2
Unix SMB/CIFS implementation.
3
test suite for lsa rpc operations
5
Copyright (C) Andrew Tridgell 2003
6
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
#include "torture/torture.h"
24
#include "librpc/gen_ndr/ndr_lsa_c.h"
25
#include "librpc/gen_ndr/netlogon.h"
26
#include "librpc/gen_ndr/ndr_drsblobs.h"
27
#include "lib/events/events.h"
28
#include "libcli/security/security.h"
29
#include "libcli/auth/libcli_auth.h"
30
#include "torture/rpc/rpc.h"
31
#include "param/param.h"
32
#include "../lib/crypto/crypto.h"
33
#define TEST_MACHINENAME "lsatestmach"
35
static void init_lsa_String(struct lsa_String *name, const char *s)
40
static bool test_OpenPolicy(struct dcerpc_pipe *p,
41
struct torture_context *tctx)
43
struct lsa_ObjectAttribute attr;
44
struct policy_handle handle;
45
struct lsa_QosInfo qos;
46
struct lsa_OpenPolicy r;
48
uint16_t system_name = '\\';
50
printf("\nTesting OpenPolicy\n");
53
qos.impersonation_level = 2;
55
qos.effective_only = 0;
59
attr.object_name = NULL;
64
r.in.system_name = &system_name;
66
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
67
r.out.handle = &handle;
69
status = dcerpc_lsa_OpenPolicy(p, tctx, &r);
70
if (!NT_STATUS_IS_OK(status)) {
71
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
72
NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
73
printf("not considering %s to be an error\n", nt_errstr(status));
76
printf("OpenPolicy failed - %s\n", nt_errstr(status));
84
bool test_lsa_OpenPolicy2(struct dcerpc_pipe *p,
85
struct torture_context *tctx,
86
struct policy_handle **handle)
88
struct lsa_ObjectAttribute attr;
89
struct lsa_QosInfo qos;
90
struct lsa_OpenPolicy2 r;
93
printf("\nTesting OpenPolicy2\n");
95
*handle = talloc(tctx, struct policy_handle);
101
qos.impersonation_level = 2;
102
qos.context_mode = 1;
103
qos.effective_only = 0;
106
attr.root_dir = NULL;
107
attr.object_name = NULL;
109
attr.sec_desc = NULL;
112
r.in.system_name = "\\";
114
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
115
r.out.handle = *handle;
117
status = dcerpc_lsa_OpenPolicy2(p, tctx, &r);
118
if (!NT_STATUS_IS_OK(status)) {
119
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
120
NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
121
printf("not considering %s to be an error\n", nt_errstr(status));
122
talloc_free(*handle);
126
printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
134
static const char *sid_type_lookup(enum lsa_SidType r)
137
case SID_NAME_USE_NONE: return "SID_NAME_USE_NONE"; break;
138
case SID_NAME_USER: return "SID_NAME_USER"; break;
139
case SID_NAME_DOM_GRP: return "SID_NAME_DOM_GRP"; break;
140
case SID_NAME_DOMAIN: return "SID_NAME_DOMAIN"; break;
141
case SID_NAME_ALIAS: return "SID_NAME_ALIAS"; break;
142
case SID_NAME_WKN_GRP: return "SID_NAME_WKN_GRP"; break;
143
case SID_NAME_DELETED: return "SID_NAME_DELETED"; break;
144
case SID_NAME_INVALID: return "SID_NAME_INVALID"; break;
145
case SID_NAME_UNKNOWN: return "SID_NAME_UNKNOWN"; break;
146
case SID_NAME_COMPUTER: return "SID_NAME_COMPUTER"; break;
148
return "Invalid sid type\n";
151
static bool test_LookupNames(struct dcerpc_pipe *p,
152
struct torture_context *tctx,
153
struct policy_handle *handle,
154
struct lsa_TransNameArray *tnames)
156
struct lsa_LookupNames r;
157
struct lsa_TransSidArray sids;
158
struct lsa_RefDomainList *domains = NULL;
159
struct lsa_String *names;
164
printf("\nTesting LookupNames with %d names\n", tnames->count);
169
names = talloc_array(tctx, struct lsa_String, tnames->count);
170
for (i=0;i<tnames->count;i++) {
171
init_lsa_String(&names[i], tnames->names[i].name.string);
174
r.in.handle = handle;
175
r.in.num_names = tnames->count;
180
r.out.count = &count;
182
r.out.domains = &domains;
184
status = dcerpc_lsa_LookupNames(p, tctx, &r);
186
if (NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
187
NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
188
for (i=0;i< tnames->count;i++) {
189
if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
190
printf("LookupName of %s was unmapped\n",
191
tnames->names[i].name.string);
192
} else if (i >=count) {
193
printf("LookupName of %s failed to return a result\n",
194
tnames->names[i].name.string);
197
printf("LookupNames failed - %s\n", nt_errstr(status));
199
} else if (!NT_STATUS_IS_OK(status)) {
200
printf("LookupNames failed - %s\n", nt_errstr(status));
204
for (i=0;i< tnames->count;i++) {
205
if (i < count && sids.sids[i].sid_type != tnames->names[i].sid_type) {
206
printf("LookupName of %s got unexpected name type: %s\n",
207
tnames->names[i].name.string, sid_type_lookup(sids.sids[i].sid_type));
208
} else if (i >=count) {
209
printf("LookupName of %s failed to return a result\n",
210
tnames->names[i].name.string);
218
static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
219
struct torture_context *tctx,
220
struct policy_handle *handle)
222
struct lsa_LookupNames r;
223
struct lsa_TransSidArray sids;
224
struct lsa_RefDomainList *domains = NULL;
225
struct lsa_String *names;
230
struct lsa_TranslatedName name[2];
231
struct lsa_TransNameArray tnames;
235
name[0].name.string = "NT AUTHORITY\\BOGUS";
236
name[1].name.string = NULL;
238
printf("\nTesting LookupNames with bogus names\n");
243
names = talloc_array(tctx, struct lsa_String, tnames.count);
244
for (i=0;i<tnames.count;i++) {
245
init_lsa_String(&names[i], tnames.names[i].name.string);
248
r.in.handle = handle;
249
r.in.num_names = tnames.count;
254
r.out.count = &count;
256
r.out.domains = &domains;
258
status = dcerpc_lsa_LookupNames(p, tctx, &r);
259
if (!NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
260
printf("LookupNames failed - %s\n", nt_errstr(status));
269
static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
270
struct torture_context *tctx,
271
struct policy_handle *handle)
273
struct lsa_TranslatedName name;
274
struct lsa_TransNameArray tnames;
277
printf("Testing LookupNames with well known names\n");
279
tnames.names = &name;
281
name.name.string = "NT AUTHORITY\\SYSTEM";
282
name.sid_type = SID_NAME_WKN_GRP;
283
ret &= test_LookupNames(p, tctx, handle, &tnames);
285
name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
286
name.sid_type = SID_NAME_WKN_GRP;
287
ret &= test_LookupNames(p, tctx, handle, &tnames);
289
name.name.string = "NT AUTHORITY\\Authenticated Users";
290
name.sid_type = SID_NAME_WKN_GRP;
291
ret &= test_LookupNames(p, tctx, handle, &tnames);
294
name.name.string = "NT AUTHORITY";
295
ret &= test_LookupNames(p, tctx, handle, &tnames);
297
name.name.string = "NT AUTHORITY\\";
298
ret &= test_LookupNames(p, tctx, handle, &tnames);
301
name.name.string = "BUILTIN\\";
302
name.sid_type = SID_NAME_DOMAIN;
303
ret &= test_LookupNames(p, tctx, handle, &tnames);
305
name.name.string = "BUILTIN\\Administrators";
306
name.sid_type = SID_NAME_ALIAS;
307
ret &= test_LookupNames(p, tctx, handle, &tnames);
309
name.name.string = "SYSTEM";
310
name.sid_type = SID_NAME_WKN_GRP;
311
ret &= test_LookupNames(p, tctx, handle, &tnames);
313
name.name.string = "Everyone";
314
name.sid_type = SID_NAME_WKN_GRP;
315
ret &= test_LookupNames(p, tctx, handle, &tnames);
319
static bool test_LookupNames2(struct dcerpc_pipe *p,
320
struct torture_context *tctx,
321
struct policy_handle *handle,
322
struct lsa_TransNameArray2 *tnames,
325
struct lsa_LookupNames2 r;
326
struct lsa_TransSidArray2 sids;
327
struct lsa_RefDomainList *domains = NULL;
328
struct lsa_String *names;
333
printf("\nTesting LookupNames2 with %d names\n", tnames->count);
338
names = talloc_array(tctx, struct lsa_String, tnames->count);
339
for (i=0;i<tnames->count;i++) {
340
init_lsa_String(&names[i], tnames->names[i].name.string);
343
r.in.handle = handle;
344
r.in.num_names = tnames->count;
349
r.in.lookup_options = 0;
350
r.in.client_revision = 0;
351
r.out.count = &count;
353
r.out.domains = &domains;
355
status = dcerpc_lsa_LookupNames2(p, tctx, &r);
356
if (!NT_STATUS_IS_OK(status)) {
357
printf("LookupNames2 failed - %s\n", nt_errstr(status));
362
torture_assert_int_equal(tctx, count, sids.count,
363
"unexpected number of results returned");
364
if (sids.count > 0) {
365
torture_assert(tctx, sids.sids, "invalid sid buffer");
375
