From c46b658eecdb33c11b00c3059210fb0846373c9b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 6 Aug 2005 23:07:21 +0000 Subject: r9166: This checks more of auth subsystem in the PAC test. Andrew Bartlett (This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f) --- source4/torture/auth/pac.c | 134 +++++++++++++++++++++++++++++++++++------ source4/torture/rpc/samlogon.c | 13 ++-- source4/torture/rpc/xplogin.c | 117 +++++++---------------------------- 3 files changed, 147 insertions(+), 117 deletions(-) (limited to 'source4/torture') diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 74a31af890..43a9fd44b5 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void) TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check"); DATA_BLOB tmp_blob; struct PAC_DATA *pac_data; + struct PAC_LOGON_INFO *logon_info; + union netr_Validation validation; /* Generate a nice, arbitary keyblock */ uint8_t server_bytes[16]; @@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void) struct smb_krb5_context *smb_krb5_context; struct auth_serversupplied_info *server_info; + struct auth_serversupplied_info *server_info_out; ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context); @@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void) server_bytes, sizeof(server_bytes), &server_keyblock); if (ret) { - DEBUG(1, ("Server Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); - + printf("Server Keyblock encoding failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx)); + talloc_free(mem_ctx); return False; } @@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void) krbtgt_bytes, sizeof(krbtgt_bytes), &krbtgt_keyblock); if (ret) { - DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); - + printf("KRBTGT Keyblock encoding failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx)); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); talloc_free(mem_ctx); @@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void) &tmp_blob); if (ret) { - DEBUG(1, ("PAC encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); + printf("PAC encoding failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx)); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); @@ -126,18 +129,64 @@ static BOOL torture_pac_self_check(void) &krbtgt_keyblock, &server_keyblock); + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + DEBUG(1, ("PAC decoding failed: %s\n", + nt_errstr(nt_status))); + + talloc_free(mem_ctx); + return False; + } + + /* Now check that we can read it back */ + nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, + tmp_blob, + smb_krb5_context, + &krbtgt_keyblock, + &server_keyblock); + + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + printf("PAC decoding (for logon info) failed: %s\n", + nt_errstr(nt_status)); + + talloc_free(mem_ctx); + return False; + } + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - if (ret) { - DEBUG(1, ("PAC decoding failed: %s\n", - nt_errstr(nt_status))); + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(mem_ctx, + "", + 3, &validation, + &server_info_out); + if (!NT_STATUS_IS_OK(nt_status)) { + printf("PAC decoding (make server info) failed: %s\n", + nt_errstr(nt_status)); + talloc_free(mem_ctx); return False; } - + + if (!dom_sid_equal(server_info->account_sid, + server_info_out->account_sid)) { + printf("PAC Decode resulted in *different* domain SID: %s != %s\n", + dom_sid_string(mem_ctx, server_info->account_sid), + dom_sid_string(mem_ctx, server_info_out->account_sid)); + talloc_free(mem_ctx); + return False; + } + talloc_free(mem_ctx); return True; } @@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void) TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check"); DATA_BLOB tmp_blob, validate_blob; struct PAC_DATA *pac_data; + struct PAC_LOGON_INFO *logon_info; + union netr_Validation validation; + + struct auth_serversupplied_info *server_info_out; + krb5_keyblock server_keyblock; krb5_keyblock krbtgt_keyblock; uint8_t