From 7b1d6a6a0568a62943877c61d95f6d7bb1fd1d1d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 2 Aug 2011 13:17:24 +1000 Subject: selftest: test plugin_s4_dc against all ncacn_np tests Changes to the s3 epmapper behaviour seem to have fixed the rest of these tests. Andrew Bartlett --- source3/auth/auth.c | 3 ++- source3/auth/auth_ntlmssp.c | 36 ++++++++++++++++++++++++++++++++++++ source3/auth/auth_samba4.c | 1 + source3/auth/proto.h | 2 ++ source3/include/auth.h | 2 ++ source3/librpc/rpc/dcerpc.h | 2 ++ source4/selftest/tests.py | 2 +- 7 files changed, 46 insertions(+), 2 deletions(-) diff --git a/source3/auth/auth.c b/source3/auth/auth.c index f2cd703297..4e413b1de5 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -462,9 +462,10 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx, /* Look for the first module to provide a start_gensec hook, and set that if provided */ for (method = (*auth_context)->auth_method_list; method; method = method->next) { - if (method->prepare_gensec && method->gensec_start_mech_by_oid) { + if (method->prepare_gensec) { (*auth_context)->prepare_gensec = method->prepare_gensec; (*auth_context)->gensec_start_mech_by_oid = method->gensec_start_mech_by_oid; + (*auth_context)->gensec_start_mech_by_authtype = method->gensec_start_mech_by_authtype; break; } } diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index e52cf9209d..cccb319ccc 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -27,6 +27,7 @@ #include "../librpc/gen_ndr/netlogon.h" #include "../lib/tsocket/tsocket.h" #include "auth/gensec/gensec.h" +#include "librpc/rpc/dcerpc.h" NTSTATUS auth_ntlmssp_session_info(TALLOC_CTX *mem_ctx, struct auth_ntlmssp_state *auth_ntlmssp_state, 
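Review bot: Relaxing the selection test to `method->prepare_gensec` alone means the chosen module may leave `gensec_start_mech_by_oid` and the new `gensec_start_mech_by_authtype` NULL on the auth_context, and the loop still `break`s on that first match, so a later module that offers the full set of hooks is never considered. The new auth_generic_authtype_start() elsewhere in this patch does NULL-check its pointer before dispatching, but whether every existing caller of `gensec_start_mech_by_oid` does the same is not visible here. If the relaxation is intentional, say so where the pointers are copied, e.g. `/* Start hooks may be NULL for this module; callers must check before dispatching. */`; otherwise keep requiring at least one of the two start hooks in the condition. The enclosing make_auth_context_text_list() starts and ends outside the hunk.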
@@ -290,6 +291,41 @@ NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const return NT_STATUS_OK; } +NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state, + uint8_t auth_type, uint8_t auth_level) +{ + if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype) { + return auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security, + auth_type, auth_level); + } + + if (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { + /* The caller will then free the auth_ntlmssp_state, + * undoing what was done in auth_ntlmssp_prepare(). + * + * We can't do that logic here, as + * auth_ntlmssp_want_feature() may have been called in + * between. + */ + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SIGN); + } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + /* Always implies both sign and seal for ntlmssp */ + auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL); + } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) { + /* Default features */ + } else { + DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n", + auth_level)); + return NT_STATUS_INVALID_PARAMETER; + } + + return NT_STATUS_OK; +} + NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state) { return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP); diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c index 2c9a6a0f8c..7315c1621b 100644 --- a/source3/auth/auth_samba4.c +++ b/source3/auth/auth_samba4.c @@ -187,6 +187,7 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context, result->auth = check_samba4_security; result->prepare_gensec = prepare_gensec; result->gensec_start_mech_by_oid = gensec_start_mech_by_oid; + result->gensec_start_mech_by_authtype = gensec_start_mech_by_authtype; *auth_method = result; return NT_STATUS_OK; 
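Review bot: In the fallback path of auth_generic_authtype_start(), after the auth_level checks the function returns NT_STATUS_OK having only recorded wanted features via auth_ntlmssp_want_feature(); unlike the `gensec_start_mech_by_authtype` branch above it, nothing starts the NTLMSSP mechanism, even though the neighbouring auth_ntlmssp_start() shows that takes `auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP)`. Unless the caller is expected to call auth_ntlmssp_start() itself afterwards (not visible in this hunk), the last line should be `return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);` so both paths leave the state in the same condition. Either way the function needs a header comment stating which path starts the mechanism and that on NT_STATUS_NOT_IMPLEMENTED the caller frees the state. The `/* Default features */` comment on the CONNECT branch is also worth sharpening to `/* CONNECT: no sign or seal feature requested */`, since that is the security-relevant consequence a reader needs.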
diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 239e8ff454..5dded1421c 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -76,6 +76,8 @@ NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address, struct auth_ntlmssp_state **auth_ntlmssp_state); NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state); NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const char *oid); +NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state, + uint8_t auth_type, uint8_t auth_level); /* The following definitions come from auth/auth_sam.c */ diff --git a/source3/include/auth.h b/source3/include/auth.h index f7422f0600..6721b1f188 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -88,6 +88,7 @@ struct auth_context { NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_context); NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string); + NTSTATUS (*gensec_start_mech_by_authtype)(struct gensec_security *gensec_context, uint8_t auth_type, uint8_t auth_level); }; typedef struct auth_methods @@ -113,6 +114,7 @@ typedef struct auth_methods NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_context); NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string); + NTSTATUS (*gensec_start_mech_by_authtype)(struct gensec_security *gensec_context, uint8_t auth_type, uint8_t auth_level); /* Used to keep tabs on things like the cli for SMB server authentication */ void *private_data; diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h index d7e8e0c193..be23e10130 100644 --- a/source3/librpc/rpc/dcerpc.h +++ b/source3/librpc/rpc/dcerpc.h @@ -39,6 +39,8 @@ struct NL_AUTH_MESSAGE; struct pipe_auth_data { enum dcerpc_AuthType auth_type; enum dcerpc_AuthLevel auth_level; + + bool gensec_hook; void *auth_ctx; 
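Review bot: The new `bool gensec_hook` field in struct pipe_auth_data is added without a comment, and nothing else in this patch reads or writes it (the diffstat shows only the two header lines for dcerpc.h), so its meaning and who sets it cannot be told from the change. A comment such as `bool gensec_hook; /* presumably: auth_ctx is a gensec-backed state — TODO(review) confirm */` would make the intent explicit until a user of the flag lands. Any site that allocates pipe_auth_data with plain talloc rather than talloc_zero will otherwise see an indeterminate value in this flag; those sites are outside this diff. The struct definition continues past the end of the hunk.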
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 538ec5d451..0902a3ec29 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -135,7 +135,7 @@ for bindoptions in ["seal,padcheck"] + validate_list + ["bigendian"]: #Plugin S4 DC tests (confirms named pipe auth forwarding). This can be expanded once kerberos is supported in the plugin DC # for bindoptions in ["seal,padcheck"] + validate_list + ["bigendian"]: - for t in [ "rpc.lsalookup", "rpc.lsa.secrets", "rpc.lsa-getuser", "rpc.handles", "rpc.asyncbind", "rpc.authcontext", "rpc.lsa"]: + for t in ncacn_np_tests: env = "plugin_s4_dc" transport = "ncacn_np" plantestsuite_loadlist("samba4.%s with %s" % (t, bindoptions), env, [valgrindify(smb4torture), "$LISTOPT", "%s:$SERVER[%s]" % (transport, bindoptions), '-U$USERNAME%$PASSWORD', '-W', '$DOMAIN', '-k', 'no', t]) -- cgit