static bool test_LookupNames3(struct dcerpc_pipe *p,
376
struct torture_context *tctx,
377
struct policy_handle *handle,
378
struct lsa_TransNameArray2 *tnames,
381
struct lsa_LookupNames3 r;
382
struct lsa_TransSidArray3 sids;
383
struct lsa_RefDomainList *domains = NULL;
384
struct lsa_String *names;
389
printf("\nTesting LookupNames3 with %d names\n", tnames->count);
394
names = talloc_array(tctx, struct lsa_String, tnames->count);
395
for (i=0;i<tnames->count;i++) {
396
init_lsa_String(&names[i], tnames->names[i].name.string);
399
r.in.handle = handle;
400
r.in.num_names = tnames->count;
405
r.in.lookup_options = 0;
406
r.in.client_revision = 0;
407
r.out.count = &count;
409
r.out.domains = &domains;
411
status = dcerpc_lsa_LookupNames3(p, tctx, &r);
412
if (!NT_STATUS_IS_OK(status)) {
413
printf("LookupNames3 failed - %s\n", nt_errstr(status));
418
torture_assert_int_equal(tctx, count, sids.count,
419
"unexpected number of results returned");
420
if (sids.count > 0) {
421
torture_assert(tctx, sids.sids, "invalid sid buffer");
430
static bool test_LookupNames4(struct dcerpc_pipe *p,
431
struct torture_context *tctx,
432
struct lsa_TransNameArray2 *tnames,
435
struct lsa_LookupNames4 r;
436
struct lsa_TransSidArray3 sids;
437
struct lsa_RefDomainList *domains = NULL;
438
struct lsa_String *names;
443
printf("\nTesting LookupNames4 with %d names\n", tnames->count);
448
names = talloc_array(tctx, struct lsa_String, tnames->count);
449
for (i=0;i<tnames->count;i++) {
450
init_lsa_String(&names[i], tnames->names[i].name.string);
453
r.in.num_names = tnames->count;
458
r.in.lookup_options = 0;
459
r.in.client_revision = 0;
460
r.out.count = &count;
462
r.out.domains = &domains;
464
status = dcerpc_lsa_LookupNames4(p, tctx, &r);
465
if (!NT_STATUS_IS_OK(status)) {
466
printf("LookupNames4 failed - %s\n", nt_errstr(status));
471
torture_assert_int_equal(tctx, count, sids.count,
472
"unexpected number of results returned");
473
if (sids.count > 0) {
474
torture_assert(tctx, sids.sids, "invalid sid buffer");
484
static bool test_LookupSids(struct dcerpc_pipe *p,
485
struct torture_context *tctx,
486
struct policy_handle *handle,
487
struct lsa_SidArray *sids)
489
struct lsa_LookupSids r;
490
struct lsa_TransNameArray names;
491
struct lsa_RefDomainList *domains = NULL;
492
uint32_t count = sids->num_sids;
495
printf("\nTesting LookupSids\n");
500
r.in.handle = handle;
505
r.out.count = &count;
506
r.out.names = &names;
507
r.out.domains = &domains;
509
status = dcerpc_lsa_LookupSids(p, tctx, &r);
510
if (!NT_STATUS_IS_OK(status)) {
511
printf("LookupSids failed - %s\n", nt_errstr(status));
517
if (!test_LookupNames(p, tctx, handle, &names)) {
525
static bool test_LookupSids2(struct dcerpc_pipe *p,
526
struct torture_context *tctx,
527
struct policy_handle *handle,
528
struct lsa_SidArray *sids)
530
struct lsa_LookupSids2 r;
531
struct lsa_TransNameArray2 names;
532
struct lsa_RefDomainList *domains = NULL;
533
uint32_t count = sids->num_sids;
536
printf("\nTesting LookupSids2\n");
541
r.in.handle = handle;
548
r.out.count = &count;
549
r.out.names = &names;
550
r.out.domains = &domains;
552
status = dcerpc_lsa_LookupSids2(p, tctx, &r);
553
if (!NT_STATUS_IS_OK(status)) {
554
printf("LookupSids2 failed - %s\n", nt_errstr(status));
560
if (!test_LookupNames2(p, tctx, handle, &names, false)) {
564
if (!test_LookupNames3(p, tctx, handle, &names, false)) {
571
static bool test_LookupSids3(struct dcerpc_pipe *p,
572
struct torture_context *tctx,
573
struct lsa_SidArray *sids)
575
struct lsa_LookupSids3 r;
576
struct lsa_TransNameArray2 names;
577
struct lsa_RefDomainList *domains = NULL;
578
uint32_t count = sids->num_sids;
581
printf("\nTesting LookupSids3\n");
592
r.out.domains = &domains;
593
r.out.count = &count;
594
r.out.names = &names;
596
status = dcerpc_lsa_LookupSids3(p, tctx, &r);
597
if (!NT_STATUS_IS_OK(status)) {
598
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
599
NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
600
printf("not considering %s to be an error\n", nt_errstr(status));
603
printf("LookupSids3 failed - %s - not considered an error\n",
610
if (!test_LookupNames4(p, tctx, &names, false)) {
617
bool test_many_LookupSids(struct dcerpc_pipe *p,
618
struct torture_context *tctx,
619
struct policy_handle *handle)
623
struct lsa_SidArray sids;
626
printf("\nTesting LookupSids with lots of SIDs\n");
630
sids.sids = talloc_array(tctx, struct lsa_SidPtr, sids.num_sids);
632
for (i=0; i<sids.num_sids; i++) {
633
const char *sidstr = "S-1-5-32-545";
634
sids.sids[i].sid = dom_sid_parse_talloc(tctx, sidstr);
637
count = sids.num_sids;
640
struct lsa_LookupSids r;
641
struct lsa_TransNameArray names;
642
struct lsa_RefDomainList *domains = NULL;
646
r.in.handle = handle;
650
r.in.count = &names.count;
651
r.out.count = &count;
652
r.out.names = &names;
653
r.out.domains = &domains;
655
status = dcerpc_lsa_LookupSids(p, tctx, &r);
656
if (!NT_STATUS_IS_OK(status)) {
657
printf("LookupSids failed - %s\n", nt_errstr(status));
663
if (!test_LookupNames(p, tctx, handle, &names)) {
666
} else if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
667
p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
668
struct lsa_LookupSids3 r;
669
struct lsa_RefDomainList *domains = NULL;
670
struct lsa_TransNameArray2 names;
675
printf("\nTesting LookupSids3\n");
683
r.out.count = &count;
684
r.out.names = &names;
685
r.out.domains = &domains;
687
status = dcerpc_lsa_LookupSids3(p, tctx, &r);
688
if (!NT_STATUS_IS_OK(status)) {
689
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
690
NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
691
printf("not considering %s to be an error\n", nt_errstr(status));
694
printf("LookupSids3 failed - %s\n",
698
if (!test_LookupNames4(p, tctx, &names, false)) {
710
static void lookupsids_cb(struct rpc_request *req)
712
int *replies = (int *)req->async.private_data;
715
status = dcerpc_ndr_request_recv(req);
716
if (!NT_STATUS_IS_OK(status)) {
717
printf("lookupsids returned %s\n", nt_errstr(status));
726
static bool test_LookupSids_async(struct dcerpc_pipe *p,
727
struct torture_context *tctx,
728
struct policy_handle *handle)
730
struct lsa_SidArray sids;
731
struct lsa_SidPtr sidptr;
733
struct lsa_TransNameArray *names;
734
struct lsa_LookupSids *r;
735
struct lsa_RefDomainList *domains = NULL;
736
struct rpc_request **req;
739
const int num_async_requests = 50;
741
count = talloc_array(tctx, uint32_t, num_async_requests);
742
names = talloc_array(tctx, struct lsa_TransNameArray, num_async_requests);
743
r = talloc_array(tctx, struct lsa_LookupSids, num_async_requests);
745
printf("\nTesting %d async lookupsids request\n", num_async_requests);
747
req = talloc_array(tctx, struct rpc_request *, num_async_requests);
751
sidptr.sid = dom_sid_parse_talloc(tctx, "S-1-5-32-545");
755
for (i=0; i<num_async_requests; i++) {
758
names[i].names = NULL;
760
r[i].in.handle = handle;
761
r[i].in.sids = &sids;
762
r[i].in.names = &names[i];
764
r[i].in.count = &names[i].count;
765
r[i].out.count = &count[i];
766
r[i].out.names = &names[i];
767
r[i].out.domains = &domains;
769
req[i] = dcerpc_lsa_LookupSids_send(p, req, &r[i]);
770
if (req[i] == NULL) {
775
req[i]->async.callback = lookupsids_cb;
776
req[i]->async.private_data = &replies;
779
while (replies >= 0 && replies < num_async_requests) {
780
event_loop_once(p->conn->event_ctx);
792
static bool test_LookupPrivValue(struct dcerpc_pipe *p,
793
struct torture_context *tctx,
794
struct policy_handle *handle,
795
struct lsa_String *name)
798
struct lsa_LookupPrivValue r;
799
struct lsa_LUID luid;
801
r.in.handle = handle;
805
status = dcerpc_lsa_LookupPrivValue(p, tctx, &r);
806
if (!NT_STATUS_IS_OK(status)) {
807
printf("\nLookupPrivValue failed - %s\n", nt_errstr(status));
814
static bool test_LookupPrivName(struct dcerpc_pipe *p,
815
struct torture_context *tctx,
816
struct policy_handle *handle,
817
struct lsa_LUID *luid)
820
struct lsa_LookupPrivName r;
821
struct lsa_StringLarge *name = NULL;
823
r.in.handle = handle;
827
status = dcerpc_lsa_LookupPrivName(p, tctx, &r);
828
if (!NT_STATUS_IS_OK(status)) {
829
printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
