2
Unix SMB/CIFS implementation.
4
test suite for netlogon rpc operations
6
Copyright (C) Andrew Tridgell 2003
7
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8
Copyright (C) Tim Potter 2003
10
This program is free software; you can redistribute it and/or modify
11
it under the terms of the GNU General Public License as published by
12
the Free Software Foundation; either version 3 of the License, or
13
(at your option) any later version.
15
This program is distributed in the hope that it will be useful,
16
but WITHOUT ANY WARRANTY; without even the implied warranty of
17
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
GNU General Public License for more details.
20
You should have received a copy of the GNU General Public License
21
along with this program. If not, see <http://www.gnu.org/licenses/>.
25
#include "torture/torture.h"
26
#include "lib/events/events.h"
27
#include "auth/auth.h"
28
#include "auth/gensec/gensec.h"
29
#include "lib/cmdline/popt_common.h"
30
#include "torture/rpc/rpc.h"
31
#include "torture/rpc/netlogon.h"
32
#include "../lib/crypto/crypto.h"
33
#include "libcli/auth/libcli_auth.h"
34
#include "librpc/gen_ndr/ndr_netlogon_c.h"
35
#include "librpc/gen_ndr/ndr_netlogon.h"
36
#include "librpc/gen_ndr/ndr_lsa_c.h"
37
#include "param/param.h"
38
#include "libcli/security/security.h"
40
#define TEST_MACHINE_NAME "torturetest"
42
static bool test_LogonUasLogon(struct torture_context *tctx,
43
struct dcerpc_pipe *p)
46
struct netr_LogonUasLogon r;
47
struct netr_UasInfo *info = NULL;
49
r.in.server_name = NULL;
50
r.in.account_name = cli_credentials_get_username(cmdline_credentials);
51
r.in.workstation = TEST_MACHINE_NAME;
54
status = dcerpc_netr_LogonUasLogon(p, tctx, &r);
55
torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
60
static bool test_LogonUasLogoff(struct torture_context *tctx,
61
struct dcerpc_pipe *p)
64
struct netr_LogonUasLogoff r;
65
struct netr_UasLogoffInfo info;
67
r.in.server_name = NULL;
68
r.in.account_name = cli_credentials_get_username(cmdline_credentials);
69
r.in.workstation = TEST_MACHINE_NAME;
72
status = dcerpc_netr_LogonUasLogoff(p, tctx, &r);
73
torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
78
bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
79
struct cli_credentials *credentials,
80
struct creds_CredentialState **creds_out)
83
struct netr_ServerReqChallenge r;
84
struct netr_ServerAuthenticate a;
85
struct netr_Credential credentials1, credentials2, credentials3;
86
struct creds_CredentialState *creds;
87
const struct samr_Password *mach_password;
88
const char *machine_name;
90
mach_password = cli_credentials_get_nt_hash(credentials, tctx);
91
machine_name = cli_credentials_get_workstation(credentials);
93
torture_comment(tctx, "Testing ServerReqChallenge\n");
95
creds = talloc(tctx, struct creds_CredentialState);
96
torture_assert(tctx, creds != NULL, "memory allocation");
98
r.in.server_name = NULL;
99
r.in.computer_name = machine_name;
100
r.in.credentials = &credentials1;
101
r.out.return_credentials = &credentials2;
103
generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105
status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
106
torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
108
a.in.server_name = NULL;
109
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
110
a.in.secure_channel_type = SEC_CHAN_BDC;
111
a.in.computer_name = machine_name;
112
a.in.credentials = &credentials3;
113
a.out.return_credentials = &credentials3;
115
creds_client_init(creds, &credentials1, &credentials2,
116
mach_password, &credentials3,
119
torture_comment(tctx, "Testing ServerAuthenticate\n");
121
status = dcerpc_netr_ServerAuthenticate(p, tctx, &a);
123
/* This allows the tests to continue against the more fussy windows 2008 */
124
if (NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED)) {
125
return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
126
credentials, SEC_CHAN_BDC, creds_out);
129
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
131
torture_assert(tctx, creds_client_check(creds, &credentials3),
132
"Credential chaining failed");
138
bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
139
uint32_t negotiate_flags,
140
struct cli_credentials *machine_credentials,
142
struct creds_CredentialState **creds_out)
145
struct netr_ServerReqChallenge r;
146
struct netr_ServerAuthenticate2 a;
147
struct netr_Credential credentials1, credentials2, credentials3;
148
struct creds_CredentialState *creds;
149
const struct samr_Password *mach_password;
150
const char *machine_name;
152
mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
153
machine_name = cli_credentials_get_workstation(machine_credentials);
155
torture_comment(tctx, "Testing ServerReqChallenge\n");
157
creds = talloc(tctx, struct creds_CredentialState);
158
torture_assert(tctx, creds != NULL, "memory allocation");
160
r.in.server_name = NULL;
161
r.in.computer_name = machine_name;
162
r.in.credentials = &credentials1;
163
r.out.return_credentials = &credentials2;
165
generate_random_buffer(credentials1.data, sizeof(credentials1.data));
167
status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
168
torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
170
a.in.server_name = NULL;
171
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
172
a.in.secure_channel_type = sec_chan_type;
173
a.in.computer_name = machine_name;
174
a.in.negotiate_flags = &negotiate_flags;
175
a.out.negotiate_flags = &negotiate_flags;
176
a.in.credentials = &credentials3;
177
a.out.return_credentials = &credentials3;
179
creds_client_init(creds, &credentials1, &credentials2,
180
mach_password, &credentials3,
183
torture_comment(tctx, "Testing ServerAuthenticate2\n");
185
status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
186
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
188
torture_assert(tctx, creds_client_check(creds, &credentials3),
189
"Credential chaining failed");
191
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
198
static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
199
uint32_t negotiate_flags,
200
struct cli_credentials *machine_credentials,
201
struct creds_CredentialState **creds_out)
204
struct netr_ServerReqChallenge r;
205
struct netr_ServerAuthenticate3 a;
206
struct netr_Credential credentials1, credentials2, credentials3;
207
struct creds_CredentialState *creds;
208
struct samr_Password mach_password;
210
const char *machine_name;
211
const char *plain_pass;
213
machine_name = cli_credentials_get_workstation(machine_credentials);
214
plain_pass = cli_credentials_get_password(machine_credentials);
216
torture_comment(tctx, "Testing ServerReqChallenge\n");
218
creds = talloc(tctx, struct creds_CredentialState);
219
torture_assert(tctx, creds != NULL, "memory allocation");
221
r.in.server_name = NULL;
222
r.in.computer_name = machine_name;
223
r.in.credentials = &credentials1;
224
r.out.return_credentials = &credentials2;
226
generate_random_buffer(credentials1.data, sizeof(credentials1.data));
228
status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
229
torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
231
E_md4hash(plain_pass, mach_password.hash);
233
a.in.server_name = NULL;
234
a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
235
a.in.secure_channel_type = SEC_CHAN_BDC;
236
a.in.computer_name = machine_name;
237
a.in.negotiate_flags = &negotiate_flags;
238
a.in.credentials = &credentials3;
239
a.out.return_credentials = &credentials3;
240
a.out.negotiate_flags = &negotiate_flags;
243
creds_client_init(creds, &credentials1, &credentials2,
244
&mach_password, &credentials3,
247
torture_comment(tctx, "Testing ServerAuthenticate3\n");
249
status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
250
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
251
torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
253
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
255
