path: root/source4/torture/rpc/samlogon.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r11370: Samba4 now passes its own RPC-SAMLOGON test again. | Andrew Bartlett | 1 | -6/+17
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
2007-10-10 | r11360: Pass down a flag indicating that this is an 'old password', and to | Andrew Bartlett | 1 | -18/+50
expect funny business. Andrew Bartlett (This used to be commit b2810bd702b14375ddc237ba39be0badbae20aa5)
2007-10-10 | r11355: Test for error returns when we don't specify the newly discovered | Andrew Bartlett | 1 | -0/+9
'workstation for account on NTLM' flag. Andrew Bartlett (This used to be commit aa5b6cf7c4cabd25655dc11d90d00c5faec67d6c)
2007-10-10 | r11352: Add newly discovered (via the radiator lists) flags for controlling | Andrew Bartlett | 1 | -14/+51
plaintext and machine account logins. Update tests to confirm this behaviour. Andrew Bartlett (This used to be commit a0ed41d379f4b15a7f44ca93de9907f02bada163)
2007-10-10 | r10847: Fix up new 'decrypt samlogon reply' routine to be more robust, and use | Andrew Bartlett | 1 | -57/+19
it in the RPC-SAMLOGON test. Andrew Bartlett (This used to be commit 675b7df2eedbcb7ea89c0411f76429d8e2357222)
2007-10-10 | r10805: Move RPC-SAMLOGON to C99 initialisation | Andrew Bartlett | 1 | -97/+97
Andrew Bartlett (This used to be commit 0f994275ce5d84bdb746524c5da7d9661fbadb63)
2007-10-10 | r10703: Add a new user account, change the password and test it in the | Andrew Bartlett | 1 | -34/+125
SAMLOGON test. The semantics for the user account are very odd, the old password is still valid, but the session keys appear to be blanked out. Andrew Bartlett (This used to be commit bbfaf4821d81116efa91313655acb75d6f577953)
2007-10-10 | r10697: Change the torture join code to return a credentials structure, as | Andrew Bartlett | 1 | -25/+12
that is what most of the callers want anyway. Remove and re-add the account for the torture case, rather than just modify it. Test with a user account (needs work to change the password). Andrew Bartlett (This used to be commit 38bebef02454164cbe882347d80e03abee656205)
2007-10-10 | r10528: Add credentials.h back into includes.h as some compilers don't | Jelmer Vernooij | 1 | -1/+0
seem to be able to handle incomplete enum types. (This used to be commit 540155fad3c8e3d79fb631bb3f14273f82130a73)
2007-10-10 | r10510: Decrease the amount of data included by includes.h a bit | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 03647e1321cf6c9bd6ced3945265f635e9468973)
2007-10-10 | r10440: Start passing against Win2k3 SP1 again, with the NTLMv2 changes | Andrew Bartlett | 1 | -1/+1
described on the list. I probably need to write more specific NTLMv2 success and failure mode tests. Andrew Bartlett (This used to be commit c4d608734a98277b1f761142eb3f89086b539847)
2007-10-10 | r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again. | Andrew Bartlett | 1 | -128/+230
I still have issues with Win2k3 SP1, and Samba4 doesn't pass its own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10 | r9728: A *major* update to the credentials system, to incorporate the | Andrew Bartlett | 1 | -4/+4
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10 | r9166: This checks more of auth subsystem in the PAC test. | Andrew Bartlett | 1 | -5/+8
Andrew Bartlett (This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f)
2007-10-10 | r8854: #if 0 out the right things this time. (Sorry about the build breakage) | Andrew Bartlett | 1 | -5/+3
Use "" for the no domain case. Andrew Bartlett (This used to be commit 4989ffe870408e9d9a9427b3cc79d756c94ed803)
2007-10-10 | r8852: fixed the build | Andrew Tridgell | 1 | -0/+2
andrew, please check (This used to be commit 0dda73add315e837defd7a705af988aca4cd4556)
2007-10-10 | r8846: Test yet more NTLMv2 combinations. | Andrew Bartlett | 1 | -30/+134
I can't get a few of the session key values right (and these tests are #if 0'ed out), but this expands the testing. Andrew Bartlett (This used to be commit e947c8a8f2a5cb458c708e902eabfca94d24d0f3)
2007-10-10 | r8824: Fix indentation, and don't send 'invalid' LM password. | Andrew Bartlett | 1 | -3/+7
Andrew Bartlett (This used to be commit a1c1aecc7e4688cb377ca9322238c27de8fdc69c)
2007-10-10 | r7757: Add NTLMv2 support to the NT1 Session setup (ie, not SPNEGO/NTLMSSP) | Andrew Bartlett | 1 | -2/+4
Session Setup code. Add a mem_ctx argument to a few of the NTLMv2 support functions, and add smb.conf options to control client NTLMv2 behaviour. Andrew Bartlett (This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28)
2007-10-10 | r7633: this patch started as an attempt to make the dcerpc code use a given | Andrew Tridgell | 1 | -1/+1
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that it's done, we could go back and use gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a caller's event context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10 | r7521: Remove useless loops from SAMLOGON test, which speeds it up a lot. | Andrew Bartlett | 1 | -16/+17
Andrew Bartlett (This used to be commit d74b7c20b6e547dba039992f69cea31b46d92286)
2007-10-10 | r6793: Move auth_sam to use the dnsDomain rather than the | Andrew Bartlett | 1 | -0/+6
soon-to-be-deprecated 'realm'. Add torture test for this behaviour. Andrew Bartlett (This used to be commit 6b9020661a13fd5ec6c5d1e21344d9f654978987)
2007-10-10 | r6565: Cludge, cludge, cludge... | Andrew Bartlett | 1 | -1/+3
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10 | r5941: Commit this patch much earlier than I would normally prefer, but | Andrew Bartlett | 1 | -22/+30