836
static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
837
struct torture_context *tctx,
838
struct policy_handle *handle,
839
struct policy_handle *acct_handle,
840
struct lsa_LUID *luid)
843
struct lsa_RemovePrivilegesFromAccount r;
844
struct lsa_PrivilegeSet privs;
847
printf("\nTesting RemovePrivilegesFromAccount\n");
849
r.in.handle = acct_handle;
855
privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
856
privs.set[0].luid = *luid;
857
privs.set[0].attribute = 0;
859
status = dcerpc_lsa_RemovePrivilegesFromAccount(p, tctx, &r);
860
if (!NT_STATUS_IS_OK(status)) {
862
struct lsa_LookupPrivName r_name;
863
struct lsa_StringLarge *name = NULL;
865
r_name.in.handle = handle;
866
r_name.in.luid = luid;
867
r_name.out.name = &name;
869
status = dcerpc_lsa_LookupPrivName(p, tctx, &r_name);
870
if (!NT_STATUS_IS_OK(status)) {
871
printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
874
/* Windows 2008 does not allow this to be removed */
875
if (strcmp("SeAuditPrivilege", name->string) == 0) {
879
printf("RemovePrivilegesFromAccount failed to remove %s - %s\n",
888
static bool test_AddPrivilegesToAccount(struct dcerpc_pipe *p,
889
struct torture_context *tctx,
890
struct policy_handle *acct_handle,
891
struct lsa_LUID *luid)
894
struct lsa_AddPrivilegesToAccount r;
895
struct lsa_PrivilegeSet privs;
898
printf("\nTesting AddPrivilegesToAccount\n");
900
r.in.handle = acct_handle;
905
privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
906
privs.set[0].luid = *luid;
907
privs.set[0].attribute = 0;
909
status = dcerpc_lsa_AddPrivilegesToAccount(p, tctx, &r);
910
if (!NT_STATUS_IS_OK(status)) {
911
printf("AddPrivilegesToAccount failed - %s\n", nt_errstr(status));
918
static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
919
struct torture_context *tctx,
920
struct policy_handle *handle,
921
struct policy_handle *acct_handle)
924
struct lsa_EnumPrivsAccount r;
925
struct lsa_PrivilegeSet *privs = NULL;
928
printf("\nTesting EnumPrivsAccount\n");
930
r.in.handle = acct_handle;
931
r.out.privs = &privs;
933
status = dcerpc_lsa_EnumPrivsAccount(p, tctx, &r);
934
if (!NT_STATUS_IS_OK(status)) {
935
printf("EnumPrivsAccount failed - %s\n", nt_errstr(status));
939
if (privs && privs->count > 0) {
941
for (i=0;i<privs->count;i++) {
942
test_LookupPrivName(p, tctx, handle,
943
&privs->set[i].luid);
946
ret &= test_RemovePrivilegesFromAccount(p, tctx, handle, acct_handle,
947
&privs->set[0].luid);
948
ret &= test_AddPrivilegesToAccount(p, tctx, acct_handle,
949
&privs->set[0].luid);
955
static bool test_GetSystemAccessAccount(struct dcerpc_pipe *p,
956
struct torture_context *tctx,
957
struct policy_handle *handle,
958
struct policy_handle *acct_handle)
961
uint32_t access_mask;
962
struct lsa_GetSystemAccessAccount r;
964
printf("\nTesting GetSystemAccessAccount\n");
966
r.in.handle = acct_handle;
967
r.out.access_mask = &access_mask;
969
status = dcerpc_lsa_GetSystemAccessAccount(p, tctx, &r);
970
if (!NT_STATUS_IS_OK(status)) {
971
printf("GetSystemAccessAccount failed - %s\n", nt_errstr(status));
975
if (r.out.access_mask != NULL) {
977
if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE)
978
printf(" LSA_POLICY_MODE_INTERACTIVE");
979
if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK)
980
printf(" LSA_POLICY_MODE_NETWORK");
981
if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH)
982
printf(" LSA_POLICY_MODE_BATCH");
983
if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE)
984
printf(" LSA_POLICY_MODE_SERVICE");
985
if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY)
986
printf(" LSA_POLICY_MODE_PROXY");
987
if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE)
988
printf(" LSA_POLICY_MODE_DENY_INTERACTIVE");
989
if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK)
990
printf(" LSA_POLICY_MODE_DENY_NETWORK");
991
if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH)
992
printf(" LSA_POLICY_MODE_DENY_BATCH");
993
if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE)
994
printf(" LSA_POLICY_MODE_DENY_SERVICE");
995
if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE)
996
printf(" LSA_POLICY_MODE_REMOTE_INTERACTIVE");
997
if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE)
998
printf(" LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE");
999
if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL)
1000
printf(" LSA_POLICY_MODE_ALL");
1001
if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4)
1002
printf(" LSA_POLICY_MODE_ALL_NT4");
1009
static bool test_Delete(struct dcerpc_pipe *p,
1010
struct torture_context *tctx,
1011
struct policy_handle *handle)
1014
struct lsa_Delete r;
1016
printf("\nTesting Delete\n");
1018
r.in.handle = handle;
1019
status = dcerpc_lsa_Delete(p, tctx, &r);
1020
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1021
printf("Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status));
1028
static bool test_DeleteObject(struct dcerpc_pipe *p,
1029
struct torture_context *tctx,
1030
struct policy_handle *handle)
1033
struct lsa_DeleteObject r;
1035
printf("\nTesting DeleteObject\n");
1037
r.in.handle = handle;
1038
r.out.handle = handle;
1039
status = dcerpc_lsa_DeleteObject(p, tctx, &r);
1040
if (!NT_STATUS_IS_OK(status)) {
1041
printf("DeleteObject failed - %s\n", nt_errstr(status));
1049
static bool test_CreateAccount(struct dcerpc_pipe *p,
1050
struct torture_context *tctx,
1051
struct policy_handle *handle)
1054
struct lsa_CreateAccount r;
1055
struct dom_sid2 *newsid;
1056
struct policy_handle acct_handle;
1058
newsid = dom_sid_parse_talloc(tctx, "S-1-5-12349876-4321-2854");
1060
printf("\nTesting CreateAccount\n");
1062
r.in.handle = handle;
1064
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1065
r.out.acct_handle = &acct_handle;
1067
status = dcerpc_lsa_CreateAccount(p, tctx, &r);
1068
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
1069
struct lsa_OpenAccount r_o;
1070
r_o.in.handle = handle;
1071
r_o.in.sid = newsid;
1072
r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1073
r_o.out.acct_handle = &acct_handle;
1075
status = dcerpc_lsa_OpenAccount(p, tctx, &r_o);
1076
if (!NT_STATUS_IS_OK(status)) {
1077
printf("OpenAccount failed - %s\n", nt_errstr(status));
1080
} else if (!NT_STATUS_IS_OK(status)) {
1081
printf("CreateAccount failed - %s\n", nt_errstr(status));
1085
if (!test_Delete(p, tctx, &acct_handle)) {
1089
if (!test_DeleteObject(p, tctx, &acct_handle)) {
1096
static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p,
1097
struct torture_context *tctx,
1098
struct policy_handle *handle,
1099
struct lsa_StringLarge name)
1102
struct lsa_OpenTrustedDomainByName r;
1103
struct policy_handle trustdom_handle;
1105
r.in.handle = handle;
1106
r.in.name.string = name.string;
1107
r.in.access_mask = SEC_STD_DELETE;
1108
r.out.trustdom_handle = &trustdom_handle;
1110
status = dcerpc_lsa_OpenTrustedDomainByName(p, tctx, &r);
1111
if (!NT_STATUS_IS_OK(status)) {
1112
printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
1116
if (!test_Delete(p, tctx, &trustdom_handle)) {
1120
if (!test_DeleteObject(p, tctx, &trustdom_handle)) {
1127
static bool test_DeleteTrustedDomainBySid(struct dcerpc_pipe *p,
1128
struct torture_context *tctx,
1129
struct policy_handle *handle,
1130
struct dom_sid *sid)
1133
struct lsa_DeleteTrustedDomain r;
1135
r.in.handle = handle;
1138
status = dcerpc_lsa_DeleteTrustedDomain(p, tctx, &r);
1139
if (!NT_STATUS_IS_OK(status)) {
1140
printf("DeleteTrustedDomain failed - %s\n", nt_errstr(status));
1148
static bool test_CreateSecret(struct dcerpc_pipe *p,
1149
struct torture_context *tctx,
1150
struct policy_handle *handle)
1153
struct lsa_CreateSecret r;
1154
struct lsa_OpenSecret r2;
1155
struct lsa_SetSecret r3;
1156
struct lsa_QuerySecret r4;
1157
struct lsa_SetSecret r5;
1158
struct lsa_QuerySecret r6;
1159
struct lsa_SetSecret r7;
1160
struct lsa_QuerySecret r8;
1161
struct policy_handle sec_handle, sec_handle2, sec_handle3;
1162
struct lsa_DeleteObject d_o;
1163
struct lsa_DATA_BUF buf1;
1164
struct lsa_DATA_BUF_PTR bufp1;
1165
struct lsa_DATA_BUF_PTR bufp2;
1168
DATA_BLOB session_key;
1169
NTTIME old_mtime, new_mtime;
1170
DATA_BLOB blob1, blob2;
1171
