2 Unix SMB/CIFS implementation.
4 test suite for netlogon rpc operations
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Tim Potter 2003
9 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "lib/cmdline/popt_common.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "param/param.h"
34 #include "libcli/security/security.h"
36 #include "lib/util/util_ldb.h"
38 #include "lib/replace/system/network.h"
39 #include "dsdb/samdb/samdb.h"
41 #define TEST_MACHINE_NAME "torturetest"
43 static bool test_LogonUasLogon(struct torture_context *tctx,
44 struct dcerpc_pipe *p)
47 struct netr_LogonUasLogon r;
48 struct netr_UasInfo *info = NULL;
49 struct dcerpc_binding_handle *b = p->binding_handle;
51 r.in.server_name = NULL;
52 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
53 r.in.workstation = TEST_MACHINE_NAME;
56 status = dcerpc_netr_LogonUasLogon_r(b, tctx, &r);
57 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogon");
62 static bool test_LogonUasLogoff(struct torture_context *tctx,
63 struct dcerpc_pipe *p)
66 struct netr_LogonUasLogoff r;
67 struct netr_UasLogoffInfo info;
68 struct dcerpc_binding_handle *b = p->binding_handle;
70 r.in.server_name = NULL;
71 r.in.account_name = cli_credentials_get_username(cmdline_credentials);
72 r.in.workstation = TEST_MACHINE_NAME;
75 status = dcerpc_netr_LogonUasLogoff_r(b, tctx, &r);
76 torture_assert_ntstatus_ok(tctx, status, "LogonUasLogoff");
81 bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
82 struct cli_credentials *credentials,
83 struct netlogon_creds_CredentialState **creds_out)
85 struct netr_ServerReqChallenge r;
86 struct netr_ServerAuthenticate a;
87 struct netr_Credential credentials1, credentials2, credentials3;
88 struct netlogon_creds_CredentialState *creds;
89 const struct samr_Password *mach_password;
90 const char *machine_name;
91 struct dcerpc_binding_handle *b = p->binding_handle;
93 mach_password = cli_credentials_get_nt_hash(credentials, tctx);
94 machine_name = cli_credentials_get_workstation(credentials);
96 torture_comment(tctx, "Testing ServerReqChallenge\n");
98 r.in.server_name = NULL;
99 r.in.computer_name = machine_name;
100 r.in.credentials = &credentials1;
101 r.out.return_credentials = &credentials2;
103 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
105 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
106 "ServerReqChallenge failed");
107 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
109 a.in.server_name = NULL;
110 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
111 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(credentials);
112 a.in.computer_name = machine_name;
113 a.in.credentials = &credentials3;
114 a.out.return_credentials = &credentials3;
116 creds = netlogon_creds_client_init(tctx, a.in.account_name,
118 &credentials1, &credentials2,
119 mach_password, &credentials3,
121 torture_assert(tctx, creds != NULL, "memory allocation");
124 torture_comment(tctx, "Testing ServerAuthenticate\n");
126 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate_r(b, tctx, &a),
127 "ServerAuthenticate failed");
129 /* This allows the tests to continue against the more fussy windows 2008 */
130 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
131 return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
133 cli_credentials_get_secure_channel_type(credentials),
137 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate");
139 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
140 "Credential chaining failed");
146 bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
147 uint32_t negotiate_flags,
148 struct cli_credentials *machine_credentials,
149 enum netr_SchannelType sec_chan_type,
150 struct netlogon_creds_CredentialState **creds_out)
152 struct netr_ServerReqChallenge r;
153 struct netr_ServerAuthenticate2 a;
154 struct netr_Credential credentials1, credentials2, credentials3;
155 struct netlogon_creds_CredentialState *creds;
156 const struct samr_Password *mach_password;
157 const char *machine_name;
158 struct dcerpc_binding_handle *b = p->binding_handle;
160 mach_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
161 machine_name = cli_credentials_get_workstation(machine_credentials);
163 torture_comment(tctx, "Testing ServerReqChallenge\n");
166 r.in.server_name = NULL;
167 r.in.computer_name = machine_name;
168 r.in.credentials = &credentials1;
169 r.out.return_credentials = &credentials2;
171 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
173 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
174 "ServerReqChallenge failed");
175 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
177 a.in.server_name = NULL;
178 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
179 a.in.secure_channel_type = sec_chan_type;
180 a.in.computer_name = machine_name;
181 a.in.negotiate_flags = &negotiate_flags;
182 a.out.negotiate_flags = &negotiate_flags;
183 a.in.credentials = &credentials3;
184 a.out.return_credentials = &credentials3;
186 creds = netlogon_creds_client_init(tctx, a.in.account_name,
188 &credentials1, &credentials2,
189 mach_password, &credentials3,
192 torture_assert(tctx, creds != NULL, "memory allocation");
194 torture_comment(tctx, "Testing ServerAuthenticate2\n");
196 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a),
197 "ServerAuthenticate2 failed");
198 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate2 failed");
200 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
201 "Credential chaining failed");
203 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
210 bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
211 uint32_t negotiate_flags,
212 struct cli_credentials *machine_credentials,
213 struct netlogon_creds_CredentialState **creds_out)
215 struct netr_ServerReqChallenge r;
216 struct netr_ServerAuthenticate3 a;
217 struct netr_Credential credentials1, credentials2, credentials3;
218 struct netlogon_creds_CredentialState *creds;
219 struct samr_Password mach_password;
221 const char *machine_name;
222 const char *plain_pass;
223 struct dcerpc_binding_handle *b = p->binding_handle;
225 machine_name = cli_credentials_get_workstation(machine_credentials);
226 plain_pass = cli_credentials_get_password(machine_credentials);
228 torture_comment(tctx, "Testing ServerReqChallenge\n");
230 r.in.server_name = NULL;
231 r.in.computer_name = machine_name;
232 r.in.credentials = &credentials1;
233 r.out.return_credentials = &credentials2;
235 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
237 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
238 "ServerReqChallenge failed");
239 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
241 E_md4hash(plain_pass, mach_password.hash);
243 a.in.server_name = NULL;
244 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
245 a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
246 a.in.computer_name = machine_name;
247 a.in.negotiate_flags = &negotiate_flags;
248 a.in.credentials = &credentials3;
249 a.out.return_credentials = &credentials3;
250 a.out.negotiate_flags = &negotiate_flags;
253 creds = netlogon_creds_client_init(tctx, a.in.account_name,
255 &credentials1, &credentials2,
256 &mach_password, &credentials3,
259 torture_assert(tctx, creds != NULL, "memory allocation");
261 torture_comment(tctx, "Testing ServerAuthenticate3\n");
263 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
264 "ServerAuthenticate3 failed");
265 torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate3 failed");
266 torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
268 torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
270 /* Prove that requesting a challenge again won't break it */
271 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
272 "ServerReqChallenge failed");
273 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");
280 try a change password for our machine account
282 static bool test_SetPassword(struct torture_context *tctx,
283 struct dcerpc_pipe *p,
284 struct cli_credentials *machine_credentials)
286 struct netr_ServerPasswordSet r;
287 const char *password;
288 struct netlogon_creds_CredentialState *creds;
289 struct netr_Authenticator credential, return_authenticator;
290 struct samr_Password new_password;
291 struct dcerpc_binding_handle *b = p->binding_handle;
293 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
297 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
298 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
299 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
300 r.in.computer_name = TEST_MACHINE_NAME;
301 r.in.credential = &credential;
302 r.in.new_password = &new_password;
303 r.out.return_authenticator = &return_authenticator;
305 password = generate_random_password(tctx, 8, 255);
306 E_md4hash(password, new_password.hash);
308 netlogon_creds_des_encrypt(creds, &new_password);
310 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
311 torture_comment(tctx, "Changing machine account password to '%s'\n",
314 netlogon_creds_client_authenticator(creds, &credential);
316 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
317 "ServerPasswordSet failed");
318 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
320 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
321 torture_comment(tctx, "Credential chaining failed\n");
324 /* by changing the machine password twice we test the
325 credentials chaining fully, and we verify that the server
326 allows the password to be set to the same value twice in a
327 row (match win2k3) */
328 torture_comment(tctx,
329 "Testing a second ServerPasswordSet on machine account\n");
330 torture_comment(tctx,
331 "Changing machine account password to '%s' (same as previous run)\n", password);
333 netlogon_creds_client_authenticator(creds, &credential);
335 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
336 "ServerPasswordSet (2) failed");
337 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
339 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
340 torture_comment(tctx, "Credential chaining failed\n");
343 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
346 test_SetupCredentials(p, tctx, machine_credentials, &creds),
347 "ServerPasswordSet failed to actually change the password");
353 try a change password for our machine account
355 static bool test_SetPassword_flags(struct torture_context *tctx,
356 struct dcerpc_pipe *p,
357 struct cli_credentials *machine_credentials,
358 uint32_t negotiate_flags)
360 struct netr_ServerPasswordSet r;
361 const char *password;
362 struct netlogon_creds_CredentialState *creds;
363 struct netr_Authenticator credential, return_authenticator;
364 struct samr_Password new_password;
365 struct dcerpc_binding_handle *b = p->binding_handle;
367 if (!test_SetupCredentials2(p, tctx, negotiate_flags,
369 cli_credentials_get_secure_channel_type(machine_credentials),
374 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
375 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
376 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
377 r.in.computer_name = TEST_MACHINE_NAME;
378 r.in.credential = &credential;
379 r.in.new_password = &new_password;
380 r.out.return_authenticator = &return_authenticator;
382 password = generate_random_password(tctx, 8, 255);
383 E_md4hash(password, new_password.hash);
385 netlogon_creds_des_encrypt(creds, &new_password);
387 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
388 torture_comment(tctx, "Changing machine account password to '%s'\n",
391 netlogon_creds_client_authenticator(creds, &credential);
393 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
394 "ServerPasswordSet failed");
395 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet failed");
397 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
398 torture_comment(tctx, "Credential chaining failed\n");
401 /* by changing the machine password twice we test the
402 credentials chaining fully, and we verify that the server
403 allows the password to be set to the same value twice in a
404 row (match win2k3) */
405 torture_comment(tctx,
406 "Testing a second ServerPasswordSet on machine account\n");
407 torture_comment(tctx,
408 "Changing machine account password to '%s' (same as previous run)\n", password);
410 netlogon_creds_client_authenticator(creds, &credential);
412 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet_r(b, tctx, &r),
413 "ServerPasswordSet (2) failed");
414 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (2) failed");
416 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
417 torture_comment(tctx, "Credential chaining failed\n");
420 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
423 test_SetupCredentials(p, tctx, machine_credentials, &creds),
424 "ServerPasswordSet failed to actually change the password");
431 generate a random password for password change tests
433 static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
436 DATA_BLOB password = data_blob_talloc(mem_ctx, NULL, len * 2 /* number of unicode chars */);
437 generate_random_buffer(password.data, password.length);
439 for (i=0; i < len; i++) {
440 if (((uint16_t *)password.data)[i] == 0) {
441 ((uint16_t *)password.data)[i] = 1;
449 try a change password for our machine account
451 static bool test_SetPassword2(struct torture_context *tctx,
452 struct dcerpc_pipe *p,
453 struct cli_credentials *machine_credentials)
455 struct netr_ServerPasswordSet2 r;
456 const char *password;
457 DATA_BLOB new_random_pass;
458 struct netlogon_creds_CredentialState *creds;
459 struct samr_CryptPassword password_buf;
460 struct samr_Password nt_hash;
461 struct netr_Authenticator credential, return_authenticator;
462 struct netr_CryptPassword new_password;
463 struct dcerpc_binding_handle *b = p->binding_handle;
465 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
