From d2b08b56c152c82446bec58f00d38ae59a71ca50 Mon Sep 17 00:00:00 2001 From: Benjamin Franzke Date: Mon, 28 Oct 2013 14:21:20 +0100 Subject: s4:torture/ldap: Add test for netlogon over tcp This patch moves the udp netlogon tests from cldap.c to netlogon.c and passes a generic netlogon-send function as parameter. Therefore a tcp replacement for cldap_netlogon is also added. The two variants tcp and udp are added as 2 new torture tests: ldap.netlogon-udp & ldap.netlogon-tcp Both tests succeed. --- source4/torture/ldap/cldap.c | 329 --------------------------- source4/torture/ldap/common.c | 2 + source4/torture/ldap/netlogon.c | 480 ++++++++++++++++++++++++++++++++++++++++ source4/torture/wscript_build | 2 +- 4 files changed, 483 insertions(+), 330 deletions(-) create mode 100644 source4/torture/ldap/netlogon.c (limited to 'source4/torture') diff --git a/source4/torture/ldap/cldap.c b/source4/torture/ldap/cldap.c index fc8c337ff3..90c11958eb 100644 --- a/source4/torture/ldap/cldap.c +++ b/source4/torture/ldap/cldap.c @@ -24,7 +24,6 @@ #include "includes.h" #include "libcli/cldap/cldap.h" #include "libcli/ldap/ldap_client.h" -#include "librpc/gen_ndr/netlogon.h" #include "param/param.h" #include "../lib/tsocket/tsocket.h" @@ -36,332 +35,6 @@ #define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value"); #define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value"); -/* - test netlogon operations -*/ -static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest) -{ - struct cldap_socket *cldap; - NTSTATUS status; - struct cldap_netlogon search, empty_search; - struct netlogon_samlogon_response n1; - struct GUID guid; - int i; - struct tsocket_address *dest_addr; - int ret; - - ret = tsocket_address_inet_from_strings(tctx, "ip", - dest, - lpcfg_cldap_port(tctx->lp_ctx), - &dest_addr); - CHECK_VAL(ret, 0); - - status = cldap_socket_init(tctx, NULL, dest_addr, &cldap); - CHECK_STATUS(status, NT_STATUS_OK); - - ZERO_STRUCT(search); - search.in.dest_address = NULL; - search.in.dest_port = 0; - search.in.acct_control = -1; - search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX; - search.in.map_response = true; - - empty_search = search; - - printf("Trying without any attributes\n"); - search = empty_search; - status = cldap_netlogon(cldap, tctx, &search); - CHECK_STATUS(status, NT_STATUS_OK); - - n1 = search.out.netlogon; - - search.in.user = "Administrator"; - search.in.realm = n1.data.nt5_ex.dns_domain; - search.in.host = "__cldap_torture__"; - - printf("Scanning for netlogon levels\n"); - for (i=0;i<256;i++) { - search.in.version = i; - printf("Trying netlogon level %d\n", i); - status = cldap_netlogon(cldap, tctx, &search); - CHECK_STATUS(status, NT_STATUS_OK); - } - - printf("Scanning for netlogon level bits\n"); - for (i=0;i<31;i++) { - search.in.version = (1<lp_ctx), - &dest_addr); - CHECK_VAL(ret, 0); - - /* cldap_socket_init should now know about the dest. address */ - status = cldap_socket_init(tctx, NULL, dest_addr, &cldap); - CHECK_STATUS(status, NT_STATUS_OK); - - printf("Printing out netlogon server type flags: %s\n", dest); - - ZERO_STRUCT(search); - search.in.dest_address = NULL; - search.in.dest_port = 0; - search.in.acct_control = -1; - search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX; - search.in.map_response = true; - - status = cldap_netlogon(cldap, tctx, &search); - CHECK_STATUS(status, NT_STATUS_OK); - - n1 = search.out.netlogon; - if (n1.ntver == NETLOGON_NT_VERSION_5) - server_type = n1.data.nt5.server_type; - else if (n1.ntver == NETLOGON_NT_VERSION_5EX) - server_type = n1.data.nt5_ex.server_type; - - printf("The word is: %i\n", server_type); - if (server_type & NBT_SERVER_PDC) - printf("NBT_SERVER_PDC "); - if (server_type & NBT_SERVER_GC) - printf("NBT_SERVER_GC "); - if (server_type & NBT_SERVER_LDAP) - printf("NBT_SERVER_LDAP "); - if (server_type & NBT_SERVER_DS) - printf("NBT_SERVER_DS "); - if (server_type & NBT_SERVER_KDC) - printf("NBT_SERVER_KDC "); - if (server_type & NBT_SERVER_TIMESERV) - printf("NBT_SERVER_TIMESERV "); - if (server_type & NBT_SERVER_CLOSEST) - printf("NBT_SERVER_CLOSEST "); - if (server_type & NBT_SERVER_WRITABLE) - printf("NBT_SERVER_WRITABLE "); - if (server_type & NBT_SERVER_GOOD_TIMESERV) - printf("NBT_SERVER_GOOD_TIMESERV "); - if (server_type & NBT_SERVER_NDNC) - printf("NBT_SERVER_NDNC "); - if (server_type & NBT_SERVER_SELECT_SECRET_DOMAIN_6) - printf("NBT_SERVER_SELECT_SECRET_DOMAIN_6"); - if (server_type & NBT_SERVER_FULL_SECRET_DOMAIN_6) - printf("NBT_SERVER_FULL_SECRET_DOMAIN_6"); - if (server_type & DS_DNS_CONTROLLER) - printf("DS_DNS_CONTROLLER "); - if (server_type & DS_DNS_DOMAIN) - printf("DS_DNS_DOMAIN "); - if (server_type & DS_DNS_FOREST_ROOT) - printf("DS_DNS_FOREST_ROOT "); - - printf("\n"); - - return true; -} /* convert a ldap result message to a ldb message. This allows us to @@ -488,8 +161,6 @@ bool torture_cldap(struct torture_context *torture) bool ret = true; const char *host = torture_setting_string(torture, "host", NULL); - ret &= test_cldap_netlogon(torture, host); - ret &= test_cldap_netlogon_flags(torture, host); ret &= test_cldap_generic(torture, host); return ret; diff --git a/source4/torture/ldap/common.c b/source4/torture/ldap/common.c index 3af3d02491..a37af68e1f 100644 --- a/source4/torture/ldap/common.c +++ b/source4/torture/ldap/common.c @@ -136,6 +136,8 @@ NTSTATUS torture_ldap_init(void) torture_suite_add_simple_test(suite, "basic", torture_ldap_basic); torture_suite_add_simple_test(suite, "sort", torture_ldap_sort); torture_suite_add_simple_test(suite, "cldap", torture_cldap); + torture_suite_add_simple_test(suite, "netlogon-udp", torture_netlogon_udp); + torture_suite_add_simple_test(suite, "netlogon-tcp", torture_netlogon_tcp); torture_suite_add_simple_test(suite, "schema", torture_ldap_schema); torture_suite_add_simple_test(suite, "uptodatevector", torture_ldap_uptodatevector); torture_suite_add_simple_test(suite, "nested-search", test_ldap_nested_search); diff --git a/source4/torture/ldap/netlogon.c b/source4/torture/ldap/netlogon.c new file mode 100644 index 0000000000..950feac86d --- /dev/null +++ b/source4/torture/ldap/netlogon.c @@ -0,0 +1,480 @@ +/* + Unix SMB/CIFS mplementation. + + test CLDAP/LDAP netlogon operations + + Copyright (C) Andrew Tridgell 2005 + Copyright (C) Matthias Dieter Wallnöfer 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +*/ + +#include "includes.h" +#include "libcli/cldap/cldap.h" +#include "libcli/ldap/ldap_client.h" +#include "librpc/gen_ndr/netlogon.h" +#include "param/param.h" +#include "../lib/tsocket/tsocket.h" + +#include "torture/torture.h" +#include "torture/ldap/proto.h" + +#define CHECK_STATUS(status, correct) torture_assert_ntstatus_equal(tctx, status, correct, "incorrect status") + +#define CHECK_VAL(v, correct) torture_assert_int_equal(tctx, (v), (correct), "incorrect value"); + +#define CHECK_STRING(v, correct) torture_assert_str_equal(tctx, v, correct, "incorrect value"); + +typedef NTSTATUS (*request_netlogon_t)(void *cldap, + TALLOC_CTX *mem_ctx, + struct cldap_netlogon *io); + +/* + test netlogon operations +*/ +static bool test_ldap_netlogon(struct torture_context *tctx, + request_netlogon_t request_netlogon, + void *cldap, + const char *dest) +{ + NTSTATUS status; + struct cldap_netlogon search, empty_search; + struct netlogon_samlogon_response n1; + struct GUID guid; + int i; + + ZERO_STRUCT(search); + search.in.dest_address = NULL; + search.in.dest_port = 0; + search.in.acct_control = -1; + search.in.version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX; + search.in.map_response = true; + + empty_search = search; + + printf("Trying without any attributes\n"); + search = empty_search; + status = request_netlogon(cldap, tctx, &search); + CHECK_STATUS(status, NT_STATUS_OK); + + n1 = search.out.netlogon; + + search.in.user = "Administrator"; + search.in.realm = n1.data.nt5_ex.dns_domain; + search.in.host = "__cldap_torture__"; + + printf("Scanning