/* Prove that requesting a challenge again won't break it */
256
status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
257
torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
264
try a change password for our machine account
266
static bool test_SetPassword(struct torture_context *tctx,
267
struct dcerpc_pipe *p,
268
struct cli_credentials *machine_credentials)
271
struct netr_ServerPasswordSet r;
272
const char *password;
273
struct creds_CredentialState *creds;
274
struct netr_Authenticator credential, return_authenticator;
275
struct samr_Password new_password;
277
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
281
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
282
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
283
r.in.secure_channel_type = SEC_CHAN_BDC;
284
r.in.computer_name = TEST_MACHINE_NAME;
285
r.in.credential = &credential;
286
r.in.new_password = &new_password;
287
r.out.return_authenticator = &return_authenticator;
289
password = generate_random_str(tctx, 8);
290
E_md4hash(password, new_password.hash);
292
creds_des_encrypt(creds, &new_password);
294
torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
295
torture_comment(tctx, "Changing machine account password to '%s'\n",
298
creds_client_authenticator(creds, &credential);
300
status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
301
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
303
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
304
torture_comment(tctx, "Credential chaining failed\n");
307
/* by changing the machine password twice we test the
308
credentials chaining fully, and we verify that the server
309
allows the password to be set to the same value twice in a
310
row (match win2k3) */
311
torture_comment(tctx,
312
"Testing a second ServerPasswordSet on machine account\n");
313
torture_comment(tctx,
314
"Changing machine account password to '%s' (same as previous run)\n", password);
316
creds_client_authenticator(creds, &credential);
318
status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
319
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
321
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
322
torture_comment(tctx, "Credential chaining failed\n");
325
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
328
test_SetupCredentials(p, tctx, machine_credentials, &creds),
329
"ServerPasswordSet failed to actually change the password");
335
generate a random password for password change tests
337
static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
340
DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
341
generate_random_buffer(password.data, password.length);
343
for (i=0; i < len; i++) {
344
if (((uint16_t *)password.data)[i] == 0) {
345
((uint16_t *)password.data)[i] = 1;
353
try a change password for our machine account
355
static bool test_SetPassword2(struct torture_context *tctx,
356
struct dcerpc_pipe *p,
357
struct cli_credentials *machine_credentials)
360
struct netr_ServerPasswordSet2 r;
361
const char *password;
362
DATA_BLOB new_random_pass;
363
struct creds_CredentialState *creds;
364
struct samr_CryptPassword password_buf;
365
struct samr_Password nt_hash;
366
struct netr_Authenticator credential, return_authenticator;
367
struct netr_CryptPassword new_password;
369
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
373
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
374
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
375
r.in.secure_channel_type = SEC_CHAN_BDC;
376
r.in.computer_name = TEST_MACHINE_NAME;
377
r.in.credential = &credential;
378
r.in.new_password = &new_password;
379
r.out.return_authenticator = &return_authenticator;
381
password = generate_random_str(tctx, 8);
382
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
383
creds_arcfour_crypt(creds, password_buf.data, 516);
385
memcpy(new_password.data, password_buf.data, 512);
386
new_password.length = IVAL(password_buf.data, 512);
388
torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
389
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
391
creds_client_authenticator(creds, &credential);
393
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
394
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
396
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
397
torture_comment(tctx, "Credential chaining failed\n");
400
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
402
if (!torture_setting_bool(tctx, "dangerous", false)) {
403
torture_comment(tctx,
404
"Not testing ability to set password to '', enable dangerous tests to perform this test\n");
406
/* by changing the machine password to ""
407
* we check if the server uses password restrictions
408
* for ServerPasswordSet2
409
* (win2k3 accepts "")
412
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
413
creds_arcfour_crypt(creds, password_buf.data, 516);
415
memcpy(new_password.data, password_buf.data, 512);
416
new_password.length = IVAL(password_buf.data, 512);
418
torture_comment(tctx,
419
"Testing ServerPasswordSet2 on machine account\n");
420
torture_comment(tctx,
421
"Changing machine account password to '%s'\n", password);
423
creds_client_authenticator(creds, &credential);
425
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
426
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
428
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
429
torture_comment(tctx, "Credential chaining failed\n");
432
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
435
torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
436
"ServerPasswordSet failed to actually change the password");
438
/* now try a random password */
439
password = generate_random_str(tctx, 8);
440
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
441
creds_arcfour_crypt(creds, password_buf.data, 516);
443
memcpy(new_password.data, password_buf.data, 512);
444
new_password.length = IVAL(password_buf.data, 512);
446
torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
447
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
449
creds_client_authenticator(creds, &credential);
451
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
452
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
454
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
455
torture_comment(tctx, "Credential chaining failed\n");
458
/* by changing the machine password twice we test the
459
credentials chaining fully, and we verify that the server
460
allows the password to be set to the same value twice in a
461
row (match win2k3) */
462
torture_comment(tctx,
463
"Testing a second ServerPasswordSet2 on machine account\n");
464
torture_comment(tctx,
465
"Changing machine account password to '%s' (same as previous run)\n", password);
467
creds_client_authenticator(creds, &credential);
469
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
470
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
472
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
473
torture_comment(tctx, "Credential chaining failed\n");
476
cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
478
torture_assert (tctx,
479
test_SetupCredentials(p, tctx, machine_credentials, &creds),
480
"ServerPasswordSet failed to actually change the password");
482
new_random_pass = netlogon_very_rand_pass(tctx, 128);
484
/* now try a random stream of bytes for a password */
485
set_pw_in_buffer(password_buf.data, &new_random_pass);
487
creds_arcfour_crypt(creds, password_buf.data, 516);
489
memcpy(new_password.data, password_buf.data, 512);
490
new_password.length = IVAL(password_buf.data, 512);
492
torture_comment(tctx,
493
"Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
495
creds_client_authenticator(creds, &credential);
497
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
498
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
500
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
501
torture_comment(tctx, "Credential chaining failed\n");
504
mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
506
cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
507
cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
509
torture_assert (tctx,
510
test_SetupCredentials(p, tctx, machine_credentials, &creds),
511
"ServerPasswordSet failed to actually change the password");
516
static bool test_GetPassword(struct torture_context *tctx,
517
struct dcerpc_pipe *p,
518
struct cli_credentials *machine_credentials)
520
struct netr_ServerPasswordGet r;
521
struct creds_CredentialState *creds;
522
struct netr_Authenticator credential;
524
struct netr_Authenticator return_authenticator;
525
struct samr_Password password;
527
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
531
creds_client_authenticator(creds, &credential);
533
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
534
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
535
r.in.secure_channel_type = SEC_CHAN_BDC;
536
r.in.computer_name = TEST_MACHINE_NAME;
537
r.in.credential = &credential;
538
r.out.return_authenticator = &return_authenticator;
539
r.out.password = &password;
541
status = dcerpc_netr_ServerPasswordGet(p, tctx, &r);
542
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
547
static bool test_GetTrustPasswords(struct torture_context *tctx,
548
struct dcerpc_pipe *p,
549
struct cli_credentials *machine_credentials)
551
struct netr_ServerTrustPasswordsGet r;
552
struct creds_CredentialState *creds;
553
struct netr_Authenticator credential;
555
struct netr_Authenticator return_authenticator;
556
struct samr_Password password, password2;
558
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
562
creds_client_authenticator(creds, &credential);
564
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
565
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
566
r.in.secure_channel_type = SEC_CHAN_BDC;
567
r.in.computer_name = TEST_MACHINE_NAME;
568
r.in.credential = &credential;
569
r.out.return_authenticator = &return_authenticator;
570
r.out.password = &password;
571
r.out.password2 = &password2;
573
status = dcerpc_netr_ServerTrustPasswordsGet(p, tctx, &r);
574
torture_assert_ntstatus_ok(tctx, status, "ServerTrustPasswordsGet");
580
try a netlogon SamLogon
582
bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
583
struct cli_credentials *credentials,
584
struct creds_CredentialState *creds)
587
struct netr_LogonSamLogon r;
588
struct netr_Authenticator auth, auth2;
589
union netr_LogonLevel logon;
590
union netr_Validation validation;
591
uint8_t authoritative;
592
struct netr_NetworkInfo ninfo;
593
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
595
int flags = CLI_CRED_NTLM_AUTH;
596
if (lp_client_lanman_auth(tctx->lp_ctx)) {
597
flags |= CLI_CRED_LANMAN_AUTH;
600
if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
601
flags |= CLI_CRED_NTLMv2_AUTH;
604
cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
605
&ninfo.identity_info.account_name.string,
606
&ninfo.identity_info.domain_name.string);
608
generate_random_buffer(ninfo.challenge,
609
sizeof(ninfo.challenge));
610
chal = data_blob_const(ninfo.challenge,
611
sizeof(ninfo.challenge));
613
names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
614
cli_credentials_get_domain(credentials));
616
status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
622
torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
624
ninfo.lm.data = lm_resp.data;
625
ninfo.lm.length = lm_resp.length;
627
ninfo.nt.data = nt_resp.data;
628
ninfo.nt.length = nt_resp.length;
630
ninfo.identity_info.parameter_control = 0;
631
ninfo.identity_info.logon_id_low = 0;
632
ninfo.identity_info.logon_id_high = 0;
633
ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
635
logon.network = &ninfo;
637
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
638
r.in.computer_name = cli_credentials_get_workstation(credentials);
639
r.in.credential = &auth;
640
r.in.return_authenticator = &auth2;
641
r.in.logon_level = 2;
643
r.out.validation = &validation;
644
r.out.authoritative = &authoritative;
646
d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
650
creds_client_authenticator(creds, &auth);
652
r.in.validation_level = i;
654
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
655
torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
657
torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
658
"Credential chaining failed");
661
r.in.credential = NULL;
665
r.in.validation_level = i;
667
torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
669
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
670
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
671
"LogonSamLogon expected INVALID_PARAMETER");
679
try a netlogon SamLogon
681
static bool test_SamLogon(struct torture_context *tctx,
682
struct dcerpc_pipe *p,
683
struct cli_credentials *credentials)
685
struct creds_CredentialState *creds;
687
if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
691
return test_netlogon_ops(p, tctx, credentials, creds);
694
/* we remember the sequence numbers so we can easily do a DatabaseDelta */
695
static uint64_t sequence_nums[3];
698
try a netlogon DatabaseSync
700
static bool test_DatabaseSync(struct torture_context *tctx,
701
struct dcerpc_pipe *p,
702
struct cli_credentials *machine_credentials)
705
struct netr_DatabaseSync r;
706
struct creds_CredentialState *creds;
707
const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
709
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
710
struct netr_Authenticator credential, return_authenticator;
712
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
716
ZERO_STRUCT(return_authenticator);
718
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
719
r.in.computername = TEST_MACHINE_NAME;
720
r.in.preferredmaximumlength = (uint32_t)-1;
721
r.in.return_authenticator = &return_authenticator;
722
r.out.delta_enum_array = &delta_enum_array;
723
r.out.return_authenticator = &return_authenticator;
725
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
727
uint32_t sync_context = 0;
729
r.in.database_id = database_ids[i];
730
r.in.sync_context = &sync_context;
731
r.out.sync_context = &sync_context;
733
torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
736
creds_client_authenticator(creds, &credential);
738
r.in.credential = &credential;
740
status = dcerpc_netr_DatabaseSync(p, tctx, &r);
741
if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
744
/* Native mode servers don't do this */
745
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
748
torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
750
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
751
torture_comment(tctx, "Credential chaining failed\n");
754
if (delta_enum_array &&
755
delta_enum_array->num_deltas > 0 &&
756
delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
757
delta_enum_array->delta_enum[0].delta_union.domain) {
758
sequence_nums[r.in.database_id] =
759
delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
760
torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
762
(unsigned long long)sequence_nums[r.in.database_id]);
764
} while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
772
try a netlogon DatabaseDeltas
774
static bool test_DatabaseDeltas(struct torture_context *tctx,
775
struct dcerpc_pipe *p,
776
struct cli_credentials *machine_credentials)
779
struct netr_DatabaseDeltas r;
780
struct creds_CredentialState *creds;
781
struct netr_Authenticator credential;
782
struct netr_Authenticator return_authenticator;
783
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
784
const uint32_t database_ids[] = {0, 1, 2};
787
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
791
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
792
r.in.computername = TEST_MACHINE_NAME;
793
r.in.preferredmaximumlength = (uint32_t)-1;
794
ZERO_STRUCT(r.in.return_authenticator);
795
r.out.return_authenticator = &return_authenticator;
796
r.out.delta_enum_array = &delta_enum_array;