server_bytes[16]; @@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void) } tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac)); - + /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/ - + dump_data(10,tmp_blob.data,tmp_blob.length); /* Decode and verify the signaure on the PAC */ @@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void) return False; } + /* Parse the PAC again, for the logon info this time */ + nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, + tmp_blob, + smb_krb5_context, + &krbtgt_keyblock, + &server_keyblock); + + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + printf("PAC decoding (for logon info) failed: %s\n", + nt_errstr(nt_status)); + + talloc_free(mem_ctx); + return False; + } + + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(mem_ctx, + "", + 3, &validation, + &server_info_out); + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + + printf("PAC decoding (make server info) failed: %s\n", + nt_errstr(nt_status)); + + talloc_free(mem_ctx); + return False; + } + + if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), + server_info_out->account_sid)) { + printf("PAC Decode resulted in *different* domain SID: %s != %s\n", + "S-1-5-21-3048156945-3961193616-3706469200-1005", + dom_sid_string(mem_ctx, server_info_out->account_sid)); + talloc_free(mem_ctx); + return False; + } + ret = kerberos_encode_pac(mem_ctx, pac_data, smb_krb5_context->krb5_context, diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index e219e9c140..607dbaec8a 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -1259,10 +1259,11 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, /* test an ADS style interactive domain logon */ -static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, - const char *account_domain, const char *account_name, - const char *plain_pass) +BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + struct creds_CredentialState *creds, + const char *workstation_name, + const char *account_domain, const char *account_name, + const char *plain_pass) { NTSTATUS status; TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context"); @@ -1290,7 +1291,7 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, pinfo.identity_info.logon_id_low = 0; pinfo.identity_info.logon_id_high = 0; pinfo.identity_info.account_name.string = account_name; - pinfo.identity_info.workstation.string = TEST_MACHINE_NAME; + pinfo.identity_info.workstation.string = workstation_name; if (!E_deshash(plain_pass, pinfo.lmpassword.hash)) { ZERO_STRUCT(pinfo.lmpassword.hash); @@ -1491,6 +1492,7 @@ BOOL torture_rpc_samlogon(void) for (ci = 0; ci < ARRAY_SIZE(usercreds); ci++) { if (!test_InteractiveLogon(p, mem_ctx, creds, + TEST_MACHINE_NAME, usercreds[ci].domain, usercreds[ci].username, usercreds[ci].password)) { @@ -1514,6 +1516,7 @@ BOOL torture_rpc_samlogon(void) for (i=0; i < ARRAY_SIZE(credential_flags); i++) { if (!test_InteractiveLogon(p, mem_ctx, creds, + TEST_MACHINE_NAME, usercreds[0].domain, usercreds[0].username, usercreds[0].password)) { diff --git a/source4/torture/rpc/xplogin.c b/source4/torture/rpc/xplogin.c index c841267d97..acf7a41657 100644 --- a/source4/torture/rpc/xplogin.c +++ b/source4/torture/rpc/xplogin.c @@ -29,6 +29,7 @@ #include "libcli/composite/composite.h" #if 0 + static NTSTATUS after_negprot(struct smbcli_transport **dst_transport, const char *dest_host, uint16_t port, const char *my_name) @@ -501,79 +502,6 @@ static NTSTATUS setup_netlogon_creds(struct smbcli_transport *transport, return NT_STATUS_OK; } -static NTSTATUS torture_samlogon(struct dcerpc_pipe *p, - struct creds_CredentialState *netlogon_creds, - const char *workstation, - const char *domain, - const char *username, - const char *password) -{ - TALLOC_CTX *mem_ctx; - struct netr_LogonSamLogon log; - struct netr_NetworkInfo ninfo; - struct netr_Authenticator auth, auth2; - uint8_t user_session_key[16]; - DATA_BLOB ntlmv2_response = data_blob(NULL, 0); - DATA_BLOB lmv2_response = data_blob(NULL, 0); - DATA_BLOB names_blob; - DATA_BLOB chall; - NTSTATUS status; - - mem_ctx = talloc_init("torture_samlogon"); - - ZERO_STRUCT(user_session_key); - - printf("testing netr_LogonSamLogon\n"); - - log.