const char *secret1 = "abcdef12345699qwerty";
1173
const char *secret3 = "ABCDEF12345699QWERTY";
1175
const char *secret5 = "NEW-SAMBA4-SECRET";
1179
const int LOCAL = 0;
1180
const int GLOBAL = 1;
1182
secname[LOCAL] = talloc_asprintf(tctx, "torturesecret-%u", (uint_t)random());
1183
secname[GLOBAL] = talloc_asprintf(tctx, "G$torturesecret-%u", (uint_t)random());
1185
for (i=0; i< 2; i++) {
1186
printf("\nTesting CreateSecret of %s\n", secname[i]);
1188
init_lsa_String(&r.in.name, secname[i]);
1190
r.in.handle = handle;
1191
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1192
r.out.sec_handle = &sec_handle;
1194
status = dcerpc_lsa_CreateSecret(p, tctx, &r);
1195
if (!NT_STATUS_IS_OK(status)) {
1196
printf("CreateSecret failed - %s\n", nt_errstr(status));
1200
r.in.handle = handle;
1201
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1202
r.out.sec_handle = &sec_handle3;
1204
status = dcerpc_lsa_CreateSecret(p, tctx, &r);
1205
if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
1206
printf("CreateSecret should have failed OBJECT_NAME_COLLISION - %s\n", nt_errstr(status));
1210
r2.in.handle = handle;
1211
r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1212
r2.in.name = r.in.name;
1213
r2.out.sec_handle = &sec_handle2;
1215
printf("Testing OpenSecret\n");
1217
status = dcerpc_lsa_OpenSecret(p, tctx, &r2);
1218
if (!NT_STATUS_IS_OK(status)) {
1219
printf("OpenSecret failed - %s\n", nt_errstr(status));
1223
status = dcerpc_fetch_session_key(p, &session_key);
1224
if (!NT_STATUS_IS_OK(status)) {
1225
printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
1229
enc_key = sess_encrypt_string(secret1, &session_key);
1231
r3.in.sec_handle = &sec_handle;
1232
r3.in.new_val = &buf1;
1233
r3.in.old_val = NULL;
1234
r3.in.new_val->data = enc_key.data;
1235
r3.in.new_val->length = enc_key.length;
1236
r3.in.new_val->size = enc_key.length;
1238
printf("Testing SetSecret\n");
1240
status = dcerpc_lsa_SetSecret(p, tctx, &r3);
1241
if (!NT_STATUS_IS_OK(status)) {
1242
printf("SetSecret failed - %s\n", nt_errstr(status));
1246
r3.in.sec_handle = &sec_handle;
1247
r3.in.new_val = &buf1;
1248
r3.in.old_val = NULL;
1249
r3.in.new_val->data = enc_key.data;
1250
r3.in.new_val->length = enc_key.length;
1251
r3.in.new_val->size = enc_key.length;
1253
/* break the encrypted data */
1256
printf("Testing SetSecret with broken key\n");
1258
status = dcerpc_lsa_SetSecret(p, tctx, &r3);
1259
if (!NT_STATUS_EQUAL(status, NT_STATUS_UNKNOWN_REVISION)) {
1260
printf("SetSecret should have failed UNKNOWN_REVISION - %s\n", nt_errstr(status));
1264
data_blob_free(&enc_key);
1266
ZERO_STRUCT(new_mtime);
1267
ZERO_STRUCT(old_mtime);
1269
/* fetch the secret back again */
1270
r4.in.sec_handle = &sec_handle;
1271
r4.in.new_val = &bufp1;
1272
r4.in.new_mtime = &new_mtime;
1273
r4.in.old_val = NULL;
1274
r4.in.old_mtime = NULL;
1278
printf("Testing QuerySecret\n");
1279
status = dcerpc_lsa_QuerySecret(p, tctx, &r4);
1280
if (!NT_STATUS_IS_OK(status)) {
1281
printf("QuerySecret failed - %s\n", nt_errstr(status));
1284
if (r4.out.new_val == NULL || r4.out.new_val->buf == NULL) {
1285
printf("No secret buffer returned\n");
1288
blob1.data = r4.out.new_val->buf->data;
1289
blob1.length = r4.out.new_val->buf->size;
1291
blob2 = data_blob_talloc(tctx, NULL, blob1.length);
1293
secret2 = sess_decrypt_string(tctx,
1294
&blob1, &session_key);
1296
if (strcmp(secret1, secret2) != 0) {
1297
printf("Returned secret (r4) '%s' doesn't match '%s'\n",
1304
enc_key = sess_encrypt_string(secret3, &session_key);
1306
r5.in.sec_handle = &sec_handle;
1307
r5.in.new_val = &buf1;
1308
r5.in.old_val = NULL;
1309
r5.in.new_val->data = enc_key.data;
1310
r5.in.new_val->length = enc_key.length;
1311
r5.in.new_val->size = enc_key.length;
1315
printf("Testing SetSecret (existing value should move to old)\n");
1317
status = dcerpc_lsa_SetSecret(p, tctx, &r5);
1318
if (!NT_STATUS_IS_OK(status)) {
1319
printf("SetSecret failed - %s\n", nt_errstr(status));
1323
data_blob_free(&enc_key);
1325
ZERO_STRUCT(new_mtime);
1326
ZERO_STRUCT(old_mtime);
1328
/* fetch the secret back again */
1329
r6.in.sec_handle = &sec_handle;
1330
r6.in.new_val = &bufp1;
1331
r6.in.new_mtime = &new_mtime;
1332
r6.in.old_val = &bufp2;
1333
r6.in.old_mtime = &old_mtime;
1338
status = dcerpc_lsa_QuerySecret(p, tctx, &r6);
1339
if (!NT_STATUS_IS_OK(status)) {
1340
printf("QuerySecret failed - %s\n", nt_errstr(status));
1345
if (r6.out.new_val->buf == NULL || r6.out.old_val->buf == NULL
1346
|| r6.out.new_mtime == NULL || r6.out.old_mtime == NULL) {
1347
printf("Both secret buffers and both times not returned\n");
1351
blob1.data = r6.out.new_val->buf->data;
1352
blob1.length = r6.out.new_val->buf->size;
1354
blob2 = data_blob_talloc(tctx, NULL, blob1.length);
1356
secret4 = sess_decrypt_string(tctx,
1357
&blob1, &session_key);
1359
if (strcmp(secret3, secret4) != 0) {
1360
printf("Returned NEW secret %s doesn't match %s\n", secret4, secret3);
1364
blob1.data = r6.out.old_val->buf->data;
1365
blob1.length = r6.out.old_val->buf->length;
1367
blob2 = data_blob_talloc(tctx, NULL, blob1.length);
1369
secret2 = sess_decrypt_string(tctx,
1370
&blob1, &session_key);
1372
if (strcmp(secret1, secret2) != 0) {
1373
printf("Returned OLD secret %s doesn't match %s\n", secret2, secret1);
1377
if (*r6.out.new_mtime == *r6.out.old_mtime) {
1378
printf("Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n",
1381
nt_time_string(tctx, *r6.out.old_mtime),
1382
nt_time_string(tctx, *r6.out.new_mtime));
1388
enc_key = sess_encrypt_string(secret5, &session_key);
1390
r7.in.sec_handle = &sec_handle;
1391
r7.in.old_val = &buf1;
1392
r7.in.old_val->data = enc_key.data;
1393
r7.in.old_val->length = enc_key.length;
1394
r7.in.old_val->size = enc_key.length;
1395
r7.in.new_val = NULL;
1397
printf("Testing SetSecret of old Secret only\n");
1399
status = dcerpc_lsa_SetSecret(p, tctx, &r7);
1400
if (!NT_STATUS_IS_OK(status)) {
1401
printf("SetSecret failed - %s\n", nt_errstr(status));
1405
data_blob_free(&enc_key);
1407
/* fetch the secret back again */
1408
r8.in.sec_handle = &sec_handle;
1409
r8.in.new_val = &bufp1;
1410
r8.in.new_mtime = &new_mtime;
1411
r8.in.old_val = &bufp2;
1412
r8.in.old_mtime = &old_mtime;
1417
status = dcerpc_lsa_QuerySecret(p, tctx, &r8);
1418
if (!NT_STATUS_IS_OK(status)) {
1419
printf("QuerySecret failed - %s\n", nt_errstr(status));
1422
if (!r8.out.new_val || !r8.out.old_val) {
1423
printf("in/out pointers not returned, despite being set on in for QuerySecret\n");
1425
} else if (r8.out.new_val->buf != NULL) {
1426
printf("NEW secret buffer must not be returned after OLD set\n");
1428
} else if (r8.out.old_val->buf == NULL) {
1429
printf("OLD secret buffer was not returned after OLD set\n");
1431
} else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
1432
printf("Both times not returned after OLD set\n");
1435
blob1.data = r8.out.old_val->buf->data;
1436
blob1.length = r8.out.old_val->buf->size;
1438
blob2 = data_blob_talloc(tctx, NULL, blob1.length);
1440
secret6 = sess_decrypt_string(tctx,
1441
&blob1, &session_key);
1443
if (strcmp(secret5, secret6) != 0) {
1444
printf("Returned OLD secret %s doesn't match %s\n", secret5, secret6);
1448
if (*r8.out.new_mtime != *r8.out.old_mtime) {
1449
printf("Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n",
1451
nt_time_string(tctx, *r8.out.old_mtime),
1452
nt_time_string(tctx, *r8.out.new_mtime));
1458
if (!test_Delete(p, tctx, &sec_handle)) {
1462
if (!test_DeleteObject(p, tctx, &sec_handle)) {
1466
d_o.in.handle = &sec_handle2;
1467
d_o.out.handle = &sec_handle2;
1468
status = dcerpc_lsa_DeleteObject(p, tctx, &d_o);
1469
if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
1470
printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status));
1474
printf("Testing OpenSecret of just-deleted secret\n");
1476
status = dcerpc_lsa_OpenSecret(p, tctx, &r2);
1477
if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1478
printf("OpenSecret expected OBJECT_NAME_NOT_FOUND - %s\n", nt_errstr(status));
1489
static bool test_EnumAccountRights(struct dcerpc_pipe *p,
1490
struct torture_context *tctx,
1491
struct policy_handle *acct_handle,
1492
struct dom_sid *sid)
1495
