summaryrefslogtreecommitdiff
path: root/source4/torture/rpc/netlogon.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13346: use private proto header files for the torture testsStefan Metzmacher1-0/+1
metze (This used to be commit 67837dbd2bcff8ec1917ba02884ee2eaa0776b46)
2007-10-10r12865: Upgrade the librpc and libnet code.Andrew Bartlett1-8/+1
In librpc, always try SMB level authentication, even if trying schannel, but allow fallback to anonymous. This should better function with servers that set restrict anonymous. There are too many parts of Samba that get, parse and modify the binding parameters. Avoid the extra work, and add a binding element to the struct dcerpc_pipe The libnet vampire code has been refactored, to reduce extra layers and to better conform with the standard argument pattern. Also, take advantage of the new libnet_Lookup code, so we don't require the silly 'password server' smb.conf parameter. To better support forcing traffic to be sealed for the vampire operation, the dcerpc_bind_auth() function now takes an auth level parameter. Andrew Bartlett (This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-0/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12693: Move core data structures out of smb.h into core.hJelmer Vernooij1-0/+1
torture prototypes in seperate header (This used to be commit 73610639b23ca3743077193fa0b1de7c7f65944d)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12510: Change the DCE/RPC interfaces to take a pointer to aJelmer Vernooij1-6/+2
dcerpc_interface_table struct rather then a tuple of interface name, UUID and version. This removes the requirement for having a global list of DCE/RPC interfaces, except for these parts of the code that use that list explicitly (ndrdump and the scanner torture test). This should also allow us to remove the hack that put the authservice parameter in the dcerpc_binding struct as it can now be read directly from dcerpc_interface_table. I will now modify some of these functions to take a dcerpc_syntax_id structure rather then a full dcerpc_interface_table. (This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
2007-10-10r11404: Another torture test and a new WERR.Andrew Bartlett1-0/+13
Andrew Bartlett (This used to be commit de83b8cd187b28ecb30550c44f9f84e373df692e)
2007-10-10r11402: In response to comments by volker, expand our Netlogon DsRGetDCNameAndrew Bartlett1-10/+111
IDL and testsuites. The server-side of this remains a stub, we should probably be doing ldb searches for the server reference record. Andrew Bartlett (This used to be commit 0141ed309a664e7a9893c95232c2dcb9768f9315)
2007-10-10r11298: Consolidate the 'short' samlogon tests, and move to using theAndrew Bartlett1-28/+70
credentials system for password -> NTLM translation. Andrew Bartlett (This used to be commit d22cbf1b0cae9ca211c916320754d5edfe360c30)
2007-10-10r10697: Change the torture join code to return a credentials structure, asAndrew Bartlett1-1/+4
that is what most of the callers want anyway. Remove and re-add the account for the torture case, rather than just modify it. Test with a user account (needs work to change the password). Andrew Bartlett (This used to be commit 38bebef02454164cbe882347d80e03abee656205)
2007-10-10r10486: This is a merge of Brad Henry's 'net join' rework, to better performAndrew Bartlett1-1/+1
an ADS join, particularly as a DC. This represents the bulk of his Google SOC work, and I'm very pleased to intergrate it into the tree. (Metze will intergrate the DRSUAPI work later). Both metze and myself have also put a lot of time into this patch, and in mentoring Brad in general. In return, Brad has been a very good student, and has taken the comments well. Since it's last appearance on samba-technical@, I have made correctness and valgrind fixups, as well as adding a new 'BINDING' mode to the libnet_rpc routines. This allows the exact binding string to be passed down from the torture code, including options and exact target host. Andrew Bartlett (This used to be commit d6fa105fdabbeb83a9b0e50dad49d1649afdb2a4)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett1-3/+3
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r10255: Fix some more 64-bit warnings.Tim Potter1-2/+2
(This used to be commit f4f9337619f7793f5ad23fcb59a8e8751941fec6)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-3/+3
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r6795: Make some functions static and remove some unused ones.Jelmer Vernooij1-3/+3
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10r6286: Add back metze's test of setting a trust password to ''. I removedAndrew Bartlett1-5/+33
this because I don't want our torture suite to leave behind accounts with known passwords if it is stopped in the wrong place. It is now run behind the -X (dangerous) wrapper. Andrew Bartlett (This used to be commit 057a81d81ed8dfaf323be118e32df2cf1c92cc09)
2007-10-10r6032: Fix up SetServerPassword2 on NETLOGON for [bigendian]. Clearly nobodyAndrew Bartlett1-41/+17
has the patience to run test_w2k3.sh to completion :-) It looks to me that the Windows server runs the RC4 over the C struct, not the NDR data. Andrew Bartlett (This used to be commit c324d974134c35b4c50c91d5a932a63c78b67046)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-9/+0
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett1-9/+10