469 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
470 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
471 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
472 r.in.computer_name = TEST_MACHINE_NAME;
473 r.in.credential = &credential;
474 r.in.new_password = &new_password;
475 r.out.return_authenticator = &return_authenticator;
477 password = generate_random_password(tctx, 8, 255);
478 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
479 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
481 memcpy(new_password.data, password_buf.data, 512);
482 new_password.length = IVAL(password_buf.data, 512);
484 torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
485 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
487 netlogon_creds_client_authenticator(creds, &credential);
489 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
490 "ServerPasswordSet2 failed");
491 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
493 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
494 torture_comment(tctx, "Credential chaining failed\n");
497 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
499 if (!torture_setting_bool(tctx, "dangerous", false)) {
500 torture_comment(tctx,
501 "Not testing ability to set password to '', enable dangerous tests to perform this test\n");
503 /* by changing the machine password to ""
504 * we check if the server uses password restrictions
505 * for ServerPasswordSet2
506 * (win2k3 accepts "")
509 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
510 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
512 memcpy(new_password.data, password_buf.data, 512);
513 new_password.length = IVAL(password_buf.data, 512);
515 torture_comment(tctx,
516 "Testing ServerPasswordSet2 on machine account\n");
517 torture_comment(tctx,
518 "Changing machine account password to '%s'\n", password);
520 netlogon_creds_client_authenticator(creds, &credential);
522 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
523 "ServerPasswordSet2 failed");
524 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed");
526 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
527 torture_comment(tctx, "Credential chaining failed\n");
530 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
533 torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds),
534 "ServerPasswordSet failed to actually change the password");
536 /* now try a random password */
537 password = generate_random_password(tctx, 8, 255);
538 encode_pw_buffer(password_buf.data, password, STR_UNICODE);
539 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
541 memcpy(new_password.data, password_buf.data, 512);
542 new_password.length = IVAL(password_buf.data, 512);
544 torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
545 torture_comment(tctx, "Changing machine account password to '%s'\n", password);
547 netlogon_creds_client_authenticator(creds, &credential);
549 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
550 "ServerPasswordSet2 (2) failed");
551 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 (2) failed");
553 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
554 torture_comment(tctx, "Credential chaining failed\n");
557 /* by changing the machine password twice we test the
558 credentials chaining fully, and we verify that the server
559 allows the password to be set to the same value twice in a
560 row (match win2k3) */
561 torture_comment(tctx,
562 "Testing a second ServerPasswordSet2 on machine account\n");
563 torture_comment(tctx,
564 "Changing machine account password to '%s' (same as previous run)\n", password);
566 netlogon_creds_client_authenticator(creds, &credential);
568 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
569 "ServerPasswordSet (3) failed");
570 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
572 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
573 torture_comment(tctx, "Credential chaining failed\n");
576 cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED);
578 torture_assert (tctx,
579 test_SetupCredentials(p, tctx, machine_credentials, &creds),
580 "ServerPasswordSet failed to actually change the password");
582 new_random_pass = netlogon_very_rand_pass(tctx, 128);
584 /* now try a random stream of bytes for a password */
585 set_pw_in_buffer(password_buf.data, &new_random_pass);
587 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
589 memcpy(new_password.data, password_buf.data, 512);
590 new_password.length = IVAL(password_buf.data, 512);
592 torture_comment(tctx,
593 "Testing a third ServerPasswordSet2 on machine account, with a completely random password\n");
595 netlogon_creds_client_authenticator(creds, &credential);
597 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r),
598 "ServerPasswordSet (3) failed");
599 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet (3) failed");
601 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
602 torture_comment(tctx, "Credential chaining failed\n");
605 mdfour(nt_hash.hash, new_random_pass.data, new_random_pass.length);
607 cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED);
608 cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED);
610 torture_assert (tctx,
611 test_SetupCredentials(p, tctx, machine_credentials, &creds),
612 "ServerPasswordSet failed to actually change the password");
617 static bool test_GetPassword(struct torture_context *tctx,
618 struct dcerpc_pipe *p,
619 struct cli_credentials *machine_credentials)
621 struct netr_ServerPasswordGet r;
622 struct netlogon_creds_CredentialState *creds;
623 struct netr_Authenticator credential;
625 struct netr_Authenticator return_authenticator;
626 struct samr_Password password;
627 struct dcerpc_binding_handle *b = p->binding_handle;
629 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
633 netlogon_creds_client_authenticator(creds, &credential);
635 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
636 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
637 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
638 r.in.computer_name = TEST_MACHINE_NAME;
639 r.in.credential = &credential;
640 r.out.return_authenticator = &return_authenticator;
641 r.out.password = &password;
643 status = dcerpc_netr_ServerPasswordGet_r(b, tctx, &r);
644 torture_assert_ntstatus_ok(tctx, status, "ServerPasswordGet");
649 static bool test_GetTrustPasswords(struct torture_context *tctx,
650 struct dcerpc_pipe *p,
651 struct cli_credentials *machine_credentials)
653 struct netr_ServerTrustPasswordsGet r;
654 struct netlogon_creds_CredentialState *creds;
655 struct netr_Authenticator credential;
656 struct netr_Authenticator return_authenticator;
657 struct samr_Password password, password2;
658 struct dcerpc_binding_handle *b = p->binding_handle;
660 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
664 netlogon_creds_client_authenticator(creds, &credential);
666 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
667 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
668 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
669 r.in.computer_name = TEST_MACHINE_NAME;
670 r.in.credential = &credential;
671 r.out.return_authenticator = &return_authenticator;
672 r.out.password = &password;
673 r.out.password2 = &password2;
675 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerTrustPasswordsGet_r(b, tctx, &r),
676 "ServerTrustPasswordsGet failed");
677 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerTrustPasswordsGet failed");
683 try a netlogon SamLogon
685 static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context *tctx,
686 struct cli_credentials *credentials,
687 struct netlogon_creds_CredentialState *creds,
691 struct netr_LogonSamLogon r;
692 struct netr_Authenticator auth, auth2;
693 static const struct netr_Authenticator auth_zero;
694 union netr_LogonLevel logon;
695 union netr_Validation validation;
696 uint8_t authoritative;
697 struct netr_NetworkInfo ninfo;
698 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
700 struct dcerpc_binding_handle *b = p->binding_handle;
701 int flags = CLI_CRED_NTLM_AUTH;
702 if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
703 flags |= CLI_CRED_LANMAN_AUTH;
706 if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx) && !null_domain) {
707 flags |= CLI_CRED_NTLMv2_AUTH;
710 cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
711 &ninfo.identity_info.account_name.string,
712 &ninfo.identity_info.domain_name.string);
715 ninfo.identity_info.domain_name.string = NULL;
718 generate_random_buffer(ninfo.challenge,
719 sizeof(ninfo.challenge));
720 chal = data_blob_const(ninfo.challenge,
721 sizeof(ninfo.challenge));
723 names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
724 cli_credentials_get_domain(credentials));
726 status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
732 torture_assert_ntstatus_ok(tctx, status, "cli_credentials_get_ntlm_response failed");
734 ninfo.lm.data = lm_resp.data;
735 ninfo.lm.length = lm_resp.length;
737 ninfo.nt.data = nt_resp.data;
738 ninfo.nt.length = nt_resp.length;
740 ninfo.identity_info.parameter_control = 0;
741 ninfo.identity_info.logon_id_low = 0;
742 ninfo.identity_info.logon_id_high = 0;
743 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
745 logon.network = &ninfo;
747 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
748 r.in.computer_name = cli_credentials_get_workstation(credentials);
749 r.in.credential = &auth;
750 r.in.return_authenticator = &auth2;
751 r.in.logon_level = 2;
753 r.out.validation = &validation;
754 r.out.authoritative = &authoritative;
756 d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
760 netlogon_creds_client_authenticator(creds, &auth);
762 r.in.validation_level = i;
764 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
765 "LogonSamLogon failed");
766 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
768 torture_assert(tctx, netlogon_creds_client_check(creds,
769 &r.out.return_authenticator->cred),
770 "Credential chaining failed");
771 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
772 "LogonSamLogon invalid *r.out.authoritative");
775 /* this makes sure we get the unmarshalling right for invalid levels */
776 for (i=52;i<53;i++) {
778 /* the authenticator should be ignored by the server */
779 generate_random_buffer((uint8_t *) &auth, sizeof(auth));
781 r.in.validation_level = i;
783 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
784 "LogonSamLogon failed");
785 torture_assert_ntstatus_equal(tctx, r.out.result,
786 NT_STATUS_INVALID_INFO_CLASS,
787 "LogonSamLogon failed");
789 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
790 "LogonSamLogon invalid *r.out.authoritative");
792 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
793 "Return authenticator non zero");
798 netlogon_creds_client_authenticator(creds, &auth);
800 r.in.validation_level = i;
802 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
803 "LogonSamLogon failed");
804 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
806 torture_assert(tctx, netlogon_creds_client_check(creds,
807 &r.out.return_authenticator->cred),
808 "Credential chaining failed");
809 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
810 "LogonSamLogon invalid *r.out.authoritative");
813 r.in.logon_level = 52;
817 /* the authenticator should be ignored by the server */
818 generate_random_buffer((uint8_t *) &auth, sizeof(auth));
820 r.in.validation_level = i;
822 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
824 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
825 "LogonSamLogon failed");
826 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
827 "LogonSamLogon expected INVALID_PARAMETER");
830 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
831 "Return authenticator non zero");
832 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
833 "LogonSamLogon invalid *r.out.authoritative");
836 r.in.credential = NULL;
841 r.in.validation_level = i;
843 torture_comment(tctx, "Testing SamLogon with validation level %d and a NULL credential\n", i);
845 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
846 "LogonSamLogon failed");
847 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER,
848 "LogonSamLogon expected INVALID_PARAMETER");
851 memcmp(&auth2, &auth_zero, sizeof(auth2)) == 0,
852 "Return authenticator non zero");
853 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
854 "LogonSamLogon invalid *r.out.authoritative");
857 r.in.logon_level = 2;
858 r.in.credential = &auth;
862 netlogon_creds_client_authenticator(creds, &auth);
864 r.in.validation_level = i;
866 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
867 "LogonSamLogon failed");
868 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
870 torture_assert(tctx, netlogon_creds_client_check(creds,
871 &r.out.return_authenticator->cred),
872 "Credential chaining failed");
873 torture_assert_int_equal(tctx, *r.out.authoritative, 1,
874 "LogonSamLogon invalid *r.out.authoritative");
880 bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
881 struct cli_credentials *credentials,
882 struct netlogon_creds_CredentialState *creds)
884 return test_netlogon_ops_args(p, tctx, credentials, creds, false);
888 try a netlogon SamLogon
890 static bool test_SamLogon(struct torture_context *tctx,
891 struct dcerpc_pipe *p,
892 struct cli_credentials *credentials)
894 struct netlogon_creds_CredentialState *creds;
896 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
900 return test_netlogon_ops(p, tctx, credentials, creds);
903 static bool test_SamLogon_NULL_domain(struct torture_context *tctx,
904 struct dcerpc_pipe *p,
905 struct cli_credentials *credentials)
907 struct netlogon_creds_CredentialState *creds;
909 if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
