2 Unix SMB/CIFS implementation.
3 test suite for lsa rpc lookup operations
5 Copyright (C) Volker Lendecke 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "torture/rpc/rpc.h"
23 #include "librpc/gen_ndr/ndr_lsa_c.h"
24 #include "libcli/security/security.h"
26 static bool open_policy(struct torture_context *tctx,
27 struct dcerpc_binding_handle *b,
28 struct policy_handle **handle)
30 struct lsa_ObjectAttribute attr;
31 struct lsa_QosInfo qos;
32 struct lsa_OpenPolicy2 r;
34 *handle = talloc(tctx, struct policy_handle);
40 qos.impersonation_level = 2;
42 qos.effective_only = 0;
46 attr.object_name = NULL;
51 r.in.system_name = "\\";
53 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
54 r.out.handle = *handle;
56 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b, tctx, &r),
57 "OpenPolicy2 failed");
59 return NT_STATUS_IS_OK(r.out.result);
62 static bool get_domainsid(struct torture_context *tctx,
63 struct dcerpc_binding_handle *b,
64 struct policy_handle *handle,
67 struct lsa_QueryInfoPolicy r;
68 union lsa_PolicyInformation *info = NULL;
70 r.in.level = LSA_POLICY_INFO_DOMAIN;
74 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy_r(b, tctx, &r),
75 "QueryInfoPolicy failed");
76 torture_assert_ntstatus_ok(tctx, r.out.result, "QueryInfoPolicy failed");
78 *sid = info->domain.sid;
82 static NTSTATUS lookup_sids(struct torture_context *tctx,
84 struct dcerpc_binding_handle *b,
85 struct policy_handle *handle,
86 struct dom_sid **sids, uint32_t num_sids,
87 struct lsa_TransNameArray *names)
89 struct lsa_LookupSids r;
90 struct lsa_SidArray sidarray;
91 struct lsa_RefDomainList *domains;
99 sidarray.num_sids = num_sids;
100 sidarray.sids = talloc_array(tctx, struct lsa_SidPtr, num_sids);
102 for (i=0; i<num_sids; i++) {
103 sidarray.sids[i].sid = sids[i];
106 r.in.handle = handle;
107 r.in.sids = &sidarray;
112 r.out.count = &count;
113 r.out.domains = &domains;
115 status = dcerpc_lsa_LookupSids_r(b, tctx, &r);
116 if (!NT_STATUS_IS_OK(status)) {
122 static const char *sid_type_lookup(enum lsa_SidType r)
125 case SID_NAME_USE_NONE: return "SID_NAME_USE_NONE"; break;
126 case SID_NAME_USER: return "SID_NAME_USER"; break;
127 case SID_NAME_DOM_GRP: return "SID_NAME_DOM_GRP"; break;
128 case SID_NAME_DOMAIN: return "SID_NAME_DOMAIN"; break;
129 case SID_NAME_ALIAS: return "SID_NAME_ALIAS"; break;
130 case SID_NAME_WKN_GRP: return "SID_NAME_WKN_GRP"; break;
131 case SID_NAME_DELETED: return "SID_NAME_DELETED"; break;
132 case SID_NAME_INVALID: return "SID_NAME_INVALID"; break;
133 case SID_NAME_UNKNOWN: return "SID_NAME_UNKNOWN"; break;
134 case SID_NAME_COMPUTER: return "SID_NAME_COMPUTER"; break;
136 return "Invalid sid type\n";
139 static bool test_lookupsids(struct torture_context *tctx,
140 struct dcerpc_binding_handle *b,
141 struct policy_handle *handle,
142 struct dom_sid **sids, uint32_t num_sids,
143 int level, NTSTATUS expected_result,
144 enum lsa_SidType *types)
146 struct lsa_TransNameArray names;
151 status = lookup_sids(tctx, level, b, handle, sids, num_sids,
153 if (!NT_STATUS_EQUAL(status, expected_result)) {
154 printf("For level %d expected %s, got %s\n",
155 level, nt_errstr(expected_result),
160 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK) &&
161 !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
165 for (i=0; i<num_sids; i++) {
166 if (names.names[i].sid_type != types[i]) {
167 printf("In level %d, for sid %s expected %s, "
169 dom_sid_string(tctx, sids[i]),
170 sid_type_lookup(types[i]),
171 sid_type_lookup(names.names[i].sid_type));