struct lsa_EnumAccountRights r;
1496
struct lsa_RightSet rights;
1498
printf("\nTesting EnumAccountRights\n");
1500
r.in.handle = acct_handle;
1502
r.out.rights = &rights;
1504
status = dcerpc_lsa_EnumAccountRights(p, tctx, &r);
1505
if (!NT_STATUS_IS_OK(status)) {
1506
printf("EnumAccountRights of %s failed - %s\n",
1507
dom_sid_string(tctx, sid), nt_errstr(status));
1515
static bool test_QuerySecurity(struct dcerpc_pipe *p,
1516
struct torture_context *tctx,
1517
struct policy_handle *handle,
1518
struct policy_handle *acct_handle)
1521
struct lsa_QuerySecurity r;
1522
struct sec_desc_buf *sdbuf = NULL;
1524
if (torture_setting_bool(tctx, "samba4", false)) {
1525
printf("\nskipping QuerySecurity test against Samba4\n");
1529
printf("\nTesting QuerySecurity\n");
1531
r.in.handle = acct_handle;
1533
r.out.sdbuf = &sdbuf;
1535
status = dcerpc_lsa_QuerySecurity(p, tctx, &r);
1536
if (!NT_STATUS_IS_OK(status)) {
1537
printf("QuerySecurity failed - %s\n", nt_errstr(status));
1544
static bool test_OpenAccount(struct dcerpc_pipe *p,
1545
struct torture_context *tctx,
1546
struct policy_handle *handle,
1547
struct dom_sid *sid)
1550
struct lsa_OpenAccount r;
1551
struct policy_handle acct_handle;
1553
printf("\nTesting OpenAccount\n");
1555
r.in.handle = handle;
1557
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1558
r.out.acct_handle = &acct_handle;
1560
status = dcerpc_lsa_OpenAccount(p, tctx, &r);
1561
if (!NT_STATUS_IS_OK(status)) {
1562
printf("OpenAccount failed - %s\n", nt_errstr(status));
1566
if (!test_EnumPrivsAccount(p, tctx, handle, &acct_handle)) {
1570
if (!test_GetSystemAccessAccount(p, tctx, handle, &acct_handle)) {
1574
if (!test_QuerySecurity(p, tctx, handle, &acct_handle)) {
1581
static bool test_EnumAccounts(struct dcerpc_pipe *p,
1582
struct torture_context *tctx,
1583
struct policy_handle *handle)
1586
struct lsa_EnumAccounts r;
1587
struct lsa_SidArray sids1, sids2;
1588
uint32_t resume_handle = 0;
1592
printf("\nTesting EnumAccounts\n");
1594
r.in.handle = handle;
1595
r.in.resume_handle = &resume_handle;
1596
r.in.num_entries = 100;
1597
r.out.resume_handle = &resume_handle;
1598
r.out.sids = &sids1;
1602
status = dcerpc_lsa_EnumAccounts(p, tctx, &r);
1603
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES)) {
1606
if (!NT_STATUS_IS_OK(status)) {
1607
printf("EnumAccounts failed - %s\n", nt_errstr(status));
1611
if (!test_LookupSids(p, tctx, handle, &sids1)) {
1615
if (!test_LookupSids2(p, tctx, handle, &sids1)) {
1619
/* Can't test lookupSids3 here, as clearly we must not
1620
* be on schannel, or we would not be able to do the
1623
printf("Testing all accounts\n");
1624
for (i=0;i<sids1.num_sids;i++) {
1625
ret &= test_OpenAccount(p, tctx, handle, sids1.sids[i].sid);
1626
ret &= test_EnumAccountRights(p, tctx, handle, sids1.sids[i].sid);
1631
if (sids1.num_sids < 3) {
1635
printf("Trying EnumAccounts partial listing (asking for 1 at 2)\n");
1637
r.in.num_entries = 1;
1638
r.out.sids = &sids2;
1640
status = dcerpc_lsa_EnumAccounts(p, tctx, &r);
1641
if (!NT_STATUS_IS_OK(status)) {
1642
printf("EnumAccounts failed - %s\n", nt_errstr(status));
1646
if (sids2.num_sids != 1) {
1647
printf("Returned wrong number of entries (%d)\n", sids2.num_sids);
1654
static bool test_LookupPrivDisplayName(struct dcerpc_pipe *p,
1655
struct torture_context *tctx,
1656
struct policy_handle *handle,
1657
struct lsa_String *priv_name)
1659
struct lsa_LookupPrivDisplayName r;
1661
/* produce a reasonable range of language output without screwing up
1663
uint16_t language_id = (random() % 4) + 0x409;
1664
uint16_t returned_language_id = 0;
1665
struct lsa_StringLarge *disp_name = NULL;
1667
printf("\nTesting LookupPrivDisplayName(%s)\n", priv_name->string);
1669
r.in.handle = handle;
1670
r.in.name = priv_name;
1671
r.in.language_id = language_id;
1672
r.in.language_id_sys = 0;
1673
r.out.returned_language_id = &returned_language_id;
1674
r.out.disp_name = &disp_name;
1676
status = dcerpc_lsa_LookupPrivDisplayName(p, tctx, &r);
1677
if (!NT_STATUS_IS_OK(status)) {
1678
printf("LookupPrivDisplayName failed - %s\n", nt_errstr(status));
1681
printf("%s -> \"%s\" (language 0x%x/0x%x)\n",
1682
priv_name->string, disp_name->string,
1683
r.in.language_id, *r.out.returned_language_id);
1688
static bool test_EnumAccountsWithUserRight(struct dcerpc_pipe *p,
1689
struct torture_context *tctx,
1690
struct policy_handle *handle,
1691
struct lsa_String *priv_name)
1693
struct lsa_EnumAccountsWithUserRight r;
1694
struct lsa_SidArray sids;
1699
printf("\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string);
1701
r.in.handle = handle;
1702
r.in.name = priv_name;
1705
status = dcerpc_lsa_EnumAccountsWithUserRight(p, tctx, &r);
1707
/* NT_STATUS_NO_MORE_ENTRIES means noone has this privilege */
1708
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES)) {
1712
if (!NT_STATUS_IS_OK(status)) {
1713
printf("EnumAccountsWithUserRight failed - %s\n", nt_errstr(status));
1721
static bool test_EnumPrivs(struct dcerpc_pipe *p,
1722
struct torture_context *tctx,
1723
struct policy_handle *handle)
1726
struct lsa_EnumPrivs r;
1727
struct lsa_PrivArray privs1;
1728
uint32_t resume_handle = 0;
1732
printf("\nTesting EnumPrivs\n");
1734
r.in.handle = handle;
1735
r.in.resume_handle = &resume_handle;
1736
r.in.max_count = 100;
1737
r.out.resume_handle = &resume_handle;
1738
r.out.privs = &privs1;
1741
status = dcerpc_lsa_EnumPrivs(p, tctx, &r);
1742
if (!NT_STATUS_IS_OK(status)) {
1743
printf("EnumPrivs failed - %s\n", nt_errstr(status));
1747
for (i = 0; i< privs1.count; i++) {
1748
test_LookupPrivDisplayName(p, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1749
test_LookupPrivValue(p, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
1750
if (!test_EnumAccountsWithUserRight(p, tctx, handle, (struct lsa_String *)&privs1.privs[i].name)) {
1758
static bool test_QueryForestTrustInformation(struct dcerpc_pipe *p,
1759
struct torture_context *tctx,
1760
struct policy_handle *handle,
1761
const char *trusted_domain_name)
1764
struct lsa_lsaRQueryForestTrustInformation r;
1766
struct lsa_String string;
1767
struct lsa_ForestTrustInformation info, *info_ptr;
1769
printf("\nTesting lsaRQueryForestTrustInformation\n");
1771
if (torture_setting_bool(tctx, "samba4", false)) {
1772
printf("skipping QueryForestTrustInformation against Samba4\n");
1776
ZERO_STRUCT(string);
1778
if (trusted_domain_name) {
1779
init_lsa_String(&string, trusted_domain_name);
1784
r.in.handle = handle;
1785
r.in.trusted_domain_name = &string;
1787
r.out.forest_trust_info = &info_ptr;
1789
status = dcerpc_lsa_lsaRQueryForestTrustInformation(p, tctx, &r);
1791
if (!NT_STATUS_IS_OK(status)) {
1792
printf("lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(status));
1799
static bool test_query_each_TrustDomEx(struct dcerpc_pipe *p,
1800
struct torture_context *tctx,
1801
struct policy_handle *handle,
1802
struct lsa_DomainListEx *domains)
1807
for (i=0; i< domains->count; i++) {
1809
if (domains->domains[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1810
ret &= test_QueryForestTrustInformation(p, tctx, handle,
1811
domains->domains[i].domain_name.string);
1818
static bool test_query_each_TrustDom(struct dcerpc_pipe *p,
1819
struct torture_context *tctx,
1820
struct policy_handle *handle,
1821
struct lsa_DomainList *domains)
1827
printf("\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n");
1828
for (i=0; i< domains->count; i++) {
1829
struct lsa_OpenTrustedDomain trust;
1830
struct lsa_OpenTrustedDomainByName trust_by_name;
1831
struct policy_handle trustdom_handle;
1832
struct policy_handle handle2;
1834
struct lsa_CloseTrustedDomainEx c_trust;
1835
int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
1836
int ok[] = {1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1};
1838
if (domains->domains[i].sid) {
1839
trust.in.handle = handle;
1840
trust.in.sid = domains->domains[i].sid;
1841
trust.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1842
trust.out.trustdom_handle = &trustdom_handle;
1844
status = dcerpc_lsa_OpenTrustedDomain(p, tctx, &trust);
1846
if (!NT_STATUS_IS_OK(status)) {
1847
printf("OpenTrustedDomain failed - %s\n", nt_errstr(status));
1851