913 return test_netlogon_ops_args(p, tctx, credentials, creds, true);
916 /* we remember the sequence numbers so we can easily do a DatabaseDelta */
917 static uint64_t sequence_nums[3];
920 try a netlogon DatabaseSync
922 static bool test_DatabaseSync(struct torture_context *tctx,
923 struct dcerpc_pipe *p,
924 struct cli_credentials *machine_credentials)
926 struct netr_DatabaseSync r;
927 struct netlogon_creds_CredentialState *creds;
928 const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
930 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
931 struct netr_Authenticator credential, return_authenticator;
932 struct dcerpc_binding_handle *b = p->binding_handle;
934 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
938 ZERO_STRUCT(return_authenticator);
940 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
941 r.in.computername = TEST_MACHINE_NAME;
942 r.in.preferredmaximumlength = (uint32_t)-1;
943 r.in.return_authenticator = &return_authenticator;
944 r.out.delta_enum_array = &delta_enum_array;
945 r.out.return_authenticator = &return_authenticator;
947 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
949 uint32_t sync_context = 0;
951 r.in.database_id = database_ids[i];
952 r.in.sync_context = &sync_context;
953 r.out.sync_context = &sync_context;
955 torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
958 netlogon_creds_client_authenticator(creds, &credential);
960 r.in.credential = &credential;
962 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync_r(b, tctx, &r),
963 "DatabaseSync failed");
964 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
967 /* Native mode servers don't do this */
968 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
971 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync");
973 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
974 torture_comment(tctx, "Credential chaining failed\n");
977 if (delta_enum_array &&
978 delta_enum_array->num_deltas > 0 &&
979 delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN &&
980 delta_enum_array->delta_enum[0].delta_union.domain) {
981 sequence_nums[r.in.database_id] =
982 delta_enum_array->delta_enum[0].delta_union.domain->sequence_num;
983 torture_comment(tctx, "\tsequence_nums[%d]=%llu\n",
985 (unsigned long long)sequence_nums[r.in.database_id]);
987 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
995 try a netlogon DatabaseDeltas
997 static bool test_DatabaseDeltas(struct torture_context *tctx,
998 struct dcerpc_pipe *p,
999 struct cli_credentials *machine_credentials)
1001 struct netr_DatabaseDeltas r;
1002 struct netlogon_creds_CredentialState *creds;
1003 struct netr_Authenticator credential;
1004 struct netr_Authenticator return_authenticator;
1005 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1006 const uint32_t database_ids[] = {0, 1, 2};
1008 struct dcerpc_binding_handle *b = p->binding_handle;
1010 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1014 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1015 r.in.computername = TEST_MACHINE_NAME;
1016 r.in.preferredmaximumlength = (uint32_t)-1;
1017 ZERO_STRUCT(r.in.return_authenticator);
1018 r.out.return_authenticator = &return_authenticator;
1019 r.out.delta_enum_array = &delta_enum_array;
1021 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
1022 r.in.database_id = database_ids[i];
1023 r.in.sequence_num = &sequence_nums[r.in.database_id];
1025 if (*r.in.sequence_num == 0) continue;
1027 *r.in.sequence_num -= 1;
1029 torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n",
1030 r.in.database_id, (unsigned long long)*r.in.sequence_num);
1033 netlogon_creds_client_authenticator(creds, &credential);
1035 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseDeltas_r(b, tctx, &r),
1036 "DatabaseDeltas failed");
1037 if (NT_STATUS_EQUAL(r.out.result,
1038 NT_STATUS_SYNCHRONIZATION_REQUIRED)) {
1039 torture_comment(tctx, "not considering %s to be an error\n",
1040 nt_errstr(r.out.result));
1043 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
1046 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseDeltas");
1048 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1049 torture_comment(tctx, "Credential chaining failed\n");
1052 (*r.in.sequence_num)++;
1053 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
1059 static bool test_DatabaseRedo(struct torture_context *tctx,
1060 struct dcerpc_pipe *p,
1061 struct cli_credentials *machine_credentials)
1063 struct netr_DatabaseRedo r;
1064 struct netlogon_creds_CredentialState *creds;
1065 struct netr_Authenticator credential;
1066 struct netr_Authenticator return_authenticator;
1067 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
1068 struct netr_ChangeLogEntry e;
1069 struct dom_sid null_sid, *sid;
1071 struct dcerpc_binding_handle *b = p->binding_handle;
1073 ZERO_STRUCT(null_sid);
1075 sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500");
1086 NTSTATUS expected_error;
1087 uint32_t expected_num_results;
1088 uint8_t expected_delta_type_1;
1089 uint8_t expected_delta_type_2;
1090 const char *comment;
1093 /* SAM_DATABASE_DOMAIN */
1098 .db_index = SAM_DATABASE_DOMAIN,
1099 .delta_type = NETR_DELTA_MODIFY_COUNT,
1102 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1103 .expected_num_results = 0,
1104 .comment = "NETR_DELTA_MODIFY_COUNT"
1109 .db_index = SAM_DATABASE_DOMAIN,
1113 .expected_error = NT_STATUS_OK,
1114 .expected_num_results = 1,
1115 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1116 .comment = "NULL DELTA"
1121 .db_index = SAM_DATABASE_DOMAIN,
1122 .delta_type = NETR_DELTA_DOMAIN,
1125 .expected_error = NT_STATUS_OK,
1126 .expected_num_results = 1,
1127 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1128 .comment = "NETR_DELTA_DOMAIN"
1131 .rid = DOMAIN_RID_ADMINISTRATOR,
1133 .db_index = SAM_DATABASE_DOMAIN,
1134 .delta_type = NETR_DELTA_USER,
1137 .expected_error = NT_STATUS_OK,
1138 .expected_num_results = 1,
1139 .expected_delta_type_1 = NETR_DELTA_USER,
1140 .comment = "NETR_DELTA_USER by rid 500"
1143 .rid = DOMAIN_RID_GUEST,
1145 .db_index = SAM_DATABASE_DOMAIN,
1146 .delta_type = NETR_DELTA_USER,
1149 .expected_error = NT_STATUS_OK,
1150 .expected_num_results = 1,
1151 .expected_delta_type_1 = NETR_DELTA_USER,
1152 .comment = "NETR_DELTA_USER by rid 501"
1156 .flags = NETR_CHANGELOG_SID_INCLUDED,
1157 .db_index = SAM_DATABASE_DOMAIN,
1158 .delta_type = NETR_DELTA_USER,
1161 .expected_error = NT_STATUS_OK,
1162 .expected_num_results = 1,
1163 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1164 .comment = "NETR_DELTA_USER by sid and flags"
1168 .flags = NETR_CHANGELOG_SID_INCLUDED,
1169 .db_index = SAM_DATABASE_DOMAIN,
1170 .delta_type = NETR_DELTA_USER,
1173 .expected_error = NT_STATUS_OK,
1174 .expected_num_results = 1,
1175 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1176 .comment = "NETR_DELTA_USER by null_sid and flags"
1180 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1181 .db_index = SAM_DATABASE_DOMAIN,
1182 .delta_type = NETR_DELTA_USER,
1184 .name = "administrator",
1185 .expected_error = NT_STATUS_OK,
1186 .expected_num_results = 1,
1187 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1188 .comment = "NETR_DELTA_USER by name 'administrator'"
1191 .rid = DOMAIN_RID_ADMINS,
1193 .db_index = SAM_DATABASE_DOMAIN,
1194 .delta_type = NETR_DELTA_GROUP,
1197 .expected_error = NT_STATUS_OK,
1198 .expected_num_results = 2,
1199 .expected_delta_type_1 = NETR_DELTA_GROUP,
1200 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1201 .comment = "NETR_DELTA_GROUP by rid 512"
1204 .rid = DOMAIN_RID_ADMINS,
1206 .db_index = SAM_DATABASE_DOMAIN,
1207 .delta_type = NETR_DELTA_GROUP_MEMBER,
1210 .expected_error = NT_STATUS_OK,
1211 .expected_num_results = 2,
1212 .expected_delta_type_1 = NETR_DELTA_GROUP,
1213 .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER,
1214 .comment = "NETR_DELTA_GROUP_MEMBER by rid 512"
1218 /* SAM_DATABASE_BUILTIN */
1223 .db_index = SAM_DATABASE_BUILTIN,
1224 .delta_type = NETR_DELTA_MODIFY_COUNT,
1227 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1228 .expected_num_results = 0,
1229 .comment = "NETR_DELTA_MODIFY_COUNT"
1234 .db_index = SAM_DATABASE_BUILTIN,
1235 .delta_type = NETR_DELTA_DOMAIN,
1238 .expected_error = NT_STATUS_OK,
1239 .expected_num_results = 1,
1240 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1241 .comment = "NETR_DELTA_DOMAIN"
1244 .rid = DOMAIN_RID_ADMINISTRATOR,
1246 .db_index = SAM_DATABASE_BUILTIN,
1247 .delta_type = NETR_DELTA_USER,
1250 .expected_error = NT_STATUS_OK,
1251 .expected_num_results = 1,
1252 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1253 .comment = "NETR_DELTA_USER by rid 500"
1258 .db_index = SAM_DATABASE_BUILTIN,
1259 .delta_type = NETR_DELTA_USER,
1262 .expected_error = NT_STATUS_OK,
1263 .expected_num_results = 1,
1264 .expected_delta_type_1 = NETR_DELTA_DELETE_USER,
1265 .comment = "NETR_DELTA_USER"
1270 .db_index = SAM_DATABASE_BUILTIN,
1271 .delta_type = NETR_DELTA_ALIAS,
1274 .expected_error = NT_STATUS_OK,
1275 .expected_num_results = 2,
1276 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1277 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1278 .comment = "NETR_DELTA_ALIAS by rid 544"
1283 .db_index = SAM_DATABASE_BUILTIN,
1284 .delta_type = NETR_DELTA_ALIAS_MEMBER,
1287 .expected_error = NT_STATUS_OK,
1288 .expected_num_results = 2,
1289 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1290 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1291 .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544"
1296 .db_index = SAM_DATABASE_BUILTIN,
1300 .expected_error = NT_STATUS_OK,
1301 .expected_num_results = 1,
1302 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1303 .comment = "NULL DELTA by rid 544"
1307 .flags = NETR_CHANGELOG_SID_INCLUDED,
1308 .db_index = SAM_DATABASE_BUILTIN,
1310 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1312 .expected_error = NT_STATUS_OK,
1313 .expected_num_results = 1,
1314 .expected_delta_type_1 = NETR_DELTA_DOMAIN,
1315 .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags"
1319 .flags = NETR_CHANGELOG_SID_INCLUDED,
1320 .db_index = SAM_DATABASE_BUILTIN,
1321 .delta_type = NETR_DELTA_ALIAS,
1322 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1324 .expected_error = NT_STATUS_OK,
1325 .expected_num_results = 2,
1326 .expected_delta_type_1 = NETR_DELTA_ALIAS,
1327 .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER,
1328 .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags"
1332 .flags = NETR_CHANGELOG_SID_INCLUDED,
1333 .db_index = SAM_DATABASE_BUILTIN,
1334 .delta_type = NETR_DELTA_ALIAS,
1335 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"),
1337 .expected_error = NT_STATUS_OK,
1338 .expected_num_results = 1,
1339 .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS,
1340 .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags"
1343 /* SAM_DATABASE_PRIVS */
1348 .db_index = SAM_DATABASE_PRIVS,
1352 .expected_error = NT_STATUS_ACCESS_DENIED,
1353 .expected_num_results = 0,
1354 .comment = "NULL DELTA"
1359 .db_index = SAM_DATABASE_PRIVS,
1360 .delta_type = NETR_DELTA_MODIFY_COUNT,
1363 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED,
1364 .expected_num_results = 0,
1365 .comment = "NETR_DELTA_MODIFY_COUNT"
1370 .db_index = SAM_DATABASE_PRIVS,
1371 .delta_type = NETR_DELTA_POLICY,
1374 .expected_error = NT_STATUS_OK,
1375 .expected_num_results = 1,
1376 .expected_delta_type_1 = NETR_DELTA_POLICY,
1377 .comment = "NETR_DELTA_POLICY"
1381 .flags = NETR_CHANGELOG_SID_INCLUDED,
1382 .db_index = SAM_DATABASE_PRIVS,
1383 .delta_type = NETR_DELTA_POLICY,
1386 .expected_error = NT_STATUS_OK,
1387 .expected_num_results = 1,
1388 .expected_delta_type_1 = NETR_DELTA_POLICY,
1389 .comment = "NETR_DELTA_POLICY by null sid and flags"
1393 .flags = NETR_CHANGELOG_SID_INCLUDED,
1394 .db_index = SAM_DATABASE_PRIVS,
1395 .delta_type = NETR_DELTA_POLICY,
1396 .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"),
1398 .expected_error = NT_STATUS_OK,
1399 .expected_num_results = 1,
1400 .expected_delta_type_1 = NETR_DELTA_POLICY,
1401 .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags"
1404 .rid = DOMAIN_RID_ADMINISTRATOR,
1406 .db_index = SAM_DATABASE_PRIVS,
1407 .delta_type = NETR_DELTA_ACCOUNT,
1410 .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */
1411 .expected_num_results = 0,
1412 .comment = "NETR_DELTA_ACCOUNT by rid 500"
1416 .flags = NETR_CHANGELOG_SID_INCLUDED,
1417 .db_index = SAM_DATABASE_PRIVS,
1418 .delta_type = NETR_DELTA_ACCOUNT,
1419 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1421 .expected_error = NT_STATUS_OK,
1422 .expected_num_results = 1,
1423 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1424 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags"
1428 .flags = NETR_CHANGELOG_SID_INCLUDED |
1429 NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED,
1430 .db_index = SAM_DATABASE_PRIVS,
1431 .delta_type = NETR_DELTA_ACCOUNT,
1432 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1434 .expected_error = NT_STATUS_OK,
1435 .expected_num_results = 1,
1436 .expected_delta_type_1 = NETR_DELTA_ACCOUNT,
1437 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags"
1441 .flags = NETR_CHANGELOG_SID_INCLUDED |
1442 NETR_CHANGELOG_NAME_INCLUDED,
1443 .db_index = SAM_DATABASE_PRIVS,
1444 .delta_type = NETR_DELTA_ACCOUNT,
1445 .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"),
1447 .expected_error = NT_STATUS_INVALID_PARAMETER,
1448 .expected_num_results = 0,
1449 .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags"
1452 .rid = DOMAIN_RID_ADMINISTRATOR,
1453 .flags = NETR_CHANGELOG_SID_INCLUDED,
1454 .db_index = SAM_DATABASE_PRIVS,
1455 .delta_type = NETR_DELTA_ACCOUNT,
1458 .expected_error = NT_STATUS_OK,
1459 .expected_num_results = 1,