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses separate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues surrounding the new credentials framework: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10 | r5928: Use cli_credentials in: | Jelmer Vernooij | 1 | -13/+19
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
2007-10-10 | r5902: A rather large change... | Andrew Bartlett | 1 | -100/+135
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achieved by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propagated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the associated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10 | r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. These | Andrew Bartlett | 1 | -10/+77
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
2007-10-10 | r5298: - got rid of pstring.h from includes.h. This at least makes it a bit | Andrew Tridgell | 1 | -1/+1
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10 | r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the | Andrew Tridgell | 1 | -1/+1
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10 | r4675: Prevent global warming, and save tridge's sanity by short-cutting the | Andrew Bartlett | 1 | -4/+8
testsuite for all the different flag types. (We really only need to know if we are getting the session key crypto stuff right, and one call can tell us that). Andrew Bartlett (This used to be commit 8807498f6d3ff248c4d42bf18db45cfe25bd3b2f)
2007-10-10 | r4616: the first phase in the addition of proper support for | Andrew Tridgell | 1 | -1/+1
dcerpc_alter_context and multiple context_ids in the dcerpc client library. This stage does the following:
- split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has the context dependent part. This is similar to the layering in libcli_*() for SMB
- disable the current dcerpc_alter code. I've used a #warning until I get the 2nd phase finished. I don't know how portable #warning is, but it won't be long before I add full alter context support anyway, so it won't last long
- cleanup the allocation of dcerpc_pipe structures. The previous code was quite awkward.
(This used to be commit 4004c69937be7e5dae56f9567ca607f982d395d3)
2007-10-10 | r4614: Fix RPC-SAMLOGON, to use the workstation context (forgot to globally | Andrew Bartlett | 1 | -3/+4
replace). Andrew Bartlett (This used to be commit ddb54d4ea1610b38e011e2f217ded7b6278d5290)
2007-10-10 | r4610: You can't join as a BDC and test against trusted domains. This test | Andrew Bartlett | 1 | -1/+4
only needs WS privileges anyway. Andrew Bartlett (This used to be commit a093c4f98e833198ee59064b2cb9b9b45a188a59)
2007-10-10 | r4566: Fix Samba4 to pass its own RPC-SAMLOGON torture test. | Andrew Bartlett | 1 | -28/+34
Include RPC-SAMLOGON in the list of tests expected to pass.
Remove silly extra loops from the RPC-SAMLOGON test, which mostly just slowed things down. Andrew Bartlett (This used to be commit 518ca9fb695b0f9d480122a74a2159f7f17a3219)
2007-10-10 | r4510: Some more tests for RPC-NETLOGON, checking the idea that we could | Andrew Bartlett | 1 | -0/+147
combine the NTLM and LMv2 responses, for maximum compatibility from a client perspective, allowing access to servers that require NTLMv2, as well as those that don't support it. Currently, this is unfortunately not possible against Win2k3 (and Samba is being coded to match that behaviour at this point). Andrew Bartlett (This used to be commit 93b46ebe0f3cccd26b5ddd213553667e612c3701)
2007-10-10 | r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test. | Andrew Bartlett | 1 | -3/+8
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10 | r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 | Andrew Tridgell | 1 | -4/+2
in my compile (This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
2007-10-10 | r3959: fix compiler warnings | Stefan Metzmacher | 1 | -32/+32
metze (This used to be commit e28351f710525ca9863210974544a8b1a537e63a)
2007-10-10 | r3922: Add yet another NETLOGON RPC. This is another variant of SamLogon, | Andrew Bartlett | 1 | -25/+84
that works only on SCHANNEL secured connections (as it needs the implicit credentials). Fix some of the IDL. Andrew Bartlett (This used to be commit 90cd7b34cc18e758e939e0183281b7a517d728f0)
2007-10-10 | r3904: * Add new LSA calls to open trusted domains | Andrew Bartlett | 1 | -1/+1
* Add new tests for ACCOUNTs in SamSync
* Clean up names in NETLOGON and LSA
* Verify Security Descriptors against LSA, as well as SamR
Andrew Bartlett (This used to be commit 7094502fe0346255a89667f702289b4c8dc9fa08)
2007-10-10 | r3680: Move the multiple runs of this test into a loop. Also check that no | Andrew Bartlett | 1 | -62/+36
flags individually have an impact (above what we already expect). Andrew Bartlett (This used to be commit 68dd173dc0539f290f40ee90f398591409765932)
2007-10-10 | r3679: We now know a few more of the Netlogon negotiate flags. | Andrew Bartlett | 1 | -6/+31
Interestingly, all the interesting flags are a '4' (as hex digits in the flag). Andrew Bartlett (This used to be commit 295e09fa3ea2cae48da1e934c1ec180e5678f0c9)
2007-10-10 | r3677: Separate the SamLogon tests from the main RPC-NETLOGON test into a | Andrew Bartlett | 1 | -0/+1085
RPC-SAMLOGON of their own. I have expanded the tests to validate the use of various flags, which change some of the crypto behaviour. Andrew Bartlett (This used to be commit 3a140a3691ce49ebf4d1efcb99cfffd26c68a28f)