summaryrefslogtreecommitdiff
path: root/source4/torture/rpc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/torture/rpc')
-rw-r--r--source4/torture/rpc/lsa.c2
-rw-r--r--source4/torture/rpc/samba3rpc.c53
-rw-r--r--source4/torture/rpc/samr.c87
3 files changed, 116 insertions, 26 deletions
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 60d022fbea..04d13a97c1 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -295,8 +295,8 @@ static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
ret &= test_LookupNames(p, mem_ctx, handle, &tnames);
name.name.string = "BUILTIN\\Administrators";
- ret &= test_LookupNames(p, mem_ctx, handle, &tnames);
name.sid_type = SID_NAME_ALIAS;
+ ret &= test_LookupNames(p, mem_ctx, handle, &tnames);
name.name.string = "SYSTEM";
name.sid_type = SID_NAME_WKN_GRP;
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 95252e7397..204a9f2865 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -47,6 +47,7 @@
#include "libcli/smb_composite/smb_composite.h"
#include "libcli/auth/libcli_auth.h"
#include "lib/crypto/crypto.h"
+#include "auth/ntlmssp/ntlmssp.h"
#include "libcli/security/proto.h"
#include "param/param.h"
#include "lib/registry/registry.h"
@@ -682,6 +683,7 @@ static bool join3(struct smbcli_state *cli,
struct dcerpc_pipe *samr_pipe;
struct policy_handle *wks_handle;
bool ret = false;
+ NTTIME last_password_change;
if ((mem_ctx = talloc_init("join3")) == NULL) {
d_printf("talloc_init failed\n");
@@ -701,6 +703,22 @@ static bool join3(struct smbcli_state *cli,
goto done;
}
+ {
+ struct samr_QueryUserInfo q;
+
+ q.in.user_handle = wks_handle;
+ q.in.level = 21;
+
+ status = dcerpc_samr_QueryUserInfo(samr_pipe, mem_ctx, &q);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("(%s) QueryUserInfo failed: %s\n",
+ __location__, nt_errstr(status));
+ goto done;
+ }
+
+ last_password_change = q.out.info->info21.last_password_change;
+ }
+
cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED);
if (use_level25) {
@@ -794,6 +812,39 @@ static bool join3(struct smbcli_state *cli,
}
}
+ {
+ struct samr_QueryUserInfo q;
+
+ q.in.user_handle = wks_handle;
+ q.in.level = 21;
+
+ status = dcerpc_samr_QueryUserInfo(samr_pipe, mem_ctx, &q);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("(%s) QueryUserInfo failed: %s\n",
+ __location__, nt_errstr(status));
+ goto done;
+ }
+
+ if (use_level25) {
+ if (last_password_change
+ == q.out.info->info21.last_password_change) {
+ d_printf("(%s) last_password_change unchanged "
+ "during join, level25 must change "
+ "it\n", __location__);
+ goto done;
+ }
+ }
+ else {
+ if (last_password_change
+ != q.out.info->info21.last_password_change) {
+ d_printf("(%s) last_password_change changed "
+ "during join, level24 doesn't "
+ "change it\n", __location__);
+ goto done;
+ }
+ }
+ }
+
ret = true;
done:
@@ -1321,6 +1372,8 @@ bool torture_samba3_sessionkey(struct torture_context *torture)
goto done;
}
+ cli_credentials_set_workstation(anon_creds, wks_name, CRED_SPECIFIED);
+
ret = true;
if (!torture_setting_bool(torture, "samba3", false)) {
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 1d6ec43399..55c75ba270 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2332,9 +2332,15 @@ static bool test_CreateAlias(struct dcerpc_pipe *p, struct torture_context *tctx
status = dcerpc_samr_CreateDomAlias(p, tctx, &r);
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- printf("Server refused create of '%s'\n", r.in.alias_name->string);
- return true;
+ if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Server correctly refused create of '%s'\n", r.in.alias_name->string);
+ return true;
+ } else {
+ printf("Server should have refused create of '%s', got %s instead\n", r.in.alias_name->string,
+ nt_errstr(status));
+ return false;
+ }
}
if (NT_STATUS_EQUAL(status, NT_STATUS_ALIAS_EXISTS)) {
@@ -2515,7 +2521,8 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
struct policy_handle *domain_handle,
- struct policy_handle *user_handle_out,
+ struct policy_handle *user_handle_out,
+ struct dom_sid *domain_sid,
enum torture_samr_choice which_ops)
{
@@ -2546,10 +2553,15 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
status = dcerpc_samr_CreateUser(p, user_ctx, &r);
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- printf("Server refused create of '%s': %s\n", r.in.account_name->string, nt_errstr(status));
- talloc_free(user_ctx);
- return true;
+ if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Server correctly refused create of '%s'\n", r.in.account_name->string);
+ return true;
+ } else {
+ printf("Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+ nt_errstr(status));
+ return false;
+ }
}