1460 .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT,
1461 .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags"
1465 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1466 .db_index = SAM_DATABASE_PRIVS,
1467 .delta_type = NETR_DELTA_SECRET,
1469 .name = "IsurelydontexistIhope",
1470 .expected_error = NT_STATUS_OK,
1471 .expected_num_results = 1,
1472 .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET,
1473 .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags"
1477 .flags = NETR_CHANGELOG_NAME_INCLUDED,
1478 .db_index = SAM_DATABASE_PRIVS,
1479 .delta_type = NETR_DELTA_SECRET,
1481 .name = "G$BCKUPKEY_P",
1482 .expected_error = NT_STATUS_OK,
1483 .expected_num_results = 1,
1484 .expected_delta_type_1 = NETR_DELTA_SECRET,
1485 .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags"
1489 ZERO_STRUCT(return_authenticator);
1491 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1492 r.in.computername = TEST_MACHINE_NAME;
1493 r.in.return_authenticator = &return_authenticator;
1494 r.out.return_authenticator = &return_authenticator;
1495 r.out.delta_enum_array = &delta_enum_array;
1497 for (d=0; d<3; d++) {
1498 const char *database = NULL;
1505 database = "BUILTIN";
1514 torture_comment(tctx, "Testing DatabaseRedo\n");
1516 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1520 for (i=0;i<ARRAY_SIZE(changes);i++) {
1522 if (d != changes[i].db_index) {
1526 netlogon_creds_client_authenticator(creds, &credential);
1528 r.in.credential = &credential;
1530 e.serial_number1 = 0;
1531 e.serial_number2 = 0;
1532 e.object_rid = changes[i].rid;
1533 e.flags = changes[i].flags;
1534 e.db_index = changes[i].db_index;
1535 e.delta_type = changes[i].delta_type;
1537 switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) {
1538 case NETR_CHANGELOG_SID_INCLUDED:
1539 e.object.object_sid = changes[i].sid;
1541 case NETR_CHANGELOG_NAME_INCLUDED:
1542 e.object.object_name = changes[i].name;
1548 r.in.change_log_entry = e;
1550 torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n",
1551 database, changes[i].comment);
1553 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseRedo_r(b, tctx, &r),
1554 "DatabaseRedo failed");
1555 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
1559 torture_assert_ntstatus_equal(tctx, r.out.result, changes[i].expected_error, changes[i].comment);
1560 if (delta_enum_array) {
1561 torture_assert_int_equal(tctx,
1562 delta_enum_array->num_deltas,
1563 changes[i].expected_num_results,
1564 changes[i].comment);
1565 if (delta_enum_array->num_deltas > 0) {
1566 torture_assert_int_equal(tctx,
1567 delta_enum_array->delta_enum[0].delta_type,
1568 changes[i].expected_delta_type_1,
1569 changes[i].comment);
1571 if (delta_enum_array->num_deltas > 1) {
1572 torture_assert_int_equal(tctx,
1573 delta_enum_array->delta_enum[1].delta_type,
1574 changes[i].expected_delta_type_2,
1575 changes[i].comment);
1579 if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
1580 torture_comment(tctx, "Credential chaining failed\n");
1581 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1593 try a netlogon AccountDeltas
1595 static bool test_AccountDeltas(struct torture_context *tctx,
1596 struct dcerpc_pipe *p,
1597 struct cli_credentials *machine_credentials)
1599 struct netr_AccountDeltas r;
1600 struct netlogon_creds_CredentialState *creds;
1602 struct netr_AccountBuffer buffer;
1603 uint32_t count_returned = 0;
1604 uint32_t total_entries = 0;
1605 struct netr_UAS_INFO_0 recordid;
1606 struct netr_Authenticator return_authenticator;
1607 struct dcerpc_binding_handle *b = p->binding_handle;
1609 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1613 ZERO_STRUCT(return_authenticator);
1615 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1616 r.in.computername = TEST_MACHINE_NAME;
1617 r.in.return_authenticator = &return_authenticator;
1618 netlogon_creds_client_authenticator(creds, &r.in.credential);
1619 ZERO_STRUCT(r.in.uas);
1622 r.in.buffersize=100;
1623 r.out.buffer = &buffer;
1624 r.out.count_returned = &count_returned;
1625 r.out.total_entries = &total_entries;
1626 r.out.recordid = &recordid;
1627 r.out.return_authenticator = &return_authenticator;
1629 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1630 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountDeltas_r(b, tctx, &r),
1631 "AccountDeltas failed");
1632 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountDeltas");
1638 try a netlogon AccountSync
1640 static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p,
1641 struct cli_credentials *machine_credentials)
1643 struct netr_AccountSync r;
1644 struct netlogon_creds_CredentialState *creds;
1646 struct netr_AccountBuffer buffer;
1647 uint32_t count_returned = 0;
1648 uint32_t total_entries = 0;
1649 uint32_t next_reference = 0;
1650 struct netr_UAS_INFO_0 recordid;
1651 struct netr_Authenticator return_authenticator;
1652 struct dcerpc_binding_handle *b = p->binding_handle;
1654 ZERO_STRUCT(recordid);
1655 ZERO_STRUCT(return_authenticator);
1657 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
1661 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1662 r.in.computername = TEST_MACHINE_NAME;
1663 r.in.return_authenticator = &return_authenticator;
1664 netlogon_creds_client_authenticator(creds, &r.in.credential);
1665 r.in.recordid = &recordid;
1668 r.in.buffersize=100;
1669 r.out.buffer = &buffer;
1670 r.out.count_returned = &count_returned;
1671 r.out.total_entries = &total_entries;
1672 r.out.next_reference = &next_reference;
1673 r.out.recordid = &recordid;
1674 r.out.return_authenticator = &return_authenticator;
1676 /* w2k3 returns "NOT IMPLEMENTED" for this call */
1677 torture_assert_ntstatus_ok(tctx, dcerpc_netr_AccountSync_r(b, tctx, &r),
1678 "AccountSync failed");
1679 torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_IMPLEMENTED, "AccountSync");
1685 try a netlogon GetDcName
1687 static bool test_GetDcName(struct torture_context *tctx,
1688 struct dcerpc_pipe *p)
1690 struct netr_GetDcName r;
1691 const char *dcname = NULL;
1692 struct dcerpc_binding_handle *b = p->binding_handle;
1694 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1695 r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
1696 r.out.dcname = &dcname;
1698 torture_assert_ntstatus_ok(tctx, dcerpc_netr_GetDcName_r(b, tctx, &r),
1699 "GetDcName failed");
1700 torture_assert_werr_ok(tctx, r.out.result, "GetDcName failed");
1702 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1707 static const char *function_code_str(TALLOC_CTX *mem_ctx,
1708 enum netr_LogonControlCode function_code)
1710 switch (function_code) {
1711 case NETLOGON_CONTROL_QUERY:
1712 return "NETLOGON_CONTROL_QUERY";
1713 case NETLOGON_CONTROL_REPLICATE:
1714 return "NETLOGON_CONTROL_REPLICATE";
1715 case NETLOGON_CONTROL_SYNCHRONIZE:
1716 return "NETLOGON_CONTROL_SYNCHRONIZE";
1717 case NETLOGON_CONTROL_PDC_REPLICATE:
1718 return "NETLOGON_CONTROL_PDC_REPLICATE";
1719 case NETLOGON_CONTROL_REDISCOVER:
1720 return "NETLOGON_CONTROL_REDISCOVER";
1721 case NETLOGON_CONTROL_TC_QUERY:
1722 return "NETLOGON_CONTROL_TC_QUERY";
1723 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1724 return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
1725 case NETLOGON_CONTROL_FIND_USER:
1726 return "NETLOGON_CONTROL_FIND_USER";
1727 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1728 return "NETLOGON_CONTROL_CHANGE_PASSWORD";
1729 case NETLOGON_CONTROL_TC_VERIFY:
1730 return "NETLOGON_CONTROL_TC_VERIFY";
1731 case NETLOGON_CONTROL_FORCE_DNS_REG:
1732 return "NETLOGON_CONTROL_FORCE_DNS_REG";
1733 case NETLOGON_CONTROL_QUERY_DNS_REG:
1734 return "NETLOGON_CONTROL_QUERY_DNS_REG";
1735 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1736 return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
1737 case NETLOGON_CONTROL_TRUNCATE_LOG:
1738 return "NETLOGON_CONTROL_TRUNCATE_LOG";
1739 case NETLOGON_CONTROL_SET_DBFLAG:
1740 return "NETLOGON_CONTROL_SET_DBFLAG";
1741 case NETLOGON_CONTROL_BREAKPOINT:
1742 return "NETLOGON_CONTROL_BREAKPOINT";
1744 return talloc_asprintf(mem_ctx, "unknown function code: %d",
1751 try a netlogon LogonControl
1753 static bool test_LogonControl(struct torture_context *tctx,
1754 struct dcerpc_pipe *p,
1755 struct cli_credentials *machine_credentials)
1759 struct netr_LogonControl r;
1760 union netr_CONTROL_QUERY_INFORMATION query;
1762 enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
1763 struct dcerpc_binding_handle *b = p->binding_handle;
1765 uint32_t function_codes[] = {
1766 NETLOGON_CONTROL_QUERY,
1767 NETLOGON_CONTROL_REPLICATE,
1768 NETLOGON_CONTROL_SYNCHRONIZE,
1769 NETLOGON_CONTROL_PDC_REPLICATE,
1770 NETLOGON_CONTROL_REDISCOVER,
1771 NETLOGON_CONTROL_TC_QUERY,
1772 NETLOGON_CONTROL_TRANSPORT_NOTIFY,
1773 NETLOGON_CONTROL_FIND_USER,
1774 NETLOGON_CONTROL_CHANGE_PASSWORD,
1775 NETLOGON_CONTROL_TC_VERIFY,
1776 NETLOGON_CONTROL_FORCE_DNS_REG,
1777 NETLOGON_CONTROL_QUERY_DNS_REG,
1778 NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
1779 NETLOGON_CONTROL_TRUNCATE_LOG,
1780 NETLOGON_CONTROL_SET_DBFLAG,
1781 NETLOGON_CONTROL_BREAKPOINT
1784 if (machine_credentials) {
1785 secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
1788 torture_comment(tctx, "Testing LogonControl with secure channel type: %d\n",
1789 secure_channel_type);
1791 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1792 r.in.function_code = 1;
1793 r.out.query = &query;
1795 for (f=0;f<ARRAY_SIZE(function_codes); f++) {
1798 r.in.function_code = function_codes[f];
1801 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1802 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1804 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
1805 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1807 switch (r.in.level) {
1809 switch (r.in.function_code) {
1810 case NETLOGON_CONTROL_REPLICATE:
1811 case NETLOGON_CONTROL_SYNCHRONIZE:
1812 case NETLOGON_CONTROL_PDC_REPLICATE:
1813 case NETLOGON_CONTROL_BREAKPOINT:
1814 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
1815 if ((secure_channel_type == SEC_CHAN_BDC) ||
1816 (secure_channel_type == SEC_CHAN_WKSTA)) {
1817 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1818 "LogonControl returned unexpected error code");
1820 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1821 "LogonControl returned unexpected error code");
1825 case NETLOGON_CONTROL_REDISCOVER:
1826 case NETLOGON_CONTROL_TC_QUERY:
1827 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
1828 case NETLOGON_CONTROL_FIND_USER:
1829 case NETLOGON_CONTROL_CHANGE_PASSWORD:
1830 case NETLOGON_CONTROL_TC_VERIFY:
1831 case NETLOGON_CONTROL_FORCE_DNS_REG:
1832 case NETLOGON_CONTROL_QUERY_DNS_REG:
1833 case NETLOGON_CONTROL_SET_DBFLAG:
1834 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1835 "LogonControl returned unexpected error code");
1837 case NETLOGON_CONTROL_TRUNCATE_LOG:
1838 if ((secure_channel_type == SEC_CHAN_BDC) ||
1839 (secure_channel_type == SEC_CHAN_WKSTA)) {
1840 torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
1841 "LogonControl returned unexpected error code");
1843 torture_assert_werr_ok(tctx, r.out.result,
1844 "LogonControl returned unexpected result");
1848 torture_assert_werr_ok(tctx, r.out.result,
1849 "LogonControl returned unexpected result");
1854 torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
1855 "LogonControl returned unexpected error code");
1858 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
1859 "LogonControl returned unexpected error code");
1866 torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
1867 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1868 status = dcerpc_netr_LogonControl_r(b, tctx, &r);
1869 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
1870 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_LEVEL, "LogonControl");
1877 try a netlogon GetAnyDCName
1879 static bool test_GetAnyDCName(struct torture_context *tctx,
1880 struct dcerpc_pipe *p)
1883 struct netr_GetAnyDCName r;
1884 const char *dcname = NULL;
1885 struct dcerpc_binding_handle *b = p->binding_handle;
1887 r.in.domainname = lpcfg_workgroup(tctx->lp_ctx);
1888 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1889 r.out.dcname = &dcname;
1891 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1892 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1893 if ((!W_ERROR_IS_OK(r.out.result)) &&
1894 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1899 torture_comment(tctx, "\tDC is at '%s'\n", dcname);
1902 r.in.domainname = NULL;
1904 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1905 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1906 if ((!W_ERROR_IS_OK(r.out.result)) &&
1907 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1911 r.in.domainname = "";
1913 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &r);
1914 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
1915 if ((!W_ERROR_IS_OK(r.out.result)) &&
1916 (!W_ERROR_EQUAL(r.out.result, WERR_NO_SUCH_DOMAIN))) {
1925 try a netlogon LogonControl2
1927 static bool test_LogonControl2(struct torture_context *tctx,
1928 struct dcerpc_pipe *p,
1929 struct cli_credentials *machine_credentials)
1933 struct netr_LogonControl2 r;
1934 union netr_CONTROL_DATA_INFORMATION data;
1935 union netr_CONTROL_QUERY_INFORMATION query;
1937 struct dcerpc_binding_handle *b = p->binding_handle;
1939 data.domain = lpcfg_workgroup(tctx->lp_ctx);
1941 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
1943 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
1945 r.out.query = &query;
1950 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
1951 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1953 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1954 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