798
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
799
r.in.database_id = database_ids[i];
800
r.in.sequence_num = &sequence_nums[r.in.database_id];
802
if (*r.in.sequence_num == 0) continue;
804
*r.in.sequence_num -= 1;
806
torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
807
r.in.database_id, (unsigned long long)*r.in.sequence_num);
810
creds_client_authenticator(creds, &credential);
812
status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
813
if (NT_STATUS_EQUAL(status,
814
NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
815
torture_comment(tctx, "not considering %s to be an error\n",
819
if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
822
torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
824
if (!creds_client_check(creds, &return_authenticator.cred)) {
825
torture_comment(tctx, "Credential chaining failed\n");
828
(*r.in.sequence_num)++;
829
} while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
835
static bool test_DatabaseRedo(struct torture_context *tctx,
836
struct dcerpc_pipe *p,
837
struct cli_credentials *machine_credentials)
840
struct netr_DatabaseRedo r;
841
struct creds_CredentialState *creds;
842
struct netr_Authenticator credential;
843
struct netr_Authenticator return_authenticator;
844
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
845
struct netr_ChangeLogEntry e;
846
struct dom_sid null_sid, *sid;
849
ZERO_STRUCT(null_sid);
851
sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
862
NTSTATUS expected_error;
863
uint32_t expected_num_results;
864
uint8_t expected_delta_type_1;
865
uint8_t expected_delta_type_2;
869
/* SAM_DATABASE_DOMAIN */
874
.db_index = SAM_DATABASE_DOMAIN,
875
.delta_type = NETR_DELTA_MODIFY_COUNT,
878
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
879
.expected_num_results = 0,
880
.comment = "NETR_DELTA_MODIFY_COUNT"
885
.db_index = SAM_DATABASE_DOMAIN,
889
.expected_error = NT_STATUS_OK,
890
.expected_num_results = 1,
891
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
892
.comment = "NULL DELTA"
897
.db_index = SAM_DATABASE_DOMAIN,
898
.delta_type = NETR_DELTA_DOMAIN,
901
.expected_error = NT_STATUS_OK,
902
.expected_num_results = 1,
903
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
904
.comment = "NETR_DELTA_DOMAIN"
907
.rid = DOMAIN_RID_ADMINISTRATOR,
909
.db_index = SAM_DATABASE_DOMAIN,
910
.delta_type = NETR_DELTA_USER,
913
.expected_error = NT_STATUS_OK,
914
.expected_num_results = 1,
915
.expected_delta_type_1 = NETR_DELTA_USER,
916
.comment = "NETR_DELTA_USER by rid 500"
919
.rid = DOMAIN_RID_GUEST,
921
.db_index = SAM_DATABASE_DOMAIN,
922
.delta_type = NETR_DELTA_USER,
925
.expected_error = NT_STATUS_OK,
926
.expected_num_results = 1,
927
.expected_delta_type_1 = NETR_DELTA_USER,
928
.comment = "NETR_DELTA_USER by rid 501"
932
.flags = NETR_CHANGELOG_SID_INCLUDED,
933
.db_index = SAM_DATABASE_DOMAIN,
934
.delta_type = NETR_DELTA_USER,
937
.expected_error = NT_STATUS_OK,
938
.expected_num_results = 1,
939
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
940
.comment = "NETR_DELTA_USER by sid and flags"
944
.flags = NETR_CHANGELOG_SID_INCLUDED,
945
.db_index = SAM_DATABASE_DOMAIN,
946
.delta_type = NETR_DELTA_USER,
949
.expected_error = NT_STATUS_OK,
950
.expected_num_results = 1,
951
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
952
.comment = "NETR_DELTA_USER by null_sid and flags"
956
.flags = NETR_CHANGELOG_NAME_INCLUDED,
957
.db_index = SAM_DATABASE_DOMAIN,
958
.delta_type = NETR_DELTA_USER,
960
.name = "administrator",
961
.expected_error = NT_STATUS_OK,
962
.expected_num_results = 1,
963
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
964
.comment = "NETR_DELTA_USER by name 'administrator'"
967
.rid = DOMAIN_RID_ADMINS,
969
.db_index = SAM_DATABASE_DOMAIN,
970
.delta_type = NETR_DELTA_GROUP,
973
.expected_error = NT_STATUS_OK,
974
.expected_num_results = 2,
975
.expected_delta_type_1 = NETR_DELTA_GROUP,
976
.expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
977
.comment = "NETR_DELTA_GROUP by rid 512"
980
.rid = DOMAIN_RID_ADMINS,
982
.db_index = SAM_DATABASE_DOMAIN,
983
.delta_type = NETR_DELTA_GROUP_MEMBER,
986
.expected_error = NT_STATUS_OK,
987
.expected_num_results = 2,
988
.expected_delta_type_1 = NETR_DELTA_GROUP,
989
.expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
990
.comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
994
/* SAM_DATABASE_BUILTIN */
999
.db_index = SAM_DATABASE_BUILTIN,
1000
.delta_type = NETR_DELTA_MODIFY_COUNT,
1003
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1004
.expected_num_results = 0,
1005
.comment = "NETR_DELTA_MODIFY_COUNT"
1010
.db_index = SAM_DATABASE_BUILTIN,
1011
.delta_type = NETR_DELTA_DOMAIN,
1014
.expected_error = NT_STATUS_OK,
1015
.expected_num_results = 1,
1016
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
1017
.comment = "NETR_DELTA_DOMAIN"
1020
.rid = DOMAIN_RID_ADMINISTRATOR,
1022
.db_index = SAM_DATABASE_BUILTIN,
1023
.delta_type = NETR_DELTA_USER,
1026
.expected_error = NT_STATUS_OK,
1027
.expected_num_results = 1,
1028
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1029
.comment = "NETR_DELTA_USER by rid 500"
1034
.db_index = SAM_DATABASE_BUILTIN,
1035
.delta_type = NETR_DELTA_USER,
1038
.expected_error = NT_STATUS_OK,
1039
.expected_num_results = 1,
1040
.expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1041
.comment = "NETR_DELTA_USER"
1046
.db_index = SAM_DATABASE_BUILTIN,
1047
.delta_type = NETR_DELTA_ALIAS,
1050
.expected_error = NT_STATUS_OK,
1051
.expected_num_results = 2,
1052
.expected_delta_type_1 = NETR_DELTA_ALIAS,
1053
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1054
.comment = "NETR_DELTA_ALIAS by rid 544"
1059
.db_index = SAM_DATABASE_BUILTIN,
1060
.delta_type = NETR_DELTA_ALIAS_MEMBER,
1063
.expected_error = NT_STATUS_OK,
1064
.expected_num_results = 2,
1065
.expected_delta_type_1 = NETR_DELTA_ALIAS,
1066
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1067
.comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1072
.db_index = SAM_DATABASE_BUILTIN,
1076
.expected_error = NT_STATUS_OK,
1077
.expected_num_results = 1,
1078
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
1079
.comment = "NULL DELTA by rid 544"
1083
.flags = NETR_CHANGELOG_SID_INCLUDED,
1084
.db_index = SAM_DATABASE_BUILTIN,
1086
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1088
.expected_error = NT_STATUS_OK,
1089
.expected_num_results = 1,
1090
.expected_delta_type_1 = NETR_DELTA_DOMAIN,
1091
.comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1095
.flags = NETR_CHANGELOG_SID_INCLUDED,
1096
.db_index = SAM_DATABASE_BUILTIN,
1097
.delta_type = NETR_DELTA_ALIAS,
1098
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1100
.expected_error = NT_STATUS_OK,
1101
.expected_num_results = 2,
1102
.expected_delta_type_1 = NETR_DELTA_ALIAS,
1103
.expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1104
.comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1108
.flags = NETR_CHANGELOG_SID_INCLUDED,
1109
.db_index = SAM_DATABASE_BUILTIN,
1110
.delta_type = NETR_DELTA_ALIAS,
1111
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1113
.expected_error = NT_STATUS_OK,
1114
.expected_num_results = 1,
1115
.expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1116
.comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1119
/* SAM_DATABASE_PRIVS */
1124
.db_index = SAM_DATABASE_PRIVS,
1128
.expected_error = NT_STATUS_ACCESS_DENIED,
1129
.expected_num_results = 0,
1130
.comment = "NULL DELTA"
1135
.db_index = SAM_DATABASE_PRIVS,
1136
.delta_type = NETR_DELTA_MODIFY_COUNT,
1139
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1140
.expected_num_results = 0,
1141
.comment = "NETR_DELTA_MODIFY_COUNT"
1146
.db_index = SAM_DATABASE_PRIVS,
1147
.delta_type = NETR_DELTA_POLICY,
1150
.expected_error = NT_STATUS_OK,
1151
.expected_num_results = 1,
1152
.expected_delta_type_1 = NETR_DELTA_POLICY,
1153
.comment = "NETR_DELTA_POLICY"
1157