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5902: A rather large change...Andrew Bartlett1-52/+96
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell1-1/+1
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5197: moved events code to lib/events/ (suggestion from metze)Andrew Tridgell1-1/+1
(This used to be commit 7f54c8a339f36aa43c9340be70ab7f0067593ef2)
2007-10-10r5185: make all the events data structures private to events.c. This willAndrew Tridgell1-0/+1
make it possible to add optimisations to the events code such as keeping the next timed event in a sorted list, and using epoll for file descriptor events. I also removed the loop events code, as it wasn't being used anywhere, and changed timed events to always be one-shot (as adding a new timed event in the event handler is so easy to do if needed) (This used to be commit d7b4b6de51342a65bf46fce772d313f92f8d73d3)
2007-10-10r5090: Fix up the IDL for LogonGetDomainInfo in NETLOGON.Andrew Bartlett1-10/+4
Andrew Bartlett (This used to be commit e5afc3609382a7b534c9d845e809d135a0d4eb3a)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell1-2/+2
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4707: w2k3 don't restict passwords onStefan Metzmacher1-0/+63
netr_ServerPasswordSet and netr_ServerPasswordSet2 so we do now I also add a torture test for this metze (This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d)
2007-10-10r4706: Fix the build, after I renamed these elements in the IDL.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8f47c7b02cc28eda022154796c7341fd63a87cc5)
2007-10-10r4702: implment idl, torture test and server code for netr_ServerPasswordSet2()Stefan Metzmacher1-2/+69
metze (This used to be commit 7d8ba92da2b8babe7165f105591fd3e5738b2319)
2007-10-10r4616: the first phase in the addition of proper support forAndrew Tridgell1-1/+1
dcerpc_alter_context and multiple context_ids in the dcerpc client library. This stage does the following: - split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has the context dependent part. This is similar to the layering in libcli_*() for SMB - disable the current dcerpc_alter code. I've used a #warning until i get the 2nd phase finished. I don't know how portable #warning is, but it won't be long before I add full alter context support anyway, so it won't last long - cleanup the allocation of dcerpc_pipe structures. The previous code was quite awkward. (This used to be commit 4004c69937be7e5dae56f9567ca607f982d395d3)
2007-10-10r4614: Fix RPC-SAMLOGON, to use the workstation context (forgot to globally ↵Andrew Bartlett1-2/+4
replace). Andrew Bartlett (This used to be commit ddb54d4ea1610b38e011e2f217ded7b6278d5290)
2007-10-10r4597: Recently I've come across a case where I suspect the GetAnyDCName ↵Volker Lendecke1-0/+94
request to kill the domain controller I'm asking. In samba4 torturing the DC is just so easy, commit the test to randomized ask for DCs for all trusted domains. Volker (This used to be commit edb918762e1e46909520f13e28dcf8cedb2919b1)
2007-10-10r4560: - fixed crash bugs in the RPC-SCHANNEL and RPC-NETLOGON testsAndrew Tridgell1-75/+29
- disabled the async netlogon tests for now until we better understand async rpc - added a test_w2k3.sh script that runs rpc tests that a w2k3 DC should pass. This is useful for regression testing when PIDL changes are made. (This used to be commit f7d4d3db489ad79457de70a85ad990159f6e74f8)
2007-10-10r4549: got rid of a lot more uses of plain talloc(), instead usingAndrew Tridgell1-2/+2
talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
2007-10-10r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.Andrew Bartlett1-0/+16
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10r3914: add idl, torture test and simple server for netr_DrsGetDCNameEx2()Stefan Metzmacher1-0/+44
metze (This used to be commit 1ffabbaa667c7dec6657ec523f92f072a2a47a95)
2007-10-10r3686: The results of some work on the NETLOGON pipe:Andrew Bartlett1-3/+73
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC, that will cross-verify all the values. Add support for the way netlogon credentials are shared between the pipe that sets up schannel and the pipe that is encrypted with it. Test this support, by calling both NETLOGON and SAMR operations in the RPC-SCHANNEL test. Move some of the Netlogon NEG flags into the .idl, now we have an idea what a few of them really are. Rename the sam_pwd_hash into a name that has meaning (all other crypto functions were renamed in Samba4 ages ago). Break out NTLMv2 functionality for operation on the NT hash - I intend to do NTLMv2 logins in the samsync test in future, and naturally I only have the hash. Andrew Bartlett (This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
2007-10-10r3677: Seperate the SamLogon tests from the main RPC-NETLOGON test into aAndrew Bartlett1-1011/+37
RPC-SAMLOGON of their own. I have expanded the tests to validate the use of various flags, which change some of the crypto behaviour. Andrew Bartlett (This used to be commit 3a140a3691ce49ebf4d1efcb99cfffd26c68a28f)
2007-10-10r3676: Add a negitive test for NTLM2 session security (which should notAndrew Bartlett1-10/+96
appear in netlogon, despite what the LM response may look like). Make the logon tests less verbose - only print test names on failure. Andrew Bartlett (This used to be commit 49c335bcd8852bcf2f4663b9fd514bf3da0fa50d)