178 static bool get_downleveltrust(struct torture_context *tctx, struct dcerpc_binding_handle *b,
179 struct policy_handle *handle,
180 struct dom_sid **sid)
182 struct lsa_EnumTrustDom r;
183 uint32_t resume_handle = 0;
184 struct lsa_DomainList domains;
187 r.in.handle = handle;
188 r.in.resume_handle = &resume_handle;
189 r.in.max_size = 1000;
190 r.out.domains = &domains;
191 r.out.resume_handle = &resume_handle;
193 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
194 "EnumTrustDom failed");
196 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES))
197 torture_fail(tctx, "no trusts");
199 if (domains.count == 0) {
200 torture_fail(tctx, "no trusts");
203 for (i=0; i<domains.count; i++) {
204 struct lsa_QueryTrustedDomainInfoBySid q;
205 union lsa_TrustedDomainInfo *info = NULL;
207 if (domains.domains[i].sid == NULL)
210 q.in.handle = handle;
211 q.in.dom_sid = domains.domains[i].sid;
215 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoBySid_r(b, tctx, &q),
216 "QueryTrustedDomainInfoBySid failed");
217 if (!NT_STATUS_IS_OK(q.out.result)) continue;
219 if ((info->info_ex.trust_direction & 2) &&
220 (info->info_ex.trust_type == 1)) {
221 *sid = domains.domains[i].sid;
226 torture_fail(tctx, "I need a AD DC with an outgoing trust to NT4");
231 bool torture_rpc_lsa_lookup(struct torture_context *torture)
234 struct dcerpc_pipe *p;
236 struct policy_handle *handle;
237 struct dom_sid *dom_sid = NULL;
238 struct dom_sid *trusted_sid = NULL;
239 struct dom_sid *sids[NUM_SIDS];
240 struct dcerpc_binding_handle *b;
242 status = torture_rpc_connection(torture, &p, &ndr_table_lsarpc);
243 if (!NT_STATUS_IS_OK(status)) {
244 torture_fail(torture, "unable to connect to table");
246 b = p->binding_handle;
248 ret &= open_policy(torture, b, &handle);
249 if (!ret) return false;
251 ret &= get_domainsid(torture, b, handle, &dom_sid);
252 if (!ret) return false;
254 ret &= get_downleveltrust(torture, b, handle, &trusted_sid);
255 if (!ret) return false;
257 torture_comment(torture, "domain sid: %s\n",
258 dom_sid_string(torture, dom_sid));
260 sids[0] = dom_sid_parse_talloc(torture, "S-1-1-0");
261 sids[1] = dom_sid_parse_talloc(torture, "S-1-5-4");
262 sids[2] = dom_sid_parse_talloc(torture, "S-1-5-32");
263 sids[3] = dom_sid_parse_talloc(torture, "S-1-5-32-545");
264 sids[4] = dom_sid_dup(torture, dom_sid);
265 sids[5] = dom_sid_add_rid(torture, dom_sid, 512);
266 sids[6] = dom_sid_dup(torture, trusted_sid);
267 sids[7] = dom_sid_add_rid(torture, trusted_sid, 512);
269 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 0,
270 NT_STATUS_INVALID_PARAMETER, NULL);
273 enum lsa_SidType types[NUM_SIDS] =
274 { SID_NAME_WKN_GRP, SID_NAME_WKN_GRP, SID_NAME_DOMAIN,
275 SID_NAME_ALIAS, SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
276 SID_NAME_DOMAIN, SID_NAME_DOM_GRP };
278 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 1,
279 NT_STATUS_OK, types);
283 enum lsa_SidType types[NUM_SIDS] =
284 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
285 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
286 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
287 SID_NAME_DOMAIN, SID_NAME_DOM_GRP };
288 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 2,
289 STATUS_SOME_UNMAPPED, types);
293 enum lsa_SidType types[NUM_SIDS] =
294 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
295 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
296 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
297 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