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
@@ -2610,7 +2622,9 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx,
- struct policy_handle *domain_handle, enum torture_samr_choice which_ops)
+ struct policy_handle *domain_handle,
+ struct dom_sid *domain_sid,
+ enum torture_samr_choice which_ops)
{
NTSTATUS status;
struct samr_CreateUser2 r;
@@ -2663,12 +2677,19 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
status = dcerpc_samr_CreateUser2(p, user_ctx, &r);
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- talloc_free(user_ctx);
- printf("Server refused create of '%s'\n", r.in.account_name->string);
- continue;
+ if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Server correctly refused create of '%s'\n", r.in.account_name->string);
+ continue;
+ } else {
+ printf("Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+ nt_errstr(status));
+ ret = false;
+ continue;
+ }
+ }
- } else if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
if (!test_DeleteUser_byname(p, user_ctx, domain_handle, r.in.account_name->string)) {
talloc_free(user_ctx);
ret = false;
@@ -3893,6 +3914,7 @@ static bool test_GroupList(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
}
if (!q1.out.sam) {
+ printf("EnumDomainGroups failed to return q1.out.sam\n");
return false;
}
@@ -4138,7 +4160,9 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
static bool test_CreateDomainGroup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct policy_handle *domain_handle, struct policy_handle *group_handle)
+ struct policy_handle *domain_handle,
+ struct policy_handle *group_handle,
+ struct dom_sid *domain_sid)
{
NTSTATUS status;
struct samr_CreateDomainGroup r;
@@ -4158,15 +4182,19 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
status = dcerpc_samr_CreateDomainGroup(p, mem_ctx, &r);
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- printf("Server refused create of '%s'\n", r.in.name->string);
- ZERO_STRUCTP(group_handle);
- return true;
+ if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(mem_ctx, SID_BUILTIN))) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Server correctly refused create of '%s'\n", r.in.name->string);
+ return true;
+ } else {
+ printf("Server should have refused create of '%s', got %s instead\n", r.in.name->string,
+ nt_errstr(status));
+ return false;
+ }
}
if (NT_STATUS_EQUAL(status, NT_STATUS_GROUP_EXISTS)) {
if (!test_DeleteGroup_byname(p, mem_ctx, domain_handle, r.in.name->string)) {
-
printf("CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
nt_errstr(status));
return false;
@@ -4244,7 +4272,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
ZERO_STRUCT(group_handle);
ZERO_STRUCT(domain_handle);
- printf("Testing OpenDomain\n");
+ printf("Testing OpenDomain of %s\n", dom_sid_string(tctx, sid));
r.in.connect_handle = handle;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -4264,17 +4292,23 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
switch (which_ops) {
case TORTURE_SAMR_USER_ATTRIBUTES:
case TORTURE_SAMR_PASSWORDS:
- ret &= test_CreateUser2(p, tctx, &domain_handle, which_ops);
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, which_ops);
+ ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops);
+ ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops);
/* This test needs 'complex' users to validate */
ret &= test_QueryDisplayInfo(p, tctx, &domain_handle);
+ if (!ret) {
+ printf("Testing PASSWORDS or ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
+ }
break;
case TORTURE_SAMR_OTHER:
- ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, which_ops);
+ ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops);
+ if (!ret) {
+ printf("Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
+ }
ret &= test_QuerySecurity(p, tctx, &domain_handle);
ret &= test_RemoveMemberFromForeignDomain(p, tctx, &domain_handle);
ret &= test_CreateAlias(p, tctx, &domain_handle, &alias_handle, sid);
- ret &= test_CreateDomainGroup(p, tctx, &domain_handle, &group_handle);
+ ret &= test_CreateDomainGroup(p, tctx, &domain_handle, &group_handle, sid);
ret &= test_QueryDomainInfo(p, tctx, &domain_handle);
ret &= test_QueryDomainInfo2(p, tctx, &domain_handle);
ret &= test_EnumDomainUsers(p, tctx, &domain_handle);
@@ -4295,6 +4329,9 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
ret &= test_TestPrivateFunctionsDomain(p, tctx, &domain_handle);
ret &= test_RidToSid(p, tctx, sid, &domain_handle);
ret &= test_GetBootKeyInformation(p, tctx, &domain_handle);
+ if (!ret) {
+ printf("Testing SAMR-OTHER on domain %s failed!\n", dom_sid_string(tctx, sid));
+ }
break;
}
generated by cgit (git 2.34.1) at 2025-01-28 09:10:44 +0000