1957 data.domain = lpcfg_workgroup(tctx->lp_ctx);
1959 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
1965 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
1966 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1968 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1969 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
1972 data.domain = lpcfg_workgroup(tctx->lp_ctx);
1974 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
1980 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
1981 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1983 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1984 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
1987 data.debug_level = ~0;
1989 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
1995 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
1996 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
1998 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
1999 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2003 r.in.function_code = 52;
2006 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2007 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2009 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2010 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2011 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL, "LogonControl2");
2013 data.debug_level = ~0;
2015 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2019 torture_comment(tctx, "Testing LogonControl2 function code %s (%d) level %d\n",
2020 function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
2022 status = dcerpc_netr_LogonControl2_r(b, tctx, &r);
2023 torture_assert_ntstatus_ok(tctx, status, "LogonControl2");
2024 torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL, "LogonControl2");
2030 try a netlogon DatabaseSync2
2032 static bool test_DatabaseSync2(struct torture_context *tctx,
2033 struct dcerpc_pipe *p,
2034 struct cli_credentials *machine_credentials)
2036 struct netr_DatabaseSync2 r;
2037 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
2038 struct netr_Authenticator return_authenticator, credential;
2040 struct netlogon_creds_CredentialState *creds;
2041 const uint32_t database_ids[] = {0, 1, 2};
2043 struct dcerpc_binding_handle *b = p->binding_handle;
2045 if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS,
2046 machine_credentials,
2047 cli_credentials_get_secure_channel_type(machine_credentials),
2052 ZERO_STRUCT(return_authenticator);
2054 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2055 r.in.computername = TEST_MACHINE_NAME;
2056 r.in.preferredmaximumlength = (uint32_t)-1;
2057 r.in.return_authenticator = &return_authenticator;
2058 r.out.return_authenticator = &return_authenticator;
2059 r.out.delta_enum_array = &delta_enum_array;
2061 for (i=0;i<ARRAY_SIZE(database_ids);i++) {
2063 uint32_t sync_context = 0;
2065 r.in.database_id = database_ids[i];
2066 r.in.sync_context = &sync_context;
2067 r.out.sync_context = &sync_context;
2068 r.in.restart_state = 0;
2070 torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
2073 netlogon_creds_client_authenticator(creds, &credential);
2075 r.in.credential = &credential;
2077 torture_assert_ntstatus_ok(tctx, dcerpc_netr_DatabaseSync2_r(b, tctx, &r),
2078 "DatabaseSync2 failed");
2079 if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
2082 /* Native mode servers don't do this */
2083 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_SUPPORTED)) {
2087 torture_assert_ntstatus_ok(tctx, r.out.result, "DatabaseSync2");
2089 if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
2090 torture_comment(tctx, "Credential chaining failed\n");
2093 } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));
2101 try a netlogon LogonControl2Ex
2103 static bool test_LogonControl2Ex(struct torture_context *tctx,
2104 struct dcerpc_pipe *p,
2105 struct cli_credentials *machine_credentials)
2109 struct netr_LogonControl2Ex r;
2110 union netr_CONTROL_DATA_INFORMATION data;
2111 union netr_CONTROL_QUERY_INFORMATION query;
2113 struct dcerpc_binding_handle *b = p->binding_handle;
2115 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2117 r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2119 r.in.function_code = NETLOGON_CONTROL_REDISCOVER;
2121 r.out.query = &query;
2126 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2127 i, r.in.function_code);
2129 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2130 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2133 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2135 r.in.function_code = NETLOGON_CONTROL_TC_QUERY;
2141 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2142 i, r.in.function_code);
2144 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2145 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2148 data.domain = lpcfg_workgroup(tctx->lp_ctx);
2150 r.in.function_code = NETLOGON_CONTROL_TRANSPORT_NOTIFY;
2156 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2157 i, r.in.function_code);
2159 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2160 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2163 data.debug_level = ~0;
2165 r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG;
2171 torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n",
2172 i, r.in.function_code);
2174 status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r);
2175 torture_assert_ntstatus_ok(tctx, status, "LogonControl");
2181 static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
2182 struct dcerpc_pipe *p,
2183 struct cli_credentials *machine_credentials)
2185 struct netr_GetForestTrustInformation r;
2186 struct netlogon_creds_CredentialState *creds;
2187 struct netr_Authenticator a;
2188 struct netr_Authenticator return_authenticator;
2189 struct lsa_ForestTrustInformation *forest_trust_info;
2190 struct dcerpc_binding_handle *b = p->binding_handle;
2192 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2193 machine_credentials, &creds)) {
2197 netlogon_creds_client_authenticator(creds, &a);
2199 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2200 r.in.computer_name = TEST_MACHINE_NAME;
2201 r.in.credential = &a;
2203 r.out.return_authenticator = &return_authenticator;
2204 r.out.forest_trust_info = &forest_trust_info;
2206 torture_assert_ntstatus_ok(tctx,
2207 dcerpc_netr_GetForestTrustInformation_r(b, tctx, &r),
2208 "netr_GetForestTrustInformation failed");
2209 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
2210 torture_comment(tctx, "not considering NT_STATUS_NOT_IMPLEMENTED as an error\n");
2212 torture_assert_ntstatus_ok(tctx, r.out.result,
2213 "netr_GetForestTrustInformation failed");
2216 torture_assert(tctx,
2217 netlogon_creds_client_check(creds, &return_authenticator.cred),
2218 "Credential chaining failed");
2223 static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx,
2224 struct dcerpc_pipe *p, const char *trusted_domain_name)
2227 struct netr_DsRGetForestTrustInformation r;
2228 struct lsa_ForestTrustInformation info, *info_ptr;
2229 struct dcerpc_binding_handle *b = p->binding_handle;
2233 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2234 r.in.trusted_domain_name = trusted_domain_name;
2236 r.out.forest_trust_info = &info_ptr;
2238 torture_comment(tctx ,"Testing netr_DsRGetForestTrustInformation\n");
2240 status = dcerpc_netr_DsRGetForestTrustInformation_r(b, tctx, &r);
2241 torture_assert_ntstatus_ok(tctx, status, "DsRGetForestTrustInformation");
2242 torture_assert_werr_ok(tctx, r.out.result, "DsRGetForestTrustInformation");
2248 try a netlogon netr_DsrEnumerateDomainTrusts
2250 static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx,
2251 struct dcerpc_pipe *p)
2254 struct netr_DsrEnumerateDomainTrusts r;
2255 struct netr_DomainTrustList trusts;
2257 struct dcerpc_binding_handle *b = p->binding_handle;
2259 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2260 r.in.trust_flags = 0x3f;
2261 r.out.trusts = &trusts;
2263 status = dcerpc_netr_DsrEnumerateDomainTrusts_r(b, tctx, &r);
2264 torture_assert_ntstatus_ok(tctx, status, "DsrEnumerateDomaintrusts");
2265 torture_assert_werr_ok(tctx, r.out.result, "DsrEnumerateDomaintrusts");
2267 /* when trusted_domain_name is NULL, netr_DsRGetForestTrustInformation
2268 * will show non-forest trusts and all UPN suffixes of the own forest
2269 * as LSA_FOREST_TRUST_TOP_LEVEL_NAME types */
2271 if (r.out.trusts->count) {
2272 if (!test_netr_DsRGetForestTrustInformation(tctx, p, NULL)) {
2277 for (i=0; i<r.out.trusts->count; i++) {
2279 /* get info for transitive forest trusts */
2281 if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
2282 if (!test_netr_DsRGetForestTrustInformation(tctx, p,
2283 r.out.trusts->array[i].dns_name)) {
2292 static bool test_netr_NetrEnumerateTrustedDomains(struct torture_context *tctx,
2293 struct dcerpc_pipe *p)
2296 struct netr_NetrEnumerateTrustedDomains r;
2297 struct netr_Blob trusted_domains_blob;
2298 struct dcerpc_binding_handle *b = p->binding_handle;
2300 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2301 r.out.trusted_domains_blob = &trusted_domains_blob;
2303 status = dcerpc_netr_NetrEnumerateTrustedDomains_r(b, tctx, &r);
2304 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomains");
2305 torture_assert_ntstatus_ok(tctx, r.out.result, "NetrEnumerateTrustedDomains");
2310 static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx,
2311 struct dcerpc_pipe *p)
2314 struct netr_NetrEnumerateTrustedDomainsEx r;
2315 struct netr_DomainTrustList dom_trust_list;
2316 struct dcerpc_binding_handle *b = p->binding_handle;
2318 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2319 r.out.dom_trust_list = &dom_trust_list;
2321 status = dcerpc_netr_NetrEnumerateTrustedDomainsEx_r(b, tctx, &r);
2322 torture_assert_ntstatus_ok(tctx, status, "netr_NetrEnumerateTrustedDomainsEx");
2323 torture_assert_werr_ok(tctx, r.out.result, "NetrEnumerateTrustedDomainsEx");
2329 static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx,
2330 const char *computer_name,
2331 const char *expected_site)
2334 struct netr_DsRGetSiteName r;
2335 const char *site = NULL;
2336 struct dcerpc_binding_handle *b = p->binding_handle;
2338 r.in.computer_name = computer_name;
2340 torture_comment(tctx, "Testing netr_DsRGetSiteName\n");
2342 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2343 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2344 torture_assert_werr_ok(tctx, r.out.result, "DsRGetSiteName");
2345 torture_assert_str_equal(tctx, expected_site, site, "netr_DsRGetSiteName");
2347 if (torture_setting_bool(tctx, "samba4", false))
2348 torture_skip(tctx, "skipping computer name check against Samba4");
2350 r.in.computer_name = talloc_asprintf(tctx, "\\\\%s", computer_name);
2351 torture_comment(tctx,
2352 "Testing netr_DsRGetSiteName with broken computer name: %s\n", r.in.computer_name);
2354 status = dcerpc_netr_DsRGetSiteName_r(b, tctx, &r);
2355 torture_assert_ntstatus_ok(tctx, status, "DsRGetSiteName");
2356 torture_assert_werr_equal(tctx, r.out.result, WERR_INVALID_COMPUTERNAME, "netr_DsRGetSiteName");
2362 try a netlogon netr_DsRGetDCName
2364 static bool test_netr_DsRGetDCName(struct torture_context *tctx,
2365 struct dcerpc_pipe *p)
2368 struct netr_DsRGetDCName r;
2369 struct netr_DsRGetDCNameInfo *info = NULL;
2370 struct dcerpc_binding_handle *b = p->binding_handle;
2372 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2373 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2374 r.in.domain_guid = NULL;
2375 r.in.site_guid = NULL;
2376 r.in.flags = DS_RETURN_DNS_NAME;
2379 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2380 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2381 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2383 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2385 status = dcerpc_netr_DsRGetDCName_r(b, tctx, &r);
2386 torture_assert_ntstatus_ok(tctx, status, "DsRGetDCName");
2387 torture_assert_werr_ok(tctx, r.out.result, "DsRGetDCName");
2389 return test_netr_DsRGetSiteName(p, tctx,
2391 info->dc_site_name);
2395 try a netlogon netr_DsRGetDCNameEx
2397 static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
2398 struct dcerpc_pipe *p)
2401 struct netr_DsRGetDCNameEx r;
2402 struct netr_DsRGetDCNameInfo *info = NULL;
2403 struct dcerpc_binding_handle *b = p->binding_handle;
2405 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2406 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2407 r.in.domain_guid = NULL;
2408 r.in.site_name = NULL;
2409 r.in.flags = DS_RETURN_DNS_NAME;
2412 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2413 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2414 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2416 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2418 status = dcerpc_netr_DsRGetDCNameEx_r(b, tctx, &r);
2419 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx");
2420 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx");
2422 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2423 info->dc_site_name);
2427 try a netlogon netr_DsRGetDCNameEx2
2429 static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
2430 struct dcerpc_pipe *p)
2433 struct netr_DsRGetDCNameEx2 r;
2434 struct netr_DsRGetDCNameInfo *info = NULL;
2435 struct dcerpc_binding_handle *b = p->binding_handle;
2437 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with no inputs\n");
2439 r.in.flags = DS_RETURN_DNS_NAME;
2442 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2443 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2444 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2446 r.in.server_unc = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2447 r.in.client_account = NULL;
2448 r.in.mask = 0x00000000;
2449 r.in.domain_name = lpcfg_dnsdomain(tctx->lp_ctx);
