summaryrefslogtreecommitdiff
path: root/source4/torture/rpc/netlogon.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-3/+3
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r6795: Make some functions static and remove some unused ones.Jelmer Vernooij1-3/+3
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10r6286: Add back metze's test of setting a trust password to ''. I removedAndrew Bartlett1-5/+33
this because I don't want our torture suite to leave behind accounts with known passwords if it is stopped in the wrong place. It is now run behind the -X (dangerous) wrapper. Andrew Bartlett (This used to be commit 057a81d81ed8dfaf323be118e32df2cf1c92cc09)
2007-10-10r6032: Fix up SetServerPassword2 on NETLOGON for [bigendian]. Clearly nobodyAndrew Bartlett1-41/+17
has the patience to run test_w2k3.sh to completion :-) It looks to me that the Windows server runs the RC4 over the C struct, not the NDR data. Andrew Bartlett (This used to be commit c324d974134c35b4c50c91d5a932a63c78b67046)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-9/+0
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett1-9/+10
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5902: A rather large change...Andrew Bartlett1-52/+96
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell1-1/+1
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5197: moved events code to lib/events/ (suggestion from metze)Andrew Tridgell1-1/+1
(This used to be commit 7f54c8a339f36aa43c9340be70ab7f0067593ef2)
2007-10-10r5185: make all the events data structures private to events.c. This willAndrew Tridgell1-0/+1
make it possible to add optimisations to the events code such as keeping the next timed event in a sorted list, and using epoll for file descriptor events. I also removed the loop events code, as it wasn't being used anywhere, and changed timed events to always be one-shot (as adding a new timed event in the event handler is so easy to do if needed) (This used to be commit d7b4b6de51342a65bf46fce772d313f92f8d73d3)
2007-10-10r5090: Fix up the IDL for LogonGetDomainInfo in NETLOGON.Andrew Bartlett1-10/+4
Andrew Bartlett (This used to be commit e5afc3609382a7b534c9d845e809d135a0d4eb3a)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell1-2/+2
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4707: w2k3 don't restict passwords onStefan Metzmacher1-0/+63
netr_ServerPasswordSet and netr_ServerPasswordSet2 so we do now I also add a torture test for this metze (This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d)
2007-10-10r4706: Fix the build, after I renamed these elements in the IDL.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8f47c7b02cc28eda022154796c7341fd63a87cc5)
2007-10-10r4702: implment idl, torture test and server code for netr_ServerPasswordSet2()Stefan Metzmacher1-2/+69
metze (This used to be commit 7d8ba92da2b8babe7165f105591fd3e5738b2319)
2007-10-10r4616: the first phase in the addition of proper support forAndrew Tridgell1-1/+1
dcerpc_alter_context and multiple context_ids in the dcerpc client library. This stage does the following: - split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has the context dependent part. This is similar to the layering in libcli_*() for SMB - disable the current dcerpc_alter code. I've used a #warning until i get the 2nd phase finished. I don't know how portable #warning is, but it won't be long before I add full alter context support anyway, so it won't last long - cleanup the allocation of dcerpc_pipe structures. The previous code was quite awkward. (This used to be commit 4004c69937be7e5dae56f9567ca607f982d395d3)
2007-10-10r4614: Fix RPC-SAMLOGON, to use the workstation context (forgot to globally ↵Andrew Bartlett1-2/+4
replace). Andrew Bartlett (This used to be commit ddb54d4ea1610b38e011e2f217ded7b6278d5290)
2007-10-10r4597: Recently I've come across a case where I suspect the GetAnyDCName ↵Volker Lendecke1-0/+94
request to kill the domain controller I'm asking. In samba4 torturing the DC is just so easy, commit the test to randomized ask for DCs for all trusted domains. Volker (This used to be commit edb918762e1e46909520f13e28dcf8cedb2919b1)