c.in.handle = &trustdom_handle;
1852
c.out.handle = &handle2;
1854
c_trust.in.handle = &trustdom_handle;
1855
c_trust.out.handle = &handle2;
1857
for (j=0; j < ARRAY_SIZE(levels); j++) {
1858
struct lsa_QueryTrustedDomainInfo q;
1859
union lsa_TrustedDomainInfo *info = NULL;
1860
q.in.trustdom_handle = &trustdom_handle;
1861
q.in.level = levels[j];
1863
status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q);
1864
if (!NT_STATUS_IS_OK(status) && ok[j]) {
1865
printf("QueryTrustedDomainInfo level %d failed - %s\n",
1866
levels[j], nt_errstr(status));
1868
} else if (NT_STATUS_IS_OK(status) && !ok[j]) {
1869
printf("QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
1870
levels[j], nt_errstr(status));
1875
status = dcerpc_lsa_CloseTrustedDomainEx(p, tctx, &c_trust);
1876
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
1877
printf("Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(status));
1881
c.in.handle = &trustdom_handle;
1882
c.out.handle = &handle2;
1884
status = dcerpc_lsa_Close(p, tctx, &c);
1885
if (!NT_STATUS_IS_OK(status)) {
1886
printf("Close of trusted domain failed - %s\n", nt_errstr(status));
1890
for (j=0; j < ARRAY_SIZE(levels); j++) {
1891
struct lsa_QueryTrustedDomainInfoBySid q;
1892
union lsa_TrustedDomainInfo *info = NULL;
1894
if (!domains->domains[i].sid) {
1898
q.in.handle = handle;
1899
q.in.dom_sid = domains->domains[i].sid;
1900
q.in.level = levels[j];
1903
status = dcerpc_lsa_QueryTrustedDomainInfoBySid(p, tctx, &q);
1904
if (!NT_STATUS_IS_OK(status) && ok[j]) {
1905
printf("QueryTrustedDomainInfoBySid level %d failed - %s\n",
1906
levels[j], nt_errstr(status));
1908
} else if (NT_STATUS_IS_OK(status) && !ok[j]) {
1909
printf("QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n",
1910
levels[j], nt_errstr(status));
1916
trust_by_name.in.handle = handle;
1917
trust_by_name.in.name.string = domains->domains[i].name.string;
1918
trust_by_name.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1919
trust_by_name.out.trustdom_handle = &trustdom_handle;
1921
status = dcerpc_lsa_OpenTrustedDomainByName(p, tctx, &trust_by_name);
1923
if (!NT_STATUS_IS_OK(status)) {
1924
printf("OpenTrustedDomainByName failed - %s\n", nt_errstr(status));
1928
for (j=0; j < ARRAY_SIZE(levels); j++) {
1929
struct lsa_QueryTrustedDomainInfo q;
1930
union lsa_TrustedDomainInfo *info = NULL;
1931
q.in.trustdom_handle = &trustdom_handle;
1932
q.in.level = levels[j];
1934
status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q);
1935
if (!NT_STATUS_IS_OK(status) && ok[j]) {
1936
printf("QueryTrustedDomainInfo level %d failed - %s\n",
1937
levels[j], nt_errstr(status));
1939
} else if (NT_STATUS_IS_OK(status) && !ok[j]) {
1940
printf("QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
1941
levels[j], nt_errstr(status));
1946
c.in.handle = &trustdom_handle;
1947
c.out.handle = &handle2;
1949
status = dcerpc_lsa_Close(p, tctx, &c);
1950
if (!NT_STATUS_IS_OK(status)) {
1951
printf("Close of trusted domain failed - %s\n", nt_errstr(status));
1955
for (j=0; j < ARRAY_SIZE(levels); j++) {
1956
struct lsa_QueryTrustedDomainInfoByName q;
1957
union lsa_TrustedDomainInfo *info = NULL;
1958
struct lsa_String name;
1960
name.string = domains->domains[i].name.string;
1962
q.in.handle = handle;
1963
q.in.trusted_domain = &name;
1964
q.in.level = levels[j];
1966
status = dcerpc_lsa_QueryTrustedDomainInfoByName(p, tctx, &q);
1967
if (!NT_STATUS_IS_OK(status) && ok[j]) {
1968
printf("QueryTrustedDomainInfoByName level %d failed - %s\n",
1969
levels[j], nt_errstr(status));
1971
} else if (NT_STATUS_IS_OK(status) && !ok[j]) {
1972
printf("QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n",
1973
levels[j], nt_errstr(status));
1981
static bool test_EnumTrustDom(struct dcerpc_pipe *p,
1982
struct torture_context *tctx,
1983
struct policy_handle *handle)
1985
struct lsa_EnumTrustDom r;
1986
struct lsa_EnumTrustedDomainsEx r_ex;
1987
NTSTATUS enum_status;
1988
uint32_t resume_handle = 0;
1989
struct lsa_DomainList domains;
1990
struct lsa_DomainListEx domains_ex;
1993
printf("\nTesting EnumTrustDom\n");
1995
r.in.handle = handle;
1996
r.in.resume_handle = &resume_handle;
1998
r.out.domains = &domains;
1999
r.out.resume_handle = &resume_handle;
2001
enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
2003
if (NT_STATUS_IS_OK(enum_status)) {
2004
if (domains.count == 0) {
2005
printf("EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2008
} else if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) {
2009
printf("EnumTrustDom of zero size failed - %s\n", nt_errstr(enum_status));
2013
/* Start from the bottom again */
2017
r.in.handle = handle;
2018
r.in.resume_handle = &resume_handle;
2019
r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
2020
r.out.domains = &domains;
2021
r.out.resume_handle = &resume_handle;
2023
enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
2025
/* NO_MORE_ENTRIES is allowed */
2026
if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
2027
if (domains.count == 0) {
2030
printf("EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2032
} else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
2033
/* Windows 2003 gets this off by one on the first run */
2034
if (r.out.domains->count < 3 || r.out.domains->count > 4) {
2035
printf("EnumTrustDom didn't fill the buffer we "
2036
"asked it to (got %d, expected %d / %d == %d entries)\n",
2037
r.out.domains->count, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3,
2038
LSA_ENUM_TRUST_DOMAIN_MULTIPLIER, r.in.max_size);
2041
} else if (!NT_STATUS_IS_OK(enum_status)) {
2042
printf("EnumTrustDom failed - %s\n", nt_errstr(enum_status));
2046
if (domains.count == 0) {
2047
printf("EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2051
ret &= test_query_each_TrustDom(p, tctx, handle, &domains);
2053
} while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)));
2055
printf("\nTesting EnumTrustedDomainsEx\n");
2057
r_ex.in.handle = handle;
2058
r_ex.in.resume_handle = &resume_handle;
2059
r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2060
r_ex.out.domains = &domains_ex;
2061
r_ex.out.resume_handle = &resume_handle;
2063
enum_status = dcerpc_lsa_EnumTrustedDomainsEx(p, tctx, &r_ex);
2065
if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) {
2066
printf("EnumTrustedDomainEx of zero size failed - %s\n", nt_errstr(enum_status));
2072
r_ex.in.handle = handle;
2073
r_ex.in.resume_handle = &resume_handle;
2074
r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
2075
r_ex.out.domains = &domains_ex;
2076
r_ex.out.resume_handle = &resume_handle;
2078
enum_status = dcerpc_lsa_EnumTrustedDomainsEx(p, tctx, &r_ex);
2080
/* NO_MORE_ENTRIES is allowed */
2081
if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
2082
if (domains_ex.count == 0) {
2085
printf("EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
2087
} else if (NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
2088
/* Windows 2003 gets this off by one on the first run */
2089
if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) {
2090
printf("EnumTrustDom didn't fill the buffer we "
2091
"asked it to (got %d, expected %d / %d == %d entries)\n",
2092
r_ex.out.domains->count,
2094
LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER,
2095
r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
2097
} else if (!NT_STATUS_IS_OK(enum_status)) {
2098
printf("EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status));
2102
if (domains_ex.count == 0) {
2103
printf("EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
2107
ret &= test_query_each_TrustDomEx(p, tctx, handle, &domains_ex);
2109
} while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)));
2114
static bool test_CreateTrustedDomain(struct dcerpc_pipe *p,
2115
struct torture_context *tctx,
2116
struct policy_handle *handle)
2120
struct lsa_CreateTrustedDomain r;
2121
struct lsa_DomainInfo trustinfo;
2122
struct dom_sid *domsid[12];
2123
struct policy_handle trustdom_handle[12];
2124
struct lsa_QueryTrustedDomainInfo q;
2125
union lsa_TrustedDomainInfo *info = NULL;
2128
printf("\nTesting CreateTrustedDomain for 12 domains\n");
2130
if (!test_EnumTrustDom(p, tctx, handle)) {
2134
for (i=0; i< 12; i++) {