2450 r.in.domain_guid = NULL;
2451 r.in.site_name = NULL;
2452 r.in.flags = DS_RETURN_DNS_NAME;
2455 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 without client account\n");
2457 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2458 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2459 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2461 r.in.domain_name = lpcfg_workgroup(tctx->lp_ctx);
2463 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2464 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2465 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2467 torture_comment(tctx, "Testing netr_DsRGetDCNameEx2 with client account\n");
2468 r.in.client_account = TEST_MACHINE_NAME"$";
2469 r.in.mask = ACB_SVRTRUST;
2470 r.in.flags = DS_RETURN_FLAT_NAME;
2473 status = dcerpc_netr_DsRGetDCNameEx2_r(b, tctx, &r);
2474 torture_assert_ntstatus_ok(tctx, status, "netr_DsRGetDCNameEx2");
2475 torture_assert_werr_ok(tctx, r.out.result, "netr_DsRGetDCNameEx2");
2477 return test_netr_DsRGetSiteName(p, tctx, info->dc_unc,
2478 info->dc_site_name);
2481 /* This is a substitution for "samdb_server_site_name" which relies on the
2482 * correct "lp_ctx" and therefore can't be used here. */
2483 static const char *server_site_name(struct torture_context *tctx,
2484 struct ldb_context *ldb)
2486 TALLOC_CTX *tmp_ctx;
2487 struct ldb_dn *dn, *server_dn;
2488 const struct ldb_val *site_name_val;
2489 const char *server_dn_str, *site_name;
2491 tmp_ctx = talloc_new(ldb);
2492 if (tmp_ctx == NULL) {
2496 dn = ldb_dn_new(tmp_ctx, ldb, "");
2501 server_dn_str = samdb_search_string(ldb, tmp_ctx, dn, "serverName",
2503 if (server_dn_str == NULL) {
2507 server_dn = ldb_dn_new(tmp_ctx, ldb, server_dn_str);
2508 if (server_dn == NULL) {
2512 /* CN=<Server name>, CN=Servers, CN=<Site name>, CN=Sites, ... */
2513 site_name_val = ldb_dn_get_component_val(server_dn, 2);
2514 if (site_name_val == NULL) {
2518 site_name = (const char *) site_name_val->data;
2520 talloc_steal(tctx, site_name);
2521 talloc_free(tmp_ctx);
2526 talloc_free(tmp_ctx);
2530 static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx,
2531 struct dcerpc_pipe *p)
2534 struct ldb_context *sam_ctx = NULL;
2536 struct netr_DsrGetDcSiteCoverageW r;
2537 struct DcSitesCtr *ctr = NULL;
2538 struct dcerpc_binding_handle *b = p->binding_handle;
2540 torture_comment(tctx, "This does only pass with the default site\n");
2542 /* We won't double-check this when we are over 'local' transports */
2543 if (dcerpc_server_name(p)) {
2544 /* Set up connection to SAMDB on DC */
2545 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2546 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2548 cmdline_credentials,
2551 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2554 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2557 status = dcerpc_netr_DsrGetDcSiteCoverageW_r(b, tctx, &r);
2558 torture_assert_ntstatus_ok(tctx, status, "failed");
2559 torture_assert_werr_ok(tctx, r.out.result, "failed");
2561 torture_assert(tctx, ctr->num_sites == 1,
2562 "we should per default only get the default site");
2563 if (sam_ctx != NULL) {
2564 torture_assert_casestr_equal(tctx, ctr->sites[0].string,
2565 server_site_name(tctx, sam_ctx),
2566 "didn't return default site");
2572 static bool test_netr_DsRAddressToSitenamesW(struct torture_context *tctx,
2573 struct dcerpc_pipe *p)
2576 struct ldb_context *sam_ctx = NULL;
2578 struct netr_DsRAddressToSitenamesW r;
2579 struct netr_DsRAddress addrs[6];
2580 struct sockaddr_in *addr;
2582 struct sockaddr_in6 *addr6;
2584 struct netr_DsRAddressToSitenamesWCtr *ctr;
2585 struct dcerpc_binding_handle *b = p->binding_handle;
2589 torture_comment(tctx, "This does only pass with the default site\n");
2591 /* We won't double-check this when we are over 'local' transports */
2592 if (dcerpc_server_name(p)) {
2593 /* Set up connection to SAMDB on DC */
2594 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2595 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2597 cmdline_credentials,
2600 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2603 /* First try valid IP addresses */
2605 addrs[0].size = sizeof(struct sockaddr_in);
2606 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2607 addr = (struct sockaddr_in *) addrs[0].buffer;
2608 addrs[0].buffer[0] = AF_INET;
2609 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2610 torture_assert(tctx, ret > 0, "inet_pton failed");
2612 addrs[1].size = sizeof(struct sockaddr_in);
2613 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2614 addr = (struct sockaddr_in *) addrs[1].buffer;
2615 addrs[1].buffer[0] = AF_INET;
2616 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2617 torture_assert(tctx, ret > 0, "inet_pton failed");
2619 addrs[2].size = sizeof(struct sockaddr_in);
2620 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2621 addr = (struct sockaddr_in *) addrs[2].buffer;
2622 addrs[2].buffer[0] = AF_INET;
2623 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
2624 torture_assert(tctx, ret > 0, "inet_pton failed");
2627 addrs[3].size = sizeof(struct sockaddr_in6);
2628 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2629 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2630 addrs[3].buffer[0] = AF_INET6;
2631 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2632 torture_assert(tctx, ret > 0, "inet_pton failed");
2634 addrs[4].size = sizeof(struct sockaddr_in6);
2635 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2636 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2637 addrs[4].buffer[0] = AF_INET6;
2638 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2639 torture_assert(tctx, ret > 0, "inet_pton failed");
2641 addrs[5].size = sizeof(struct sockaddr_in6);
2642 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2643 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2644 addrs[5].buffer[0] = AF_INET6;
2645 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2646 torture_assert(tctx, ret > 0, "inet_pton failed");
2648 /* the test cases are repeated to have exactly 6. This is for
2649 * compatibility with IPv4-only machines */
2650 addrs[3].size = sizeof(struct sockaddr_in);
2651 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2652 addr = (struct sockaddr_in *) addrs[3].buffer;
2653 addrs[3].buffer[0] = AF_INET;
2654 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2655 torture_assert(tctx, ret > 0, "inet_pton failed");
2657 addrs[4].size = sizeof(struct sockaddr_in);
2658 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2659 addr = (struct sockaddr_in *) addrs[4].buffer;
2660 addrs[4].buffer[0] = AF_INET;
2661 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2662 torture_assert(tctx, ret > 0, "inet_pton failed");
2664 addrs[5].size = sizeof(struct sockaddr_in);
2665 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2666 addr = (struct sockaddr_in *) addrs[5].buffer;
2667 addrs[5].buffer[0] = AF_INET;
2668 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
2669 torture_assert(tctx, ret > 0, "inet_pton failed");
2672 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesWCtr);
2674 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2676 r.in.addresses = addrs;
2679 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2680 torture_assert_ntstatus_ok(tctx, status, "failed");
2681 torture_assert_werr_ok(tctx, r.out.result, "failed");
2683 if (sam_ctx != NULL) {
2684 for (i = 0; i < 3; i++) {
2685 torture_assert_casestr_equal(tctx,
2686 ctr->sitename[i].string,
2687 server_site_name(tctx, sam_ctx),
2688 "didn't return default site");
2690 for (i = 3; i < 6; i++) {
2691 /* Windows returns "NULL" for the sitename if it isn't
2692 * IPv6 configured */
2693 if (torture_setting_bool(tctx, "samba4", false)) {
2694 torture_assert_casestr_equal(tctx,
2695 ctr->sitename[i].string,
2696 server_site_name(tctx, sam_ctx),
2697 "didn't return default site");
2702 /* Now try invalid ones (too short buffers) */
2712 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2713 torture_assert_ntstatus_ok(tctx, status, "failed");
2714 torture_assert_werr_ok(tctx, r.out.result, "failed");
2716 for (i = 0; i < 6; i++) {
2717 torture_assert(tctx, ctr->sitename[i].string == NULL,
2718 "sitename should be null");
2721 /* Now try invalid ones (wrong address types) */
2724 addrs[0].buffer[0] = AF_UNSPEC;
2726 addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
2728 addrs[2].buffer[0] = AF_UNIX;
2731 addrs[3].buffer[0] = 250;
2733 addrs[4].buffer[0] = 251;
2735 addrs[5].buffer[0] = 252;
2737 status = dcerpc_netr_DsRAddressToSitenamesW_r(b, tctx, &r);
2738 torture_assert_ntstatus_ok(tctx, status, "failed");
2739 torture_assert_werr_ok(tctx, r.out.result, "failed");
2741 for (i = 0; i < 6; i++) {
2742 torture_assert(tctx, ctr->sitename[i].string == NULL,
2743 "sitename should be null");
2749 static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
2750 struct dcerpc_pipe *p)
2753 struct ldb_context *sam_ctx = NULL;
2755 struct netr_DsRAddressToSitenamesExW r;
2756 struct netr_DsRAddress addrs[6];
2757 struct sockaddr_in *addr;
2759 struct sockaddr_in6 *addr6;
2761 struct netr_DsRAddressToSitenamesExWCtr *ctr;
2762 struct dcerpc_binding_handle *b = p->binding_handle;
2766 torture_comment(tctx, "This does pass with the default site\n");
2768 /* We won't double-check this when we are over 'local' transports */
2769 if (dcerpc_server_name(p)) {
2770 /* Set up connection to SAMDB on DC */
2771 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
2772 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
2774 cmdline_credentials,
2777 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
2780 /* First try valid IP addresses */
2782 addrs[0].size = sizeof(struct sockaddr_in);
2783 addrs[0].buffer = talloc_zero_array(tctx, uint8_t, addrs[0].size);
2784 addr = (struct sockaddr_in *) addrs[0].buffer;
2785 addrs[0].buffer[0] = AF_INET;
2786 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2787 torture_assert(tctx, ret > 0, "inet_pton failed");
2789 addrs[1].size = sizeof(struct sockaddr_in);
2790 addrs[1].buffer = talloc_zero_array(tctx, uint8_t, addrs[1].size);
2791 addr = (struct sockaddr_in *) addrs[1].buffer;
2792 addrs[1].buffer[0] = AF_INET;
2793 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2794 torture_assert(tctx, ret > 0, "inet_pton failed");
2796 addrs[2].size = sizeof(struct sockaddr_in);
2797 addrs[2].buffer = talloc_zero_array(tctx, uint8_t, addrs[2].size);
2798 addr = (struct sockaddr_in *) addrs[2].buffer;
2799 addrs[2].buffer[0] = AF_INET;
2800 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
2801 torture_assert(tctx, ret > 0, "inet_pton failed");
2804 addrs[3].size = sizeof(struct sockaddr_in6);
2805 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2806 addr6 = (struct sockaddr_in6 *) addrs[3].buffer;
2807 addrs[3].buffer[0] = AF_INET6;
2808 ret = inet_pton(AF_INET6, "::1", &addr6->sin6_addr);
2809 torture_assert(tctx, ret > 0, "inet_pton failed");
2811 addrs[4].size = sizeof(struct sockaddr_in6);
2812 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2813 addr6 = (struct sockaddr_in6 *) addrs[4].buffer;
2814 addrs[4].buffer[0] = AF_INET6;
2815 ret = inet_pton(AF_INET6, "::", &addr6->sin6_addr);
2816 torture_assert(tctx, ret > 0, "inet_pton failed");
2818 addrs[5].size = sizeof(struct sockaddr_in6);
2819 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2820 addr6 = (struct sockaddr_in6 *) addrs[5].buffer;
2821 addrs[5].buffer[0] = AF_INET6;
2822 ret = inet_pton(AF_INET6, "ff02::1", &addr6->sin6_addr);
2823 torture_assert(tctx, ret > 0, "inet_pton failed");
2825 /* the test cases are repeated to have exactly 6. This is for
2826 * compatibility with IPv4-only machines */
2827 addrs[3].size = sizeof(struct sockaddr_in);
2828 addrs[3].buffer = talloc_zero_array(tctx, uint8_t, addrs[3].size);
2829 addr = (struct sockaddr_in *) addrs[3].buffer;
2830 addrs[3].buffer[0] = AF_INET;
2831 ret = inet_pton(AF_INET, "127.0.0.1", &addr->sin_addr);
2832 torture_assert(tctx, ret > 0, "inet_pton failed");
2834 addrs[4].size = sizeof(struct sockaddr_in);
2835 addrs[4].buffer = talloc_zero_array(tctx, uint8_t, addrs[4].size);
2836 addr = (struct sockaddr_in *) addrs[4].buffer;
2837 addrs[4].buffer[0] = AF_INET;
2838 ret = inet_pton(AF_INET, "0.0.0.0", &addr->sin_addr);
2839 torture_assert(tctx, ret > 0, "inet_pton failed");
2841 addrs[5].size = sizeof(struct sockaddr_in);
2842 addrs[5].buffer = talloc_zero_array(tctx, uint8_t, addrs[5].size);
2843 addr = (struct sockaddr_in *) addrs[5].buffer;
2844 addrs[5].buffer[0] = AF_INET;
2845 ret = inet_pton(AF_INET, "255.255.255.255", &addr->sin_addr);
2846 torture_assert(tctx, ret > 0, "inet_pton failed");
2849 ctr = talloc(tctx, struct netr_DsRAddressToSitenamesExWCtr);
2851 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2853 r.in.addresses = addrs;
2856 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2857 torture_assert_ntstatus_ok(tctx, status, "failed");
2858 torture_assert_werr_ok(tctx, r.out.result, "failed");
2860 if (sam_ctx != NULL) {
2861 for (i = 0; i < 3; i++) {
2862 torture_assert_casestr_equal(tctx,
2863 ctr->sitename[i].string,
2864 server_site_name(tctx, sam_ctx),
2865 "didn't return default site");
2866 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2867 "subnet should be null");
2869 for (i = 3; i < 6; i++) {
2870 /* Windows returns "NULL" for the sitename if it isn't
2871 * IPv6 configured */
2872 if (torture_setting_bool(tctx, "samba4", false)) {
2873 torture_assert_casestr_equal(tctx,
2874 ctr->sitename[i].string,
2875 server_site_name(tctx, sam_ctx),
2876 "didn't return default site");
2878 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2879 "subnet should be null");
2883 /* Now try invalid ones (too short buffers) */