2007-10-10r4560: - fixed crash bugs in the RPC-SCHANNEL and RPC-NETLOGON testsAndrew Tridgell1-75/+29
- disabled the async netlogon tests for now until we better understand async rpc - added a test_w2k3.sh script that runs rpc tests that a w2k3 DC should pass. This is useful for regression testing when PIDL changes are made. (This used to be commit f7d4d3db489ad79457de70a85ad990159f6e74f8)
2007-10-10r4549: got rid of a lot more uses of plain talloc(), instead usingAndrew Tridgell1-2/+2
talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
2007-10-10r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.Andrew Bartlett1-0/+16
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10r3914: add idl, torture test and simple server for netr_DrsGetDCNameEx2()Stefan Metzmacher1-0/+44
metze (This used to be commit 1ffabbaa667c7dec6657ec523f92f072a2a47a95)
2007-10-10r3686: The results of some work on the NETLOGON pipe:Andrew Bartlett1-3/+73
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC, that will cross-verify all the values. Add support for the way netlogon credentials are shared between the pipe that sets up schannel and the pipe that is encrypted with it. Test this support, by calling both NETLOGON and SAMR operations in the RPC-SCHANNEL test. Move some of the Netlogon NEG flags into the .idl, now we have an idea what a few of them really are. Rename the sam_pwd_hash into a name that has meaning (all other crypto functions were renamed in Samba4 ages ago). Break out NTLMv2 functionality for operation on the NT hash - I intend to do NTLMv2 logins in the samsync test in future, and naturally I only have the hash. Andrew Bartlett (This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
2007-10-10r3677: Seperate the SamLogon tests from the main RPC-NETLOGON test into aAndrew Bartlett1-1011/+37
RPC-SAMLOGON of their own. I have expanded the tests to validate the use of various flags, which change some of the crypto behaviour. Andrew Bartlett (This used to be commit 3a140a3691ce49ebf4d1efcb99cfffd26c68a28f)
2007-10-10r3676: Add a negitive test for NTLM2 session security (which should notAndrew Bartlett1-10/+96
appear in netlogon, despite what the LM response may look like). Make the logon tests less verbose - only print test names on failure. Andrew Bartlett (This used to be commit 49c335bcd8852bcf2f4663b9fd514bf3da0fa50d)
2007-10-10r3657: More netlogon torture. We now test both function calls (SamLogon and ↵Andrew Bartlett1-43/+102
SamLogonWithFlags). Andrew Bartlett (This used to be commit 7937503849125e8a351abd547accab3715fc8b13)
2007-10-10r3653: Move Interactive login tests up with the rest of the logon tests.Andrew Bartlett1-71/+126
(Hmm, this whole section should be broken out into a new file, I think). Add new tests, particularly of the LM key for NTLMv2 responses, and the (changed, apparently) session key for LMv2 only logins. Next is to add SAMR modification and cross-validation. Andrew Bartlett (This used to be commit be99ee4719a98c3fca13136d0c72f18a852fbd4e)
2007-10-10r3557: Use a switch, not a series of if/else if statements.Andrew Bartlett1-8/+11
Andrew Bartlett (This used to be commit fb7bc73f581c8b13041a91a115b4932f76b00ca7)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3428: switched to using minimal includes for the auto-generated RPC code.Andrew Tridgell1-0/+1
The thing that finally convinced me that minimal includes was worth pursuing for rpc was a compiler (tcc) that failed to build Samba due to reaching internal limits of the size of include files. Also the fact that includes.h.gch was 16MB, which really seems excessive. This patch brings it back to 12M, which is still too large, but better. Note that this patch speeds up compile times for both the pch and non-pch case. This change also includes the addition iof a "depends()" option in our IDL files, allowing you to specify that one IDL file depends on another. This capability was needed for the auto-includes generation. (This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49)