for netlogon levels\n"); + for (i=0;i<256;i++) { + search.in.version = i; + printf("Trying netlogon level %d\n", i); + status = request_netlogon(cldap, tctx, &search); + CHECK_STATUS(status, NT_STATUS_OK); + } + + printf("Scanning for netlogon level bits\n"); + for (i=0;i<31;i++) { + search.in.version = (1<type = LDAP_TAG_SearchRequest; + msg->r.SearchRequest.basedn = ""; + msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE; + msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER; + msg->r.SearchRequest.timelimit = 0; + msg->r.SearchRequest.sizelimit = 0; + msg->r.SearchRequest.attributesonly = false; + msg->r.SearchRequest.tree = ldb_parse_tree(msg, filter); + msg->r.SearchRequest.num_attributes = 1; + msg->r.SearchRequest.attributes = (const char *[]) { "netlogon" }; + + req = ldap_request_send(conn, msg); + if (req == NULL) { + printf("Could not setup ldap search\n"); + return NT_STATUS_UNSUCCESSFUL; + } + + status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry); + if (!NT_STATUS_IS_OK(status)) { + /* Throw same error as cldap_netlogon. */ + if (NT_STATUS_EQUAL(status, NT_STATUS_UNEXPECTED_NETWORK_ERROR)) { + return NT_STATUS_NOT_FOUND; + } else { + return status; + } + } + + res = &result->r.SearchResultEntry; + if (res->num_attributes != 1 || + strcasecmp(res->attributes[0].name, "netlogon") != 0 || + res->attributes[0].num_values != 1 || + res->attributes[0].values->length < 2) { + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + + blob = res->attributes[0].values; + status = pull_netlogon_samlogon_response(blob, mem_ctx, + &io->out.netlogon); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (io->in.map_response) { + map_netlogon_samlogon_response(&io->out.netlogon); + } + + return NT_STATUS_OK; +} + +bool torture_netlogon_tcp(struct torture_context *tctx) +{ + const char *host = torture_setting_string(tctx, "host", NULL); + bool ret = true; + NTSTATUS status; + struct ldap_connection *conn; + TALLOC_CTX *mem_ctx; + const char *url; + + mem_ctx = talloc_init("torture_ldap_netlogon"); + + url = talloc_asprintf(mem_ctx, "ldap://%s/", host); + + status = torture_ldap_connection(tctx, &conn, url); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + ret &= test_ldap_netlogon(tctx, tcp_ldap_netlogon, conn, host); + ret &= test_ldap_netlogon_flags(tctx, tcp_ldap_netlogon, conn, host); + + return ret; +} + +static NTSTATUS udp_ldap_netlogon(void *data, + TALLOC_CTX *mem_ctx, + struct cldap_netlogon *io) +{ + struct cldap_socket *cldap = talloc_get_type(data, + struct cldap_socket); + + return cldap_netlogon(cldap, mem_ctx, io); +} + +bool torture_netlogon_udp(struct torture_context *tctx) +{ + const char *host = torture_setting_string(tctx, "host", NULL); + bool ret = true; + int r; + struct cldap_socket *cldap; + NTSTATUS status; + struct tsocket_address *dest_addr; + + r = tsocket_address_inet_from_strings(tctx, "ip", + host, + lpcfg_cldap_port(tctx->lp_ctx), + &dest_addr); + CHECK_VAL(r, 0); + + /* cldap_socket_init should now know about the dest. address */ + status = cldap_socket_init(tctx, NULL, dest_addr, &cldap); + CHECK_STATUS(status, NT_STATUS_OK); + + ret &= test_ldap_netlogon(tctx, udp_ldap_netlogon, cldap, host); + ret &= test_ldap_netlogon_flags(tctx, udp_ldap_netlogon, cldap, host); + + return ret; +} diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build index c3c997ada2..61c3a09148 100755 --- a/source4/torture/wscript_build +++ b/source4/torture/wscript_build @@ -108,7 +108,7 @@ bld.SAMBA_MODULE('TORTURE_UNIX', bld.SAMBA_MODULE('TORTURE_LDAP', - source='ldap/common.c ldap/basic.c ldap/schema.c ldap/uptodatevector.c ldap/cldap.c ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c', + source='ldap/common.c ldap/basic.c ldap/schema.c ldap/uptodatevector.c ldap/cldap.c ldap/netlogon.c ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c', subsystem='smbtorture', deps='cli-ldap cli_cldap samdb POPT_CREDENTIALS torture ldbsamba', internal_module=True, -- cgit