From 9d1954c25d646c46daa38c3f96f4c4029b9bb417 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Feb 2006 00:07:59 +0000 Subject: r13583: Realise that the member server name appears in all calls that use the credentials. Consistantly rename these elements in the IDL to computer_name. Fix the server-side code to always lookup by this name. Add new, even nastier tests to RPC-SCHANNEL to prove this. Andrew Bartlett (This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a) --- source4/torture/rpc/netlogon.c | 5 ++--- source4/torture/rpc/samlogon.c | 8 ++++---- source4/torture/rpc/samsync.c | 2 +- source4/torture/rpc/schannel.c | 30 +++++++++++++++++++++++++++--- 4 files changed, 34 insertions(+), 11 deletions(-) (limited to 'source4/torture/rpc') diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 7919e7c441..79e85cce57 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -539,7 +539,7 @@ BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials); r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = cli_credentials_get_workstation(credentials); + r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = 2; @@ -564,7 +564,6 @@ BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, printf("Credential chaining failed\n"); ret = False; } - } r.in.credential = NULL; @@ -573,7 +572,7 @@ BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.validation_level = i; - printf("Testing SamLogon with validation level %d\n", i); + printf("Testing SamLogon with validation level %d and a NULL credential\n", i); status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 69c9ff6ea9..03bec56ab6 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -1335,17 +1335,17 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, generate_random_buffer(samlogon_state.chall.data, 8); samlogon_state.r_flags.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r_flags.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r_flags.in.credential = &samlogon_state.auth; samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2; samlogon_state.r_flags.in.flags = 0; samlogon_state.r_ex.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_ex.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r_ex.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r_ex.in.flags = 0; samlogon_state.r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r.in.computer_name = TEST_MACHINE_NAME; samlogon_state.r.in.credential = &samlogon_state.auth; samlogon_state.r.in.return_authenticator = &samlogon_state.auth2; @@ -1415,7 +1415,7 @@ BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(fn_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = TEST_MACHINE_NAME; + r.in.computer_name = TEST_MACHINE_NAME; r.in.credential = &a; r.in.return_authenticator = &ra; r.in.logon_level = 5; diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index afa47e5932..f0f19f0818 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -77,7 +77,7 @@ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, } r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = workstation; + r.in.computer_name = workstation; r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = 2; diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 80b223656d..3ad781c145 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -85,7 +85,7 @@ BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials); r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = cli_credentials_get_workstation(credentials); + r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.logon_level = 2; r.in.logon.network = &ninfo; r.in.flags = 0; @@ -238,6 +238,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p = NULL; struct dcerpc_pipe *p_netlogon = NULL; struct dcerpc_pipe *p_netlogon2 = NULL; + struct dcerpc_pipe *p_netlogon3 = NULL; struct dcerpc_pipe *p_samr2 = NULL; struct dcerpc_pipe *p_lsa = NULL; struct creds_CredentialState *creds; @@ -395,14 +396,37 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, /* Try the schannel-only SamLogonEx operation */ if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) { - printf("Failed to process schannel secured NETLOGON EX ops\n"); + printf("Failed to process schannel secured NETLOGON EX ops (on fresh connection)\n"); ret = False; } /* And the more traditional style, proving that the * credentials chaining state is fully present */ if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) { - printf("Failed to process schannel secured NETLOGON EX ops\n"); + printf("Failed to process schannel secured NETLOGON ops (on fresh connection)\n"); + ret = False; + } + + /* Drop the socket, we want to start from scratch (again) */ + talloc_free(p_samr2); + + /* We don't want schannel for this test */ + b->flags &= ~DCERPC_AUTH_OPTIONS; + + status = dcerpc_pipe_connect_b(test_ctx, &p_netlogon3, b, &dcerpc_table_netlogon, + credentials, NULL); + if (!NT_STATUS_IS_OK(status)) { + printf("Failed to connect without schannel: %s\n", nt_errstr(status)); + goto failed; + } + + if (test_netlogon_ex_ops(p_netlogon3, test_ctx, credentials, creds)) { + printf("Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)\n"); + ret = False; + } + + if (!test_netlogon_ops(p_netlogon3, test_ctx, credentials, creds)) { + printf("Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth\n"); ret = False; } -- cgit