298 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 3,
299 STATUS_SOME_UNMAPPED, types);
303 enum lsa_SidType types[NUM_SIDS] =
304 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
305 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
306 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
307 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
308 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 4,
309 STATUS_SOME_UNMAPPED, types);
312 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 5,
313 NT_STATUS_NONE_MAPPED, NULL);
316 enum lsa_SidType types[NUM_SIDS] =
317 { SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
318 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN,
319 SID_NAME_DOMAIN, SID_NAME_DOM_GRP,
320 SID_NAME_UNKNOWN, SID_NAME_UNKNOWN };
321 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 6,
322 STATUS_SOME_UNMAPPED, types);
325 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 7,
326 NT_STATUS_INVALID_PARAMETER, NULL);
327 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 8,
328 NT_STATUS_INVALID_PARAMETER, NULL);
329 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 9,
330 NT_STATUS_INVALID_PARAMETER, NULL);
331 ret &= test_lookupsids(torture, b, handle, sids, NUM_SIDS, 10,
332 NT_STATUS_INVALID_PARAMETER, NULL);
337 static bool test_LookupSidsReply(struct torture_context *tctx,
338 struct dcerpc_pipe *p)
340 struct policy_handle *handle;
342 struct dom_sid **sids;
343 uint32_t num_sids = 1;
345 struct lsa_LookupSids r;
346 struct lsa_SidArray sidarray;
347 struct lsa_RefDomainList *domains = NULL;
348 struct lsa_TransNameArray names;
352 const char *dom_sid = "S-1-5-21-1111111111-2222222222-3333333333";
353 const char *dom_admin_sid;
354 struct dcerpc_binding_handle *b = p->binding_handle;
356 if (!open_policy(tctx, b, &handle)) {
360 dom_admin_sid = talloc_asprintf(tctx, "%s-%d", dom_sid, 512);
362 sids = talloc_array(tctx, struct dom_sid *, num_sids);
364 sids[0] = dom_sid_parse_talloc(tctx, dom_admin_sid);
369 sidarray.num_sids = num_sids;
370 sidarray.sids = talloc_array(tctx, struct lsa_SidPtr, num_sids);
372 for (i=0; i<num_sids; i++) {
373 sidarray.sids[i].sid = sids[i];
376 r.in.handle = handle;
377 r.in.sids = &sidarray;
379 r.in.level = LSA_LOOKUP_NAMES_ALL;
381 r.out.names = &names;
382 r.out.count = &count;
383 r.out.domains = &domains;
385 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
386 "LookupSids failed");
388 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NONE_MAPPED,
389 "unexpected error code");
391 torture_assert_int_equal(tctx, names.count, num_sids,
392 "unexpected names count");
393 torture_assert(tctx, names.names,
394 "unexpected names pointer");
395 torture_assert_str_equal(tctx, names.names[0].name.string, dom_admin_sid,
396 "unexpected names[0].string");
399 /* vista sp1 passes, w2k3 sp2 fails */
400 torture_assert_int_equal(tctx, domains->count, num_sids,
401 "unexpected domains count");
402 torture_assert(tctx, domains->domains,
403 "unexpected domains pointer");
404 torture_assert_str_equal(tctx, dom_sid_string(tctx, domains->domains[0].sid), dom_sid,
405 "unexpected domain sid");
411 /* check for lookup sids results */
412 struct torture_suite *torture_rpc_lsa_lookup_sids(TALLOC_CTX *mem_ctx)
414 struct torture_suite *suite;
415 struct torture_rpc_tcase *tcase;
417 suite = torture_suite_create(mem_ctx, "LSA-LOOKUPSIDS");
418 tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
421 torture_rpc_tcase_add_test(tcase, "LookupSidsReply", test_LookupSidsReply);
git.samba.org / metze / samba / wip.git / blob