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", - dcerpc_server_name(p)); - log.in.workstation = workstation; - log.in.credential = &auth; - log.in.return_authenticator = &auth2; - log.in.validation_level = 3; - log.in.logon_level = 2; - log.in.logon.network = &ninfo; - - chall = data_blob_talloc(mem_ctx, NULL, 8); - generate_random_buffer(chall.data, 8); - - names_blob = NTLMv2_generate_names_blob(mem_ctx, workstation, - lp_workgroup()); - ZERO_STRUCT(user_session_key); - - if (!SMBNTLMv2encrypt(username, domain, password, - &chall, &names_blob, - &lmv2_response, &ntlmv2_response, - NULL, NULL)) { - data_blob_free(&names_blob); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - data_blob_free(&names_blob); - - ninfo.identity_info.domain_name.string = domain; - ninfo.identity_info.parameter_control = 0; - ninfo.identity_info.logon_id_low = 0; - ninfo.identity_info.logon_id_high = 0; - ninfo.identity_info.account_name.string = username; - ninfo.identity_info.workstation.string = workstation; - memcpy(ninfo.challenge, chall.data, 8); - ninfo.nt.data = ntlmv2_response.data; - ninfo.nt.length = ntlmv2_response.length; - ninfo.lm.data = NULL; - ninfo.lm.length = 0; - - ZERO_STRUCT(auth2); - creds_client_authenticator(netlogon_creds, &auth); - - log.out.return_authenticator = NULL; - status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &log); - talloc_free(mem_ctx); - data_blob_free(&lmv2_response); - data_blob_free(&ntlmv2_response); - return status; -} - static NTSTATUS test_getgroups(struct smbcli_transport *transport, const char *name) { @@ -659,7 +587,7 @@ static NTSTATUS test_getgroups(struct smbcli_transport *transport, { struct samr_LookupNames l; - struct samr_String samr_name; + struct lsa_String samr_name; struct samr_OpenUser o; samr_name.string = name; @@ -832,7 +760,7 @@ static NTSTATUS test_getallsids(struct smbcli_transport *transport, { struct samr_LookupNames l; - struct samr_String samr_name; + struct lsa_String samr_name; struct samr_OpenUser o; samr_name.string = name; @@ -1038,22 +966,20 @@ static BOOL xp_login(const char *dcname, const char *wksname, if (!NT_STATUS_IS_OK(status)) return False; - status = torture_samlogon(netlogon_schannel_pipe, - netlogon_creds, wksname, domain, - user1name, user1pw); - - if (!NT_STATUS_IS_OK(status)) - return False; - + if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx, + netlogon_creds, wksname, domain, + user1name, user1pw)) { + return False; + } + talloc_free(netlogon_pipe); - status = torture_samlogon(netlogon_schannel_pipe, - netlogon_creds, wksname, domain, - user2name, user2pw); - - if (!NT_STATUS_IS_OK(status)) - return False; - + if (!test_InteractiveLogon(netlogon_schannel_pipe, mem_ctx, + netlogon_creds, wksname, domain, + user1name, user1pw)) { + return False; + } + status = test_getgroups(transport, user2name); if (!NT_STATUS_IS_OK(status)) @@ -1093,8 +1019,6 @@ static BOOL xp_login(const char *dcname, const char *wksname, return True; } -#endif - struct user_pw { const char *username; const char *password; @@ -1112,10 +1036,8 @@ static const struct user_pw machines[] = { BOOL torture_rpc_login(void) { -#if 0 const char *pdcname = "pdcname"; const char *domainname = "domain"; -#endif int useridx1 = rand() % ARRAY_SIZE(users); int useridx2 = rand() % ARRAY_SIZE(users); @@ -1125,13 +1047,18 @@ BOOL torture_rpc_login(void) users[useridx1].username, users[useridx2].username); -#if 0 return xp_login(pdcname, machines[machidx].username, domainname, machines[machidx].password, users[useridx1].username, users[useridx1].password, users[useridx2].username, users[useridx2].password); -#endif return False; } +#else + +BOOL torture_rpc_login(void) +{ + return False; +} +#endif -- cgit