + const char 
*attr_name = NULL; + struct drsuapi_DsReplicaObject *obj = &cur->object; + + DEBUG(1,("%3s %-10s: %s\n", "", "object_dn", obj->identifier->dn)); + + for (i = 0; i < obj->attribute_ctr.num_attributes; i++) { + int map_idx; + const char *oid = NULL; + struct drsuapi_DsReplicaAttribute *attr; + + attr = &obj->attribute_ctr.attributes[i]; + if (!drs_util_oid_from_attid(tctx, prefix_map, attr->attid, &oid, &map_idx)) { + return false; + } + + if (!_drs_ldap_attr_by_oid(tctx, ctx, oid, &attr_dn, &attr_name)) { + return false; + } + + DEBUG(1,("%7s attr[%2d]: %-22s {map_idx=%2d; attid=0x%06x; ldap_name=%-26s; idl_name=%s}\n", "", + i, oid, map_idx, attr->attid, attr_name, + drs_util_DsAttributeId_to_string(attr->attid))); + } + } + + return true; +} + + static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx) { NTSTATUS status; @@ -670,6 +765,8 @@ static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx) (long long)ctr1->new_highwatermark.tmp_highest_usn, (long long)ctr1->new_highwatermark.highest_usn)); + _drs_util_verify_attids(tctx, ctx, &ctr1->mapping_ctr, ctr1->first_object); + test_analyse_objects(tctx, ctx, &gensec_skey, ctr1->first_object); if (ctr1->more_data) { @@ -700,6 +797,8 @@ static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx) (long long)ctr6->new_highwatermark.tmp_highest_usn, (long long)ctr6->new_highwatermark.highest_usn)); + _drs_util_verify_attids(tctx, ctx, &ctr6->mapping_ctr, ctr6->first_object); + test_analyse_objects(tctx, ctx, &gensec_skey, ctr6->first_object); if (ctr6->more_data) { diff --git a/source4/torture/rpc/frsapi.c b/source4/torture/rpc/frsapi.c index e9a19bcf96..24d769a310 100644 --- a/source4/torture/rpc/frsapi.c +++ b/source4/torture/rpc/frsapi.c 
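Review bot: `_drs_ldap_attr_by_oid` asserts `num_attributes > 0` but then reads `search_res->attributes[0].values[0].data` without checking that the attribute carries a value, and casts the blob to `const char *` on the assumption that it is NUL-terminated. Both come from the server's LDAP reply, so an empty value list is an out-of-bounds read in the test client. Add `torture_assert(tctx, search_res->attributes[0].num_values > 0, "lDAPDisplayName returned without a value");` before the assignment. The `torture_assert` on `num_attributes` is also missing its trailing `;`, and every early return from the assert macros skips `talloc_free(tmp_ctx)`.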
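Review bot: The bool returned by `_drs_util_verify_attids` is discarded at the ctr1 call here and at the ctr6 call in the following hunk, so test_FetchData continues as if verification passed. Whether the inner `torture_assert` calls already mark the test as failed is not visible from this page. Propagate the result explicitly, e.g. `torture_assert(tctx, _drs_util_verify_attids(tctx, ctx, &ctr1->mapping_ctr, ctr1->first_object), "attid verification failed");`. The helper also issues one LDAP search per attribute per object, which deserves a comment on the expected cost.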
@@ -193,8 +193,7 @@ static bool test_ForceReplication(struct torture_context *tctx, r.in.replica_set_guid = NULL; r.in.connection_guid = NULL; - r.in.replica_set_name = talloc_asprintf(tctx, "%s", - lp_realm(tctx->lp_ctx)); + r.in.replica_set_name = lp_dnsdomain(tctx->lp_ctx); r.in.partner_dns_name = dcerpc_server_name(p); torture_assert_ntstatus_ok(tctx, diff --git a/source4/torture/rpc/lsa_lookup.c b/source4/torture/rpc/lsa_lookup.c index 0a4c9904d7..b1a348ce8a 100644 --- a/source4/torture/rpc/lsa_lookup.c +++ b/source4/torture/rpc/lsa_lookup.c @@ -227,8 +227,8 @@ bool torture_rpc_lsa_lookup(struct torture_context *torture) struct dcerpc_pipe *p; bool ret = true; struct policy_handle *handle; - struct dom_sid *dom_sid; - struct dom_sid *trusted_sid; + struct dom_sid *dom_sid = NULL; + struct dom_sid *trusted_sid = NULL; struct dom_sid *sids[NUM_SIDS]; status = torture_rpc_connection(torture, &p, &ndr_table_lsarpc); diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 35f1a5942f..f57c47b115 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c 
@@ -1567,6 +1567,49 @@ static bool test_GetDcName(struct torture_context *tctx, return true; } +static const char *function_code_str(TALLOC_CTX *mem_ctx, + enum netr_LogonControlCode function_code) +{ + switch (function_code) { + case NETLOGON_CONTROL_QUERY: + return "NETLOGON_CONTROL_QUERY"; + case NETLOGON_CONTROL_REPLICATE: + return "NETLOGON_CONTROL_REPLICATE"; + case NETLOGON_CONTROL_SYNCHRONIZE: + return "NETLOGON_CONTROL_SYNCHRONIZE"; + case NETLOGON_CONTROL_PDC_REPLICATE: + return "NETLOGON_CONTROL_PDC_REPLICATE"; + case NETLOGON_CONTROL_REDISCOVER: + return "NETLOGON_CONTROL_REDISCOVER"; + case NETLOGON_CONTROL_TC_QUERY: + return "NETLOGON_CONTROL_TC_QUERY"; + case NETLOGON_CONTROL_TRANSPORT_NOTIFY: + return "NETLOGON_CONTROL_TRANSPORT_NOTIFY"; + case NETLOGON_CONTROL_FIND_USER: + return "NETLOGON_CONTROL_FIND_USER"; + case NETLOGON_CONTROL_CHANGE_PASSWORD: + return "NETLOGON_CONTROL_CHANGE_PASSWORD"; + case NETLOGON_CONTROL_TC_VERIFY: + return "NETLOGON_CONTROL_TC_VERIFY"; + case NETLOGON_CONTROL_FORCE_DNS_REG: + return "NETLOGON_CONTROL_FORCE_DNS_REG"; + case NETLOGON_CONTROL_QUERY_DNS_REG: + return "NETLOGON_CONTROL_QUERY_DNS_REG"; + case NETLOGON_CONTROL_BACKUP_CHANGE_LOG: + return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG"; + case NETLOGON_CONTROL_TRUNCATE_LOG: + return "NETLOGON_CONTROL_TRUNCATE_LOG"; + case NETLOGON_CONTROL_SET_DBFLAG: + return "NETLOGON_CONTROL_SET_DBFLAG"; + case NETLOGON_CONTROL_BREAKPOINT: + return "NETLOGON_CONTROL_BREAKPOINT"; + default: + return talloc_asprintf(mem_ctx, "unknown function code: %d", + function_code); + } +} + + /* try a netlogon LogonControl */ 
@@ -1576,19 +1619,82 @@ static bool test_LogonControl(struct torture_context *tctx, NTSTATUS status; struct netr_LogonControl r; union netr_CONTROL_QUERY_INFORMATION query; - int i; + int i,f; + uint32_t function_codes[] = { + NETLOGON_CONTROL_QUERY, + NETLOGON_CONTROL_REPLICATE, + NETLOGON_CONTROL_SYNCHRONIZE, + NETLOGON_CONTROL_PDC_REPLICATE, + NETLOGON_CONTROL_REDISCOVER, + NETLOGON_CONTROL_TC_QUERY, + NETLOGON_CONTROL_TRANSPORT_NOTIFY, + NETLOGON_CONTROL_FIND_USER, + NETLOGON_CONTROL_CHANGE_PASSWORD, + NETLOGON_CONTROL_TC_VERIFY, + NETLOGON_CONTROL_FORCE_DNS_REG, + NETLOGON_CONTROL_QUERY_DNS_REG, + NETLOGON_CONTROL_BACKUP_CHANGE_LOG, + NETLOGON_CONTROL_TRUNCATE_LOG, + NETLOGON_CONTROL_SET_DBFLAG, + NETLOGON_CONTROL_BREAKPOINT + }; r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.function_code = 1; r.out.query = &query; - for (i=1;i<4;i++) { + for (f=0;f<ARRAY_SIZE(function_codes); f++) { + for (i=1;i<5;i++) { + + r.in.function_code = function_codes[f]; r.in.level = i; - torture_comment(tctx, "Testing LogonControl level %d\n", i); + torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n", + function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level); status = dcerpc_netr_LogonControl(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "LogonControl"); + + switch (r.in.level) { + case 1: + switch (r.in.function_code) { + case NETLOGON_CONTROL_REPLICATE: + case NETLOGON_CONTROL_SYNCHRONIZE: + case NETLOGON_CONTROL_PDC_REPLICATE: + case NETLOGON_CONTROL_BACKUP_CHANGE_LOG: + case NETLOGON_CONTROL_TRUNCATE_LOG: + case NETLOGON_CONTROL_BREAKPOINT: + torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, + "LogonControl returned unexpected error code"); + break; + case NETLOGON_CONTROL_REDISCOVER: + case NETLOGON_CONTROL_TC_QUERY: + case NETLOGON_CONTROL_TRANSPORT_NOTIFY: + case NETLOGON_CONTROL_FIND_USER: + case NETLOGON_CONTROL_CHANGE_PASSWORD: + case NETLOGON_CONTROL_TC_VERIFY: + 
case NETLOGON_CONTROL_FORCE_DNS_REG: + case NETLOGON_CONTROL_QUERY_DNS_REG: + case NETLOGON_CONTROL_SET_DBFLAG: + torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, + "LogonControl returned unexpected error code"); + break; + default: + torture_assert_werr_ok(tctx, r.out.result, + "LogonControl returned unexpected result"); + break; + } + break; + case 2: + torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, + "LogonControl returned unexpected error code"); + break; + default: + torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL, + "LogonControl returned unexpected error code"); + break; + } + } } return true; @@ -1991,7 +2097,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx, struct netr_DsRGetDCNameInfo *info = NULL; r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); - r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx)); + r.in.domain_name = lp_dnsdomain(tctx->lp_ctx); r.in.domain_guid = NULL; r.in.site_guid = NULL; r.in.flags = DS_RETURN_DNS_NAME; @@ -2016,7 +2122,7 @@ static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, struct netr_DsRGetDCNameInfo *info = NULL; r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); - r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx)); + r.in.domain_name = lp_dnsdomain(tctx->lp_ctx); r.in.domain_guid = NULL; r.in.site_name = NULL; r.in.flags = DS_RETURN_DNS_NAME; @@ -2043,7 +2149,7 @@ static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.client_account = NULL; r.in.mask = 0x00000000; - r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx)); + r.in.domain_name = lp_dnsdomain(tctx->lp_ctx); r.in.domain_guid = NULL; r.in.site_name = NULL; r.in.flags = DS_RETURN_DNS_NAME; 
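Review bot: The new loop sends every function code to the target on each run, including NETLOGON_CONTROL_REPLICATE, NETLOGON_CONTROL_SYNCHRONIZE, NETLOGON_CONTROL_TRUNCATE_LOG and NETLOGON_CONTROL_BREAKPOINT, and relies on the server answering WERR_ACCESS_DENIED. Whether a server would act on them for a privileged connection is not visible here; if it can, the test changes state on the DC. Consider gating those codes on the existing setting with `torture_setting_bool(tctx, "dangerous", false)`, as the samr.c change in this commit does for ValidatePassword, and add a comment stating which credentials the ACCESS_DENIED expectation assumes. Separately, `int i,f;` is compared against `ARRAY_SIZE(function_codes)`; declaring `size_t f` avoids the signed/unsigned comparison.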
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index 65d251013b..4a529d38f6 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -2616,7 +2616,7 @@ static NTSTATUS find_printers(TALLOC_CTX *ctx, struct loadparm_context *lp_ctx, return NT_STATUS_OK; } -static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe, +static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p, const char *servername, int level, int *num_printers) { struct spoolss_EnumPrinters r; @@ -2635,7 +2635,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe, r.out.count = &count; r.out.info = &info; - status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r); + status = dcerpc_spoolss_EnumPrinters(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s\n", __location__, nt_errstr(status)); @@ -2658,7 +2658,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe, r.in.buffer = &blob; r.in.offered = needed; - status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r); + status = dcerpc_spoolss_EnumPrinters(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) { d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s, " "%s\n", __location__, nt_errstr(status), @@ -2671,7 +2671,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe, return true; } -static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe, +static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *p, struct policy_handle *handle, int level, union spoolss_PrinterInfo **res) { 
@@ -2692,7 +2692,7 @@ static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe, r.in.offered = 0; r.out.needed = &needed; - status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r); + status = dcerpc_spoolss_GetPrinter(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s\n", __location__, nt_errstr(status)); @@ -2719,7 +2719,7 @@ static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe, r.in.buffer = &blob; r.in.offered = needed; - status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r); + status = dcerpc_spoolss_GetPrinter(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) { d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s, " "%s\n", __location__, nt_errstr(status), diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 8318930989..8e6c88425c 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -29,7 +29,7 @@ #include "../lib/crypto/crypto.h" #include "lib/cmdline/popt_common.h" #include "torture/rpc/rpc.h" -#include "auth/gensec/schannel_proto.h" +#include "../libcli/auth/schannel.h" #include "auth/gensec/gensec.h" #include "libcli/auth/libcli_auth.h" #include "param/param.h" diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index f8853c1093..c448b3bb83 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2132,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct uint8_t old_lm_hash[16], new_lm_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; torture_comment(tctx, "Testing ChangePasswordUser3\n"); 
@@ -2269,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct && (!null_nttime(last_password_change) || !dominfo->min_password_age)) { if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) { - if (reject && (reject->reason != SAMR_REJECT_OTHER)) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } 
@@ -2288,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) && (last_password_change + dominfo->min_password_age > t)) { - if (reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } } else if ((dominfo->min_password_length > 0) && (strlen(newpass) < dominfo->min_password_length)) { - if (reject->reason != SAMR_REJECT_TOO_SHORT) { - torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n", - SAMR_REJECT_TOO_SHORT, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n", + SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason); return false; } } else if ((dominfo->password_history_length > 0) && strequal(oldpass, newpass)) { - if (reject->reason != SAMR_REJECT_IN_HISTORY) { - torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n", - SAMR_REJECT_IN_HISTORY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n", + SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason); return false; } } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) { - if (reject->reason != SAMR_REJECT_COMPLEXITY) { - torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n", - SAMR_REJECT_COMPLEXITY, reject->reason); + if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n", + 
SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason); return false; } } - if (reject->reason == SAMR_REJECT_TOO_SHORT) { + if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) { /* retry with adjusted size */ return test_ChangePasswordUser3(p, tctx, account_string, dominfo->min_password_length, @@ -2330,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct } } else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -2369,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex uint8_t old_nt_hash[16], new_nt_hash[16]; NTTIME t; struct samr_DomInfo1 *dominfo = NULL; - struct samr_ChangeReject *reject = NULL; + struct userPwdChangeFailureInformation *reject = NULL; new_random_pass = samr_very_rand_pass(tctx, 128); @@ -2444,9 +2444,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ 
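Review bot: In the `min_password_age`/`min_password_length`/`password_history_length`/`DOMAIN_PASSWORD_COMPLEX` chain, the rewritten checks dereference `reject->extendedFailureReason` directly, while the neighbouring hunks guard the same pointer with `reject &&`. `reject` is initialised to NULL and filled from the server's reply, so a server that returns the restriction status without failure information would crash the test rather than fail it. The condition enclosing this chain starts outside the hunk and may already exclude a NULL `reject`; if it does not, add `torture_assert(tctx, reject != NULL, "ChangePasswordUser3 returned no failure information");` ahead of the chain. The same applies to the later `if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT)` retry check.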
@@ -2482,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (reject && reject->reason != SAMR_REJECT_OTHER) { - torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, reject->reason); + if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) { + torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n", + SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -6754,6 +6754,35 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx, } +static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_context *tctx) +{ + struct samr_ValidatePassword r; + union samr_ValidatePasswordReq req; + union samr_ValidatePasswordRep *repp = NULL; + NTSTATUS status; + const char *passwords[] = { "penguin", "p@ssw0rd", "p@ssw0rd123$", NULL }; + int i; + + ZERO_STRUCT(r); + r.in.level = NetValidatePasswordReset; + r.in.req = &req; + r.out.rep = &repp; + + ZERO_STRUCT(req); + req.req3.account.string = "non-existant-account-aklsdji"; + + for (i=0; passwords[i]; i++) { + req.req3.password.string = passwords[i]; + status = dcerpc_samr_ValidatePassword(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "samr_ValidatePassword"); + torture_comment(tctx, "Server %s password '%s'\n", + repp->ctr3.status==SAMR_VALIDATION_STATUS_SUCCESS?"allowed":"refused", + req.req3.password.string); + } + + return true; +} + bool torture_rpc_samr(struct torture_context *torture) { NTSTATUS status; 
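Review bot: `test_samr_ValidatePassword` reads `repp->ctr3.status` after checking only the transport `status`, so a reply that leaves `repp` NULL would be dereferenced, and `r.out.result` is never checked. Add `torture_assert(tctx, repp != NULL, "samr_ValidatePassword returned no reply");` and an assertion on `r.out.result` before the `torture_comment`. The loop also only logs "allowed"/"refused" and never asserts an expected outcome per password, so it cannot fail on a wrong answer. A short comment saying that this is informational only would make that intent clear.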
@@ -6766,6 +6795,11 @@ bool torture_rpc_samr(struct torture_context *torture) return false; } + + if (torture_setting_bool(torture, "dangerous", false)) { + ret &= test_samr_ValidatePassword(p, torture); + } + ret &= test_Connect(p, torture, &handle); if (!torture_setting_bool(torture, "samba3", false)) { @@ -7008,3 +7042,4 @@ struct torture_suite *torture_rpc_samr_large_dc(TALLOC_CTX *mem_ctx) return suite; } + diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 4cecab4017..2ee8e59e5a 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -28,7 +28,7 @@ #include "../lib/crypto/crypto.h" #include "system/time.h" #include "torture/rpc/rpc.h" -#include "auth/gensec/schannel_proto.h" +#include "../libcli/auth/schannel.h" #include "auth/gensec/gensec.h" #include "libcli/auth/libcli_auth.h" #include "libcli/samsync/samsync.h" diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 6c539b6117..0ada20d888 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -26,7 +26,7 @@ #include "auth/credentials/credentials.h" #include "torture/rpc/rpc.h" #include "lib/cmdline/popt_common.h" -#include "auth/gensec/schannel_proto.h" +#include "../libcli/auth/schannel.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" #include "system/filesys.h" diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c index 06b1d05ee4..d5ef0a4fda 100644 --- a/source4/torture/rpc/wkssvc.c +++ b/source4/torture/rpc/wkssvc.c @@ -1132,7 +1132,7 @@ static bool test_NetrJoinDomain(struct torture_context *tctx, user); r.in.server_name = dcerpc_server_name(p); - r.in.domain_name = lp_realm(tctx->lp_ctx); + r.in.domain_name = lp_dnsdomain(tctx->lp_ctx); r.in.account_ou = NULL; r.in.Account = admin_account; r.in.password = NULL; |