.flags = NETR_CHANGELOG_SID_INCLUDED,
1158
.db_index = SAM_DATABASE_PRIVS,
1159
.delta_type = NETR_DELTA_POLICY,
1162
.expected_error = NT_STATUS_OK,
1163
.expected_num_results = 1,
1164
.expected_delta_type_1 = NETR_DELTA_POLICY,
1165
.comment = "NETR_DELTA_POLICY by null sid and flags"
1169
.flags = NETR_CHANGELOG_SID_INCLUDED,
1170
.db_index = SAM_DATABASE_PRIVS,
1171
.delta_type = NETR_DELTA_POLICY,
1172
.sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1174
.expected_error = NT_STATUS_OK,
1175
.expected_num_results = 1,
1176
.expected_delta_type_1 = NETR_DELTA_POLICY,
1177
.comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1180
.rid = DOMAIN_RID_ADMINISTRATOR,
1182
.db_index = SAM_DATABASE_PRIVS,
1183
.delta_type = NETR_DELTA_ACCOUNT,
1186
.expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1187
.expected_num_results = 0,
1188
.comment = "NETR_DELTA_ACCOUNT by rid 500"
1192
.flags = NETR_CHANGELOG_SID_INCLUDED,
1193
.db_index = SAM_DATABASE_PRIVS,
1194
.delta_type = NETR_DELTA_ACCOUNT,
1195
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1197
.expected_error = NT_STATUS_OK,
1198
.expected_num_results = 1,
1199
.expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1200
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1204
.flags = NETR_CHANGELOG_SID_INCLUDED |
1205
NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1206
.db_index = SAM_DATABASE_PRIVS,
1207
.delta_type = NETR_DELTA_ACCOUNT,
1208
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1210
.expected_error = NT_STATUS_OK,
1211
.expected_num_results = 1,
1212
.expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1213
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1217
.flags = NETR_CHANGELOG_SID_INCLUDED |
1218
NETR_CHANGELOG_NAME_INCLUDED,
1219
.db_index = SAM_DATABASE_PRIVS,
1220
.delta_type = NETR_DELTA_ACCOUNT,
1221
.sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1223
.expected_error = NT_STATUS_INVALID_PARAMETER,
1224
.expected_num_results = 0,
1225
.comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1228
.rid = DOMAIN_RID_ADMINISTRATOR,
1229
.flags = NETR_CHANGELOG_SID_INCLUDED,
1230
.db_index = SAM_DATABASE_PRIVS,
1231
.delta_type = NETR_DELTA_ACCOUNT,
1234
.expected_error = NT_STATUS_OK,
1235
.expected_num_results = 1,
1236
.expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1237
.comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1241
.flags = NETR_CHANGELOG_NAME_INCLUDED,
1242
.db_index = SAM_DATABASE_PRIVS,
1243
.delta_type = NETR_DELTA_SECRET,
1245
.name = "IsurelydontexistIhope",
1246
.expected_error = NT_STATUS_OK,
1247
.expected_num_results = 1,
1248
.expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1249
.comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1253
.flags = NETR_CHANGELOG_NAME_INCLUDED,
1254
.db_index = SAM_DATABASE_PRIVS,
1255
.delta_type = NETR_DELTA_SECRET,
1257
.name = "G$BCKUPKEY_P",
1258
.expected_error = NT_STATUS_OK,
1259
.expected_num_results = 1,
1260
.expected_delta_type_1 = NETR_DELTA_SECRET,
1261
.comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1265
ZERO_STRUCT(return_authenticator);
1267
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1268
r.in.computername = TEST_MACHINE_NAME;
1269
r.in.return_authenticator = &return_authenticator;
1270
r.out.return_authenticator = &return_authenticator;
1271
r.out.delta_enum_array = &delta_enum_array;
1273
for (d=0; d<3; d++) {
1275
const char *database;
1282
database = "BUILTIN";
1291
torture_comment(tctx, "Testing DatabaseRedo\n");
1293
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1297
for (i=0;i<ARRAY_SIZE(changes);i++) {
1299
if (d != changes[i].db_index) {
1303
creds_client_authenticator(creds, &credential);
1305
r.in.credential = &credential;
1307
e.serial_number1 = 0;
1308
e.serial_number2 = 0;
1309
e.object_rid = changes[i].rid;
1310
e.flags = changes[i].flags;
1311
e.db_index = changes[i].db_index;
1312
e.delta_type = changes[i].delta_type;
1314
switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1315
case NETR_CHANGELOG_SID_INCLUDED:
1316
e.object.object_sid = changes[i].sid;
1318
case NETR_CHANGELOG_NAME_INCLUDED:
1319
e.object.object_name = changes[i].name;
1325
r.in.change_log_entry = e;
1327
torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1328
database, changes[i].comment);
1330
status = dcerpc_netr_DatabaseRedo(p, tctx, &r);
1331
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1335
torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment);
1336
if (delta_enum_array) {
1337
torture_assert_int_equal(tctx,
1338
delta_enum_array->num_deltas,
1339
changes[i].expected_num_results,
1340
changes[i].comment);
1341
if (delta_enum_array->num_deltas > 0) {
1342
torture_assert_int_equal(tctx,
1343
delta_enum_array->delta_enum[0].delta_type,
1344
changes[i].expected_delta_type_1,
1345
changes[i].comment);
1347
if (delta_enum_array->num_deltas > 1) {
1348
torture_assert_int_equal(tctx,
1349
delta_enum_array->delta_enum[1].delta_type,
1350
changes[i].expected_delta_type_2,
1351
changes[i].comment);
1355
if (!creds_client_check(creds, &return_authenticator.cred)) {
1356
torture_comment(tctx, "Credential chaining failed\n");
1357
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1369
try a netlogon AccountDeltas
1371
static bool test_AccountDeltas(struct torture_context *tctx,
1372
struct dcerpc_pipe *p,
1373
struct cli_credentials *machine_credentials)
1376
struct netr_AccountDeltas r;
1377
struct creds_CredentialState *creds;
1379
struct netr_AccountBuffer buffer;
1380
uint32_t count_returned = 0;
1381
uint32_t total_entries = 0;
1382
struct netr_UAS_INFO_0 recordid;
1383
struct netr_Authenticator return_authenticator;
1385
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1389
ZERO_STRUCT(return_authenticator);
1391
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1392
r.in.computername = TEST_MACHINE_NAME;
1393
r.in.return_authenticator = &return_authenticator;
1394
creds_client_authenticator(creds, &r.in.credential);
1395
ZERO_STRUCT(r.in.uas);
1398
r.in.buffersize=100;
1399
r.out.buffer = &buffer;
1400
r.out.count_returned = &count_returned;
1401
r.out.total_entries = &total_entries;
1402
r.out.recordid = &recordid;
1403
r.out.return_authenticator = &return_authenticator;
1405
/* w2k3 returns "NOT IMPLEMENTED" for this call */
1406
status = dcerpc_netr_AccountDeltas(p, tctx, &r);
1407
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1413
try a netlogon AccountSync
1415
static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1416
struct cli_credentials *machine_credentials)
1419
struct netr_AccountSync r;
1420
struct creds_CredentialState *creds;
1422
struct netr_AccountBuffer buffer;
1423
uint32_t count_returned = 0;
1424
uint32_t total_entries = 0;
1425
uint32_t next_reference = 0;
1426
struct netr_UAS_INFO_0 recordid;
1427
struct netr_Authenticator return_authenticator;
1429
ZERO_STRUCT(recordid);
1430
ZERO_STRUCT(return_authenticator);
1432
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1436
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1437
r.in.computername = TEST_MACHINE_NAME;
1438
r.in.return_authenticator = &return_authenticator;
1439
creds_client_authenticator(creds, &r.in.credential);
1440
r.in.recordid = &recordid;
1443
r.in.buffersize=100;
1444
r.out.buffer = &buffer;
1445
r.out.count_returned = &count_returned;
1446
r.out.total_entries = &total_entries;
1447
r.out.next_reference = &next_reference;
1448
r.out.recordid = &recordid;
1449
r.out.return_authenticator = &return_authenticator;
1451
/* w2k3 returns "NOT IMPLEMENTED" for this call */
1452
status = dcerpc_netr_AccountSync(p, tctx, &r);
1453
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1459
try a netlogon GetDcName
1461
static bool test_GetDcName(struct torture_context *tctx,
1462
struct dcerpc_pipe *p)
1465
struct netr_GetDcName r;
1466
const char *dcname = NULL;
1468
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1469
r.in.domainname = lp_workgroup(tctx->lp_ctx);