2893 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2894 torture_assert_ntstatus_ok(tctx, status, "failed");
2895 torture_assert_werr_ok(tctx, r.out.result, "failed");
2897 for (i = 0; i < 6; i++) {
2898 torture_assert(tctx, ctr->sitename[i].string == NULL,
2899 "sitename should be null");
2900 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2901 "subnet should be null");
2905 addrs[0].buffer[0] = AF_UNSPEC;
2907 addrs[1].buffer[0] = AF_UNIX; /* AF_LOCAL = AF_UNIX */
2909 addrs[2].buffer[0] = AF_UNIX;
2912 addrs[3].buffer[0] = 250;
2914 addrs[4].buffer[0] = 251;
2916 addrs[5].buffer[0] = 252;
2918 status = dcerpc_netr_DsRAddressToSitenamesExW_r(b, tctx, &r);
2919 torture_assert_ntstatus_ok(tctx, status, "failed");
2920 torture_assert_werr_ok(tctx, r.out.result, "failed");
2922 for (i = 0; i < 6; i++) {
2923 torture_assert(tctx, ctr->sitename[i].string == NULL,
2924 "sitename should be null");
2925 torture_assert(tctx, ctr->subnetname[i].string == NULL,
2926 "subnet should be null");
2932 static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
2933 struct dcerpc_pipe *p,
2934 struct cli_credentials *machine_credentials)
2936 struct netr_ServerGetTrustInfo r;
2938 struct netr_Authenticator a;
2939 struct netr_Authenticator return_authenticator;
2940 struct samr_Password new_owf_password;
2941 struct samr_Password old_owf_password;
2942 struct netr_TrustInfo *trust_info;
2944 struct netlogon_creds_CredentialState *creds;
2945 struct dcerpc_binding_handle *b = p->binding_handle;
2947 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
2948 machine_credentials, &creds)) {
2952 netlogon_creds_client_authenticator(creds, &a);
2954 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
2955 r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
2956 r.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
2957 r.in.computer_name = TEST_MACHINE_NAME;
2958 r.in.credential = &a;
2960 r.out.return_authenticator = &return_authenticator;
2961 r.out.new_owf_password = &new_owf_password;
2962 r.out.old_owf_password = &old_owf_password;
2963 r.out.trust_info = &trust_info;
2965 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerGetTrustInfo_r(b, tctx, &r),
2966 "ServerGetTrustInfo failed");
2967 torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
2968 torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
2974 static bool test_GetDomainInfo(struct torture_context *tctx,
2975 struct dcerpc_pipe *p,
2976 struct cli_credentials *machine_credentials)
2978 struct netr_LogonGetDomainInfo r;
2979 struct netr_WorkstationInformation q1;
2980 struct netr_Authenticator a;
2981 struct netlogon_creds_CredentialState *creds;
2982 struct netr_OsVersion os;
2983 union netr_WorkstationInfo query;
2984 union netr_DomainInfo info;
2985 const char* const attrs[] = { "dNSHostName", "operatingSystem",
2986 "operatingSystemServicePack", "operatingSystemVersion",
2987 "servicePrincipalName", NULL };
2989 struct ldb_context *sam_ctx = NULL;
2990 struct ldb_message **res;
2991 struct ldb_message_element *spn_el;
2994 const char *old_dnsname = NULL;
2998 struct dcerpc_binding_handle *b = p->binding_handle;
3000 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
3002 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
3003 machine_credentials, &creds)) {
3007 /* We won't double-check this when we are over 'local' transports */
3008 if (dcerpc_server_name(p)) {
3009 /* Set up connection to SAMDB on DC */
3010 url = talloc_asprintf(tctx, "ldap://%s", dcerpc_server_name(p));
3011 sam_ctx = ldb_wrap_connect(tctx, tctx->ev, tctx->lp_ctx, url,
3013 cmdline_credentials,
3016 torture_assert(tctx, sam_ctx, "Connection to the SAMDB on DC failed!");
3019 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 1st call (no variation of DNS hostname)\n");
3020 netlogon_creds_client_authenticator(creds, &a);
3023 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3024 r.in.computer_name = TEST_MACHINE_NAME;
3025 r.in.credential = &a;
3027 r.in.return_authenticator = &a;
3028 r.in.query = &query;
3029 r.out.return_authenticator = &a;
3033 os.os.MajorVersion = 123;
3034 os.os.MinorVersion = 456;
3035 os.os.BuildNumber = 789;
3036 os.os.CSDVersion = "Service Pack 10";
3037 os.os.ServicePackMajor = 10;
3038 os.os.ServicePackMinor = 1;
3039 os.os.SuiteMask = NETR_VER_SUITE_SINGLEUSERTS;
3040 os.os.ProductType = NETR_VER_NT_SERVER;
3043 version_str = talloc_asprintf(tctx, "%d.%d (%d)", os.os.MajorVersion,
3044 os.os.MinorVersion, os.os.BuildNumber);
3047 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3048 lpcfg_dnsdomain(tctx->lp_ctx));
3049 q1.sitename = "Default-First-Site-Name";
3050 q1.os_version.os = &os;
3051 q1.os_name.string = talloc_asprintf(tctx,
3052 "Tortured by Samba4 RPC-NETLOGON: %s",
3053 timestring(tctx, time(NULL)));
3055 /* The workstation handles the "servicePrincipalName" and DNS hostname
3057 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3059 query.workstation_info = &q1;
3062 /* Gets back the old DNS hostname in AD */
3063 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3064 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3066 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL);
3068 /* Gets back the "servicePrincipalName"s in AD */
3069 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3070 if (spn_el != NULL) {
3071 for (i=0; i < spn_el->num_values; i++) {
3072 spns = talloc_realloc(tctx, spns, char *, i + 1);
3073 spns[i] = (char *) spn_el->values[i].data;
3079 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3080 "LogonGetDomainInfo failed");
3081 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3082 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3087 /* AD workstation infos entry check */
3088 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3089 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3090 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3091 torture_assert_str_equal(tctx,
3092 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3093 q1.os_name.string, "'operatingSystem' wrong!");
3094 torture_assert_str_equal(tctx,
3095 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL),
3096 os.os.CSDVersion, "'operatingSystemServicePack' wrong!");
3097 torture_assert_str_equal(tctx,
3098 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL),
3099 version_str, "'operatingSystemVersion' wrong!");
3101 if (old_dnsname != NULL) {
3102 /* If before a DNS hostname was set then it should remain
3103 the same in combination with the "servicePrincipalName"s.
3104 The DNS hostname should also be returned by our
3105 "LogonGetDomainInfo" call (in the domain info structure). */
3107 torture_assert_str_equal(tctx,
3108 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3109 old_dnsname, "'DNS hostname' was not set!");
3111 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3112 torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)),
3113 "'servicePrincipalName's not set!");
3114 torture_assert(tctx, spn_el->num_values == num_spns,
3115 "'servicePrincipalName's incorrect!");
3116 for (i=0; (i < spn_el->num_values) && (i < num_spns); i++)
3117 torture_assert_str_equal(tctx,
3118 (char *) spn_el->values[i].data,
3119 spns[i], "'servicePrincipalName's incorrect!");
3121 torture_assert_str_equal(tctx,
3122 info.domain_info->dns_hostname.string,
3124 "Out 'DNS hostname' doesn't match the old one!");
3126 /* If no DNS hostname was set then also now none should be set,
3127 the "servicePrincipalName"s should remain empty and no DNS
3128 hostname should be returned by our "LogonGetDomainInfo"
3129 call (in the domain info structure). */
3131 torture_assert(tctx,
3132 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL,
3133 "'DNS hostname' was set!");
3135 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3136 torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)),
3137 "'servicePrincipalName's were set!");
3139 torture_assert(tctx,
3140 info.domain_info->dns_hostname.string == NULL,
3141 "Out 'DNS host name' was set!");
3145 /* Checks "workstation flags" */
3146 torture_assert(tctx,
3147 info.domain_info->workstation_flags
3148 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3149 "Out 'workstation flags' don't match!");
3152 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call (variation of DNS hostname doesn't work)\n");
3153 netlogon_creds_client_authenticator(creds, &a);
3155 /* Wipe out the osVersion, and prove which values still 'stick' */
3156 q1.os_version.os = NULL;
3158 /* Change also the DNS hostname to test differences in behaviour */
3159 talloc_free(discard_const_p(char, q1.dns_hostname));
3160 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
3161 lpcfg_dnsdomain(tctx->lp_ctx));
3163 /* The workstation handles the "servicePrincipalName" and DNS hostname
3165 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3167 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3168 "LogonGetDomainInfo failed");
3169 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3171 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3176 /* AD workstation infos entry check */
3177 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3178 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3179 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3181 torture_assert_str_equal(tctx,
3182 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3183 q1.os_name.string, "'operatingSystem' should stick!");
3184 torture_assert(tctx,
3185 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
3186 "'operatingSystemServicePack' shouldn't stick!");
3187 torture_assert(tctx,
3188 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
3189 "'operatingSystemVersion' shouldn't stick!");
3191 /* The DNS host name shouldn't have been updated by the server */
3193 torture_assert_str_equal(tctx,
3194 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3195 old_dnsname, "'DNS host name' did change!");
3197 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3198 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3200 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3201 torture_assert(tctx, spn_el != NULL,
3202 "There should exist 'servicePrincipalName's in AD!");
3203 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
3204 for (i=0; i < spn_el->num_values; i++)
3205 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3207 torture_assert(tctx, i != spn_el->num_values,
3208 "'servicePrincipalName' HOST/<Netbios name> not found!");
3209 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
3210 for (i=0; i < spn_el->num_values; i++)
3211 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3213 torture_assert(tctx, i != spn_el->num_values,
3214 "'servicePrincipalName' HOST/<FQDN name> not found!");
3216 /* Check that the out DNS hostname was set properly */
3217 torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string,
3218 old_dnsname, "Out 'DNS hostname' doesn't match the old one!");
3221 /* Checks "workstation flags" */
3222 torture_assert(tctx,
3223 info.domain_info->workstation_flags == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3224 "Out 'workstation flags' don't match!");
3227 /* Now try the same but the workstation flags set to 0 */
3229 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 3rd call (variation of DNS hostname doesn't work)\n");
3230 netlogon_creds_client_authenticator(creds, &a);
3232 /* Change also the DNS hostname to test differences in behaviour */
3233 talloc_free(discard_const_p(char, q1.dns_hostname));
3234 q1.dns_hostname = talloc_asprintf(tctx, "%s2.%s", TEST_MACHINE_NAME,
3235 lpcfg_dnsdomain(tctx->lp_ctx));
3237 /* Wipe out the osVersion, and prove which values still 'stick' */
3238 q1.os_version.os = NULL;
3240 /* Let the DC handle the "servicePrincipalName" and DNS hostname
3242 q1.workstation_flags = 0;
3244 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3245 "LogonGetDomainInfo failed");
3246 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3247 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3252 /* AD workstation infos entry check */
3253 ret = gendb_search(sam_ctx, tctx, NULL, &res, attrs,
3254 "(sAMAccountName=%s$)", TEST_MACHINE_NAME);
3255 torture_assert(tctx, ret == 1, "Test machine account not found in SAMDB on DC! Has the workstation been joined?");
3257 torture_assert_str_equal(tctx,
3258 ldb_msg_find_attr_as_string(res[0], "operatingSystem", NULL),
3259 q1.os_name.string, "'operatingSystem' should stick!");
3260 torture_assert(tctx,
3261 ldb_msg_find_attr_as_string(res[0], "operatingSystemServicePack", NULL) == NULL,
3262 "'operatingSystemServicePack' shouldn't stick!");
3263 torture_assert(tctx,
3264 ldb_msg_find_attr_as_string(res[0], "operatingSystemVersion", NULL) == NULL,
3265 "'operatingSystemVersion' shouldn't stick!");
3267 /* The DNS host name shouldn't have been updated by the server */
3269 torture_assert_str_equal(tctx,
3270 ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL),
3271 old_dnsname, "'DNS host name' did change!");
3273 /* Find the two "servicePrincipalName"s which the DC shouldn't have been
3274 updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC
3276 spn_el = ldb_msg_find_element(res[0], "servicePrincipalName");
3277 torture_assert(tctx, spn_el != NULL,
3278 "There should exist 'servicePrincipalName's in AD!");
3279 temp_str = talloc_asprintf(tctx, "HOST/%s", TEST_MACHINE_NAME);
3280 for (i=0; i < spn_el->num_values; i++)
3281 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3283 torture_assert(tctx, i != spn_el->num_values,
3284 "'servicePrincipalName' HOST/<Netbios name> not found!");
3285 temp_str = talloc_asprintf(tctx, "HOST/%s", old_dnsname);
3286 for (i=0; i < spn_el->num_values; i++)
3287 if (strcasecmp((char *) spn_el->values[i].data, temp_str) == 0)