2007-10-10r3324: made the smbtorture code completely warning freeAndrew Tridgell1-1/+1
(This used to be commit 7067bb9b52223cafa28470f264f0b60646a07a01)
2007-10-10r3104: My Win2k3 server, with current updates, still sends the LM key for ↵Andrew Bartlett1-1/+1
level 6. I'm not quite sure what's going on here, but adjust expected values till I can find out how to reproduce this the other way... Andrew Bartlett (This used to be commit 3f0f6b38f2401e3654f73f46a22d5c10fbacaeca)
2007-10-10r2857: this commit gets rid of smb_ucs2_t, wpstring and fpstring, plus lots ↵Andrew Tridgell1-4/+3
of associated functions. The motivation for this change was to avoid having to convert to/from ucs2 strings for so many operations. Doing that was slow, used many static buffers, and was also incorrect as it didn't cope properly with unicode codepoints above 65536 (which could not be represented correctly as smb_ucs2_t chars) The two core functions that allowed this change are next_codepoint() and push_codepoint(). These functions allow you to correctly walk a arbitrary multi-byte string a character at a time without converting the whole string to ucs2. While doing this cleanup I also fixed several ucs2 string handling bugs. See the commit for details. The following code (which counts the number of occuraces of 'c' in a string) shows how to use the new interface: size_t count_chars(const char *s, char c) { size_t count = 0; while (*s) { size_t size; codepoint_t c2 = next_codepoint(s, &size); if (c2 == c) count++; s += size; } return count; } (This used to be commit 814881f0e50019196b3aa9fbe4aeadbb98172040)
2007-10-10r2552: Character set conversion and string handling updates.Andrew Bartlett1-5/+3
The intial motivation for this commit was to merge in some of the bugfixes present in Samba3's chrcnv and string handling code into Samba4. However, along the way I found a lot of unused functions, and decided to do a bit more... The strlen_m code now does not use a fixed buffer, but more work is needed to finish off other functions in str_util.c. These fixed length buffers hav caused very nasty, hard to chase down bugs at some sites. The strupper_m() function has a strupper_talloc() to replace it (we need to go around and fix more uses, but it's a start). Use of these new functions will avoid bugs where the upper or lowercase version of a string is a different length. I have removed the push_*_allocate functions, which are replaced by calls to push_*_talloc. Likewise, pstring and other 'fixed length' wrappers are removed, where possible. I have removed the first ('base pointer') argument, used by push_ucs2, as the Samba4 way of doing things ensures that this is always on an even boundary anyway. (It was used in only one place, in any case). (This used to be commit dfecb0150627b500cb026b8a4932fe87902ca392)
2007-10-10r2443: check return code of event_loop_once() to catch thet cases where the ↵Stefan Metzmacher1-1/+3
server closes the connetion and we got EBADF from select() and event_loop_once() fails metze (This used to be commit 9c0e50a6f3d628156b4543d5ded89e06be696f64)
2007-10-10r2220: Updates to the NETLOGON torture test. This copes with 'long'Andrew Bartlett1-125/+146
passwords - where the LM hash is invalid. Also, we now drive all the logon levels and validation levels from the outer loop, so we can check the expected return values (rather than overwriting them). Andrew Bartlett (This used to be commit f7f7c3de23ffb042f7cf7b4fa42b6b18c205719d)
2007-10-10r2185: add a callback function to the dcerpc async APIAndrew Tridgell1-4/+20
also add a demonstration of its use in the netlogon async example (This used to be commit f2a0438c66b999189c1a2ad726e91efd0748eb90)
2007-10-10r2181: an rpc async test on the netlogon pipeAndrew Tridgell1-0/+71
(This used to be commit 4c370c3c917f399497f936a2037ea2868b2196d2)
2007-10-10r2071: - change smbtorture to use the popt_common stuffStefan Metzmacher1-3/+5