1470
r.out.dcname = &dcname;
1472
status = dcerpc_netr_GetDcName(p, tctx, &r);
1473
torture_assert_ntstatus_ok(tctx, status, "GetDcName");
1474
torture_assert_werr_ok(tctx, r.out.result, "GetDcName");
1476
torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1482
try a netlogon LogonControl
1484
static bool test_LogonControl(struct torture_context *tctx,
1485
struct dcerpc_pipe *p)
1488
struct netr_LogonControl r;
1489
union netr_CONTROL_QUERY_INFORMATION info;
1492
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1493
r.in.function_code = 1;
1499
torture_comment(tctx, "Testing LogonControl level %d\n", i);
1501
status = dcerpc_netr_LogonControl(p, tctx, &r);
1502
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1510
try a netlogon GetAnyDCName
1512
static bool test_GetAnyDCName(struct torture_context *tctx,
1513
struct dcerpc_pipe *p)
1516
struct netr_GetAnyDCName r;
1517
const char *dcname = NULL;
1519
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1520
r.in.domainname = lp_workgroup(tctx->lp_ctx);
1521
r.out.dcname = &dcname;
1523
status = dcerpc_netr_GetAnyDCName(p, tctx, &r);
1524
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1525
torture_assert_werr_ok(tctx, r.out.result, "GetAnyDCName");
1528
torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1536
try a netlogon LogonControl2
1538
static bool test_LogonControl2(struct torture_context *tctx,
1539
struct dcerpc_pipe *p)
1542
struct netr_LogonControl2 r;
1543
union netr_CONTROL_DATA_INFORMATION data;
1544
union netr_CONTROL_QUERY_INFORMATION query;
1547
data.domain = lp_workgroup(tctx->lp_ctx);
1549
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1551
r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1553
r.out.query = &query;
1558
torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1559
i, r.in.function_code);
1561
status = dcerpc_netr_LogonControl2(p, tctx, &r);
1562
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1565
data.domain = lp_workgroup(tctx->lp_ctx);
1567
r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1573
torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1574
i, r.in.function_code);
1576
status = dcerpc_netr_LogonControl2(p, tctx, &r);
1577
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1580
data.domain = lp_workgroup(tctx->lp_ctx);
1582
r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1588
torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1589
i, r.in.function_code);
1591
status = dcerpc_netr_LogonControl2(p, tctx, &r);
1592
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1595
data.debug_level = ~0;
1597
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1603
torture_comment(tctx, "Testing LogonControl2 level %d function %d\n",
1604
i, r.in.function_code);
1606
status = dcerpc_netr_LogonControl2(p, tctx, &r);
1607
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1614
try a netlogon DatabaseSync2
1616
static bool test_DatabaseSync2(struct torture_context *tctx,
1617
struct dcerpc_pipe *p,
1618
struct cli_credentials *machine_credentials)
1621
struct netr_DatabaseSync2 r;
1622
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1623
struct netr_Authenticator return_authenticator, credential;
1625
struct creds_CredentialState *creds;
1626
const uint32_t database_ids[] = {0, 1, 2};
1629
if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
1630
machine_credentials,
1631
SEC_CHAN_BDC, &creds)) {
1635
ZERO_STRUCT(return_authenticator);
1637
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1638
r.in.computername = TEST_MACHINE_NAME;
1639
r.in.preferredmaximumlength = (uint32_t)-1;
1640
r.in.return_authenticator = &return_authenticator;
1641
r.out.return_authenticator = &return_authenticator;
1642
r.out.delta_enum_array = &delta_enum_array;
1644
for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1646
uint32_t sync_context = 0;
1648
r.in.database_id = database_ids[i];
1649
r.in.sync_context = &sync_context;
1650
r.out.sync_context = &sync_context;
1651
r.in.restart_state = 0;
1653
torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
1656
creds_client_authenticator(creds, &credential);
1658
r.in.credential = &credential;
1660
status = dcerpc_netr_DatabaseSync2(p, tctx, &r);
1661
if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES))
1664
/* Native mode servers don't do this */
1665
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
1669
torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
1671
if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
1672
torture_comment(tctx, "Credential chaining failed\n");
1675
} while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
1683
try a netlogon LogonControl2Ex
1685
static bool test_LogonControl2Ex(struct torture_context *tctx,
1686
struct dcerpc_pipe *p)
1689
struct netr_LogonControl2Ex r;
1690
union netr_CONTROL_DATA_INFORMATION data;
1691
union netr_CONTROL_QUERY_INFORMATION query;
1694
data.domain = lp_workgroup(tctx->lp_ctx);
1696
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1698
r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1700
r.out.query = &query;
1705
torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1706
i, r.in.function_code);
1708
status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1709
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1712
data.domain = lp_workgroup(tctx->lp_ctx);
1714
r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1720
torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1721
i, r.in.function_code);
1723
status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1724
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1727
data.domain = lp_workgroup(tctx->lp_ctx);
1729
r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1735
torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1736
i, r.in.function_code);
1738
status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1739
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1742
data.debug_level = ~0;
1744
r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1750
torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
1751
i, r.in.function_code);
1753
status = dcerpc_netr_LogonControl2Ex(p, tctx, &r);
1754
torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1760
static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
1761
struct dcerpc_pipe *p, const char *trusted_domain_name)
1764
struct netr_DsRGetForestTrustInformation r;
1765
struct lsa_ForestTrustInformation info, *info_ptr;
1769
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1770
r.in.trusted_domain_name = trusted_domain_name;
1772
r.out.forest_trust_info = &info_ptr;
1774
torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
1776
status = dcerpc_netr_DsRGetForestTrustInformation(p, tctx, &r);
1777
torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
1778
torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
1784
try a netlogon netr_DsrEnumerateDomainTrusts
1786
static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
1787
struct dcerpc_pipe *p)
1790
struct netr_DsrEnumerateDomainTrusts r;
1791
struct netr_DomainTrustList trusts;
1794
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1795
r.in.trust_flags = 0x3f;
1796
r.out.trusts = &trusts;
1798
status = dcerpc_netr_DsrEnumerateDomainTrusts(p, tctx, &r);
1799
torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
1800
torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
1802
/* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
1803
* will show non-forest trusts and all UPN suffixes of the own forest
1804
* as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
1806
if (r.out.trusts->count) {
1807
if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
1812
for (i=0; i<r.out.trusts->count; i++) {
1814
/* get info for transitive forest trusts */
1816
if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1817
if (!test_netr_DsRGetForestTrustInformation(tctx, p,
1818
r.out.trusts->array[i].dns_name)) {
1827