2135
char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2136
char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2138
domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2140
trustinfo.sid = domsid[i];
2141
init_lsa_String((struct lsa_String *)&trustinfo.name, trust_name);
2143
r.in.policy_handle = handle;
2144
r.in.info = &trustinfo;
2145
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2146
r.out.trustdom_handle = &trustdom_handle[i];
2148
status = dcerpc_lsa_CreateTrustedDomain(p, tctx, &r);
2149
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
2150
test_DeleteTrustedDomain(p, tctx, handle, trustinfo.name);
2151
status = dcerpc_lsa_CreateTrustedDomain(p, tctx, &r);
2153
if (!NT_STATUS_IS_OK(status)) {
2154
printf("CreateTrustedDomain failed - %s\n", nt_errstr(status));
2158
q.in.trustdom_handle = &trustdom_handle[i];
2159
q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2161
status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q);
2162
if (!NT_STATUS_IS_OK(status)) {
2163
printf("QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status));
2165
} else if (!q.out.info) {
2168
if (strcmp(info->info_ex.netbios_name.string, trustinfo.name.string) != 0) {
2169
printf("QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n",
2170
info->info_ex.netbios_name.string, trustinfo.name.string);
2173
if (info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
2174
printf("QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2175
trust_name, info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL);
2178
if (info->info_ex.trust_attributes != 0) {
2179
printf("QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2180
trust_name, info->info_ex.trust_attributes, 0);
2183
if (info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) {
2184
printf("QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2185
trust_name, info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND);
2192
/* now that we have some domains to look over, we can test the enum calls */
2193
if (!test_EnumTrustDom(p, tctx, handle)) {
2197
for (i=0; i<12; i++) {
2198
if (!test_DeleteTrustedDomainBySid(p, tctx, handle, domsid[i])) {
2206
static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
2207
struct torture_context *tctx,
2208
struct policy_handle *handle)
2212
struct lsa_CreateTrustedDomainEx2 r;
2213
struct lsa_TrustDomainInfoInfoEx trustinfo;
2214
struct lsa_TrustDomainInfoAuthInfoInternal authinfo;
2215
struct trustDomainPasswords auth_struct;
2216
DATA_BLOB auth_blob;
2217
struct dom_sid *domsid[12];
2218
struct policy_handle trustdom_handle[12];
2219
struct lsa_QueryTrustedDomainInfo q;
2220
union lsa_TrustedDomainInfo *info = NULL;
2221
DATA_BLOB session_key;
2222
enum ndr_err_code ndr_err;
2225
printf("\nTesting CreateTrustedDomainEx2 for 12 domains\n");
2227
status = dcerpc_fetch_session_key(p, &session_key);
2228
if (!NT_STATUS_IS_OK(status)) {
2229
printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
2233
for (i=0; i< 12; i++) {
2234
char *trust_name = talloc_asprintf(tctx, "torturedom%02d", i);
2235
char *trust_name_dns = talloc_asprintf(tctx, "torturedom%02d.samba.example.com", i);
2236
char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-100%02d", i);
2238
domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);
2240
trustinfo.sid = domsid[i];
2241
trustinfo.netbios_name.string = trust_name;
2242
trustinfo.domain_name.string = trust_name_dns;
2244
/* Create inbound, some outbound, and some
2245
* bi-directional trusts in a repeating pattern based
2248
/* 1 == inbound, 2 == outbound, 3 == both */
2249
trustinfo.trust_direction = (i % 3) + 1;
2251
/* Try different trust types too */
2253
/* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
2254
trustinfo.trust_type = (((i / 3) + 1) % 3) + 1;
2256
trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
2258
generate_random_buffer(auth_struct.confounder, sizeof(auth_struct.confounder));
2260
auth_struct.outgoing.count = 0;
2261
auth_struct.incoming.count = 0;
2263
ndr_err = ndr_push_struct_blob(&auth_blob, tctx, lp_iconv_convenience(tctx->lp_ctx), &auth_struct,
2264
(ndr_push_flags_fn_t)ndr_push_trustDomainPasswords);
2265
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2266
printf("ndr_push_struct_blob of trustDomainPasswords structure failed");
2270
arcfour_crypt_blob(auth_blob.data, auth_blob.length, &session_key);
2272
authinfo.auth_blob.size = auth_blob.length;
2273
authinfo.auth_blob.data = auth_blob.data;
2275
r.in.policy_handle = handle;
2276
r.in.info = &trustinfo;
2277
r.in.auth_info = &authinfo;
2278
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2279
r.out.trustdom_handle = &trustdom_handle[i];
2281
status = dcerpc_lsa_CreateTrustedDomainEx2(p, tctx, &r);
2282
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
2283
test_DeleteTrustedDomain(p, tctx, handle, trustinfo.netbios_name);
2284
status = dcerpc_lsa_CreateTrustedDomainEx2(p, tctx, &r);
2286
if (!NT_STATUS_IS_OK(status)) {
2287
printf("CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
2291
q.in.trustdom_handle = &trustdom_handle[i];
2292
q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
2294
status = dcerpc_lsa_QueryTrustedDomainInfo(p, tctx, &q);
2295
if (!NT_STATUS_IS_OK(status)) {
2296
printf("QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(status));
2298
} else if (!q.out.info) {
2299
printf("QueryTrustedDomainInfo level 1 failed to return an info pointer\n");
2302
if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) {
2303
printf("QueryTrustedDomainInfo returned inconsistant short name: %s != %s\n",
2304
info->info_ex.netbios_name.string, trustinfo.netbios_name.string);
2307
if (info->info_ex.trust_type != trustinfo.trust_type) {
2308
printf("QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
2309
trust_name, info->info_ex.trust_type, trustinfo.trust_type);
2312
if (info->info_ex.trust_attributes != LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) {
2313
printf("QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
2314
trust_name, info->info_ex.trust_attributes, LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION);
2317
if (info->info_ex.trust_direction != trustinfo.trust_direction) {
2318
printf("QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
2319
trust_name, info->info_ex.trust_direction, trustinfo.trust_direction);
2326
/* now that we have some domains to look over, we can test the enum calls */
2327
if (!test_EnumTrustDom(p, tctx, handle)) {
2328
printf("test_EnumTrustDom failed\n");
2332
for (i=0; i<12; i++) {
2333
if (!test_DeleteTrustedDomainBySid(p, tctx, handle, domsid[i])) {
2334
printf("test_DeleteTrustedDomainBySid failed\n");
2342
static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
2343
struct torture_context *tctx,
2344
struct policy_handle *handle)
2346
struct lsa_QueryDomainInformationPolicy r;
2347
union lsa_DomainInformationPolicy *info = NULL;
2352
printf("\nTesting QueryDomainInformationPolicy\n");
2355
r.in.handle = handle;
2359
printf("\nTrying QueryDomainInformationPolicy level %d\n", i);
2361
status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
2363
/* If the server does not support EFS, then this is the correct return */
2364
if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2366
} else if (!NT_STATUS_IS_OK(status)) {
2367
printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status));
2377
static bool test_QueryInfoPolicyCalls( bool version2,
2378
struct dcerpc_pipe *p,
2379
struct torture_context *tctx,
2380
struct policy_handle *handle)
2382
struct lsa_QueryInfoPolicy r;
2383
union lsa_PolicyInformation *info = NULL;
2389
printf("\nTesting QueryInfoPolicy2\n");
2391
printf("\nTesting QueryInfoPolicy\n");
2393
for (i=1;i<=14;i++) {
2394
r.in.handle = handle;
2399
printf("\nTrying QueryInfoPolicy2 level %d\n", i);
2401
printf("\nTrying QueryInfoPolicy level %d\n", i);
2404
/* We can perform the cast, because both types are
2405
structurally equal */
2406
status = dcerpc_lsa_QueryInfoPolicy2(p, tctx,
2407
(struct lsa_QueryInfoPolicy2*) &r);
2409
status = dcerpc_lsa_QueryInfoPolicy(p, tctx, &r);
2412
case LSA_POLICY_INFO_MOD:
2413
case LSA_POLICY_INFO_AUDIT_FULL_SET:
2414
case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
2415
if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
2416
printf("Server should have failed level %u: %s\n", i, nt_errstr(status));
2420
case LSA_POLICY_INFO_DOMAIN:
2421
case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
2422
case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
2423
case LSA_POLICY_INFO_DNS_INT:
2424
case LSA_POLICY_INFO_DNS:
2425
case LSA_POLICY_INFO_REPLICA:
2426
case LSA_POLICY_INFO_QUOTA:
2427
case LSA_POLICY_INFO_ROLE:
2428
case LSA_POLICY_INFO_AUDIT_LOG:
2429
case LSA_POLICY_INFO_AUDIT_EVENTS:
2430
case LSA_POLICY_INFO_PD:
2431
if (!NT_STATUS_IS_OK(status)) {
2433
printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
2435
printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
2440
if (torture_setting_bool(tctx, "samba4", false)) {
2441
/* Other levels not implemented yet */
2442
if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
2444
printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
2446
printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
2449
} else if (!NT_STATUS_IS_OK(status)) {
2451
printf("QueryInfoPolicy2 failed - %s\n", nt_errstr(status));
2453
printf("QueryInfoPolicy failed - %s\n", nt_errstr(status));
2459
if (NT_STATUS_IS_OK(status) && (i == LSA_POLICY_INFO_DNS
2460
|| i == LSA_POLICY_INFO_DNS_INT)) {
2461
/* Let's look up some of these names */
2463
struct lsa_TransNameArray tnames;
2465
tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
2466
tnames.names[0].name.string = info->dns.name.string;
2467
tnames.names[0].sid_type = SID_NAME_DOMAIN;
2468
tnames.names[1].name.string = info->dns.dns_domain.string;
2469
tnames.names[1].sid_type = SID_NAME_DOMAIN;
2470
tnames.names[2].name.string = talloc_asprintf(tctx, "%s\\", info->dns.name.string);
2471
tnames.names[2].sid_type = SID_NAME_DOMAIN;
2472
tnames.names[3].name.string = talloc_asprintf(tctx, "%s\\", info->dns.dns_domain.string);
2473
tnames.names[3].sid_type = SID_NAME_DOMAIN;
2474
tnames.names[4].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.name.string);
2475
tnames.names[4].sid_type = SID_NAME_USER;
2476
tnames.names[5].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.name.string);
2477
tnames.names[5].sid_type = SID_NAME_USER;
2478
tnames.names[6].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.dns_domain.string);
2479
tnames.names[6].sid_type = SID_NAME_USER;
2480
tnames.names[7].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.dns_domain.string);
2481
tnames.names[7].sid_type = SID_NAME_USER;
2482
tnames.names[8].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.name.string);
2483
tnames.names[8].sid_type = SID_NAME_USER;
2484
tnames.names[9].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.dns_domain.string);
2485
tnames.names[9].sid_type = SID_NAME_USER;
2486
tnames.names[10].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
2487
tnames.names[10].sid_type = SID_NAME_USER;
2488
tnames.names[11].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.dns_domain.string);
2489
tnames.names[11].sid_type = SID_NAME_USER;
2490
tnames.names[12].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.name.string);
2491
tnames.names[12].sid_type = SID_NAME_USER;
2492
tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
2493
tnames.names[13].sid_type = SID_NAME_USER;
2494
ret &= test_LookupNames(p, tctx, handle, &tnames);
2502
static bool test_QueryInfoPolicy(struct dcerpc_pipe *p,
2503
struct torture_context *tctx,
2504
struct policy_handle *handle)
2506
return test_QueryInfoPolicyCalls(false, p, tctx, handle);
2509
static bool test_QueryInfoPolicy2(struct dcerpc_pipe *p,
2510
struct torture_context *tctx,
2511
struct policy_handle *handle)
2513
return test_QueryInfoPolicyCalls(true, p, tctx, handle);
2516
static bool test_GetUserName(struct dcerpc_pipe *p,
2517
struct torture_context *tctx)
2519
struct lsa_GetUserName r;
2522
struct lsa_String *authority_name_p = NULL;
2523
struct lsa_String *account_name_p = NULL;
2525
printf("\nTesting GetUserName\n");
2527
r.in.system_name = "\\";
2528
r.in.account_name = &account_name_p;
2529
r.in.authority_name = NULL;
2530
r.out.account_name = &account_name_p;
2532
status = dcerpc_lsa_GetUserName(p, tctx, &r);
2534
if (!NT_STATUS_IS_OK(status)) {
2535
printf("GetUserName failed - %s\n", nt_errstr(status));
2539
account_name_p = NULL;
2540
r.in.account_name = &account_name_p;
2541
r.in.authority_name = &authority_name_p;
2542
r.out.account_name = &account_name_p;
2544
status = dcerpc_lsa_GetUserName(p, tctx, &r);
2546
if (!NT_STATUS_IS_OK(status)) {
2547
printf("GetUserName failed - %s\n", nt_errstr(status));
2554
bool test_lsa_Close(struct dcerpc_pipe *p,
2555
struct torture_context *tctx,
2556
struct policy_handle *handle)
2560
struct policy_handle handle2;
2562
printf("\nTesting Close\n");
2564
r.in.handle = handle;
2565
r.out.handle = &handle2;
2567
status = dcerpc_lsa_Close(p, tctx, &r);
2568
if (!NT_STATUS_IS_OK(status)) {
2569
printf("Close failed - %s\n", nt_errstr(status));
2573
status = dcerpc_lsa_Close(p, tctx, &r);
2574
/* its really a fault - we need a status code for rpc fault */
2575
if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
2576
printf("Close failed - %s\n", nt_errstr(status));
2585
bool torture_rpc_lsa(struct torture_context *tctx)
2588
struct dcerpc_pipe *p;
2590
struct policy_handle *handle;
2591
struct test_join *join = NULL;
2592
struct cli_credentials *machine_creds;
2594
status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
2595
if (!NT_STATUS_IS_OK(status)) {
2599
if (!test_OpenPolicy(p, tctx)) {
2603
if (!test_lsa_OpenPolicy2(p, tctx, &handle)) {
2608
join = torture_join_domain(tctx, TEST_MACHINENAME, ACB_WSTRUST, &machine_creds);
2612
if (!test_LookupNames_wellknown(p, tctx, handle)) {
2616
if (!test_LookupNames_bogus(p, tctx, handle)) {
2620
if (!test_LookupSids_async(p, tctx, handle)) {
2624
if (!test_QueryDomainInfoPolicy(p, tctx, handle)) {
2628
if (!test_CreateAccount(p, tctx, handle)) {
2632
if (!test_CreateSecret(p, tctx, handle)) {
2635
if (!test_CreateTrustedDomain(p, tctx, handle)) {
2639
if (!test_CreateTrustedDomainEx2(p, tctx, handle)) {
2643
if (!test_EnumAccounts(p, tctx, handle)) {
2647
if (!test_EnumPrivs(p, tctx, handle)) {
2651
if (!test_QueryInfoPolicy(p, tctx, handle)) {
2655
if (!test_QueryInfoPolicy2(p, tctx, handle)) {
2659
if (!test_Delete(p, tctx, handle)) {
2663
if (!test_many_LookupSids(p, tctx, handle)) {
2667
if (!test_lsa_Close(p, tctx, handle)) {
2671
torture_leave_domain(tctx, join);
2674
if (!test_many_LookupSids(p, tctx, handle)) {
2679
if (!test_GetUserName(p, tctx)) {
2686
bool torture_rpc_lsa_get_user(struct torture_context *tctx)
2689
struct dcerpc_pipe *p;
2692
status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
2693
if (!NT_STATUS_IS_OK(status)) {
2697
if (!test_GetUserName(p, tctx)) {
2704
static bool testcase_LookupNames(struct torture_context *tctx,
2705
struct dcerpc_pipe *p)
2708
struct policy_handle *handle;
2709
struct lsa_TransNameArray tnames;
2710
struct lsa_TransNameArray2 tnames2;
2712
if (!test_OpenPolicy(p, tctx)) {
2716
if (!test_lsa_OpenPolicy2(p, tctx, &handle)) {
2725
tnames.names = talloc_array(tctx, struct lsa_TranslatedName, tnames.count);
2726
ZERO_STRUCT(tnames.names[0]);
2727
tnames.names[0].name.string = "BUILTIN";
2728
tnames.names[0].sid_type = SID_NAME_DOMAIN;
2730
if (!test_LookupNames(p, tctx, handle, &tnames)) {
2735
tnames2.names = talloc_array(tctx, struct lsa_TranslatedName2, tnames2.count);
2736
ZERO_STRUCT(tnames2.names[0]);
2737
tnames2.names[0].name.string = "BUILTIN";
2738
tnames2.names[0].sid_type = SID_NAME_DOMAIN;
2740
if (!test_LookupNames2(p, tctx, handle, &tnames2, true)) {
2744
if (!test_LookupNames3(p, tctx, handle, &tnames2, true)) {
2748
if (!test_lsa_Close(p, tctx, handle)) {
2755
struct torture_suite *torture_rpc_lsa_lookup_names(TALLOC_CTX *mem_ctx)
2757
struct torture_suite *suite;
2758
struct torture_rpc_tcase *tcase;
2760
suite = torture_suite_create(mem_ctx, "LSA-LOOKUPNAMES");
2762
tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
2764
torture_rpc_tcase_add_test(tcase, "LookupNames",
2765
testcase_LookupNames);