2007-10-10r3657: More netlogon torture. We now test both function calls (SamLogon and ↵Andrew Bartlett1-43/+102
SamLogonWithFlags). Andrew Bartlett (This used to be commit 7937503849125e8a351abd547accab3715fc8b13)
2007-10-10r3653: Move Interactive login tests up with the rest of the logon tests.Andrew Bartlett1-71/+126
(Hmm, this whole section should be broken out into a new file, I think). Add new tests, particularly of the LM key for NTLMv2 responses, and the (changed, apparently) session key for LMv2 only logins. Next is to add SAMR modification and cross-validation. Andrew Bartlett (This used to be commit be99ee4719a98c3fca13136d0c72f18a852fbd4e)
2007-10-10r3557: Use a switch, not a series of if/else if statements.Andrew Bartlett1-8/+11
Andrew Bartlett (This used to be commit fb7bc73f581c8b13041a91a115b4932f76b00ca7)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3428: switched to using minimal includes for the auto-generated RPC code.Andrew Tridgell1-0/+1
The thing that finally convinced me that minimal includes was worth pursuing for rpc was a compiler (tcc) that failed to build Samba due to reaching internal limits of the size of include files. Also the fact that includes.h.gch was 16MB, which really seems excessive. This patch brings it back to 12M, which is still too large, but better. Note that this patch speeds up compile times for both the pch and non-pch case. This change also includes the addition iof a "depends()" option in our IDL files, allowing you to specify that one IDL file depends on another. This capability was needed for the auto-includes generation. (This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49)
2007-10-10r3324: made the smbtorture code completely warning freeAndrew Tridgell1-1/+1
(This used to be commit 7067bb9b52223cafa28470f264f0b60646a07a01)
2007-10-10r3104: My Win2k3 server, with current updates, still sends the LM key for ↵Andrew Bartlett1-1/+1
level 6. I'm not quite sure what's going on here, but adjust expected values till I can find out how to reproduce this the other way... Andrew Bartlett (This used to be commit 3f0f6b38f2401e3654f73f46a22d5c10fbacaeca)
2007-10-10r2857: this commit gets rid of smb_ucs2_t, wpstring and fpstring, plus lots ↵Andrew Tridgell1-4/+3
of associated functions. The motivation for this change was to avoid having to convert to/from ucs2 strings for so many operations. Doing that was slow, used many static buffers, and was also incorrect as it didn't cope properly with unicode codepoints above 65536 (which could not be represented correctly as smb_ucs2_t chars) The two core functions that allowed this change are next_codepoint() and push_codepoint(). These functions allow you to correctly walk a arbitrary multi-byte string a character at a time without converting the whole string to ucs2. While doing this cleanup I also fixed several ucs2 string handling bugs. See the commit for details. The following code (which counts the number of occuraces of 'c' in a string) shows how to use the new interface: size_t count_chars(const char *s, char c) { size_t count = 0; while (*s) { size_t size; codepoint_t c2 = next_codepoint(s, &size); if (c2 == c) count++; s += size; } return count; } (This used to be commit 814881f0e50019196b3aa9fbe4aeadbb98172040)
2007-10-10r2552: Character set conversion and string handling updates.Andrew Bartlett1-5/+3
The intial motivation for this commit was to merge in some of the bugfixes present in Samba3's chrcnv and string handling code into Samba4. However, along the way I found a lot of unused functions, and decided to do a bit more... The strlen_m code now does not use a fixed buffer, but more work is needed to finish off other functions in str_util.c. These fixed length buffers hav caused very nasty, hard to chase down bugs at some sites. The strupper_m() function has a strupper_talloc() to replace it (we need to go around and fix more uses, but it's a start). Use of these new functions will avoid bugs where the upper or lowercase version of a string is a different length. I have removed the push_*_allocate functions, which are replaced by calls to push_*_talloc. Likewise, pstring and other 'fixed length' wrappers are removed, where possible. I have removed the first ('base pointer') argument, used by push_ucs2, as the Samba4 way of doing things ensures that this is always on an even boundary anyway. (It was used in only one place, in any case). (This used to be commit dfecb0150627b500cb026b8a4932fe87902ca392)
2007-10-10r2443: check return code of event_loop_once() to catch thet cases where the ↵Stefan Metzmacher1-1/+3
server closes the connetion and we got EBADF from select() and event_loop_once() fails metze (This used to be commit 9c0e50a6f3d628156b4543d5ded89e06be696f64)
2007-10-10r2220: Updates to the NETLOGON torture test. This copes with 'long'Andrew Bartlett1-125/+146
passwords - where the LM hash is invalid. Also, we now drive all the logon levels and validation levels from the outer loop, so we can check the expected return values (rather than overwriting them). Andrew Bartlett (This used to be commit f7f7c3de23ffb042f7cf7b4fa42b6b18c205719d)
2007-10-10r2185: add a callback function to the dcerpc async APIAndrew Tridgell1-4/+20
also add a demonstration of its use in the netlogon async example (This used to be commit f2a0438c66b999189c1a2ad726e91efd0748eb90)