static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
1828
struct dcerpc_pipe *p)
1831
struct netr_NetrEnumerateTrustedDomains r;
1832
struct netr_Blob trusted_domains_blob;
1834
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1835
r.out.trusted_domains_blob = &trusted_domains_blob;
1837
status = dcerpc_netr_NetrEnumerateTrustedDomains(p, tctx, &r);
1838
torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
1839
torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
1844
static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
1845
struct dcerpc_pipe *p)
1848
struct netr_NetrEnumerateTrustedDomainsEx r;
1849
struct netr_DomainTrustList dom_trust_list;
1851
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1852
r.out.dom_trust_list = &dom_trust_list;
1854
status = dcerpc_netr_NetrEnumerateTrustedDomainsEx(p, tctx, &r);
1855
torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
1856
torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
1862
static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
1863
const char *computer_name,
1864
const char *expected_site)
1867
struct netr_DsRGetSiteName r;
1868
const char *site = NULL;
1870
if (torture_setting_bool(tctx, "samba4", false))
1871
torture_skip(tctx, "skipping DsRGetSiteName test against Samba4");
1873
r.in.computer_name = computer_name;
1875
torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
1877
status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1878
torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1879
torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
1880
torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
1882
r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
1883
torture_comment(tctx,
1884
"Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
1886
status = dcerpc_netr_DsRGetSiteName(p, tctx, &r);
1887
torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
1888
torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
1894
try a netlogon netr_DsRGetDCName
1896
static bool test_netr_DsRGetDCName(struct torture_context *tctx,
1897
struct dcerpc_pipe *p)
1900
struct netr_DsRGetDCName r;
1901
struct netr_DsRGetDCNameInfo *info = NULL;
1903
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1904
r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1905
r.in.domain_guid = NULL;
1906
r.in.site_guid = NULL;
1907
r.in.flags = DS_RETURN_DNS_NAME;
1910
status = dcerpc_netr_DsRGetDCName(p, tctx, &r);
1911
torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
1912
torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
1913
return test_netr_DsRGetSiteName(p, tctx,
1915
info->dc_site_name);
1919
try a netlogon netr_DsRGetDCNameEx
1921
static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
1922
struct dcerpc_pipe *p)
1925
struct netr_DsRGetDCNameEx r;
1926
struct netr_DsRGetDCNameInfo *info = NULL;
1928
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1929
r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1930
r.in.domain_guid = NULL;
1931
r.in.site_name = NULL;
1932
r.in.flags = DS_RETURN_DNS_NAME;
1935
status = dcerpc_netr_DsRGetDCNameEx(p, tctx, &r);
1936
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
1937
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
1939
return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1940
info->dc_site_name);
1944
try a netlogon netr_DsRGetDCNameEx2
1946
static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
1947
struct dcerpc_pipe *p)
1950
struct netr_DsRGetDCNameEx2 r;
1951
struct netr_DsRGetDCNameInfo *info = NULL;
1953
r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1954
r.in.client_account = NULL;
1955
r.in.mask = 0x00000000;
1956
r.in.domain_name = talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
1957
r.in.domain_guid = NULL;
1958
r.in.site_name = NULL;
1959
r.in.flags = DS_RETURN_DNS_NAME;
1962
torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
1964
status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1965
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1966
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1968
torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client acount\n");
1969
r.in.client_account = TEST_MACHINE_NAME"$";
1970
r.in.mask = ACB_SVRTRUST;
1971
r.in.flags = DS_RETURN_FLAT_NAME;
1974
status = dcerpc_netr_DsRGetDCNameEx2(p, tctx, &r);
1975
torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
1976
torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
1977
return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
1978
info->dc_site_name);
1981
static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
1982
struct dcerpc_pipe *p)
1985
struct netr_DsrGetDcSiteCoverageW r;
1986
struct DcSitesCtr *ctr = NULL;
1988
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1991
status = dcerpc_netr_DsrGetDcSiteCoverageW(p, tctx, &r);
1992
torture_assert_ntstatus_ok(tctx, status, "failed");
1993
torture_assert_werr_ok(tctx, r.out.result, "failed");
1998
static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
1999
struct dcerpc_pipe *p)
2002
struct netr_DsRAddressToSitenamesW r;
2003
struct netr_DsRAddress addr;
2004
struct netr_DsRAddressToSitenamesWCtr *ctr;
2006
ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2009
addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2011
addr.buffer[0] = 2; /* AF_INET */
2012
addr.buffer[4] = 127;
2017
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2019
r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2020
r.in.addresses[0] = addr;
2023
status = dcerpc_netr_DsRAddressToSitenamesW(p, tctx, &r);
2024
torture_assert_ntstatus_ok(tctx, status, "failed");
2025
torture_assert_werr_ok(tctx, r.out.result, "failed");
2030
static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2031
struct dcerpc_pipe *p)
2034
struct netr_DsRAddressToSitenamesExW r;
2035
struct netr_DsRAddress addr;
2036
struct netr_DsRAddressToSitenamesExWCtr *ctr;
2038
ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2041
addr.buffer = talloc_zero_array(tctx, uint8_t, addr.size);
2043
addr.buffer[0] = 2; /* AF_INET */
2044
addr.buffer[4] = 127;
2049
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2051
r.in.addresses = talloc_zero_array(tctx, struct netr_DsRAddress, r.in.count);
2052
r.in.addresses[0] = addr;
2055
status = dcerpc_netr_DsRAddressToSitenamesExW(p, tctx, &r);
2056
torture_assert_ntstatus_ok(tctx, status, "failed");
2057
torture_assert_werr_ok(tctx, r.out.result, "failed");
2062
static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2063
struct dcerpc_pipe *p,
2064
struct cli_credentials *machine_credentials)
2067
struct netr_ServerGetTrustInfo r;
2069
struct netr_Authenticator a;
2070
struct netr_Authenticator return_authenticator;
2071
struct samr_Password new_owf_password;
2072
struct samr_Password old_owf_password;
2073
struct netr_TrustInfo *trust_info;
2075
struct creds_CredentialState *creds;
2077
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2078
machine_credentials, &creds)) {
2082
creds_client_authenticator(creds, &a);
2084
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2085
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2086
r.in.secure_channel_type = SEC_CHAN_BDC;
2087
r.in.computer_name = TEST_MACHINE_NAME;
2088
r.in.credential = &a;
2090
r.out.return_authenticator = &return_authenticator;
2091
r.out.new_owf_password = &new_owf_password;
2092
r.out.old_owf_password = &old_owf_password;
2093
r.out.trust_info = &trust_info;
2095
status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
2096
torture_assert_ntstatus_ok(tctx, status, "failed");
2097
torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2103
static bool test_GetDomainInfo(struct torture_context *tctx,
2104
struct dcerpc_pipe *p,
2105
struct cli_credentials *machine_credentials)
2108
struct netr_LogonGetDomainInfo r;
2109
struct netr_DomainQuery1 q1;
2110
struct netr_Authenticator a;
2111
struct creds_CredentialState *creds;
2112
union netr_DomainInfo info;