this means -U DOM\\user is know allowed - torture:userdomain is a new smb.conf parameter because lp_workgroup is not the domain of the user - we use torture:userdomain now in the tests instad of lp_workgroup - for backward compat the userdomain is lp_workgroup() by default and not lp_netbios_name(), which my change later to match 'net' and 'smbclient'.. - we now have dublicate options e.g. -N -s ... tridge: can we change this? metze (This used to be commit 4733dcbf5f17422a8a4c9f99664270b3aa66c586)
2007-10-10r2035: Fix spelling.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 4e2c5a5fb3e428ffcdeef3b95fab644a420cc20c)
2007-10-10r1995: a ndrdump file from abartlet make it clear that this isn't a pointerStefan Metzmacher1-3/+2
to a uint32, there're two uint32 with 0x00000000 metze (This used to be commit 80f27766cb6d2c4e00232f7e3d5cde75ad84d094)
2007-10-10r1647: destroy mem_ctxStefan Metzmacher1-1/+3
metze (This used to be commit 973ac69a012e579a09807d635061ff3550a10719)
2007-10-10r1498: (merge from 3.0)Andrew Bartlett1-5/+4
Rework our random number generation system. On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). This also requires that we start the secrets subsystem, as that is where the reseed value is stored, for systems without /dev/urandom. In order to aviod identical streams in forked children, the random state is re-initialised after the fork(), at the same point were we do that to the tdbs. Andrew Bartlett (This used to be commit b97d3cb2efd68310b1aea8a3ac40a64979c8cdae)
2007-10-10r1189: Now that we use a common 'base' return structure for the SamLogonAndrew Bartlett1-37/+25
call, avoid code duplication in the torture suite. Andrew Bartlett (This used to be commit b6128c2a9d8e23dad0b14106f45a0638655d6cd7)
2007-10-10r1150: - fixed interactive sam logon in the rpc serverAndrew Tridgell1-11/+70
- added a torture test for interactive login in smbtorture These changes allow winxp to perform an interactive login (a login on the winxp console) against a Samba4 DC. Our netlogon server code is still filling in many of the fields incorrectly, but it fills in enough that winxp can login. (This used to be commit db9ea488b047b5f0f7538fd75fb7dde8277eb06b)
2007-10-10r1141: - consolidated the netr_SamInfo structures using a netr_SamBaseInfoAndrew Tridgell1-22/+22
structure (andrew, this is the type of structure consolidation I think you were asking about. It's possible here in NDR as it isn't in the top level fn code) - added validation level 6 in sam logon With these changes I can successfully authentication smbclient to a winxp server, with the winxp server using a Samba4 ADS DC for account auth (This used to be commit 705205083a6e2430c420f44436a1d1ff8826bc73)
2007-10-10r1140: added IDL and test code for validation level 6 in sam logonAndrew Tridgell1-5/+14
(This used to be commit c8541098436d2cd83538375889560405ecb50034)
2007-10-10r1137: - added torture test for netr_LogonGetDomainInfo() callAndrew Tridgell1-0/+59
(This used to be commit fdf6e4169d531c4a7d4e1b937abd3eb3af03c860)
2007-10-10r1061: The start of the SamLogon call for the NETLOGON pipe.Andrew Bartlett1-26/+30
Changes: - Check for a valid 'pipe_state' in netr_ServerAuthenticate3 before we dereference it - removes the expansionroom[7] in the netr_SamInfo* structs to 7 individual elements. - renames netr_SamInfo -> netr_SamInfo2 netr_SamInfo2 -> netr_SamInfo3 - Having the thing we always called an 'info3' being 'netr_SamInfo2' was just too confusing. - Expand and fill in extra details about users from the SAM, into the server_info, for processing into the SamLogon reply. - Add a dum_sid_dup() function to duplicate a struct dom_sid The SamLogon code currently does not return supplementary groups, and is only tested with Samba4 smbtorture. Andrew Bartlett (This used to be commit 6c92563b7961f15fc74b02601e105d5e1d04f04d)
2007-10-10r1058: The start of work on the SamLogon call for NETLOGON.Andrew Bartlett1-6/+6
This starts to store information about the user in the server_info struct - like the account name, the full name etc. Also, continue to make the names of the structure elements in the logon reply more consistant with those in the SAMR pipe. Andrew Bartlett (This used to be commit 3ccd96bd945e0fd95e42c69ad8ff07055af2e62b)