3289 torture_assert(tctx, i != spn_el->num_values,
3290 "'servicePrincipalName' HOST/<FQDN name> not found!");
3292 /* Here the server gives us NULL as the out DNS hostname */
3293 torture_assert(tctx, info.domain_info->dns_hostname.string == NULL,
3294 "Out 'DNS hostname' should be NULL!");
3297 /* Checks "workstation flags" */
3298 torture_assert(tctx,
3299 info.domain_info->workstation_flags == 0,
3300 "Out 'workstation flags' don't match!");
3303 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 4th call (verification of DNS hostname and check for trusted domains)\n");
3304 netlogon_creds_client_authenticator(creds, &a);
3306 /* Put the DNS hostname back */
3307 talloc_free(discard_const_p(char, q1.dns_hostname));
3308 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3309 lpcfg_dnsdomain(tctx->lp_ctx));
3311 /* The workstation handles the "servicePrincipalName" and DNS hostname
3313 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE;
3315 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3316 "LogonGetDomainInfo failed");
3317 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3318 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3322 /* Now the in/out DNS hostnames should be the same */
3323 torture_assert_str_equal(tctx,
3324 info.domain_info->dns_hostname.string,
3325 query.workstation_info->dns_hostname,
3326 "In/Out 'DNS hostnames' don't match!");
3327 old_dnsname = info.domain_info->dns_hostname.string;
3329 /* Checks "workstation flags" */
3330 torture_assert(tctx,
3331 info.domain_info->workstation_flags
3332 == NETR_WS_FLAG_HANDLES_SPN_UPDATE,
3333 "Out 'workstation flags' don't match!");
3335 /* Checks for trusted domains */
3336 torture_assert(tctx,
3337 (info.domain_info->trusted_domain_count != 0)
3338 && (info.domain_info->trusted_domains != NULL),
3339 "Trusted domains have been requested!");
3342 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 5th call (check for trusted domains)\n");
3343 netlogon_creds_client_authenticator(creds, &a);
3345 /* The workstation handles the "servicePrincipalName" and DNS hostname
3346 updates and requests inbound trusts */
3347 q1.workstation_flags = NETR_WS_FLAG_HANDLES_SPN_UPDATE
3348 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS;
3350 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3351 "LogonGetDomainInfo failed");
3352 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3353 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3357 /* Checks "workstation flags" */
3358 torture_assert(tctx,
3359 info.domain_info->workstation_flags
3360 == (NETR_WS_FLAG_HANDLES_SPN_UPDATE
3361 | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS),
3362 "Out 'workstation flags' don't match!");
3364 /* Checks for trusted domains */
3365 torture_assert(tctx,
3366 (info.domain_info->trusted_domain_count != 0)
3367 && (info.domain_info->trusted_domains != NULL),
3368 "Trusted domains have been requested!");
3371 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 6th call (no DNS hostname)\n");
3372 netlogon_creds_client_authenticator(creds, &a);
3374 query.workstation_info->dns_hostname = NULL;
3376 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3377 "LogonGetDomainInfo failed");
3378 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3379 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3381 /* The old DNS hostname should stick */
3382 torture_assert_str_equal(tctx,
3383 info.domain_info->dns_hostname.string,
3385 "'DNS hostname' changed!");
3388 if (!torture_setting_bool(tctx, "dangerous", false)) {
3389 torture_comment(tctx, "Not testing netr_LogonGetDomainInfo 7th call (no workstation info) - enable dangerous tests in order to do so\n");
3391 /* Try a call without the workstation information structure */
3393 torture_comment(tctx, "Testing netr_LogonGetDomainInfo 7th call (no workstation info)\n");
3394 netlogon_creds_client_authenticator(creds, &a);
3396 query.workstation_info = NULL;
3398 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonGetDomainInfo_r(b, tctx, &r),
3399 "LogonGetDomainInfo failed");
3400 torture_assert_ntstatus_ok(tctx, r.out.result, "LogonGetDomainInfo failed");
3401 torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
3407 static bool test_GetDomainInfo_async(struct torture_context *tctx,
3408 struct dcerpc_pipe *p,
3409 struct cli_credentials *machine_credentials)
3412 struct netr_LogonGetDomainInfo r;
3413 struct netr_WorkstationInformation q1;
3414 struct netr_Authenticator a;
3415 #define ASYNC_COUNT 100
3416 struct netlogon_creds_CredentialState *creds;
3417 struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
3418 struct tevent_req *req[ASYNC_COUNT];
3420 union netr_WorkstationInfo query;
3421 union netr_DomainInfo info;
3423 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
3425 if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
3426 machine_credentials, &creds)) {
3431 r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
3432 r.in.computer_name = TEST_MACHINE_NAME;
3433 r.in.credential = &a;
3435 r.in.return_authenticator = &a;
3436 r.in.query = &query;
3437 r.out.return_authenticator = &a;
3441 q1.dns_hostname = talloc_asprintf(tctx, "%s.%s", TEST_MACHINE_NAME,
3442 lpcfg_dnsdomain(tctx->lp_ctx));
3443 q1.sitename = "Default-First-Site-Name";
3444 q1.os_name.string = "UNIX/Linux or similar";
3446 query.workstation_info = &q1;
3448 for (i=0;i<ASYNC_COUNT;i++) {
3449 netlogon_creds_client_authenticator(creds, &a);
3451 creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
3452 req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r);
3454 /* even with this flush per request a w2k3 server seems to
3455 clag with multiple outstanding requests. bleergh. */
3456 torture_assert_int_equal(tctx, tevent_loop_once(dcerpc_event_context(p)), 0,
3457 "tevent_loop_once failed");
3460 for (i=0;i<ASYNC_COUNT;i++) {
3461 torture_assert_int_equal(tctx, tevent_req_poll(req[i], tctx->ev), true,
3462 "tevent_req_poll() failed");
3464 status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx);
3466 torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
3467 torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
3469 torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
3470 "Credential chaining failed at async");
3473 torture_comment(tctx,
3474 "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT);
3479 static bool test_ManyGetDCName(struct torture_context *tctx,
3480 struct dcerpc_pipe *p)
3483 struct dcerpc_pipe *p2;
3484 struct lsa_ObjectAttribute attr;
3485 struct lsa_QosInfo qos;
3486 struct lsa_OpenPolicy2 o;
3487 struct policy_handle lsa_handle;
3488 struct lsa_DomainList domains;
3490 struct lsa_EnumTrustDom t;
3491 uint32_t resume_handle = 0;
3492 struct netr_GetAnyDCName d;
3493 const char *dcname = NULL;
3494 struct dcerpc_binding_handle *b = p->binding_handle;
3495 struct dcerpc_binding_handle *b2;
3499 if (p->conn->transport.transport != NCACN_NP) {
3503 torture_comment(tctx, "Torturing GetDCName\n");
3505 status = dcerpc_secondary_connection(p, &p2, p->binding);
3506 torture_assert_ntstatus_ok(tctx, status, "Failed to create secondary connection");
3508 status = dcerpc_bind_auth_none(p2, &ndr_table_lsarpc);
3509 torture_assert_ntstatus_ok(tctx, status, "Failed to create bind on secondary connection");
3510 b2 = p2->binding_handle;
3513 qos.impersonation_level = 2;
3514 qos.context_mode = 1;
3515 qos.effective_only = 0;
3518 attr.root_dir = NULL;
3519 attr.object_name = NULL;
3520 attr.attributes = 0;
3521 attr.sec_desc = NULL;
3522 attr.sec_qos = &qos;
3524 o.in.system_name = "\\";
3526 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
3527 o.out.handle = &lsa_handle;
3529 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy2_r(b2, tctx, &o),
3530 "OpenPolicy2 failed");
3531 torture_assert_ntstatus_ok(tctx, o.out.result, "OpenPolicy2 failed");
3533 t.in.handle = &lsa_handle;
3534 t.in.resume_handle = &resume_handle;
3535 t.in.max_size = 1000;
3536 t.out.domains = &domains;
3537 t.out.resume_handle = &resume_handle;
3539 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b2, tctx, &t),
3540 "EnumTrustDom failed");
3542 if ((!NT_STATUS_IS_OK(t.out.result) &&
3543 (!NT_STATUS_EQUAL(t.out.result, NT_STATUS_NO_MORE_ENTRIES))))
3544 torture_fail(tctx, "Could not list domains");
3548 d.in.logon_server = talloc_asprintf(tctx, "\\\\%s",
3549 dcerpc_server_name(p));
3550 d.out.dcname = &dcname;
3552 for (i=0; i<domains.count * 4; i++) {
3553 struct lsa_DomainInfo *info =
3554 &domains.domains[rand()%domains.count];
3556 d.in.domainname = info->name.string;
3558 status = dcerpc_netr_GetAnyDCName_r(b, tctx, &d);
3559 torture_assert_ntstatus_ok(tctx, status, "GetAnyDCName");
3561 torture_comment(tctx, "\tDC for domain %s is %s\n", info->name.string,
3562 dcname ? dcname : "unknown");
3568 static bool test_SetPassword_with_flags(struct torture_context *tctx,
3569 struct dcerpc_pipe *p,
3570 struct cli_credentials *machine_credentials)
3572 uint32_t flags[] = { 0, NETLOGON_NEG_STRONG_KEYS };
3573 struct netlogon_creds_CredentialState *creds;
3576 if (!test_SetupCredentials2(p, tctx, 0,
3577 machine_credentials,
3578 cli_credentials_get_secure_channel_type(machine_credentials),
3580 torture_skip(tctx, "DC does not support negotiation of 64bit session keys");
3583 for (i=0; i < ARRAY_SIZE(flags); i++) {
3584 torture_assert(tctx,
3585 test_SetPassword_flags(tctx, p, machine_credentials, flags[i]),
3586 talloc_asprintf(tctx, "failed to test SetPassword negotiating with 0x%08x flags", flags[i]));
3592 struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
3594 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon");
3595 struct torture_rpc_tcase *tcase;
3596 struct torture_test *test;
3598 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3599 &ndr_table_netlogon, TEST_MACHINE_NAME);
3601 torture_rpc_tcase_add_test(tcase, "LogonUasLogon", test_LogonUasLogon);
3602 torture_rpc_tcase_add_test(tcase, "LogonUasLogoff", test_LogonUasLogoff);
3603 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3604 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3605 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3606 torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
3607 torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
3608 torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
3609 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync);
3610 torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas);
3611 torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo);
3612 torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas);
3613 torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync);
3614 torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName);
3615 torture_rpc_tcase_add_test(tcase, "ManyGetDCName", test_ManyGetDCName);
3616 torture_rpc_tcase_add_test(tcase, "GetAnyDCName", test_GetAnyDCName);
3617 torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync2", test_DatabaseSync2);
3618 torture_rpc_tcase_add_test(tcase, "DsrEnumerateDomainTrusts", test_DsrEnumerateDomainTrusts);
3619 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3620 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomainsEx", test_netr_NetrEnumerateTrustedDomainsEx);
3621 test = torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo_async", test_GetDomainInfo_async);
3622 test->dangerous = true;
3623 torture_rpc_tcase_add_test(tcase, "DsRGetDCName", test_netr_DsRGetDCName);
3624 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx", test_netr_DsRGetDCNameEx);
3625 torture_rpc_tcase_add_test(tcase, "DsRGetDCNameEx2", test_netr_DsRGetDCNameEx2);
3626 torture_rpc_tcase_add_test(tcase, "DsrGetDcSiteCoverageW", test_netr_DsrGetDcSiteCoverageW);
3627 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
3628 torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
3629 torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
3630 torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation", test_netr_GetForestTrustInformation);
3635 struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
3637 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon-s3");
3638 struct torture_rpc_tcase *tcase;
3640 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3641 &ndr_table_netlogon, TEST_MACHINE_NAME);
3643 torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
3644 torture_rpc_tcase_add_test_creds(tcase, "SamLogon_NULL_domain", test_SamLogon_NULL_domain);
3645 torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
3646 torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
3647 torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
3648 torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
3653 struct torture_suite *torture_rpc_netlogon_admin(TALLOC_CTX *mem_ctx)
3655 struct torture_suite *suite = torture_suite_create(mem_ctx, "netlogon.admin");
3656 struct torture_rpc_tcase *tcase;
3658 tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon",
3659 &ndr_table_netlogon, TEST_MACHINE_NAME);
3660 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3661 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3662 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3664 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon",
3665 &ndr_table_netlogon, TEST_MACHINE_NAME);
3666 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3667 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3668 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);
3670 tcase = torture_suite_add_rpc_iface_tcase(suite, "netlogon",
3671 &ndr_table_netlogon);
3672 torture_rpc_tcase_add_test_creds(tcase, "LogonControl", test_LogonControl);
3673 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2", test_LogonControl2);
3674 torture_rpc_tcase_add_test_creds(tcase, "LogonControl2Ex", test_LogonControl2Ex);