2114
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2115
machine_credentials, &creds)) {
2121
creds_client_authenticator(creds, &a);
2123
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2124
r.in.computer_name = TEST_MACHINE_NAME;
2126
r.in.credential = &a;
2127
r.in.return_authenticator = &a;
2128
r.out.return_authenticator = &a;
2131
r.in.query.query1 = &q1;
2134
/* this should really be the fully qualified name */
2135
q1.workstation_domain = TEST_MACHINE_NAME;
2136
q1.workstation_site = "Default-First-Site-Name";
2137
q1.blob2.length = 0;
2139
q1.blob2.array = NULL;
2140
q1.product.string = "product string";
2142
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
2144
status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2145
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2146
torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2148
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
2149
creds_client_authenticator(creds, &a);
2151
status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
2152
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
2153
torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
2159
static void async_callback(struct rpc_request *req)
2161
int *counter = (int *)req->async.private_data;
2162
if (NT_STATUS_IS_OK(req->status)) {
2167
static bool test_GetDomainInfo_async(struct torture_context *tctx,
2168
struct dcerpc_pipe *p,
2169
struct cli_credentials *machine_credentials)
2172
struct netr_LogonGetDomainInfo r;
2173
struct netr_DomainQuery1 q1;
2174
struct netr_Authenticator a;
2175
#define ASYNC_COUNT 100
2176
struct creds_CredentialState *creds;
2177
struct creds_CredentialState *creds_async[ASYNC_COUNT];
2178
struct rpc_request *req[ASYNC_COUNT];
2180
int *async_counter = talloc(tctx, int);
2181
union netr_DomainInfo info;
2183
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2184
machine_credentials, &creds)) {
2189
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2190
r.in.computer_name = TEST_MACHINE_NAME;
2192
r.in.credential = &a;
2193
r.in.return_authenticator = &a;
2194
r.out.return_authenticator = &a;
2197
r.in.query.query1 = &q1;
2200
/* this should really be the fully qualified name */
2201
q1.workstation_domain = TEST_MACHINE_NAME;
2202
q1.workstation_site = "Default-First-Site-Name";
2203
q1.blob2.length = 0;
2205
q1.blob2.array = NULL;
2206
q1.product.string = "product string";
2208
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
2212
for (i=0;i<ASYNC_COUNT;i++) {
2213
creds_client_authenticator(creds, &a);
2215
creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
2216
req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
2218
req[i]->async.callback = async_callback;
2219
req[i]->async.private_data = async_counter;
2221
/* even with this flush per request a w2k3 server seems to
2222
clag with multiple outstanding requests. bleergh. */
2223
torture_assert_int_equal(tctx, event_loop_once(dcerpc_event_context(p)), 0,
2224
"event_loop_once failed");
2227
for (i=0;i<ASYNC_COUNT;i++) {
2228
status = dcerpc_ndr_request_recv(req[i]);
2230
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
2231
torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
2233
torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
2234
"Credential chaining failed at async");
2237
torture_comment(tctx,
2238
"Testing netr_LogonGetDomainInfo - async count %d OK\n", *async_counter);
2240
torture_assert_int_equal(tctx, (*async_counter), ASYNC_COUNT, "int");
2245
static bool test_ManyGetDCName(struct torture_context *tctx,
2246
struct dcerpc_pipe *p)
2249
struct dcerpc_pipe *p2;
2250
struct lsa_ObjectAttribute attr;
2251
struct lsa_QosInfo qos;
2252
struct lsa_OpenPolicy2 o;
2253
struct policy_handle lsa_handle;
2254
struct lsa_DomainList domains;
2256
struct lsa_EnumTrustDom t;
2257
uint32_t resume_handle = 0;
2258
struct netr_GetAnyDCName d;
2259
const char *dcname = NULL;
2263
if (p->conn->transport.transport != NCACN_NP) {
2267
torture_comment(tctx, "Torturing GetDCName\n");
2269
status = dcerpc_secondary_connection(p, &p2, p->binding);
2270
torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
2272
status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
2273
torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
2276
qos.impersonation_level = 2;
2277
qos.context_mode = 1;
2278
qos.effective_only = 0;
2281
attr.root_dir = NULL;
2282
attr.object_name = NULL;
2283
attr.attributes = 0;
2284
attr.sec_desc = NULL;
2285
attr.sec_qos = &qos;
2287
o.in.system_name = "\\";
2289
o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2290
o.out.handle = &lsa_handle;
2292
status = dcerpc_lsa_OpenPolicy2(p2, tctx, &o);
2293
torture_assert_ntstatus_ok(tctx, status, "OpenPolicy2 failed");
2295
t.in.handle = &lsa_handle;
2296
t.in.resume_handle = &resume_handle;
2297
t.in.max_size = 1000;
2298
t.out.domains = &domains;
2299
t.out.resume_handle = &resume_handle;
2301
status = dcerpc_lsa_EnumTrustDom(p2, tctx, &t);
2303
if ((!NT_STATUS_IS_OK(status) &&
2304
(!NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES))))
2305
torture_fail(tctx, "Could not list domains");
2309
d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
2310
dcerpc_server_name(p));
2311
d.out.dcname = &dcname;
2313
for (i=0; i<domains.count * 4; i++) {
2314
struct lsa_DomainInfo *info =
2315
&domains.domains[rand()%domains.count];
2317
d.in.domainname = info->name.string;
2319
status = dcerpc_netr_GetAnyDCName(p, tctx, &d);
2320
torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
2322
torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
2323
dcname ? dcname : "unknown");
2329
struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
2331
struct torture_suite *suite = torture_suite_create(mem_ctx, "NETLOGON");
2332
struct torture_rpc_tcase *tcase;
2333
struct torture_test *test;
2335
tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "netlogon",
2336
&ndr_table_netlogon, TEST_MACHINE_NAME);
2338
torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
2339
torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
2340
torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
2341
torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
2342
torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
2343
torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
2344
torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
2345
torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
2346
torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
2347
torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
2348
torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
2349
torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
2350
torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
2351
torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
2352
torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
2353
torture_rpc_tcase_add_test(tcase, "LogonControl", test_LogonControl);
2354
torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
2355
torture_rpc_tcase_add_test(tcase, "LogonControl2", test_LogonControl2);
2356
torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
2357
torture_rpc_tcase_add_test(tcase, "LogonControl2Ex", test_LogonControl2Ex);
2358
torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
2359
torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
2360
torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
2361
test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
2362
test->dangerous = true;
2363
torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
2364
torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
2365
torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
2366
torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
2367
torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
2368
torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
2369
torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);